Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Offbeat

Legal

Brit banks must disclose outages via API, decrees finance watchdog

Perhaps TSB's total s*itshow wasn't in vain

Gareth Corfield Thu 16 Aug 2018  //  08:40 UTC

The Financial Conduct Authority (FCA) is enforcing new rules that obligate banks to publicly reveal the number and frequency of online outages – including whether these were caused by malicious actors.

Billed as part of consumer-friendly changes to the small print for online banking services, new rules from the FCA and the Competition and Markets Authority will make financial institutions proactively reveal how often they have had to report “major operational and security incidents”.

The move was telegraphed by the FCA over the past few months, having begun with the TSB fiasco in April.

Banks will have to “publish the information on their websites in a consistent format” according to the FCA, while big banks will be expected to dish it up via an API compliant with the Open Banking Standards specs.

A quick squint at the Bank of Scotland’s OBS API (other flavours of moneymen are available) reveals four public incident reporting metrics are currently in use: “total number of incidents reported”; “incidents affecting telephone banking”; “incidents affecting mobile banking”; and “incidents affecting internet banking”.

The latter is likely to be of most interest to infosec-minded folk, as well as uncharitable techies wanting to exercise a little schadenfreude. (yes, you, Reg readers)

The FCA’s master list of banks’ APIs can be found on its website.

“More than any other industry, banks still contain a mix of archaic legacy systems, new cloud platforms, and yet are under pressure to accelerate their software development to combat the threat of their ‘digital-first’ competitors,” opined Dave Anderson, a marketing bod from API-making biz Dynatrace, in a canned quote.

Another marketer, Andrew Stevens of customer service biz Quadient, gravely intoned: “Banks should see this as an opportunity to improve their relationship with customers. By opening up a conversation and being clear about any disruptions to service, internal changes, or even changes to accounts will go a long way in positioning the bank as a trusted provider which cares about its customers..”

Small comfort for folk who were locked out of their TSB accounts earlier this year. Still, better to bolt the stable door before the rest of the herd make a dash for it. ®
Send us news
26 Comments

Young Consulting finds even more folks affected in breach mess – now over 1 million

The insurance SaaS slinger may trade under a different name, but past continues to haunt it

Former US Army Sergeant pleads guilty after amateurish attempt at selling secrets to China

PLUS: 5.4M healthcare records leak; AI makes Spam harder to spot; Many nasty Linux vulns; and more

Glazed and confused: Hole lotta highly sensitive data nicked from Krispy Kreme

Experts note 'major red flags' in donut giant's security as 161,676 staff and families informed of attack details

Dems demand audit of CVE program as Federal funding remains uncertain

PLUS: Discord invite links may not be safe; Miscreants find new way to hide malicious JavaScript; and more!

US infrastructure could crumble under cyberattack, ex-NSA advisor warns

PLUS: Doxxers jailed; Botnets bounce back; CISA questioned over app-vetting program closure; And more

AT&T not sure if new customer data dump is déjà vu

Re-selling info from an earlier breach? Probably. But which one?

ConnectWise customers get mysterious warning about 'sophisticated' nation-state hack

Pen tester on ScreenConnect bug: This one ‘terrifies’ me

Data watchdog put cops on naughty step for lost CCTV footage

Greater Manchester Police reprimanded over hours of video that went AWOL

Attack on LexisNexis Risk Solutions exposes data on 300k +

Data analytics and risk management biz says software dev platform breached, not itself

Adidas confirms criminals stole data from customer service provider

Hackers take personal data bytes from the brand with three stripes

Eeek! p0wned Alabama hit by unspecified 'cybersecurity event'

PLUS: Euro-cops take down investment scammers; Fancy Bear returns to Ukraine; and more

Coinbase extorted for $20M. Support staff bribed. Customers scammed. One hell of a SNAFU

Expert tells us: 'It is the most unique breach disclosure I've ever seen'