Rules Navigator

Major UK banks had 803 hours of outages in the last two years

Front view of a Barclays branch.
Barclays had the most number of incidents (33) in the two-year period. Photo: Huw Fairclough/Getty Images

Hameed Shuja, Thomas Hyrkiel

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

While deeply concerned about affected customers, the UK Treasury Committee was measured in its criticism, expressing gratitude to the banks compensating customers.

A new report by the UK Treasury Committee has revealed the impact of tech and system failures on internal operations and customers in nine of the UK’s major banks and building societies during the past two years.

The firms suffered a total of 803 hours of tech and system outages during January 2023 and January 2025, the equivalent of more than 33 days, the report has found.

During that period, “At least 158 banking IT failure incidents affected millions of customers’ ability to access and use services,” the Treasury Committee has said.

“Problems with third-party suppliers, disruption caused by a change in systems and internal software malfunctions” were among the major reasons for IT failures over the two year period.

Customers and compensation

The data was compiled after the Treasury Committee wrote to nine major banks in February, asking them about the nature of the outages, the banks’ responses, steps to prevent such failures in the future, the number of customers affected and an estimate on potential compensation.

Chair of the Treasury Select Committee, Dame Meg Hillier MP, has said: “The fact there has been enough outages to fill a whole month within the last two years shows customers’ frustrations are completely valid.”

But she has also thanked the banks for “doing all they can to minimise the impact on their customers” and for “compensating their customers well for the stress they endure.”

The report highlights the vulnerability of the banking industry and the overall financial services sector as a result of its increasing reliance on third-party service providers, especially for IT and other connected banking infrastructure needs.

Of the total 151 outages shown in the table below, 33 incidents (more than 20% of the total) were caused by issues with third-party service providers.

This includes the CrowdStrike outage, which affected HSBC servers for 38 hours, but which did not affect any of its channels and only had an impact on 40 customers – possibly as a result of not affecting critical components or a testament of robust back-up or alternative systems in place at the bank.

Note: Stats in the table below are based on data shared by the banks with the UK Treasury Committee.

Graphic: GRIP

In addition to failures caused by third party suppliers, two other types of prevalent problem causes have been identified by the report: system change and software problems are both obvious culprits of system downtime.

Examining the responses from the banks in the report it is clear that system changes, many of which will be attempts to upgrade existing systems or improve on their security, remain a point of real vulnerability.

The complexity of the technology stack underpinning bank operations as well as its interconnectedness means that any poorly-thought-through change in configuration, an inadvertently applied incorrect setting, or an incompatibility between systems will invariably result in a customer outage when deployed to the production environment.

Software issues

Software issues, including those connected to security certificates, tend to be more easily identifiable and of a shorter duration, but can also have a significant impact (see Barclays system outage below) where no solution is available (many system changes will include the possibility of a roll-back, which is not a solution available to address an unplanned software problem). The impact and duration of an outage can be significant if this compromises a core database(s).  

The submissions from HSBC and Barclays make for particularly interesting reading not only because they come from very large financial institutions, but because of the level of detail disclosed on the root causes of the outages.

These include issues with physical network components or hardware including those of lack of capacity during peak operating periods. The latter a testament of the sheer volume of transactions processed on a continuous basis by the largest retail banks.

We also noted with interest that HSBC appears to be the only bank that has reported outages as a direct result of cyberattacks – specifically DDoS strikes against the bank in 2023 and 2024.

Finally, the table in the submission from Lloyds includes a very well-organized table of material outages with the “failure description” column. This is worth highlighting as a sort of best practice example for the taxonomizing of IT issues in a clear and easily understandable way.

Millions in redress

And speaking of compensation, Barclays has said it will be paying customers in the region of £5m ($6.47m) to £7.5m ($9.7m) due to its latest system outage between late January and early February that lasted for several days.

“We are deeply sorry for the impact this incident has had on our customers who were not able to access some of our services during the incident period,” the bank’s UK chief executive Vim Maru has told the Treasury Committee in a letter.

Barclays has said the incident was caused by “a software problem in a critical module of our UK Mainframe operating system,” and has ruled out the involvement of a malicious cyber actor or any other malicious activity.

The incident took place after the Treasury Committee’s compilation of its report and the bank has therefore not included the information in their aggregated figures for the period between January 2023 and January 2025.

Nevertheless, the severity of the outage was significant: “56% of online payments during the incident failed due to ‘severe degradation’ of their Mainframe processing performance.”

Number of incidents

According to the Committee’s findings, Barclays also had the highest number of incidents (33) during the two year period, but also paid the highest amount, around £5m ($6.47m), in compensation.

It was followed by the Bank of Ireland UK and NatWest Group, who paid compensations in the region of £350,000 for their IT and system failures.

Barclays has also said 3.3 million of its customers were affected by the outages, which is the highest for the two-year period. It was closely followed by HSBC with 3.1 million customers affected.

In terms of the amount of time, NatWest topped the list with a total of 194 hours (more than eight days) of outages during the assessed period.

One of the things that becomes very clear when examining the submissions, however, is how difficult like-for-like comparisons between institutions can be given the very different approaches being taken to disclosures (including not only presentation, but also the level of detail provided as noted above) and, also, to the underlying classification of incidents.

Also worth noting is the fact that the largest retail banks are obviously more susceptible to systems issues simply as a result of scale – the size of the technology real-estate, the sheer number of transactions being processed on a near continuous basis and the very large number of customers affected when things go wrong.

Note: Stats in the table below are based on data shared by the banks with the UK Treasury Committee.

Graphic: GRIP
, , , , , , , ,

You may also like