Customers who bank with RBS, Natwest or Ulster Bank have today been experiencing issues when attempting to make payments with their debit cards.

It is currently understood that the problems are affect both online and in-store purchases for thousands of customers, although at time of writing ATMs and online banking services are understood to be operating as usual.

This isn’t the first time computer glitches and infrastructure faults have caused embarrassment for the group.

In January, Natwest and RBS customers reported debit cards being declined in stores and pin numbers blocked on New Year’s Day.

Back in September 2015, customers were unable to withdraw cash or use their card in branches for several hours.

A few months earlier in June 2015, many account holders were left without money for a weekend after 600,000 transactions (including direct debits, standing orders and mortgage repayments) were delayed following a botched upgrade of computer systems.

RBS also suffered a network meltdown in the summer of 2012, where around 6.5 Millions of people were locked out of their online bank accounts for several weeks, which RBS blamed on a cyber attack. This resulted in the bank being landed with a £56m fine by the FCA (Financial Conduct Authority) (compare that to the measly £400,000 fine handed to TalkTalk by the ICO (Information Commissioners Office) last week following their serious cyber attack last year)

It’s not yet clear whether today’s latest computer issues at RBS/Netwast/Ulster Bank are as a result of a cyber attack, but it’s more likely to instead be a result of human error and/or a botched software upgrade or configuration change.

If that’s the case – and in light of another incident at Globalsign yesterday where by a mis-configuration affected hundreds of thousands of people’s ability to access secure websites – it does beg the question; do large organizations such as RBS/Natwest and GlobalSign have sufficient resources and technically knowledgeable and competent IT teams to be able to not only adequately develop configuration changes in a “test” environment first before being rolled out “live”, but also then to actively monitor and be empowered to take swift action (i.e. to roll-back changes) should issues arise.

It’s interesting that as a result of the FCA investigation in 2012, they found that banks did not have adequate systems and controls to identify and manage their exposure to IT risks. In particular:

1. There were inadequate testing procedures for managing changes to software;
2. The risks related to the design of the software system that ran the updates to customers’ accounts were not identified;
3. The IT risk appetite and policy was too limited because it should have had a much greater focus on designing systems to withstand or minimise the effect of a disruptive incident

Four years on, have the banks learned from their mistakes and the FCA report? It’s looking increasingly likely that they’ve not…

UPDATE: 17th October

3 days after RBS/NatWest’s latest computer-related “issues” (an exact cause of which has so far not been forthcoming from the banking group), today, NatWest have revealed that they are forcibly closing the UK bank accounts for Russian state-owned TV news channel “RT”. No reason has been given for the forcible closure of RT’s account, but NatWest have stated that this is “final and non-negotiable“.

This is a very interesting new development! Could Russian state-backed “hackers” have been responsible for the NatWest/RBS outage last week (and perhaps other similar outages at the banking group previously?), and this move by the banking group is their/the UK government’s response/retaliation/”punishment” for the actions of the Russian state?

Are we on the verge of a new “Cold War” but this time in cyber-space?!