Regulatory squeeze seems inevitable after online glitches

Regulators are waking up to the problems that payment and banking glitches and outages cause for customers. They're demanding an accounting, as well as guarantees that customers don't face losses stemming from their bank's problems.

Here's a good example: In one recent incident, consumer groups demanded answers from three of Britain's biggest banks — HSBC, Barclays and TSB — when they all experienced outages on a single day, making online banking impossible and cutting off payments. And in the U.S., Wells Fargo recently suffered a similar outage.

The outages caused “huge inconvenience as millions of people who were shut out of their accounts on payday,” according to Which?, a U.K. consumer group. “Customers can incur fines, penalties and fees when they’re not able to access their finances, so the banks must offer compensation to all those affected.” The glitches (none of the banks publicly announced the reason for the outages) were serious enough to generate a parliamentary inquiry into banking outages; and embarrassingly enough, HSBC customers were again locked out of their accounts — on the very day the inquiry began.

Daniel Tepper/Bloomberg

In another case, British Airways has filed a lawsuit against the outsourcing firm CBRE for a problem at the data center it managed for the airline after 75,000 passengers were stranded in a 2017 outage. The outage affected the airline's computerized check-in system, forcing it to resort to manual check-ins, slowing down the process to the extent that nearly 700 flights were canceled over a holiday weekend. According to BA, the debacle cost it nearly £60 million.

It's just the tip of the iceberg, and, concerned over the damages from outages, both to businesses and individuals, regulators are developing new rules that will require banks to ensure that such glitches don’t occur. In its report on the impact of the September outages in the U.K., Which? said that “yet again customers are being failed by bank IT glitches. These IT failures have become alarmingly common, so banks must invest to ensure their systems are up to the task of protecting their customers’ accounts and maintaining the services they rely on.”

With regulations come penalties for failing to comply with the rules, usually in the form of sanctions or fines. But once regulations are in place, a violation could trigger lawsuits — meaning that the demand by the Which? group that banks compensate customers who experience losses from outages could drag banks through drawn-out and expensive litigation.

The problem with glitches, of course, is that they are glitches, meaning that they generally cannot be predicted. After all, no retailer plans for its credit card system to fail on the biggest shopping day of the year — and no bank wants to be in a situation where it could be losing as much as $100,000 an hour, according to Rand Organization report. And while IT teams in banks certainly do what they can to avoid outages — and do everything possible to get back online if there is an outage — institutions can only battle problems that they know about. And according to a study by the University of Chicago on cloud outages, the biggest reason for them is “unknown.”

“Unknown” could mean anything — misconfiguration, malware, incompatible software, etc. The point is that it is “unknown,” and that is dangerous for any organization that needs to ensure continuity of services — especially organizations like banks, which, subject to regulation and public ire, are in a more sensitive situation than most other service businesses.

And regulators are unlikely to be interested in hearing how difficult it is to predict glitches. With more consumer and regulatory concern over the effects of IT outages, it’s almost inevitable that the pressure will grow on institutions to prevent them, or correct them as soon as they occur. If the regulators don’t get them, the lawyers, in the form of individual or class-action lawsuits, will, as CBRE is now finding out as it deals with the British Airways complaint.

One cause for these “unknown” glitches, for example, is deviation from industry best practices and vendor recommendations in configuration, deployment of software, etc. Often, IT personnel will change files, permissions and dependencies to solve a short-term problem — thus creating another problem that could cause an outage at a critical moment. The big data analysis system can identify those files, dependencies, permissions, etc., and determine if they will indeed be a cause for concern — providing valuable data to personnel to intervene before an outage can take place.

Another cause for these glitches might be software upgrades. Organizations that are upgrading from vSphere 5.5 to 6.x, for example, often have difficulty ironing out the upgrade issues, and help is often hard to come by. One missed configuration step could lead to an outage. The automated big-data analysis system could examine the configuration and installation, and ensure that it will work properly when needed.

As regulators become more attuned to the suffering of customers resulting from outages, they will become more likely to demand from banks that they prevent those outages. With so many factors to consider — and a vast IT system that offers almost limitless possibilities for outages — the imposition of those regulations is likely to be expensive and painful. Banks would be much better off taking the initiative and show regulators that they can be trusted to keep their services online.