Following recent technology glitches that hampered the largest banks in the United Kingdom, the timing of a recent whistleblower lawsuit that accuses the Lloyds Banking Group of faulty business continuity processes couldn't be worse (for Lloyds).
After all, Lloyds itself suffered two high profile technology outages in 2012, including an outage in October and a similar disruption on December 31. In the October incident, customers were not able to access the Lloyds’ online services, make payments via credit cards or withdraw money from ATMs. Less than three months later on New Year's Eve, Lloyd's customers experienced "intermittent" problems using ATMs and accessing banking account information.
Lloyd's technology problems, although high profile, were not as large as RBS' computer failure on June 19, 2012 that was caused by a corrupt software update to the bank's core payments application. Millions of customers NatWest and Ulster Bank could not make payments. Many of NatWest's account holders had to wait for more than a week for the system problems to be fixed, while 100,000 customers of Ulster Bank had to wait almost a month before the payment systems were running normally again.
These outages should serve as a wake-up call to the European banks, says London-based Nicholas Brewer, senior analyst at Aite Group. "There has been an underinvestment in core systems over the past few years, as the banks have been focused on the euro crisis and credit crisis," Brewer says. "The big back end systems have not really been touched."
[Lloyds isn't the only bank to face whistleblower lawsuits. To read about Deutsche Bank's recent case, visit: Deutsche Bank Directors to Question Board.]
Core banking system failures, notes Brewer, are extremely rare and are events that banks do "everything to avoid" to prevent financial losses, bad headlines and lasting damage to a bank's reputation. But in 2012 alone, there were three customer facing banking system failures. "These events were unimaginable before, but are happening now."
European banks rely primarily on in-house developed core systems, Brewer says, even more than their counterparts in the United States and Asia. "Since 2008, there have been a large number of mergers and now banks are using multiple decade old systems for mission critical systems." Since the home grown systems are difficult to replace, banks have been unable — or unwilling — to "use vendors to replace the old systems," Brewer says.
As for the recent news that a former business continuity executive at Lloyds is suing the bank for problems that could cause Lloyd's banking systems to fail, it's not clear if the suit has merit or if it is another instance of a disgruntled former employee looking for compensation. Stephen Clements, the former head of the business continuity at Lloyds Banking Group, alleges that he was fired for identifying the problems with the bank's disaster recovery process and was told to "burn the paper" his report was written on, according to a report from The Daily Mail.
In the current lawsuit, according to The Daily Mail report:
Clements … "was 'startled' to discover that only a third of the bank's systems had undergone crucial testing, leaving 'very serious gaps in our ability to recover critical IT systems'.
Mr. Clements said the failure to undertake the risk assessments could have a potentially catastrophic impact on the country's economy.
He said the impact would dwarf a similar glitch at the Royal Bank of Scotland (RBS) last June that left millions of customers unable to access their accounts.
He said: 'The LBG issues are much bigger and could potentially send the bank out of business, thereby destabilizing the British economy. I raised a really serious concern.'
Clements asserts that it would have cost Lloyds approximately £200 million to fix the business continuity plan and that senior technology leaders at RBS, which is 82 percent owned by the UK government, "covered up" his report because it would cause extensive damage to the public's perception of the bank, according to the Daily Mail article.
Although Aite's Brewer isn't familiar with the specifics of Clements' complaint, he does say that whistleblower cases involving IT are rare. "This is an unusual case and I haven't seen anything like this before," Brewer says, noting that many whistleblower cases in financial services involve insider trading or financial crimes. "If [Clements'] claim is correct, it is a very bad thing for Lloyds." But if the claim doesn't have any merit, "it will be a good thing since there isn't that much wrong" with their risk assessment and business continuity processes. "You could argue it either way."
As banks become more complex and larger, however, technology risk will continue to grow. "There are so many systems, so there is always a risk of a problem," Brewer says. Clements "is claiming that [Lloyd's] risk mitigation isn't working. That's very serious, if true. Having a strong business continuity plan is extremely important."