Major UK banks have responded to inquiries from the Treasury Committee after IT failures left thousands of customers unable to access their accounts.
Correspondence published by the UK government on May 8 revealed that HSBC, TSB, and Bank of Scotland provided explanations for the outages, as well as details on how they manage and compensate customer complaints.
In March 2025, several UK banks experienced significant periods of downtime due to IT system failures. As a result, many customers were unable to access their bank accounts, with some even locked out of personal accounts during payday.
Amind a rising number of bank outages in recent months, the UK Treasury Committee contacted a majority of the leading banks in March to address the IT issues. The move formed part of a broader effort to scrutinise financial policy in light of an ongoing investigation.
Within one of the responses provided to Dame Meg Hillier MP, Chair of the Treasury Committee, HSBC CEO Chris Pitt stated that the bank’s outage was caused by a fault in a “technical component”. He added that HSBC has since “enhanced alerting and monitoring systems to ensure swifter detection of any future issues”.
When asked by the TSC about the common causes of its IT failures, TSB CEO Marc Armengol outlined that three incidents were due to hardware issues, three were related to capacity restraints, two stemmed from changes by a third-party supplier, and one resulted from a database performance issue.
Addressing customer complaints during Lloyds Bank’s downtime, Group CEO Ron van Kemenade assured that customers would be “not left out of pocket” and that the bank would “cover any charges they incur such as late payment fees”.
Lloyd’s disclosed 700,000 customers – 2.8% of its 28 million customer base – were unable to log into their online account more than once, experiencing persistent latency issues.
As van Kemenade noted, customers being unable to access online banking can lead to missed payments – ranging from utility bills to instalment payments for goods and services – which in turn, may negatively impact an individual’s credit score.
When asked how Lloyd’s compensated affected customers, van Kemendade stated “We received 714 customer complaints, with an average compensation payment of £22 per customer. The overall aggregated amount paid to customers was £16,000.
“Complaint themes were mostly relating to a customer’s inability to make online payments or approve card transactions in the app. Of the 714 complaints received, 157 (22%) were classified as vulnerable.”
Potential remedies?
While banks will now look to implement solutions to mitigate any potential further IT outages, the answer may lie with updating their operating systems.
Speaking to Payment Expert recently (6 May), Michael Hanson, VP of Banking, Financial Services and Insurance at Quantum Metric, believes banks should begin to look into adopting cloud-based systems to replace outdated legacy systems to avoid potential IT failures in the future.
“The recent outages highlight the risks associated with legacy systems or workflows. While these have served banks for years, they cannot keep pace with the digital demands of today’s customers,” he said.
“Moving to cloud-based systems, along with a proactive, agile approach, offers greater stability, resilience and flexibility, which are essential in preventing disruptions or lessening their impact.”
While cloud-based systems are not entirely immune to cyberattacks and IT failures, they are more agile and adaptable to evolving changes within the digital landscape, and can also handle processing more quickly and efficiently than legacy systems.
When asked if there was room for banks to introduce offline capabilities to support customers during down time periods, Hanson revealed that “banks are already exploring offline features like transaction history access or basic payment functionalities to ensure customers aren’t completely disconnected during disruptions”.
A growing problem
Marks & Spencers (M&S) is the latest UK company to be hit with a cyber attack. Today (May 13), the highstreet retailer confirmed its customers’ personal data had been obtained.
According to Sky News, the Scattered Spider Group have been responsible for several hacks of M&S customer data for the past several weeks, with this latest attack resulting in them accessing personal data.
M&S CEO Stuart Machin assured customers there is “no need for customers to take any action”.
Machin revealed data was accessed in a “sophisticated nature”. He also reiterated his assurances that “usable payment or card details” were not shared as the retailer “does not store this information on its systems”.
“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online,” he said.
M&S first began experiencing cyber issues on April 20 after it was forced to halt sales and its recruitment process as criminals continued to perform ransom attacks to its softwares.
This, in turn, caused instability for the company as its employees were unable to complete transactions as they had to turn to adhoc personal devices to continue working as M&S’ systems were becoming compromised.
Speaking to Sky News on May 4, one anonymous M&S employee told the news outlet that it could be “months” before its IT systems fully recover, describing the cyberattacks causing “chaos” and that the company “didn’t have a cyber attack plan”.
While M&S have asserted that sensitive customer information such as card details have not been shared in the latest cyberattack, there has been no clarification if names, addresses, emails, etc., have been leaked to the attackers.
This information falling into the wrong hands could lead to cyber criminals developing phishing attacks targeting victims, possibly leading to fraud.
