Ulster Bank has been fined a record €3.5 million by the Central Bank of Ireland and reprimanded over the serious failings of its IT systems in June and July 2012, which resulted in about 600,000 customers being "deprived of essential and basic banking services" over a 28-day period.
This fine is in addition to a redress scheme that was required by the Central Bank under which Ulster Bank paid about €59 million to affected customers. The Central Bank found that Ulster Bank failed to have “robust governance arrangements” in relation to its IT systems and that this resulted in a “major and prolonged IT failure”.
Alongside causing widespread and significant loss and inconvenience to customers, the IT failure threatened confidence in the operation of the retail banking sector as it effectively prevented the institution from participating in the process used to settle payments among banks, the regulator said.
Commenting on the fine, the Central Bank's director of enforcement, Derville Rowland, said: "The IT failure caused significant and unacceptable inconvenience to affected customers trying to carry out everyday financial transactions. Over a prolonged period of time customers were unable to access cash through ATMs and pay for goods and services, and there was a delay in the processing of payments in and out of accounts. As the provision of financial services to customers represents the core business function of the bank, this major breakdown as a result of IT failings was completely unacceptable."
Ulster Bank has accepted the Central Bank's findings "in full". The bank said its governance and controls over its outsourced IT arrangements to parent Royal Bank of Scotland were not sufficiently robust. This led to a prolonged failure that caused significant inconvenience to customers.
Ulster Bank chief executive Jim Brown said the IT systems failure had impacted customers for an "unacceptable period of time" and "went to the heart of the trust they have in us as a bank".
“Our customers need to be able to rely on our systems and in this instance we let them down,” he added.
Mr Brown said improvements have since been made to the bank’s IT resilience. “We now have a dedicated separate batch scheduler for Ulster Bank so that a problem with one brand should not affect another. We have established a mirror bank so that in the event of a service outage we can still process transactions while we recover our systems.”
The Central Bank said while it recognises IT outsourcing is a feature of modern banking business, “outsourcing is no defence for regulatory failings”.
“Senior management must ensure that risks associated with outsourced activities are appropriately managed and must be aware that outsourcing arrangements can never result in the delegation of their responsibility to manage the risks associated with such activities,” it added.
It said these obligations apply equally to situations where activity is outsourced on an intra-group basis or to a third party. Ulster Bank is reliant on RBS for the provision of IT services including IT risk oversight and management. It entered into an outsourcing services agreement with RBS for IT services in 2005.
This is the highest fine collected to date by the financial regulator and “reflects the seriousness with which the Central Bank views the failings” of Ulster Bank and its “determination to ensure customers have access to core banking services without disruption”.
However, in June 2013, the regulator entered into a settlement agreement for €5 million with Quinn Insurance Ltd but the fine was waived as the company was in administration .