TSB glitches cost GBP 176 million

06 September 2018

MIGRATION PAINS

On the evening of Friday 20 April, TSB began to move five million customers and their 1.3 billion records from an IT platform, operated by its former owner Lloyds Bank, to a system managed by Sabadell. However, soon after the new system was switched during Sunday evening, customers reported service disruption and some were able to view the details of other account holders.

Unable to quickly resolve the problem, TSB called in IT specialists from IBM and appointed accountancy firm Deloitte to devise a system to compensate customers - TSB waived banking fees and increased interest on current accounts to appease customers.

The migration of TSB’s online banking platform and the resulting system outage continues to be a drain on the bank’s resources and a source of additional expense. Four months on, the bank is left dealing with thousands of complaints and is unable to offer new customers a full range of services.

COUNTING THE COST

The cost of dealing with the problematic migration totalled GBP 176.4 million in the second quarter alone, pushing TSB into a half-year loss. The outage also saw TSB’s parent, Spanish bank Sabadell, post a quarterly loss, as it absorbed the cost of dealing with the IT issues and compensating customers.

According to Sabadell, TSB’s post migration costs in the second quarter included a EUR 92.4 million provision for future customer redress, EUR 36 million in lost interest; the waiver of overdraft fees and an increase in the interest rate to compensate account holders. The cost of hiring specialists to deal with the outage cost TSB EUR 35 million during the second quarter.

An interesting by-product of the IT issues was a marked increase in fraud. Criminals took advantage of the outage by targeting TSB customers with phishing attacks – some 1,300 customers fell victim to fraudsters in the wake of the attack, while the regulator says that over 10,600 fraudulent attempts were launched. The 70-fold increase in fraud resulted in a EUR 39.8 million charge for TSB during the second half of 2018.

LASTING EFFECT

Over the course of the summer, the outage continued to hinder TSB’s business. Following the outage, TSB lost 12,500 customers, while services for new customers were curtailed, as the bank focused its efforts on serving existing customers. Paul Pester, Chief Executive of TSB, told newswire Reuters that everything should be back to normal in terms of serving existing customers and attracting new ones by the first quarter of 2019.

While most of TSB’s services were reinstated by July, issues remain with their online banking system. Customers were not able to apply for banking products on TSB’s website and TSB mortgage holders were unable to switch products. TSB customers were also hit with a further, albeit brief, outage in July.

One of the biggest problems for TSB has been coping with the deluge of customer complaints. Months after the outage, some 40% of customers were unable to contact the bank via telephone helplines. TSB had received 135,403 complaints related to the outage by 25 July, which are currently being handled by 260 people, an increase on the 54-strong complaints team in place in April. The bank is reportedly looking to double its customer complaints team to 500 personnel, as it battles to resolve customer complaints related to its IT problems earlier this year.

Subscribe to our  Latest Cyber Decoder newsletter

REGULATORY SCRUTINY

The bank’s handling of the IT platform migration and subsequent outage is currently being investigated by the Financial Conduct Authority (FCA), which has the power to levy unlimited fines. The FCA has already criticised TSB’s handling of the outage, in particular its communication with customers and a perceived lack of transparency. With increased dependency on technology, regulators have increased their attention on the resilience of banking services. The Bank of England, for example, recently launched a consultation on cyber related operational resilience, while the FCA introduced disclosure requirements for bank IT outages.

The FCA disclosure requirements revealed that the UK’s five biggest banks reported a total of 64 security or operational incidents that prevented customers using telephone, mobile or online banking in the second quarter of 2018, according to newswire Reuters. The rules, which came into effect in August, require banks to publically disclose outages caused by cyber-attacks or other disruptions.

INSURABLE LOSS

Interestingly, TSB has not indicated if its recent IT platform migration issues were insured. Outages, including those caused by failed upgrades, are generally insurable under standalone cyber insurance. Systems failure coverage is readily available in the insurance market with broad terms and meaningful limits.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com.

YOU MAY ALSO BE INTERESTED IN