After 1,300 TSB customers lost money due to an IT glitch, the bank needs to determine whether it was hit by a cyber-attack and make sure its security measures are in order, while it contends with an investigation by the Financial Conduct Authority
TSB became the latest bank to be caught with its trousers down after customers lost money in a move that has placed its IT migration procedures under the microscope.
After 2,200 fraud attempts were made and around 1,300 customers lost their money due to the bank’s IT glitches, the UK financial regulatory body Financial Conduct Authority (FCA) announced yesterday it is now investigating the company.
As TSB CEO Paul Pester faced criticism over the way he handled the ongoing problems at the corporation, Compelo looks at what went wrong and how the bank moves forward.
What happened at TSB to cause customers to lose money?
TSB – which is owned by Spanish bank Sabadell after it split from Lloyds in 2013 – had thousands of its customers locked out of their accounts and hit by fraud last month after it tried to transfer their data from an old IT system.
Paul Pester, the bank’s CEO, had failed to communicate with customers about how many of them were affected.
The FCA put pressure on Mr Pester over his reaction to the crisis and he later apologised and said he had been unaware of the severity of the situation.
“We are deeply sorry for the disruption TSB customers have experienced,” he said.
“We remain focused on doing whatever it takes to put things right and ensuring no customer will be out of pocket as a result of our technology issues.”
But there’s still questions over whether he will resign and how the bank will move forward.
The FCA fined TSB £28m in 2013 for failings in its controls over sales incentive schemes, but has refused to comment on whether it will ban or fine TSB executives over the migration.
In a letter to Nick Morgan, chair of the parliamentary treasury select committee, FCA chief executive Andrew Bailey said the organisation would be undertaking an investigation into the TSB’s IT migration.
He also stressed how the FCA held 38 meetings with the bank when the mention of IT migration came up, in order to make sure everything was being completed correctly.
In the letter, he also said: “The problems experienced by TSB have impacted a significant proportion of its customers across its main banking channels – mobile, web, telephony, branches and ATMs.
“Many customers faced significant impairment of their ability to view correct transaction data on their accounts and to make ad-hoc payments.
“While these challenges have reduced over the last few weeks, the FCA remains concerned about continued instability of performance.”
Could cyber criminals have spotted a weakness in TSB systems?
However, Ayal Zylberman, CEO at software testing company QualiTest, believes the company has been targeted by cyber criminals who are aware of its rocky history and warns TSB to take action now.
He said: “Cyber criminals will focus on companies rocked by internal scandals or public fall-outs and then react accordingly, with phishing attempts from fraudsters becoming more and more common.
“TSB must act now, or risk losing more customers with 12,500 already reported to have left, but the only way to do that is to properly integrate and test the software needed to prevent these cyber-attacks from happening again.”
This is just the latest example of cyber criminals using phishing to try to get victims’ money.
Hatem Naguib, senior vice president of security at Barracuda Networks, urges consumers to be wary and gives out his tips on what to look out for.
- An odd or unexpected request. Just because you recognise the name of the sender, it doesn’t mean it’s them sending it. If it sounds like an odd request, pick up the phone and call the person the email is supposedly from.
- A domain name changed by one letter (eg @gmoil.com instead of @gmail.com). This masking technique is easily overlooked and highly effective, but can nevertheless be overcome by hovering a cursor over the email address. A window will pop up showing the sender’s real domain.
- A message asking the recipient to open an attachment. This could contain malicious activity and should be approached with extreme caution. When in doubt, don’t open attachments.
How can TSB recover?
Yaron Morgenstern, CEO at software firm Glassbox, told Compelo he believes TSB will struggle to recover from this, and will need to spend the next year or so focusing on regaining the trust of its customers.
“In future, TSB must improve their ability to stay in touch with their customers,” he said.
“Knowing what is annoying, frustrating or paining your customers is more important than ever.
“Financial service providers now operate in a digitally-enabled world that offers them the chance to solve issues before they become intractable by identifying customer pain-points – it is up to TSB to put in place processes that do so.
“The organisation also must harmonise the work that IT and customer service teams are doing, in order to make sure this doesn’t happen again.
“This is not just about pre-empting issues from the big back office technology shift, but about continually recording and understanding, the digital journeys of their customer base.”
What can TSB learn?
TSB could have done a lot differently when it came to dealing with technology and fraud.
Mr Morgenstern said: “For any financial services provider, TSB’s IT failures provide a number of lessons for how to truly value customers.
He also stresses that financial organisations should start providing a positive and consistent customer experience, so they can succeed in today’s digital environment.
“Delivering on customer experience will only get more important as the financial services industry moves away from traditional channels of customer engagement, such as in bank branches and via call centres,” he said.
No sympathy for companies that don’t test their platforms
The tech sector is growing and organisations should be on the same track.
Grant Caley, chief technologist at cloud data services company NetApp, believes platform testing is crucial in today’s world, especially if it is being used for banking purposes.
He said: “While time-consuming, the impact of not conducting sufficient testing can be severe, leading to events such as mobile users being fed incorrect data to their accounts – thus highlighting the importance of having a comprehensive testing process.
“All banks must tread a fine line between getting innovative new services to market and making sure that the user experience is perfect, secure and bug free.
“Thanks to modern technology, testing platforms enable data-driven businesses to act at speed and with accuracy.
However, he doesn’t sympathise with TSB and has said system failures are preventable, believing modern financial services should be taking the opportunity to improve on their technology.
He added: “Technology exists to significantly parallelise the running of tests to ensure data processing accuracy, circumventing the limitations of serialised and slow testing strategies of the past.
“Hybrid cloud technology exists to enable the secure bursting and scaling of application service delivery and modern financial services organisations should be embracing the advantage these capabilities can provide.
“This is how banking organisations with huge data ecosystems service at customer peak times without downtime or delay, and without incurring additional capital expenditure costs.”