A recent report from a top law firm pulls no punches when it comes to analyzing what went wrong at TSB Bank after an IT meltdown resulted in nearly 1.9 million customers being locked out of their accounts. The problems were connected to a migration project designed to separate TSB from the IT systems which were owned by former parent, Lloyds Banking Group.
TSB, which is owned by Spanish banking group, Sabadell, commissioned Slaughter and May to provide independent insight into the crisis, which occurred in 2018. The report has found numerous failings, which included:

  • TSB failed to adequately assess whether the contractor, Sabis (Sabadell’s in-house
    IT arm), was capable of delivering the new IT system, which included not asking
    enough questions about whether the technology was ready.
  • Testing was described as ‘flawed’ and ‘not sufficient’ to migrate the five million
    customers, particularly since the platform consisted of largely new software.
  • It was planned to migrate the customers over a single weekend, a high risk ‘big
    bang’ approach that lacked necessary preparation.

The report directly criticises the board, saying it lacked ‘common sense’ although Paul Pester, former TSB chief executive, said Sabadell had ‘cut corners’ with testing and the board was not kept fully informed about this. As such, he said the board could not fully anticipate the scale of the problems.

There now appears to be conflict between TSB and Slaughter and May, since the report suggests the law firm struggled to obtain all the information it needed for a full analysis, stating:

“We have faced a number of obstacles and difficulties in attempting to carry out an
analysis of the defects.”

The law firm also found a high number of defects – some 5,359 – saying these had not been properly addressed and some 4,424 were still open when the new system went live. But TSB refutes this and said there was a defect backlog of 4,396 and that only 98 of these were applicable to the migration program. Meanwhile, TSB chairman, Richard Meddings, claims the report does not “paint the full picture of migration”.

Whatever the rights and wrongs, TSB’s woes are far from over, since investigations by the FCA and the PRA have yet to be concluded and could result in a huge fine. Sabadell has said it resolved all the 184,000 complaints stemming from the IT problems, paying some £366 million to cover the costs of the IT disaster, with £130 million of this in customer compensation.

The report is a stark reminder of what can happen when firms aren’t resilient enough to these sort of disruptions, an area that the government and regulators are keen to address. Firms should also be aware of the joint discussion paper issued last July from the Bank of England, the PRA and the FCA, ‘Building the UK financial sector’s operational resilience’, which was aimed at ensuring boards were beginning to place a high emphasis on this area, as well as evaluating potential vulnerabilities and taking action where necessary.

At the end of October, the Treasury Committee published a report on IT failures and said regulators must act to improve Operational Resilience, suggesting higher levies should be placed on the sector to pay for more experienced regulatory staff. Further, it stated there was a ‘strong case’ to regulate the cloud services sector including Fintech companies. It was pointed out since the number of bank branches and ATM machines is reducing, there is greater reliance on online banking, and the potential for greater disruption when there are failures.

According to Steve Baker MP, the Treasury Committee’s lead member for the inquiry:

“The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable. The Committee, therefore, launched this inquiry to look ‘under the bonnet’ at what’s causing the proliferation of such incidents, and what the regulators can do to prevent and mitigate their impacts…For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut-off. Our inquiry into service disruption at TSB remains open, and I’ve no doubt that the Committee will want to examine Slaughter and May’s report and the progress of the regulators’ investigation”.

The government is seeking significant change when it comes to operational resilience and the lessons from TSB’s experience look set to be important ones on the route to achieving this.