
Barclays’ IT outage exposes a major resilience gap: Four critical lessons for UK financial institutions



On January 31, Barclays Bank suffered a major IT outage that left customers unable to access their accounts, make payments, or view accurate balances. The disruption couldn’t have come at a worse time—coinciding with payday and the HMRC self-assessment tax deadline, impacting individuals and businesses who were relying on Barclays’ systems to process critical transactions.


For many customers, this wasn’t just an inconvenience—it was a crisis. Rent payments failed, businesses struggled to pay suppliers, and thousands of customers were left in financial limbo for days. Barclays has since apologised and resolved the issue, but the damage to trust and confidence will be lasting.


This is more than a one-off failure—it's a case study in operational resilience gone wrong. And in a world where financial services depend on digital infrastructure, regulators like the Financial Conduct Authority (FCA) have made it clear: resilience is no longer a nice-to-have—it’s critical.



The FCA’s Operational Resilience mandate


The FCA has been steadily tightening its grip on operational resilience, requiring banks and financial institutions to demonstrate that they can prevent, withstand, and recover from severe disruptions.

Firms have been given until March 31 of this year to meet the new PS21/3 Building operational resilience standard, including:


  • Identifying Important Business Services – Knowing which services customers rely on the most and ensuring they remain operational in a crisis.

  • Setting Impact Tolerances – Defining how long a disruption can last before causing serious harm.

  • Building Scenario Testing & Recovery Plans – Running resilience stress tests and proving they can recover from major failures within impact tolerance thresholds.


Barclays' recent failure raises serious questions about whether they (and other banks) are ready for this deadline. If a routine IT issue can cripple essential services for days, what happens during a cyberattack, infrastructure failure, or major economic shock?



4 lessons from Barclays on building real resilience


Barclays' IT outage isn’t just a wake-up call for the bank—it’s a lesson for every financial institution that wants to avoid making the same mistake.


1. Incident response is no replacement for true operational resilience


Many banks have incident response teams, but that’s not the same as resilience. Incident response is about reacting when something breaks. Resilience is about preventing the break in the first place—or ensuring that even when it happens, customers don’t feel it.


2. Communication is critical


One of the biggest frustrations for Barclays customers wasn’t just the outage itself—it was the lack of clear updates. In a crisis, customers don’t just need to know that there’s a problem. They need:


  • Frequent updates with estimated recovery times

  • Proactive solutions (e.g., alternative ways to access funds)

  • Personalised support for high-risk customers (e.g., businesses, vulnerable individuals)


A well-designed resilience strategy includes crisis communication planning, ensuring that even when things go wrong, trust isn’t lost.


3. Banks must stress-test their systems - especially during high-risk periods


Barclays' failure happened right before payday and tax deadline day—a time when banking systems are under maximum load. Did they properly test for this scenario?


Resilience isn’t just about having backup systems—it’s about running real-world stress tests to understand:


  • Can systems handle peak demand?

  • How do third-party providers impact resilience?

  • What failure points exist, and how quickly can they be resolved?


This is exactly why the FCA requires scenario testing—because if a disruption isn’t planned for, it will always take you by surprise.


4. Third-party risk is your risk


Banks don’t operate in isolation. They rely on external cloud providers, payment networks, and IT vendors. If one of those providers fails, so does the bank.


The Barclays outage highlights why financial institutions must actively manage third-party risk, ensuring that:


  • Vendors meet resilience standards

  • There are contingency plans for critical failures

  • Banks don’t become over-reliant on a single provider


Under the FCA’s resilience framework, banks can’t outsource accountability—even if a third party is responsible for a failure, the bank is still on the hook.



Resilience isn’t optional—it’s a competitive advantage


If Barclays’ IT outage has proven anything, it’s that the financial industry is still playing catch-up on resilience. The FCA has set the rules, but meeting the minimum standards won’t be enough—the real leaders will go beyond compliance and build resilience into the core of their operations. Here’s the reality:


  • Customers won’t wait around for banks that can’t guarantee access to their own money.

  • Regulators are watching closely—compliance failures will cost banks their reputation, and their business.

  • Resilience isn’t just about avoiding fines—it’s about winning trust in an era where disruption is the norm.


Barclays took the hit this time… but who’s next?


Now is the time for banks to act, before regulators—and customers—decide they’re too risky to trust.



Meet the FCA's requirements while building an operationally resilient firm


With Drova’s leading operational resilience software solution, you can identify important business services, set impact tolerances, test scenarios and map resilience in a simplified dashboard view. Connect data points across your entire organisation to eliminate risk silos and improve organisation-wide resilience with Drova.





© 2024 Drova Pty Ltd. All rights reserved.
