NatWest failure: Cloud providers are open about outages, why not banks?

NatWest's massive technical failure has turned a spotlight on the IT used to keep money flowing through financial institutions, in particular raising the question as to whether banks should be more open about outages on their systems.

The problems that have hit NatWest and RBS customers across the country highlight the need for the financial industry to be more open about its IT. Image credit: NatWest

For almost a week, NatWest, Ulster Bank and parent company RBS have been grappling with a bug that halted direct debits and standing orders, and blocked off online and ATM access to accounts. During the outage, though, RBS and NatWest have provided their customers with such little information that even the BBC has been drawn into speculating about exactly which part of the IT system broke (batch processing, apparently).

The banks' attitudes to openness about outages compares poorly with the example set by cloud-computing providers — a sector that traffics in items (IT services) that are as critical to the running of a business as RBS/NatWest's payment systems are to their customers.

Clouds, such as Amazon's Amazon Web Service or Microsoft's Windows Azure, have status pages that give blow-by-blow technical details of an outage as it happens. They publish precise technical information and give time estimates for when a fix will be rolled out, how long the fix will take to percolate through the system, and when customers can expect to be able to use the service again.

This serves two purposes: it helps out businesses affected by the outage, as they can point their clients or managers to the exact cause of the problem. It also gives the service provider control of the story around their failure, as they are giving a constant, referenceable stream of information in a public forum. Customers get up-to-date information, and the provider keeps a grip on speculation around the fault.

NatWest's approach

Contrast this with NatWest's approach to the outage. While it has posted updates several times a day on the glitch on its homepage, these messages have been brief and reassuring, rather than informative. On Sunday, the last of the updates only appeared after customers had logged into their online banking, keeping it from general public view.

Cloud providers are under similar pressures in terms of security and are equally careful about keeping their proprietary IT infrastructure secret.

Separately, on the bank's home page, a longer-than-previous message from NatWest chief executive Stephen Hester, now appears for anyone who goes to the bank's site. However, Hester's message doesn't give the technical details of the fault or offer a timeline for when the balance-access problems should be over. The bank's FAQ page is similarly scant on technical details, though it does tell visitors that the initial problem has been fixed.

Over the six-day outage, NatWest has sent only a couple of emails to customers to let them know what is going on. Even though it makes sense to warn people before they need to deal with any related problems, most will have learned about the issues from news reports.

Granted, most customers will want to know when they can get at their money and whether any losses will be made good by NatWest before they think about the technical side. But if you cannot access your money, or cannot pay a bill, you want to know why. Furthermore, your creditors want to know why. The less information you have, the more worried you are going to be — and the less certain that you can trust the bank in the future.

Security via obscurity

Banks may say they need to be secretive about their IT infrastructure because of security concerns. But this does not stand up. First, it is a symptom of the 'security via obscurity' attitude that has been proven, time and time again, not to work in the face of a concerted attack. Second, banks deal in IT systems of equal levels of complexity to those of cloud providers, yet those providers disclose much more about their systems.

Take Amazon Web Services, for example. With a few clicks of a mouse I can find out where Amazon's datacentres are, where its edge locations are, what types of processors it uses (Xeons, of late), and what its network topology is like. But Amazon needs to be just as secure as a bank: it has datacentres specifically for the US government, has passed a range of stringent security certifications, and its chief information security officer head is a former section chief of the FBI. It understands security.

So why the information disparity? The problems at NatWest and RBS should serve as a wake-up call to the financial industry. Amazon and other cloud providers are under similar pressures in terms of security and are equally careful about keeping their proprietary IT infrastructure secret. Disclosure is a lot like walking a tightrope: companies need to balance their duty to the public with their own security protocols. The banks' reaction to a crisis is a far cry from that of their cloud contemporaries.

Once payments are flowing again, RBS, NatWest and the rest of the banking industry should be prepared to give some answers.