TSB's IT Meltdown Was Evident A Year Before

The banking software at the heart of TSB’s troubles this week was doomed to failure from the start, an insider with extensive knowledge of the systems involved has said. With customers locked out of their bank accounts, mortgage accounts vanishing, small businesses reporting that they could not pay their staff and reports of debit cards ceasing to work, the TSB computer crisis has been one of the worst in recent memory. 

The bank faces a compensation bill likely to run to tens of millions of pounds, and CEO Paul Pester said recently that the bank was on its knees.

Just before the bank’s services crumpled, software engineers and Banco Sabadell, TSB’s Spanish owner, were toasting their own efforts with champagne and claiming a job well done. The comments posted below the photo read: “Hell of a team!” and “Champions!” However, the warning signs that a catastrophe of this magnitude might happen were apparent a full year earlier.

When TSB split from Lloyds Banking Group (LBG), a move forced by the EU as a condition of its taxpayer bailout in 2008, a clone of the original group’s computer system was created and rented to TSB for £100m a year.

That banking system was a “bodge of many old systems for TSB, BOS, Halifax, Cheltenham and Gloucester and others” that had resulted from the “nightmare” integration of HBOS with Lloyds as a result of the banking crisis, according to one insider who had extensive access to and intimate knowledge of LBG and TSB’s internal systems over a prolonged period.

“The idea with the IT was to create a mirror copy of the sprawling LBG merged systems and use this to service the much smaller TSB bank. It seemed a bad fit for a smaller bank to inherit all the problems of a bloated mess to service far fewer customers,” the insider said.

Under this arrangement, LBG held all the cards. It controlled the system and offered it as a costly service to TSB when it was spun off from Lloyds in September 2013. 

When Sabadell bought TSB for £1.7bn in March 2015, it put into motion a plan it had successfully executed in the past for several other smaller banks it had acquired: merge the bank’s IT systems with its own Proteo banking software and, in doing so, save millions.

Sabadell was warned in 2015 that its ambitious plan was high risk and that it was likely to cost far more than the £450m Lloyds was contributing to the effort. 

“It is not overly generous as a budget for that scale of migration,” John Harvie, a director of the global consultancy firm Protiviti, told the Financial Times in July 2015. But the Proteo system was designed in 2000 specifically to handle mergers such as that of TSB into the Spanish group, and Sabadell pressed ahead.

By the summer of 2016, work on developing the new system was meant to be well under way and December 2017 was set as a hard-and-fast deadline for delivery.

“The time period to develop the new system and migrate TSB over to it was just 18 months,” the insider said. “I thought this was ridiculous. TSB people were saying that Sabadell had done this many times in Spain. But tiny Spanish local banks are not sprawling LBG legacy systems.”

To make matters worse, the Sabadell development team did not have full control, and therefore a full understanding, of the system they were trying to migrate customer data and systems from because Lloyds Banking Group was still the supplier.

“This turned what was a super-hard systems job [into] a clusterfuck in the making,” the insider said.

By March 2017, the nightmare for customers that was going to unfold a year later appeared inevitable. “It was unbelievable, hardly even a prototype or proof of concept, yet it was supposed to be fully tested and working by May before the integration work started,” the insider continued. “Senior staff were furious about the state it was in. Even logging in was problematic.”

By the autumn it still was not ready. TSB announced a delay, blaming the possibility of a UK interest rate rise, which did materialise, and the risk that the bank might leave itself unable to offer mortgage quotes over a crucial weekend.

Sabadell pushed back the switchover to April to try to get the system working. It was an expensive delay because the fees TSB had to pay to LBG to keep using the old IT system were still clocking up: Pester put the bill at £70m.

On 23 April, Sabadell announced that Proteo4UK, the name given to the TSB version of the Spanish bank’s IT system, was complete, and that 5.4m customers had been “successfully” migrated over to the new system. Josep Oliu, the chairman of Sabadell, said: “With this migration, Sabadell has proven its technological management capacity, not only in national migrations but also on an international scale.”

The team behind the development were celebrating. In a LinkedIn post since removed, those involved in the migration were describing themselves as “champions”, a “hell of a team” and were pictured raising glasses of bubbly to cheers of “TSB transfer done and dusted”.

However, only hours after the switch was flicked, systems crumpled and up to 1.9m TSB customers who use internet and mobile banking were locked out. “I could have put money on the rollout being the disaster it has been, with evidence of major code changes on the hoof over last weekend and into this week,” the insider said.

Twitter lit up as customers frustrated by the inability to access their accounts or get through to the bank’s call centres started to vent their anger.

Customers reported receiving texts saying their cards had been used abroad, that they had discovered thousands of pounds in their accounts they did not have, or that mortgage accounts had vanished, multiplied or changed currency.

One bemused account holder showed his TSB banking app recording a direct debit paid to Sky Digital 81 years from now. Some saw details of other people’s accounts and holidaymakers complained that they had been left unable to pay restaurant and hotel bills.

TSB, to customers’ fury, at first insisted the problems were only intermittent. At 3.40am on Wednesday 25 April, Pester tweeted that the system was “up and running”, only to be forced to apologise the next day and admit it was actually only running at 50% capacity.

Recently he admitted the bank was on its knees, announced that he was personally seizing control of the attempts to fix the problem from his Spanish masters, and had hired a team from IBM to do the job. Sabadell said it would probably be another week before normal service returned.

The financial ombudsman and the Financial Conduct Authority have launched investigations. The bank has been forced to cancel all overdraft fees for April and raise the interest rate it pays on its classic current account in a bid to stop disillusioned customers taking their business elsewhere.

The number of complaints is slowing, but they have not yet ceased. One customer told the Guardian that some of their personal details that have been switched on to the new system were five years out of date. A Twitter user said they had contacted the bank about a text message received relating to an account closed more than five years ago. 

The software Pester had boasted about in September of being 2,500 man-years in the making, with more than 1,000 people involved, has been a customer service disaster that will cost the bank millions and tarnish its reputation for years.

Guardian:
