Barclays defence of its IT shutdowns highlights wider limitations

Peter Groucutt, managing director of Databarracks has commented on the BBC’s analysis of IT outages and incidents for major high-street banks.

Groucott said, “Since August 2018, the FCA has required banks to supply information about current account services to help consumers and small businesses make comparisons. This month, for the first time the data included the number of IT-related shutdowns, over the previous nine months.

“Analysis of the data undertaken by the BBC revealed, most major high-street banks suffered more than ten shutdowns between April and December 2018. Barclays was singled out as the worst performer with 41 incidents over the nine months. In response, the bank said, “We take IT resilience extremely seriously and we welcome transparency for our customers which is why we report every incident to the regulator, even minor glitches that have minimal impact on customers.”

“Barclays’ response might sound a little defensive, but it does highlight the limitation of how these incidents are reported. Are all outages equal? For example, does TSB’s prolonged outage from its systems upgrade count as just one incident? If so, that makes it difficult to compare performance between banks.”

Groucutt adds, “The FCA has to strike the balance between the demands on the banks to produce this data and the value it adds. In future reporting our recommendation would be to add:

• Length of outage, the duration of the incident.
• Severity of issue, from minor degraded performance of systems causing delays to complete outages with systems unavailable.
• Number of users/customers affected, to distinguish between incidents that only affect a small number of customers and major incidents that affect all (or a high proportion of) customers.

“For the small amount of effort, it would take to produce this data, the benefit to consumers is high and it would be equally valuable for the FCA to keep track of IT outages for the industry. Lastly, we would also suggest reporting the cause of the issue, which could be taken from a small number of broad categories such as ‘cyber incident’, ‘systems upgrade’ or ‘human error’.