back to article RBS faces biggest ever fine for THAT huge IT meltdown – leak

The UK's Financial Conduct Authority (FCA) is reportedly preparing to levy its biggest fine yet against Royal Bank of Scotland (RBS) Group over the bank's almighty computer meltdown two years ago. Sources at the FCA told Sky News that the fine would be "several tens of millions of pounds," although the state-backed banking …

  1. Anonymous Coward
    Anonymous Coward

    Corporate fines == useless

    Corprorate penalties are useless, they're just passed on to customers and employees.

    How many senior managers are going to face individual penalties? That would get their attention and might even change some behaviours.

    If the senior management (and their puppets on the remuneration committee) think that the company's success is due to their individual actions and therefore they deserve individual megabonuses when things go well, what does logic tell you should happen when the same people's individual actions cause megadisasters?

    1. Cliff

      Re: Corporate fines == useless

      That's a little harsh - that fine represents money that shareholders will feel they've been deprived of, so the board will have to justify it with a fall guy or risk investor groups questioning /their/ suitability to sit on the gravy train.

      1. Malcolm 2

        Re: Corporate fines == useless

        Cliff, I admire your optimism.

        The day has yet to dawn that shareholders / investor groups will have a real and fundamental impact on the actions of any company board. The cynic in me says that it never will.

    2. Voland's right hand Silver badge

      Re: Corporate fines == useless

      Not necessarily, especially for banks.

      Banks manage anything - including IT change control as "risk" now. The reason why jobs are moved to lower cost and lower qualification geographies is that the cost of risk in doing so does not outweight the cost savings.

      This fine will be a precedent for change in the risk (and its associated costs) calculations. Will this be enough to stop some of the genuine stupidities involved in IT decision making - dunno. It will however have some effect.

    3. Bunbury

      Re: Corporate fines == useless

      having had a property purchase caught up in this mess I remember it well. But as others have said I don't think fines are a good mechanism. I imagine the fine is there as primarily a crime and punishment approach, the fine being both a punishment and an example to others of the risk of poor systems practice. There might be a bit of motivation in there to fill treasury coffers but I suspect that's not a particular motivator here.

      The problem is, it won't work. If there was only one bad apple and the fine was big enough perhaps. But the UK retail banking sector is being effectively fined for all sorts of issues - payment Protection Insurance etc. so they'll all effectively increase revenues to compensate for these costs - customers are more likely to pay than taxpayers.

      Rather than the blunt instrument of fines, it might be better if there was a well policed and operated code of practice in the industry that encouraged good practice and allowed for the right level of quality.

      1. Anonymous Coward
        Anonymous Coward

        From an insider

        Me again, inside RBS.

        > There might be a bit of motivation in there to fill treasury coffers but I suspect that's not a particular motivator here.

        No, because you of course cannot fill Treasury coffers by fining a Treaury-owned body -- although I have no doubt there are some government accountants who think you can.

        > But the UK retail banking sector is being effectively fined for all sorts of issues - payment Protection Insurance etc. so they'll all effectively increase revenues to compensate for these costs - customers are more likely to pay than taxpayers.

        That hasn't happened, though. The banks have set aside large sums out of past revenues to deal with PPI, precisely so they can move on with business without having to constantly factor in those costs. PPI's been going on for a few years now. Have you seen a dramatic increase in your bank charges? If anything, bank charges have been going down over the same period. Because banks do actually think very long-term, and they want to avoid future fines -- and excessive charges have already attracted interest from regulators and are clearly a prime candidate for fines in the future -- and future unknowable fines are a much larger risk than current known costs.

        > Rather than the blunt instrument of fines, it might be better if there was a well policed and operated code of practice in the industry that encouraged good practice and allowed for the right level of quality.

        There is actually a combination of both in place. The FCA (or the BoE) don't just leap straight in with a massive fine. There's a lot of regulation prior to that point. With RBS, remember that there were three major IT crashes that directly affected customers.

    4. Anonymous Coward
      Anonymous Coward

      From an insider

      I'm in RBS at the mo.

      > Corprorate penalties are useless, they're just passed on to customers and employees.

      Well, yes and no. You could of course pass on costs to customers, but it's not a great idea, because you need to keep competing with the other guys who haven't been fined, and the last thing you need after paying a big fine is for your customers to take their money elsewhere. Similar with employees: to avoid the next fine, you need good staff doing things well, and cutting salaries causes them to go to other banks (and the labour market in banking is extremely liquid). Not saying that it doesn't happen -- it seemed pretty clear that Natwest tried passing on their costs to their customers in the wake of Robert Maxwell screwing them over -- but that was very bad for Natwest's reputation, and I think most of the industry have learnt from such mistakes, even if it took them a while. Certainly RBS have decided that their biggest mistake in the run-up to 2008 was a lack of good-quality customer service, and so their big company-wide target at the moment is to make customers want to stay. Passing on the fine to customers would be counterproductive.

      In general, such a fine will be passed on to shareholders. In the case of RBS, that's the taxpayer. (I don't really see the logic in the state fining the taxpayer myself.) From RBS's point of view, what that will equate to is a delay in reaching the point where they can buy themselves back from the state, which is something they really want to do. That's the real punishment.

      > If the senior management (and their puppets on the remuneration committee) think that the company's success is due to their individual actions and therefore they deserve individual megabonuses

      Sorry, which is it? That the costs of fines are being passed on to employees or that employees are being given huge bonuses? You do get that they're opposites, right?

      > what does logic tell you should happen when the same people's individual actions cause megadisasters?

      No argument from me (I'm a great believer in paying the price of failure, and I was against the bailouts), but we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job. We've all been there -- or I have, anyway -- although not always with such disastrous consequences. I'm not sure how I feel about individual members of staff being fined for mistakes. At the least, we need to recognise that what we're talking about here is making people homeless. Who'd apply for a job with that sort of risk attached?

      1. Anonymous Coward
        Anonymous Coward

        Re: From an insider

        "we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job."

        No, what caused this megadisaster was company working practices and an operational environment which allowed a particular individual making an embarrassing mistake (which happens to us all, and is a great way to learn) to turn into a megadisaster on a corporate scale.

        Anybody could have made that mistake. Management built the culture and practices that let a mistake become a disaster.

        Do you even begin to understand the difference?

        1. Destroy All Monsters Silver badge
          Trollface

          Re: From an insider

          "we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job."

          Those events in the Berlin Bunker could all have been avoided if that inexperienced sergeant in Greece had properly followed procedures and applied a different key to his Lorentz machine on the second round!

        2. Fatman

          Re: From an insider

          Management built the culture and practices that let a mistake become a disaster.

          Manglement, in its zeal to increase shareholder value, sent the work that was being done by experienced IT staff, and sent it offshore to less experienced IT staff, just to save money.

          Manglement should be taking the hit - garnish their pensions for their incompetence.

          1. Anonymous Coward
            Anonymous Coward

            Re: From an insider

            > Manglement, in its zeal to increase shareholder value, sent the work that was being done by experienced IT staff, and sent it offshore to less experienced IT staff, just to save money.

            This may well be true, but you're omitting two key things. Firstly, those shareholders are in theory the taxpayer, in practice the government. Secondly, as a result, management are influenced (to exactly what extent is not entirely clear, but they are definitely influenced) by the Cabinet.

      2. Doctor Syntax Silver badge

        Re: From an insider

        "we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job."

        And whose responsibility is it to ensure that inexperienced members of staff aren't in a position to make such a big screw-up and to ensure that there are robust fall-backs in place?

        The buck stops - has to stop - with senior management. If they want big pay then they should earn it by ensuring that this stuff can't happen. And the best time to do that is before it happens, not after.

        1. Anonymous Coward
          Anonymous Coward

          Re: From an insider

          > If they want big pay then they should earn it by ensuring that this stuff can't happen. And the best time to do that is before it happens, not after.

          That's a nice theory, but we're talking about systems built on millions of man-hours of programming over decades. Half of it's not documented. A lot of them are black boxes that no-one dare touch. There is a rumour that there's one UK bank whose standing order system works in pounds, shillings, and pence and has a decimal converter stuck on top of it -- might be apocryphal, but, even if not true, it's indicative. Yes, in some cases, there are experienced staff in the UK who know how to deal with certain problems but have had their jobs offshored. In other cases, though, those experienced staff have simply retired or died -- the stuff's that old. As El Reg reported, the BT Tower contains a load of phone switches that no-one can unplug because the labels peeled off years ago and so no-one even knows which phonelines are going through them. That's the reality with old infrastructure. Yes, it is possible to prevent disasters with such systems before they go wrong, but it can be a long drawn-out process -- long enough that disasters can occur while you're still working on it. So it is reasonable for senior executives, when deciding whether IT managers have screwed up in a punishable way, to consider whether they were simply sitting back and assuming everything was OK or were working to improve systems when the disaster happened. In the case of RBS, it's common knowledge that they've been working on rebuilding and properly documenting all their IT for years.

          There is no such thing as a computer system that doesn't fail -- only one that hasn't yet hit the right set of circumstances to cause a failure. RBS actually have an operational advantage now, having discovered three such sets of circumstances. The difficult bit will be to try and persuade customers of that.

      3. BoldMan

        Re: From an insider

        "we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job."

        It was caused by the decision to contract out the IT support to the lowest bid and get rid of the experienced staff that had dealt with similar problems in the past and knew what to do so that nobody experienced this sort of outage previously.

        This was a failure of management pure and simple and the management should suffer the consequences, but most likely won't.

      4. TheOtherHobbes

        Re: From an insider

        >ou need to keep competing with the other guys who haven't been fined, and the last thing you need after paying a big fine is for your customers to take their money elsewhere.

        Corporations don't compete for customers. They compete for shareholder investment and they lobby hard to minimise regulation.

        The standard corporate rule in the UK is to provide the most mediocre customer-hostile service you can possibly get away with.

        Customers are always at the wrong end of the Financial Penis Substitute.

        >You do get that they're opposites, right?

        What on earth are you talking about? Everyone knows that above a certain level of seniority you're Too Big To Fail, and below that level you're Too Small To Matter.

        >we know what caused this particular megadisaster, and it wasn't a senior manager; as mentioned in the article, it was an inexperienced member of IT staff screwing up a batch job

        Yeah, right. The graduate trainee walked in, leaving the usual trail of amniotic fluid, pressed the wrong buttons, and the system went down.

        Happens all the time in well-run IT depts with competent senior management who know what they're doing.

    5. Doctor Syntax Silver badge

      Re: Corporate fines == useless

      "Corprorate penalties are useless, they're just passed on to customers and employees."

      Fairly simple solution. The fine must be paid from the senior management bonus fund. And if a particular year's fund isn't big enough, just roll it on.

      OK, only fairly simple because it needs a mechanism to stop the fund being inflated by the amount of the fine.

      The same could be applied to all those "here's a few quid and we'll just keep keeping on" responses to complainants. Those few quid should come out of staff bonus funds. When they get depleted enough the staff learn to be more careful.

    6. Anonymous Coward
      Boffin

      Re: Corporate fines == useless

      They are not useless. Quite apart from anything else this will be yet another time when RBS is in the headlines for bad reasons. Each time that happens some number of people decide to bank elsewhere, which hurts RBS.

  2. Gordon 10 Silver badge

    Its not overly harsh

    Indivual members of staff can be done over for all kinds of misconduct already - mainly financial such as insider dealing and money laundering.

    The problem with doing it for IT staff would be making sure the responsible person got hit instead of some innocent foot soldier. Would have to be an un-writteb rule that it is applied at executive level eg MD.

    1. Squander Two

      Re: Its not overly harsh

      > Indivual members of staff can be done over for all kinds of misconduct already - mainly financial such as insider dealing and money laundering.

      Insider trading and money laundering are both deliberate actions. I don't think there's been any suggestion that the employee in question screwed up the batch job on purpose.

  3. JMiles

    Hmm

    "RBS Group has also pledged to spend £750m on its computer systems, both front and backend, and says it already spends £2bn a year as part of its IT budget."

    They do spend well, but not particularly wisely. Like most large companies they will spend years dreaming up requirements, then go buy up various blocks of enterprise software that they think may do the job and then expect lowly-paid techies to implement a solution in a few short months.

  4. localzuk

    Yay, lets fine the victims...

    Any fine paid by a company ends up being recovered via their customers, who in this case are also the victims. So, effectively, the FCA are fining the victims.

    When the management of a company are held fiscally and legally responsible for the performance of their company, we'll see real change. Until then, we're just gonna see more of the same.

    I'll sum it up like this - only a single banker was prosecuted after the crash. Just the one. And he wasn't even a high level executive.

    1. Squander Two

      Re: Yay, lets fine the victims...

      > only a single banker was prosecuted after the crash. Just the one. And he wasn't even a high level executive.

      Please explain which executives should have been prosecuted, and which laws they had broken. Then we may consider your complaint properly.

    2. I ain't Spartacus Gold badge

      Re: Yay, lets fine the victims...

      localzuk,

      It's very hard to prosecute people for screwing up. Especially as you have to prove who did what when. Although I do believe there should have been attempted prosecutions for what I would call deliberate fraud, such as incentivising your staff to sell shitty PPI deals - and hiding it all in the small print. But that's very hard to get criminal levels of proof on.

      However this narrative about the banking crisis misses out one fundamental thing. There was punishment. The problem is it was the shareholders who copped it. The government didn't bail out the banks for fun, it did it because it was cheaper than bailing out us, the banks' customers. So they were bailed out, rather than the expense, hassle and disastrous levels of economic dislocation involved in getting our savings back to us via the deposit insurance scheme.

      The shareholders got wiped out, as the government put capital in, and took shares. In theory the government may not lose very much money at all - and may even make a profit on the bank bail-outs. Eventually we're going to sell off those shares. We've already made a good chunk of the money back on Northern Rock, and there's even a good chance of turning a profit there, as the mortgages in the bad bank we kept are still being paid.

      By going for bail-outs, QE and deficit spending, we balanced most of the costs of the crash across the economy. So house prices dropped, but didn't plummet. This meant most people didn't go into negative equity, which kept us paying our mortgages, and kept the banks us taxpayers now own solvent. Savers lost out due to inflation and low interest rates, but then they got their money saved for them by everyone else, whereas the debt-spiral otherwise would have seen much of their savings wiped out.

      Compare this with the Eurozone, where they tried to cut their deficits faster, did some disguised QE (but unwound it too fast) and haven't bailed out their banks. That's been (and still is) a fucking disaster, that's screwed the debtors over horribly. The savers are still mostly safe, but as the debtors are now totally impoverished (including several governments), they'll stop servicing their debts, and then the savers will start losing out. That'll get the creditor states panicking, and then there'll be QE, when they see the choice between losing their badly invested savings or bailing out the rest of the Eurozone.

      1. Squander Two

        Re: Yay, lets fine the victims...

        Thank you very much, Non-Spartacus. It's been six years, and that's actually the first decent defence of the bailouts I've seen.

  5. El_Fev

    As RBS is majority owened by the government..

    This means we are fining the taxpayer! Plus this is what happens when you outsource the support to India to save on paying for British workers!

    1. I ain't Spartacus Gold badge

      Re: As RBS is majority owened by the government..

      Sure we're fining the taxpayer, who owns 70% odd. The other 30% of shareholders lose their 30%.

      But we're also going to sell RBS in a few years. So if they do it again, they know it's going to cost. As do the other banks. This is a nice incentive to spend a bit more on their IT. Particularly if it's made clear that the next fine will be higher.

  6. LucreLout
    Stop

    Stop the bloody offshoring!

    It's really simple - you take a system built decades ago and still ran by competent people, cut costs by moving the jobs offshore, to a place like India which has zero history with computing, and you wonder why they fuck it up?

    The systems are built in old languages often using out of date techniques. Even if the offshorians had the skill set to do the work, they don't have the experience.

    The FCA is simply posturing to play big man having been caught with their trousers round their ankles being rodgered senseless in the crash, when they were known as the FSA - same people, new moniker. If they actually want to achieve stable IT systems, the only answer is to force the biggest companies to keep the IT work onshore in the UK, where we have the history, the skills, and the experience to do it properly.

    1. Securitymoose
      Devil

      Offshoring saves money!

      That was the excuse the IT management used. Well, it saved a couple of rupees in the first case and cost millions of pounds in the second. Where to find the money? What about fining the outsourcing company and also reclaim the cash from the big payoffs certain top people received for the apparent mismanagement of the outsourcing process?

  7. Anonymous Coward
    Anonymous Coward

    FYI

    RBS Edinburgh were "employing" recently. They then let it slip that I wasnt been interviewed for a specific position and it was more a case of them just getting a feel for the skills available in the market as they are going to be moving their IT operations back on shore in the near future (how much wasnt stated, but a lot was inferred).

  8. Elmer Phud

    Oh, poo!

    So, once again, we will be paying for the misdeeds of others.

    Despite the clamouring for huge penalties - it's best to remember that apparently the taxpayers own RBS.

  9. Anonymous Coward
    Anonymous Coward

    Perhaps the senior IT Management who let 7,500 man years of site knowledge go will now have any bonus's clawed back as per the performance rules, although most of the guilty are now elsewhere anyway. I guess the spin on the report didn't have the offshoring as the root cause of the failures.

    The beancounters should add the fine to the balance sheet when they look at the "savings" made by moving jobs offshore. Not such a saving now, is it. (Companies and Governments considering offshoring should take note)

    It's funny walking round RBS these days - it's the same faces as four years ago, just they have red contractor badges now instead of blue staff badges.

  10. David_H
    WTF?

    Fine

    Shouldn't it be paid to the victims rather than to the government?

    1. I ain't Spartacus Gold badge

      Re: Fine

      The banks do have to pay the victims for any cocked up transactions and charges caused by the cock-up. Though nothing for not being able to get at their money for a week. But it was made clear at the time that this would happen, so it's not like people were in limbo.

      Sadly I was just organising a mortgage with Natwest that week, and I get 0.2% off my interest bill for having a current account with them. So I couldn't take my custom elsewhere. But other people were free to and most didn't.

      So in this case, the regulator are trying to make a point that's easy for the board to understand.

  11. Anonymous Coward
    Anonymous Coward

    great, can't wait for my share!

    ...

    I see, it only goes one way...

  12. Slx

    Banks basically do two things:

    1. Provide a range of savings and loans products that allow them to act as a source for capital investment in a prudent manner so as not to crash the institution into a brick wall requiring multi billion bailouts by the state.

    2. Run a secure, stable, reliable transaction processing and financial information system that provides users with infrastructure to send and receive payments and that manages the bank's accounting systems.

    This institution failed to do either of these core functions that basically define a bank. Yet, they carried on like as if they were doing a good job.

    Can you imagine say a large retailer doing this?

    They'd have to accidentally order in creates of manure instead of food products then accidentally set fire to most of their stores to even come close to the levels of incompetence.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021