The move by TSB, which reflects a widespread shift to online banking, will take effect next year. The bank says 220 branches would remain open at the end of June 2022, down from 290 branches today.
Despite the closures, TSB will maintain the seventh-largest high street footprint in the UK, with staff affected by the closures to be offered other positions within the company. TSB also says it plans to open ten “pop-up” branches amid its changes.
TSB chief customer officer Robin Bulloch commented, “Closing branches is an incredibly difficult decision to take, but we have to respond to the changes in the way people bank and provide the right mix of services for all our customers now and into the future.”
The move comes as the continuation of an ongoing trend by TSB and is not wholly unexpected. Back in September 2020, TSB announced it would be closing down 164 of its branches, while in November 2019, the bank announced the closure of 82 of its physical sites.
TSB branches affected by the closures include Bath, Cambridge, Bury St Edmunds, Exeter, Gateshead, Maidstone, Shrewsbury, and Uxbridge.
Here Andy Barratt, UK managing director at international cybersecurity specialist Coalfire, explores how the financial services sector can turn the tide on costly, high-profile cyber missteps.
It’s fair to say that the financial services sector has struggled to secure positive consumer sentiment for itself recently – particularly in relation to cybersecurity. At the end of October, the government’s Treasury Select Committee (TSC) went so far as to say that the number of IT failures at banks and other financial services firms has reached a level it deems “unacceptable”.
The criticism, which highlighted poor IT performance within financial firms and a lack of decisive action from their regulators, comes in the wake of a string of high-profile and costly cyber glitches in recent years. Most notable among those is TSB’s unsuccessful attempt to migrate its systems over to new parent company Banco Sabadell.
Customer details were left easily accessible and vulnerable to fraud attacks, and thousands were left unable to access their accounts. But TSB are not the only culprits: Barclays, RBS and VISA are among a raft of other major financial service providers to have suffered serious technical glitches in the past few years.
Why then, with so much at stake, are financial firms lagging behind when it comes to their cyber strategy?
The first aspect that makes large firms so susceptible to attacks is that their IT systems are often complex and, significantly, outdated. Hackers can easily find weak spots in the system or, as in TSB’s case, vital information can slip through the cracks.
Our inaugural Penetration Risk Report, which took place around the time of TSB’s issues, found that the largest firms are less likely to be prepared to face up to cybercrime than their mid-sized equivalents – despite greater budgets and resources – due to their cumbersome and slow-moving infrastructure.
More recently, we’ve seen those larger businesses close the gap, mostly through the support of in-built cloud security services, but the risks still remain for many. In the financial services sector specifically, this year’s study indicated that the level of external threat has actually increased.
The rush to implement services under a new ‘Digital’ initiative sometimes comes at the cost of addressing the underlying legacy issues too. Whilst the big banks rush to keep up with the online-only challenger banks they re-allocate budget for the new apps and forget the underlying infrastructure they depend on.
One of the key risks boosting that threat is a habit within large corporate cultures of IT teams or risk managers consistently ‘downgrading’ risks, due to lack of understanding or complacency, when reporting to those further up the pecking order. This is dangerous and can lead senior figures to the conclusion that everything is ‘ok’ within their organisation when, in reality, an IT crisis is just around the corner. This is particularly true when organised crime groups are targeting financial services with highly sophisticated attacks that are often discounted by management with a throwaway ‘nobody would do that’ comment.
Companies should attempt to foster a ‘safe’ environment where staff feel comfortable raising problems they encounter so that solutions can be found before disaster strikes. They should also remain current with intelligence from their incident response and forensic partners, who will see the sophisticated threats when they do cause a breach.
An enhanced understanding of the issues facing the business is less likely to leave senior spokespeople up a creek without a paddle when facing the media. No one would expect a CEO to know all the ins-and-outs of their IT infrastructure, but basic comprehension can go a long way. Knowledge is power.
Due to the nature of the industry and the services they provide, banks and large financial firms are required to interact with third parties on a massive scale. Unfortunately, this isn’t without its drawbacks.
Many third parties – and, by extension, their own supply chain – lack the sophistication and/or the wherewithal to deal with cyberattacks. As such, they are often the first port-of-call for a hacker looking to worm their way into a major system.
An example includes the British Airways data breach in the summer of 2018, when hackers were able to take information directly from the airline’s website thanks to access from a third party.
Often, being subject to this form of intrusion is pure bad luck rather than bad planning. However, large firms must ensure that they’re sufficiently protected and that access for third parties is limited. It’s a simple case of making sure that your back’s covered wherever possible.
Perhaps the most common error (and the most tangibly addressable) is the human risk inherent within any business. Naturally, the larger your workforce, the greater the risk you face, which is a major issue within the financial services sector.
Phishing, a scam that prompts staff to provide their username and password, is still one of the simplest but most successful ways potential attackers get their foot in the door.
The key to combatting the danger is providing constant training to employees so that they’re fully aware of the threat and the responsibility that they have towards protecting the business.
What’s more, the high-profile cases mentioned above are dangers in themselves: when the glitch or failure makes the news, a signpost is placed for hackers looking to break in. Each headline is an ‘x-marks-the-spot’ for a company’s weak spot, as well as their competitors’.
It’s a brutal world that financial services businesses face as technology advances but, with such large amounts of money at stake, they must be up to the challenge.
Amidst a large swathe of planned job cuts at Lloyds, at the beginning of November the bank announced that there was a silver lining - a £3 billion investment programme that will see the country’s biggest high-street lender radically transform its digital strategy. While 6,000 existing roles are being cut from a broad range of areas, 8,000 are being created to focus on areas of digital expansion, including in the group transformation unit. And, the CEO of Tectrade Alex Fagioli points out, it’s about time for Lloyds, as it begins to play catch up with an industry that has quietly been revolutionised by high-street banks and start-ups that have gone all-in on digital banking.
Digital banking provides a great deal of benefits to administrators and customers alike. Customers are given a more flexible way of banking, accessing their accounts and transferring their money without relying on bank hours. Managers have an unprecedented insight into the activity of branches and can offer services to their customers which they had previously been incapable of. However, the challenges and risks that come with digital transformation have led traditionally large financial institutions like Lloyds to implement such practices poorly, to the detriment of all involved.
In April, a routine systems upgrade at TSB went awry and left 1.9 million customers locked out of their accounts for up to a month. Similarly on Friday 1 June, 5.2 million transactions using Visa failed across Europe as a result of one single faulty switch in one of Visa’s data centres. This isn’t just a continental issue; Atlanta-based Sun Trust – a bank with 1,400 bank branches and 2,160 – experienced a significant outage to its online and mobile banking platforms in September due to a botched upgrade. In all of these cases, the outages weren’t the result of cyberattack or weather-related problems. Instead, these outages came as a result of seemingly insignificant technical factors that had been overlooked – and Lloyds would be wise to heed these cautionary tales.
In the first two instances, the causes of the outages are very clear – and they were entirely preventable. TSB rushed into an upgrade by hastily initiating the update across its entire system. For a technical reason that we will likely never know, the update tanked the entire bank and left it at a standstill while it tried to pick up the pieces. Even when it managed to get everything back in place, TSB is now permanently scarred by the event, with its reputation still reeling. The prevention for this would have been a gradual rollout, as opposed to a sweeping installation. If the upgrade was initially piloted with non-essential systems, then the bugs would likely have been spotted early, with little fuss and no media spotlight.
Likewise, the Visa incident came as a result of a single faulty switch and that betrays a lack of understanding of its own systems. It is shocking how few companies have carried out any form of disaster recovery testing on their infrastructure. Administrators are incapable of having a full understanding of the systems they are responsible for without testing them in a controlled and simulated environment. With a controlled disaster test, that faulty switch would have been highlighted and those 5.2 million transactions would have been completed. It’s similar to a car – the reason that MOTs are essential is so that any issues can be highlighted well ahead of them having a serious effect on the vehicle’s performance. Banks must carry out a cyber MOT in order to keep their systems in check and to give IT teams a full working knowledge of any potential issues.
But this is all in the case of preventable issues, and the accepted wisdom in the modern day is that it is not if, but when, outages will happen.
Thus far we’ve only addressed routine operations, but cyberattack is of course an omnipresent threat. Ransomware has spent the past couple of years as the ‘big bad’ in cybercrime, and it is an even bigger threat to the financial sector. Over the past 12 months, the financial services and insurance sector was attacked by ransomware more than any other industry, with the number of cyberattacks against financial services companies in particular, rising by more than 80%. If a bank were to be hit by a ransomware attack, all online systems for banking and insurance transactions will need to be taken offline, rendering that organisation unable to operate. According to a report from Osterman Research, there is a 50% chance of employees in this industry suffering productivity loss, a 30% chance that the financial and insurance services will shut down temporarily, and a 20% chance of revenue loss and adverse effect on customer perception. In cases of ransomware, data recovery can be very difficult as there is a large amount of customer information stored in a variety of disparate systems. As such, many organisations may feel they have no choice but to pay the fee demanded of them to regain access to the data.
Equally as unpreventable are environmental factors. Areas like the Southern States of the USA are frequently dominated by hurricanes and tropical storms which can cause large disruptions to everything from schools to banks. Many of these buildings have to be built with this in mind, and network operations should be created with the same mindset. In the UK, by contrast, we don’t have to deal with such extreme weather conditions, but environmental considerations must be made with the potential for freak accidents. A burst pipe in a shared building or road workers drilling through electrical or network cabling, for example, could see a bank offline for an indeterminate period of time outside of its control. One example of this in action was with National Australia Bank, which suffered a power outage that downed ATMs, Eftpos and online banking across the country for five hours in May.
In all of these situations where outages can occur, banks must make sure they have the capacity to get their systems back online and fast. The best way to do this is by adopting a zero-day approach to architecture. Zero-day architecture won’t prevent an outage, but it will mitigate the effects. It allows organisations to minimise downtime and recover from backups without having to worry about lost data.
A zero-day recovery architecture is a service that enables administrators to quickly bring work code or data into operation in the event of any outages, without having to worry about whether the workload is still compromised. An evolution of the 3-2-1 backup rule (three copies of your data stored on two different media and one backup kept offsite), zero-day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This policy assigns an appropriate storage cost and therefore recovery time to each workload according to its strategic value to the business. It could, for example, mean that a particular workload needs to be brought back into the system within 20 minutes while another workload can wait a couple of days.
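An added example, not part of the original article or of any vendor's product: a short Python audit that checks a backup inventory against the 3-2-1 rule and against the recovery time the policy assigns to each workload. The workload names, media labels, finding codes and restore timings are constructed for illustration, and the example assumes the recovery target must be met from an offsite copy, since on-site copies may be unavailable or compromised during an incident.

```python
"""Audit backup copies against the 3-2-1 rule and per-workload recovery targets."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Copy:
    medium: str                                    # e.g. "san", "tape", "cloud-object"
    offsite: bool
    measured_restore: Optional[timedelta] = None   # last restore test; None = never tested


@dataclass(frozen=True)
class Workload:
    name: str
    rto: timedelta                                 # recovery time the policy assigns
    copies: Tuple[Copy, ...] = ()


def audit(w: Workload) -> List[str]:
    """Return finding codes for one workload; an empty list means it passes."""
    findings = []
    if len(w.copies) < 3:                          # "3": three copies of the data
        findings.append("COPIES<3")
    if len({c.medium for c in w.copies}) < 2:      # "2": two different media
        findings.append("MEDIA<2")
    offsite = [c for c in w.copies if c.offsite]   # "1": one copy kept offsite
    if not offsite:
        findings.append("NO_OFFSITE")
        return findings                            # nothing offsite to time a restore from
    # Assumption of this example: the target must be met from an offsite copy.
    tested = [c.measured_restore for c in offsite if c.measured_restore is not None]
    if not tested:
        findings.append("RESTORE_UNTESTED")        # never exercised in a recovery test
    elif min(tested) > w.rto:
        findings.append("RTO_MISSED")              # fastest offsite restore is too slow
    return findings


def audit_all(inventory: List[Workload]) -> Dict[str, List[str]]:
    return {w.name: audit(w) for w in inventory}


# Constructed sample inventory (not real data).
INVENTORY = [
    Workload("payments", timedelta(minutes=20), (
        Copy("san", offsite=False, measured_restore=timedelta(minutes=5)),
        Copy("disk", offsite=False, measured_restore=timedelta(minutes=15)),
        Copy("cloud-object", offsite=True, measured_restore=timedelta(hours=4)),
    )),
    Workload("reporting", timedelta(days=2), (
        Copy("san", offsite=False),
        Copy("tape", offsite=True, measured_restore=timedelta(hours=30)),
        Copy("cloud-object", offsite=True),
    )),
    Workload("crm", timedelta(hours=4), (
        Copy("san", offsite=False),
        Copy("san", offsite=False),
    )),
    Workload("mortgages", timedelta(days=1), (
        Copy("san", offsite=False),
        Copy("tape", offsite=False),
        Copy("cloud-object", offsite=True),
    )),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(f"{name:10s} {'OK' if not findings else ', '.join(findings)}")
```

In this sample, the payments workload satisfies 3-2-1 yet still fails, because its only offsite copy takes four hours to restore against a 20-minute target.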
As it begins its massive investment in digital transformation, Lloyds could very easily sink its budget into exciting features that promise to improve the lives of customers and employees. However, without learning the lessons of the high-profile outages that have come before it from banks that have undergone their own transformations, Lloyds is doomed to repeat the same mistakes. You can promise all the features in the world, but without a solid foundation the bank will essentially be a house of cards, ready to collapse at the slightest sign of danger. All banks, regardless of size, must prioritise the minimisation of downtime by having common sense policies in patch management, full knowledge of a system gained through disaster testing and a recovery strategy in place that enables it to get back online at speed.
Following recent incidents such as TSB's systems failure and Visa's service outage, operational resilience is increasingly vital. The Bank of England and FCA recently published a report stressing the importance of business continuity during a disaster. Below Finance Monthly hears from Peter Groucutt, Managing Director at Databarracks, who discusses what businesses need to do, and can do, to strengthen their operational resilience during a disaster to absorb any shock a business may experience.
In July 2018, the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint discussion paper aimed at engaging with the financial services industry to improve the operational resilience of firms and financial market infrastructures (FMIs).
At the time it was issued, banks and FMIs were capturing media attention, following several high-profile incidents.
TSB’s failed IT migration has been well publicised, costing the firm £176.4m in various fees and leading to the departure of its chief executive, Paul Pester. In June 2018, shortly before the release of this paper, millions of people and businesses were unable to pay for shopping due to a sudden failure of Visa’s card payment system.
Financial services lead in business continuity
The financial services industry is a leader in business continuity and operational resilience. It has a requirement of a high level of systems-uptime and is well-regulated. The best practices it introduces are often taken and more widely adopted by other industries. Our own research supports this. Our annual Data Health Check survey provides a snapshot of the IT industry from the perspective of over 400 IT decision-makers. The findings from this year’s survey provided some revealing insights.
64% of financial institutions had a business continuity plan in place, compared to an industry average of 53%. Of the financial sector firms with a specific IT disaster recovery process within their business continuity plan, 64% had tested this in the past 12 months – compared to 47% across other industries. Finally, 81% of financial firms had tested their IT disaster recovery plans against cyber threats, versus 68% of firms in other sectors.
While these findings reinforce the strength of the industry’s operational resilience, incidents like TSB and Visa prove it is not immune to failures.
The regulators want to “commence a dialogue that achieves a step-change in the operational resilience of firms and FMIs”. The report takes a mature view to the kind of incidents firms may face and accepts that some disruptions are inevitable. It provides useful advice that can be taken and applied not only to the financial services community, but other industries too.
Leveraging advice to improve operational resilience
So, what can be learned from this report? Firstly, setting board-approved impact tolerances is an excellent suggestion. This describes the amount of disruption a firm can tolerate and helps senior management prioritise their investment decisions in preparation for incidents. This is fundamental to all good continuity planning; particularly as new technologies emerge, and customer demand for instant access to information intensifies. These tolerances are essential for defining how a business builds its operational practices.
Additionally, focusing on business services rather than systems is another important recommendation. Designing your systems and processes on the assumption there will be disruptions – but ensuring you can continue to deliver business services is key.
It’s also pleasing to see the report highlight the increased concentration of risk due to a limited number of technology providers. This is particularly prevalent in the financial sector for payment systems, but again there are parallels with other industries and technologies. Cloud computing, for example, is reaching a state of oligopoly, with the market dominated by a small number of key players. For customers of those cloud services, it can lead to a heavy reliance on a single company. This poses a significant supplier risk.
Looking ahead, the BoE, PRA and FCA have set a deadline of Friday 5th October for interested parties and stakeholders to share their observations. The supervisory authorities will use these responses to inform current supervisory activity, helping to dictate future policy-making. The supervisory authorities will then share relevant information with the Financial Policy Committee (FPC), supporting its efforts to build resilience in the financial system.
Firms looking to improve their operational resilience should take advantage of this excellent resource – whether in financial services or not.
Last week TSB lost around 16,000 customers following a serious IT meltdown. This event serves as a display of how important customer service and customer experience are in the commercial banking sector.
In light of TSB’s recent customer service blunder, Jonny Davis, vice-president of global client management partnerships at Fraedom, comments on how banks can enhance their solutions and services delivery.
The TSB story should serve as a reminder of the importance of customer service and the customer experience. Times have changed – businesses have more choice in who they bank with and can switch banks relatively easily, as we have seen from TSB’s customer losses. In this day and age, it’s unacceptable for banks to have faults on this scale.
Over the last decade, customers have come to expect more from their banks, largely thanks to technological innovation which provides seamless mobile transactions, generally responsive customer service and fast transaction times. These services are now seen as a given and banks, whether consumer or commercial, falling short of these expectations is seen as a failure. With ever-growing customer expectation banks must adapt or innovate in these changing times.
A recent survey conducted by Fraedom found that account management and customer service are priorities for 71% of commercial clients. Ultimately, people want more from their banks and this often means more automation, a focus on online banking and a more personalised service. Customers are looking for the banking system to change and up their game when it comes to customer service. In fact, we discovered that 95% of commercial banking clients want their providers to supply the same aggregated account views and real-time transactional information that their personal apps do. This is one area where commercial banks must innovate to keep up with customer expectations.
The recent development and adoption of technology within the banking sector has certainly given way to an increase in our expectations, as consumers, both in the personal and commercial sphere. We have now come to realise that we can do more and more without ever having to step foot inside a bank or even talk to another human being – and we now expect it. With more than 70% of consumers willing to receive computer-generated banking advice according to Accenture, this is a great way for banks to offer the 24/7 service customers have come to expect. Nowadays, customers see no reason for an adherence to ‘office hours’ when chatbots can provide a solution to this thanks to their 24/7 availability and intelligent access to customer information.
Chatbots are just one area in which banks can innovate beyond the basic banking apps to provide a better customer experience, with other areas including biometrics, security and AI. For instance, banks can provide an added value service by incorporating AI into their existing services for spend analysis or risk identification. This would raise banking services above the level of a commodity, improving brand consideration and customer loyalty and cementing their relationships with clients.
TSB’s experience should be a lesson to its peers about the power of their customers. If customers aren’t happy with the service they are being provided, then it is highly likely they will take their banking elsewhere. It’s therefore up to banks to innovate and use technology to provide faster, safer and more intuitive solutions for their customers.
In light of the recent cyberattacks that TSB and British Airways were faced with, Andy Barratt, UK Managing Director at cybersecurity consultancy Coalfire, delves into the trend for large corporates to be hit harder by IT glitches than their SME peers.
It seems barely a week goes by without the world’s news channels breaking the story of a major cybersecurity incident affecting yet another household-name business. In the last month alone, we’ve seen CEOs fall on their swords, the value of shares plummet and hundreds of thousands of people urged to re-secure their online accounts after IT failures and malicious attacks caused widescale disruption.
In the modern age, no business is safe – either from external threat or from itself. The IT saga that engulfed TSB this summer, and ultimately cost the bank’s CEO Paul Pester his job, is an example of a big business causing itself a monumental headache through poor risk management.
Bank customers were left without access to their digital accounts for weeks as TSB tried to migrate its clients’ account details across from its existing IT platform to that of its new Spanish owner, Sabadell. When IBM was called in to consult on the issue, it quickly became apparent that insufficient testing had been carried out in advance to ensure the transfer process would run smoothly.
Customers, MPs and journalists alike have since accused TSB of having its head in the sand over the incident, failing to get to the root of the issue quickly enough and keeping customers in the dark. The question on the public’s lips was ‘how could this happen to a business with presumably vast security resources?’.
Corporates miss security sweet spot
The answer is that behind the curtain – and contrary to accepted wisdom on cybersecurity – large enterprises are often not the best prepared to protect themselves against cyber risk, despite having bigger budgets and more resources. Coalfire recently conducted its inaugural Penetration Risk Report, which tested the cyber defences of enterprises of various sizes across sectors including financial services, retail, healthcare, and tech and cloud services. The research involved simulating planned cyber-attacks against the businesses – a practice known as penetration testing - to identify weak spots in their security armour.
A financial services organisation fared better than most. But even in this comparatively well-performing sector we found that large enterprises were not the most secure, despite having the most substantial cybersecurity budgets. Instead, it was mid-sized firms that found the sweet spot in terms of protecting their assets and mitigating their security risks.
So why doesn’t bigger spend correlate to improved security?
It’s worth noting at this point that TSB’s issue was not caused by malicious intent or outside interference. However, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.
Business leaders must become comfortable hearing about problems and technical risk when it comes to IT. Often in large organisations, there is a mindset that the board doesn’t want to know about a problem, so risks are constantly re-framed and cracks painted over.
Consequently, senior executives often don’t have visibility of deeply-rooted issues and, ultimately, make decisions that don’t factor those risks in. This can be particularly unhelpful when businesses are looking to innovate as investment in new technology (mobile banking, rapid deposit taking, etc.) is hamstrung by existing technical challenges.
This mindset where boards are in the dark often occurs in organisations where a culture of blame is prevalent. We must move to a corporate environment where staff feel comfortable elevating issues to management rather than patching them up.
In the worst-case scenario, this disconnection between boardroom and shop floor can leave senior spokespeople fronting up to the media with little understanding of the issues that have embroiled their business in controversy. Highlighting how it should be done was British Airways’ Chief Executive Alex Cruz, who was quick out of the blocks to publicly communicate a detailed understanding of the specifics after the flight operator discovered a malicious breach in September.
Heads will roll
In the immediate aftermath of TSB’s IT failure, the Financial Conduct Authority accused the bank’s leadership of ‘portraying an optimistic view’ and failing to adequately communicate the extent of the issue to the public. The bank apologised unreservedly but the real question remained about its competence and whether TSB’s leadership understood, or was on top of, the job at hand.
While it would be unreasonable to expect the CEO of every UK bank or FTSE 100 business to be an expert on IT and cybersecurity, ultimately the buck stops with them. Given the monumental disruption to reputation and performance, there are a lot of lessons senior leaders can learn from the case of TSB.
Large businesses can also be put at risk due to the security shortcomings of the many partners they work with. This issue was evident when Ticketmaster was subject to a supply chain attack earlier this year. In this case, hackers used code supplied by Ticketmaster’s chatbot operator to extract payment details from its website after the code in question was incorrectly repurposed by Ticketmaster’s in-house team.
Similar activity was likely at play for the British Airways data breach, where data was lifted live from its website most likely via third-party code. BA is a regular participant in industry forums and best practice initiatives, and yet has still been affected, highlighting the risk big businesses face through their extended network of partners. Airlines in particular are at risk of attack because they frequently rely on complex infrastructure and shared services provided by airports, booking agents, aggregators and global distribution systems. Many don’t meet the security compliance rules we set here in the UK.
The same can be said for the financial services industry where there is constant interaction between myriad third parties and their affiliated platforms. For businesses of this size, resilience in the face of an attack is the modern approach. Always assume that someone will find a way in. Responding to that quickly will enable you to minimise loss.
To err is human
It’s also worth considering the somewhat unavoidable risk human threat poses to large institutions given the number of people they employ. It goes without saying that the potential for human error increases exponentially the bigger a work force is.
Our Penetration Risk Report found that people remain companies’ biggest weakness – across all sizes and sectors. Whether through human error or creating opportunities for social engineering hacks, the chances are that your staff will be your cybersecurity Achilles’ heel.
Accountancy giant Deloitte was targeted last year as hackers got hold of confidential data via an administrator’s account which had only single-factor authentication in place. In this case, it’s likely that access was achieved after the account password was exposed through phishing – where hackers pose as a trustworthy entity (usually via email) to obtain sensitive information such as usernames and passwords.
Fortunately for the majority of the businesses mentioned in this article, the breaches and failures fell before the arrival of GDPR. British Airways, however, is the first high profile business to experience a major data breach since new rules came into force in April. The new rules outline that a business can be fined as much as 4% of turnover if it has failed to take technical precautions to protect its customers’ data. Unfortunately for BA, if it is found to have failed in that duty of care, then its fine could total £489million.
On top of reputational damage, the proportionate nature of GDPR means that, more than ever, cybersecurity is an issue big businesses can’t afford to get wrong. The days of thinking ‘bigger is always better’ are numbered.
Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.
For more information, visit Coalfire.com.
ABOUT COALFIRE LABS
The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organisations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defences, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organisation.
It has emerged that TSB could be facing £16 million in fines for the catastrophic meltdown of its online banking software which prevented customers from accessing their bank accounts and using their debit cards. On the back of our Your Thoughts this week, Yaron Morgenstern, CEO at Glassbox Digital, discusses the important lessons we can learn from this ordeal.
Almost a month after the crisis emerged, mortgage account holders are still unable to access accounts online, while business customers continue to face problems making online payments.
TSB’s response to its customers’ fury is more revealing, with customers unable to get through to customer service teams, even after fraudsters have drained their accounts. Any financial organisation that truly values its customers can learn a number of lessons from this meltdown. Providing a positive and consistent customer experience is vital in today’s digital environment – and this is likely to get even more important as your clients move away from human interactions, such as in bank branches and via call centres.
In the aftermath of TSB’s IT disaster, the question is: how can organisations create digital engagements that are responsive to clients’ needs and at least as successful as human engagements?
A digital footprint is the only way to understand the issues your clients are experiencing, whether they are on a similar scale to the TSB crisis, or as tiny as a minor frustration. However, the Cambridge Analytica scandal has reminded businesses of the importance of considering ethical data collection when measuring your customers’ experiences.
These recent events, and the distrust that surrounds tech giants and data collection, have shown that financial organisations must inform their online users how their data is collected, stored and used. More importantly, it must be remembered that customer data is on loan to businesses for a given period of time and not owned by the organisation. As such, the data collected must be relevant to the individual customer and be able to offer them a distinct advantage in the customer experience.
In light of this mistrust it’s more important than ever that you demonstrate the advantage your processes offer to customers and clients. We are now in a world where there are all kinds of service users, devices and operating systems operating in the financial services environment. This landscape will only become more complicated as the number of IoT-enabled devices continues to increase. How organisations connect with customers will also evolve in line with these technological advances.
Digital mapping allows businesses to know precisely what browser, device and operating system each online user is operating on, and therefore to know more about the experiences users are having than ever before. The upshot for customers is that these organisations can offer an improved digital journey at every touchpoint in return.
In this digitally-enabled world, organisations should be more capable of staying in touch with their customers. Digital processes need to identify customer pain-points and solve these problems before they begin to mount up like they did at TSB. And instead of operating in complete silos, IT and customer service teams must work together. When considering the TSB disaster, you cannot help but wonder how prepared other parts of the business were for the back office switch.
How can you react immediately to any issues that emerge? Customisable alerts can be set up that go out to IT, customer service, marketing and web development departments that warn about problems on the website and app. With these alerts in place, all teams have full visibility of digital problems and there are no nasty surprises. Similarly, if a user then approaches a customer service representative with a problem, the handler of this complaint should be able to effortlessly tap into the online session data and identify what the issue is and where it lies.
The TSB fire was stoked by Sabadell’s development team, who before the IT crash were publicly toasting what they thought was a successful migration of customers to a new platform. Whilst this is a PR disaster, it also demonstrates how little they understood about the potential pitfalls they were facing. With such a heavy reliance on online experiences, it’s important your teams consistently prepare for failures, in order to best react.
Financial services firms must put in place processes that prevent online glitches (however small these may be). If they do so, businesses will enjoy increased customer loyalty and retention. Rather than simply employing digital mapping when moving legacy systems over or updating a customer portal, it should be engaged day-to-day.
Can you do it?
The finance industry is more reliant on the online experience to retain and win customers than ever before. Despite this, not all banks and insurers are doing it well. Making sure that your IT and business processes are ethical, ongoing and integrated will help guarantee customer loyalty and retention. This approach will insulate businesses from IT disasters like the TSB fiasco – or at least allow them to respond properly in the event of a crisis.
The ongoing TSB IT meltdown has been strong evidence of the risks and challenges financial institutions face daily. It has caused mass uproar from customers and severely tarnished the bank’s overall reputation.
TSB started a long-planned move of 1.3 billion customer records from its former parent company, Lloyds Banking Group, to Proteo4, a platform built by TSB’s Spanish owner, Banco Sabadell. The change-over, which started on Friday 20 April, was supposed to be completed over the weekend by 18:00 on Sunday. But on Monday morning millions of customers were unable to use online or mobile banking or had been given access to other people’s accounts.
Error messages and glitches meant paydays and company salaries were turned upside down across the UK. This has understandably caused a chain of problems across many sectors. TSB’s overall response has not been appreciated by the public and its customer service methods have been hugely questioned.
Below Finance Monthly lists some of Your Thoughts on TSB’s IT failure and its customer service approach.
Mark Hipperson, CTO, Centtrip:
Looking more closely at what happened and how the events evolved, it appears that some key IT best practices might have been omitted, such as:
And last but not least is proof of concepts (PoCs), which would have revealed any tech and planning errors. TSB should have run PoCs on test accounts, or even staff accounts, before the full release.
Alastair Graham, spokesperson, PIF:
Small business customers have reached a nadir in their relationship with traditional banking partners. Branch closures and the move of services online have meant that few now receive any active guidance or support from their bank in helping to grow their business.
At the same time, many feel that even basic banking services aren’t meeting their expectations. Even without issues such as the recent TSB banking crisis, businesses would like improvements to be made. Whether that is quicker account opening processes, simple lending or transparent and fair charges, the demand for alternatives is growing.
Tech innovations, combined with legislative changes such as Open Banking, mean that more products and services are being launched, designed specifically to meet the needs of small business customers. SMEs have already shown they will trust other providers when their banks fail to provide adequate services. This has been particularly evident where prepaid platforms offer more versatility, while still being a safe, secure and flexible method to transfer money.
Yaron Morgenstern, CEO, Glassbox Digital:
In today’s digital age, customer experience is more important than ever. This banking app drama has revealed how important it is to measure your consumer’s experience with complete visibility of any problems. This should really be an ongoing effort, and not just when you plan large scale back office migration. There are three fundamental tenets to an effective customer experience: observation of the customer journey via touchpoints, reshaping customer interactions, and rewiring the company’s services to align with customer expectations.
It is only through advanced digital analytics and AI technology that organisations can understand what is going through their customers’ minds. These are powerful tools for mapping out customers’ digital journeys from the moment they visit a website. This all goes to the heart of improving conversion in the digital customer journey.
Fabian Libeau, EMEA VP, RiskIQ:
The fact that TSB’s IT meltdown dragged on for such a long time meant that customers were locked out of their accounts for extended periods. It also made them vulnerable to digital fraud in the form of phishing. TSB itself has warned more than five million customers that fraudsters have been attempting to take advantage of its IT breakdown to trick people into handing over information that could enable them to steal their money. Criminals exploiting brands to defraud stakeholders in this way is nothing new, and we know that financial institutions are a much-loved target for hackers, given the highly-sensitive and valuable information they’ve been entrusted with – it is therefore no wonder that cybercriminals are queuing up for an opportunity to impersonate the bank online.
Andy Barratt, UK Managing Director, Coalfire:
In the grand scheme of things, the TSB incident is perhaps not as significant an event as a nation-state hack like last year's WannaCry. But it has still left many, including the ICO, concerned that a major 'data breach' occurred just weeks away from the implementation of the EU’s General Data Protection Regulation.
The power to hand out major fines that GDPR affords the regulator means that the price of poor data protection is about to become far easier to quantify. When the regulation comes into force at the end of the month, a breach like TSB’s would certainly require a Data Protection Impact Assessment and measures put in place to ensure a similar incident doesn’t happen in the future. At the very least, TSB will have put themselves on the ICO’s radar as ‘one to watch’ when GDPR comes into effect.
While the share price of Banco Sabadell, TSB's Spanish parent, wasn’t overly affected by the incident, there could still be a significant financial consequence for the bank. We now know that a large number of customers are affected so the cost of rolling back any mistaken transactions as well as offering support, and potentially refunds, is likely to eat up a lot of operational resource. This event should be a reminder that data protection and the safeguarding of personal information has to be top priority for financial institutions.
Andy Barr, Founder, www.10Yetis.co.uk:
The best thing you can say about the TSB approach to public relations throughout its issues is that it is going to become the modern benchmark for university lecturers on how not to approach crisis communications.
From the very outset, TSB has failed in its approach to handling this ongoing crisis. Its messages have been wrong, even from its highest-level member of staff, the CEO. He has repeatedly issued statements that have been incorrect and that he has had to retract and apologise for.
TSB’s brand reputation is now circling the plughole and its Spanish owners could very well be forced down the route of a re-brand in the mid to longer term in order to try and recover their reputation. I fully expect a classic crisis communications recovery plan 101 to be rolled out, once this all dies down. Step one; apologise (usually full page ads), step two; announce an independent investigation, step three; a member of the C-Suite gets the Spanish Archer (El-bow), and then step four; another apology before trying to move on.
Whatever the final outcome, this has been a public relations disaster for TSB and they are very lucky that at the time that it happened there was so much other “hard news” going on such as Brexit, rail company re-nationalisation and, of course, Big Don, over the pond, constantly feeding the 24-hour news agenda.
Danny Bluestone, Founder & CEO, Cyber-Duck:
The TSB fiasco shows that many organisations vastly underestimate data migrations. Moving data on such a scale from an incumbent system to a different one is an inherently complex task. There are several steps to follow for a successful migration.
First and foremost, it begins with a considered strategy for structural changes that ensures no legacy data is made unusable and new functionality is accounted for. Banks like Monzo test new features within alpha and beta modes, so new pieces of functionality are tried and tested before a mass general public release. TSB would have been wise to utilise test scripts and automated testing to auto-test thousands of permutations from login to usage of the system. Relevant applications that monitor errors could have then detected issues early on.
TSB could have also used a run-book for deployment so all steps of deployment are documented. When an error was detected, TSB could have rolled back without data loss. Problems could also have arisen if TSB failed to use a testing environment that was identical to the production environment. If there is even a slight difference, the user experience can break.
With regards to the application hosting, TSB should have an active engineering team monitoring performance 24/7. In our experience at Cyber-Duck – from working with numerous institutions including redesigning the Bank of England’s digital website – there really is no excuse for users to suffer. Complex data migrations can be dealt with in a secure and efficient manner if best practice methodology is followed.
Adam Alton, Senior Developer, Potato:
Software is difficult; Microsoft still hasn't finished Windows. Trying to write a new piece of software or create a new system, and then migrate everything over to it in one go is likely to go badly. The chances of it working are incredibly slim. Instead, a migration in several parts would be better. Release small, release often. When Mark Zuckerberg said "move fast and break things", you could interpret that as "you're going to break things, so do frequent and small releases in order that you break as little as possible before you get a chance to fix it". The problems with TSB's migration appear to be multiple and disparate; error messages, slowness and capacity problems, users shown the wrong data. It seems unlikely that these stem from a single cause or single bug, so it would seem that they tried to do too much at once.
Coerced optimism: when under pressure to get something to work, it's easy for a team of developers to wishfully believe that something is finished and working because they can't see any problems, even though their experience tells them that the complexity of the system and the rushed job they've done means that it's extremely unlikely to be free of issues. I wouldn't be surprised if IT workers at TSB fell into this trap, leading to the premature announcements that the problems were resolved.
Denying that you have a problem is always a bad idea. Amazon Web Services (AWS) provide a detailed status dashboard giving a continuous and transparent view of any issues on their systems. They don't deny that they occasionally hit problems but instead have a process in place for actively updating their customers with as much information as possible. This transparency and openness clearly win them a huge amount of customer trust.
Senthil Ravindran, EVP & Global Head, xLabs, Virtusa:
Fortunately for all involved, it seems as if the worst of TSB’s IT debacle is now behind it. But its botched migration led to more than 40,000 customer complaints in what was arguably the most high-profile banking error we’ve seen this year. Worse still, the technology itself isn’t to blame here – both previous owner Lloyds and the Proteo4UK system used by new owner Banco Sabadell have a good record in handling data. Instead, the responsibility here rests solely with TSB.
It mostly boils down to a lack of proper preparation on TSB’s part. Banks carry out small data migrations regularly, but a large-scale migration such as this typically calls for months of preparation. Actually moving the data isn’t the tricky bit; drawing the data from the siloes it’s stored in across the business and knowing how it’ll fit within the target system is the real challenge. This is why banks are increasingly looking to ‘sandbox’ the testing process; creating a synthetic environment with the data they hold to gauge how it’s likely to fit within a new system of record. Granted, this approach to testing doesn’t happen overnight, but when applied properly, it reassures banks that the actual migration will run smoothly.
This method would likely have spared TSB the disaster it has faced. Yet in reality, we’ll likely see similar high-profile stories appear over the coming months thanks to the combined pressures of GDPR and open banking. The former is forcing banks to bolster their data handling practices in order to avoid hefty financial penalties, while the latter is forcing banks to expose their data to all manner of third parties. Both initiatives are incredibly difficult for banks reliant on decades-old legacy IT systems to manage (indeed, it’s likely that the GDPR deadline this month may have added pressure on TSB to rush the migration through), and as the reality of this new banking environment begins to set in, expect to see other examples along the same lines as TSB’s.
The proposal is for 340 pence in cash per TSB share, with the UK bank saying it would be “willing to recommend an offer at the proposed price”.
The offer values TSB at £1.7 billion (€2.4 billion). TSB has a current market value of around £1.3 billion (€1.84 billion) and is the UK’s seventh largest bank.
The Board of TSB said in a statement that it “believes that Sabadell could support and accelerate TSB's retail growth strategy and accelerate the expansion of TSB's presence in the SME sector.”
Citigroup and Rothschild are acting as financial advisers to TSB and Goldman Sachs is acting as financial adviser to Sabadell.