Since the 2007 crisis, all eyes have been on the financial sector to improve its risk management and rebuild trust – but the failure to tackle IT disasters is where the industry's next challenge is coming from.
This lack of competence has left customers "cashless and cut-off" at a level and frequency deemed "unacceptable" by the UK Treasury Committee group of MPs.
Banking is becoming increasingly digital, with 71% of UK adults using online tools to manage their accounts in 2017, and now demanding round-the-clock access to financial services.
As a result, firms should be consistently preventing, adapting and responding to IT incidents that can affect users' access to those services.
This is not the case. This year, the Financial Conduct Authority (FCA) said that there had been no less than a 300% year-on-year increase in the number of IT failures reported by financial firms.
And the past few years have seen major banks regularly making headlines for outages that left online bankers locked out of their accounts. One of the worst failures happened in 2012, when a software update resulted in 6.5 million customers being unable to get accurate balances for their accounts at RBS, which landed the firm a hefty £56 million fine.
Since then, Visa saw 5.2 million transactions hit by a service outage in 2018; the same year, millions of Barclays customers were unable to access their accounts following a technical glitch.
It was the same year that TSB's computer failure caused 1.9 million people to lose access to online banking services. This cost the bank an estimated £330 million and 80,000 customers.
Steve Baker, the Committee's lead member for the most recent report, said: "The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable."
What it found was largely an industry that does not seem prepared for the technological requirements of the digital age.
Among the common causes of incidents, for example, it was found that legacy IT infrastructure is not systematically upgraded to meet new customer expectations; that cyber risk is the fourth most common cause of incidents; and that 20% of failures were a result of firms' overconfidence in their ability to manage IT changes.
What the report also showed was that, on a management level, financial companies are failing to hold individuals accountable for outages.
The senior managers regime (SMR), which was put in place following the crash in 2007, holds senior staff accountable for financial operations – but when it comes to financial infrastructure, which in turn determines the efficiency of an IT system, the distribution of responsibility is not as straightforward.
As a result, the report highlighted, there has to date never been a successful enforcement case against an individual following an IT failure.
David Bailey, executive director at the Bank of England, said: "We do not have the same senior managers regime applicable to financial market infrastructure. It is an area where accountability in the firms that I supervise could be enhanced".
But it is ultimately the way that companies handle the crisis once it is already underway that was most heavily condemned by the Treasury Committee. Baker pointed the finger at "the hollow words" that "for too long" have been issued by financial institutions after their systems fail.
TSB, for example, claimed that "the vast majority" of its customers were able to access their online accounts shortly after its computers failed – when in fact the successful log-in rate was only 50%.
As much as banks are to blame for their negligence, however, the report noted that change needs to happen at the level of regulators – that is the FCA, but also the Bank of England and Prudential Regulation Authority (PRA).
For example, expanding the SMR to financial infrastructure to increase accountability is within the competence of regulatory bodies and not individual companies. Or regulators could increase levies to ensure banks have enough staff, resolve complaints and award compensation rapidly.
"To ensure accountability for failures, regulators must have teeth and be seen to have teeth", the Committee said.