By Steve Rackham, CTO of Financial Services at NetApp
The House of Commons’ Treasury Select Committee recently revealed that the UK’s leading banks and building societies collectively endured over 800 hours of unplanned IT outages between January 2023 and February 2025. To put this into context, that is roughly 33 days, more than a month, of businesses and individuals being effectively locked out of their financial lives. Affected customers were unable to check balances, make payments, or carry out routine transactions. The most recent outage, in January, caused even more disruption because it coincided with the year’s first payday and the HMRC self-assessment tax deadline.
For thousands of customers, this was more than a glitchy application. People were unable to pay rent or mortgages, and businesses struggled to meet payroll. These failures have underscored the fragility of digital operations and the urgent need for robust resilience strategies. With the Digital Operational Resilience Act (DORA) now in force, financial institutions are obliged to take proactive steps to mitigate disruptions or risk regulatory penalties and reputational damage.
We can take three main lessons from these outages: the importance of preventing outages rather than merely recovering from them, the need to invest in the right infrastructure, and a clearer collective understanding of how far-reaching the fallout can be. As a result, banks today must embed a model of prevent, monitor and protect across their operations.
Incident response is not resilience
Banks have long invested in incident response teams to contain and manage disruptions when they occur. What these recent outages have highlighted is that incident response is not the same thing as resilience.
Naturally, reacting to a crisis promptly is non-negotiable for banks and financial institutions, not least because significant outages must be reported under FCA rules. However, it is not enough to be quick after the fact. Financial institutions must shift their focus to preventing outages and disruptions in the first place. That means proactively monitoring the technology stack for weak points, single points of failure and unaddressed vulnerabilities, and strengthening redundancy so that the failure of one component does not take the service down with it. Otherwise the cycle of outage and recovery will continue, with each disruption costing banks millions and further eroding customer trust.
Investment doesn’t buy reliability
The financial services industry has invested vast amounts in modernising infrastructure and digitising operations. Yet outages continue, even as some institutions spend north of £1 billion annually on IT upgrades. One reason that level of spend may not be translating into resilient digital infrastructure is that legacy systems tend to be patched piecemeal rather than fully modernised, so the underlying fragility remains.
A total, holistic overhaul might seem daunting given fears about downtime, expense, and the perceived complexity of the process. However, it doesn’t need to be so complex. It is now possible for infrastructure to be modernised in a matter of days rather than months or years.
This approach is more than worthwhile in the long term. Cloud infrastructure can help embed resilience into the digital architecture of banks or building societies. This foundation can then be reinforced by continuous stress testing, real-time risk monitoring, and establishing a culture that prioritises operational stability over short-term cost-cutting.
The ripple effects of an outage reach far and wide
Banking operations no longer exist in isolation. With the proliferation of third-party vendors, cloud providers, the rise of open banking and interoperability across industry applications, an outage in one entity can have cascading effects across the entire financial ecosystem.
For example, a failure at a cloud service provider can halt payment processing, while a vendor’s cybersecurity breach can expose sensitive banking data. As a result, banks must treat third-party risk exactly as they would treat their own, and weave it into their risk management and resilience planning.
So, what does this actually look like? For most it will mean setting stringent resilience standards for all vendors, verifying that suppliers actually meet them, and creating contingency plans for critical failures. Diversification is also an essential component of any resilience strategy: over-reliance on a single provider creates a concentration risk that can become systemic, so institutions should avoid it wherever practical.
With DORA now in effect, regulators are expected to take a hard stance on non-compliance, particularly given the high stakes of financial data security. Insurance claims, life savings, pensions – this is some of the most sensitive financial information people and businesses hold. As such, institutions must go beyond minimum compliance requirements.
Building a resilient future
With the UK’s banking sector still partly reliant on ageing legacy systems, financial institutions must recognise that major disruptions are no longer a matter of if but when. The gradual disappearance of bank branches has only amplified the severity of IT failures when they occur, making operational resilience an urgent priority from both an operational and a consumer point of view.
On top of this, regulators have made it clear that financial institutions will be held to higher standards. We are likely to see regulators assert themselves more often, making examples of non-compliant institutions and further highlighting industry best practice.
In short, UK banks must act decisively to strengthen their digital foundations. If they don’t, they risk being the next headline in a growing list of preventable financial crises.