Offbeat

Legal

Brit banks must disclose outages via API, decrees finance watchdog

Perhaps TSB's total s*itshow wasn't in vain


The Financial Conduct Authority (FCA) is enforcing new rules that obligate banks to publicly reveal the number and frequency of online outages – including whether these were caused by malicious actors.

Billed as part of consumer-friendly changes to the small print for online banking services, new rules from the FCA and the Competition and Markets Authority will make financial institutions proactively reveal how often they have had to report “major operational and security incidents”.

The move was telegraphed by the FCA over the past few months, having begun with the TSB fiasco in April.

Banks will have to “publish the information on their websites in a consistent format” according to the FCA, while big banks will be expected to dish it up via an API compliant with the Open Banking Standards specs.

A quick squint at the Bank of Scotland’s OBS API (other flavours of moneymen are available) reveals four public incident reporting metrics are currently in use: “total number of incidents reported”; “incidents affecting telephone banking”; “incidents affecting mobile banking”; and “incidents affecting internet banking”.

The latter is likely to be of most interest to infosec-minded folk, as well as uncharitable techies wanting to exercise a little schadenfreude. (yes, you, Reg readers)

The FCA’s master list of banks’ APIs can be found on its website.

“More than any other industry, banks still contain a mix of archaic legacy systems, new cloud platforms, and yet are under pressure to accelerate their software development to combat the threat of their ‘digital-first’ competitors,” opined Dave Anderson, a marketing bod from API-making biz Dynatrace, in a canned quote.

Another marketer, Andrew Stevens of customer service biz Quadient, gravely intoned: “Banks should see this as an opportunity to improve their relationship with customers. By opening up a conversation and being clear about any disruptions to service, internal changes, or even changes to accounts will go a long way in positioning the bank as a trusted provider which cares about its customers..”

Small comfort for folk who were locked out of their TSB accounts earlier this year. Still, better to bolt the stable door before the rest of the herd make a dash for it. ®

Send us news
26 Comments

UK and Canada's data chiefs join forces to investigate 23andMe mega-breach

Three-pronged approach aims to uncover any malpractice at the Silicon Valley biotech biz

Snowflake breach snowballs as more victims, perps, come forward

Also: The leaked Apple internal tools that weren't; TV pirate pirates convicted; and some critical vulns, too

Qilin cyber scum leak data they claim belongs to London hospitals’ pathology provider

At least they didn’t get paid their $50M ransom demand

Coding error in forgotten API blamed for massive data breach

Australian telco Optus allegedly left redundant website with poor access controls online for years

Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals

Cybercriminals claim they used a zero-day to breach pathology provider’s systems

NHS boss says Scottish trust wouldn't give cyberattackers what they wanted

CEO of Dumfries and Galloway admits circa 150K people should assume their details leaked

Blackbaud has to cough up a few million dollars more over 2020 ransomware attack

Four years on and it's still paying for what California attorney general calls 'unacceptable' practice

UK's Total Fitness exposed nearly 500K images of members, staff through unprotected database

Health club chain headed for the spa on choose-a-password day

Student's flimsy bin bags blamed for latest NHS data breach

Confidential patient information found by member of the public

White House report dishes deets on all 11 major government breaches from 2023

The MOVEit breach and ransomware weren’t kind to the Feds last year

Pure Storage pwned, claims data plundered by crims who broke into Snowflake workspace

Secure storage company hasn't spilled details on how they got in

Cylance clarifies data breach details, except where the data came from

Customers, partners, operations remain uncompromised, BlackBerry says