It’s the IT, BoI
Springsteen wasn’t Bank of Ireland’s only recent IT debacle.
What is the point of Bank of Ireland? Exactly what, or who, is Bank of Ireland for? Certainly not for ordinary customers if they also happen to be Bruce Springsteen fans. On Friday, the bank’s app crashed just as tickets for the Boss’s RDS concert were released.
Moreover, Bank of Ireland (BOI) is not for anyone who needs to complete any transaction face-to-face. About one third of BOI’s Irish branches were culled in 2021 – mostly in areas that already have poor access to banking hall services. And, even if you manage to find a branch that remains open, most staffed-cash-windows have been replaced with self-service teller machines.
The cumulative effect of these changes is that most bank customers now obtain their money through digital channels.
Payments are made through either websites or the mobile app that is provided by their bank. Banks have a financial incentive to deny customers access to branches and force them online regardless of customer preferences – it is far cheaper to provide day-to-day banking services to ordinary customers online than through physical bank branches.
This is a deliberate strategy on the part of banks to make customers get their money through digital channels. Or, in the case of BOI customers, to try to get their money through digital channels.
On Friday, BOI announced the latest interruption to its online services.
Although disappointed music fans drew most attention on Twitter, in fact, all its retail customers were left without any access to their accounts through BOI’s mobile app. That announcement relied on the anodyne explanation that “some customers are experiencing difficulty accessing our app”. The reassurance that “our teams are working hard to resolve this as soon as possible” will have been little comfort to customers who were unable to complete transactions.
In response to questions posed by Village, a BOI spokesperson explained that the interruption of service lasted two and half hours and was fixed later in the morning. The bank confirmed that the service was not overwhelmed by any surge of activity on its app, with the volume of transactions remaining at normal levels.
Customers attempting to use the BOI app to buy tickets were the victims of an unfortunate but unrelated coincidence as: “(U)nfortunately the timing of the technical issue overlapped with when the Bruce Springsteen tickets went on sale”. The spokesperson extended the bank’s apology “for the inconvenience caused to customer as a result of the issue”.
This carries the worrying implication that what occurred was just an ordinary banking failure – doing little to allay fears that BOI’s mobile app is unreliable even under normal conditions.
At the time of publication, BOI had not commented when this suggestion was put to it. Neither had it replied when questioned if the crash represents a repeat of the contraventions identified in the settlement agreement concluded with the Central Bank of Ireland (CBI) on 30 November 2021.
Less than 6 months ago, BOI was fined €24.5 million and reprimanded for “breaches of its IT service continuity framework and related internal control failings”.
Less than 6 months ago, BOI was fined €24.5 million and reprimanded for “breaches of its IT service continuity framework and related internal control failings”. In its statement, the Central Bank of Ireland (CBI) explained that: “IT service continuity failings were repeatedly identified from 2008 onwards but…only started to be appropriately recognised and addressed in 2015”.
The details of the settlement agreement outline that, from 2008 to 2015, and despite third-party contractors repeatedly drawing the bank’s attention to these deficiencies as critical problems, concerns about the resilience of the bank’s IT systems were not brought to the attention of the board or appropriate executive committees.
For seven years BOI senior managers either did not know, or, were not told, that its creaking IT systems were incapable of ensuring “continuity of service in the event of significant IT disruption”.
For seven years BOI senior managers either did not know, or, were not told, that its creaking IT systems were incapable of ensuring “continuity of service in the event of significant IT disruption”.
It took a further four years for BOI to take steps to remedy the situation to the satisfaction of the CBI. As a result, “(F)rom 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity”.
It took a further four years for BOI to take steps to remedy the situation to the satisfaction of the CBI. As a result, “(F)rom 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity”.
The CBI’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, underlined the significance of these failings for ordinary people:
“… IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving…given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations”.
It is now clear that the CBI was gravely mistaken in its assessment that BOI had the requisite “operational resilience designed to protect consumers and ensure financial stability”. The basis on which the settlement agreement was reached was, in part, that BOI had in place an adequate “runbook” (the plan to ensure the continued provision of critical services should an incident arise including procedures to begin, stop, supervise, test and restart a service/system) and “failover” (a redundancy procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure) capable of protecting customers.
Friday’s debacle makes a mockery of the promise from Christine Hamill – who, without a trace of irony, holds the title of Director of the Digital Centre of Excellence at Bank of Ireland – that:
“(T)he financial wellbeing of our customers is a top priority for us, meaning we are committed to giving customers more control over their money. These new capabilities do exactly that, by enabling our customers to manage even more aspects of their day to day (sic) finances in a safe and secure way, using our mobile app or desktop, and without having to call us or visit a branch, if they chose to do this. We look forward to bringing more new features to customers over the coming months”.
Having taken 11 years to solve its IT problems, BOI still cannot guarantee the provision of critical services which is not just a regulatory and legal obligation, but, a basic minimum standard to qualify a bank as a bank.
Next year the words of “Pay Me My Money Down” will ring around the RDS, but, as far as BOI is concerned, its customers can whistle.
