The liability of legacy: How the banking industry must adapt following major disruption at Barclays

A major technical glitch at Barclays that caused days of disruption has sparked questions from MPs this week about the scale and impact of IT failures across the wider UK banking industry. FStech news editor Alexandra Leonards explores how the fifth largest bank in Europe could have suffered such an incident and what Britain’s traditional financial institutions should learn from its mistakes.

Starting 31 January, seemingly out of nowhere, Barclays customers began reporting that they were locked out of their accounts. As the steady stream of reports became a tidal wave on social media—an issue exacerbated by the fact that the incident lined up with the HMRC tax deadline and payday for many—the bank confirmed that a technical glitch had impacted transfers, payments, and cash withdrawals.

The immediate impact of the outage was a stark reminder of how even the most established banks can suffer serious and far-reaching consequences when a system fails, with the dependence on the sector’s operational resilience only further highlighted by our near cashless and branchless society in 2025.

Following the incident, the Treasury Select Committee has this week demanded information on the scale and impact of IT failures that have affected operations over the past two years from the chief executives of the UK’s top banks, specifically Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide Building Society, NatWest Group and Santander. In the letter to Barclays, MPs asked for details about the recent outage, including how customer service teams responded to distressed consumers and what action the board took to rectify the issue.

Speaking about the outage, chair of the Committee Dame Meg Hillier MP said that for an IT system to go down at a major bank like Barclays—particularly at such a crucial time of year—it must have been “either bad luck or bad planning”.

“When a bank’s IT system goes down, it can be a real problem for our constituents who were relying on accessing certain services so they can buy food or pay bills,” she said. “The rapidly declining number of High Street bank branches makes the impact of IT outages even more painful; that’s why I’ve decided to write to some of our biggest banks and building societies.”

The days-long outage has had a seismic impact and has led to existential questions about the wider industry, the vulnerabilities of traditional banking infrastructure, and the ability of banks—both incumbent and challenger—to meet the requirements of legislation like the EU’s Digital Operational Resilience Act (DORA) which came into effect in January. The recent implementation of such regulation combined with the wide-reaching and public nature of the technical difficulties and growing pressure from MPs suggests that this is more than just one isolated incident.

Old code, legacy tech and the impact of unexpected emergencies

While Europe’s fifth largest bank shared minimal detail about what caused the issue—only revealing that the outage was not related to a cyber-attack in direct refutation of reports that the incident was DDoS-related—many experts have pointed to a likely failure of one of its core platforms. This could have been driven either by a change the bank was making intentionally with an update gone awry—see the 2024 CrowdStrike incident for a case study on this—or a simple failure of hardware.

“While Barclays remains tight-lipped on the causes of the incident, industry patterns point to systemic risks that suggest what the reasons behind the outage could be,” Kashif Nazir, technical manager at modernisation and legacy app migration firm Cloudhouse tells FStech. “Banks like Barclays often rely on legacy systems comprising decades-old codebases and infrastructure.”

This means that integration with newer technologies, or even routine upgrades, can trigger severe failures.

Mona Schroedel, managing associate at law firm Freeths, agrees that Barclays likely operates on dated code and is in the process of phasing the old systems out. She explains that errors in the upgrading process to new systems are often rife, with data breaches also frequently occurring.

But even if Barclays wanted to tear out its entire legacy tech stack and replace it with 2025’s latest tech overnight, it is not quite so simple from a regulatory perspective.

“Data Protection rules and regulations require companies to process data in a manner that protects against accidental loss using appropriate technical or organisational measures,” she says. “Barclays probably frantically worked behind the scenes to get the systems back up, but unexpected emergencies often take a little time to figure out.”

Patrick Burgess, a cybersecurity expert from BCS, The Chartered Institute for IT’s Information Security Specialist Group (ISSG), asserts that large traditional banks run complex infrastructure on numerous legacy systems which can have limited support and knowledge in the broader community.

When these older systems fail, he explains, it can rapidly impact a wide range of seemingly disconnected services because the bank has to be sure about the transactions taking place.

“The complexity and financial nature of these systems means it can take time to bring them back online, the bank needs to be 100 per cent sure that they understand what went wrong and process the missed transactions or actions in the correct order on return of the system,” he tells FStech.

Very poor decisions

Cloudhouse’s Kashif Nazir agrees that the disruption highlights a growing vulnerability in financial infrastructure but says that it’s not just internal systems that are the problem.

“Many institutions outsource critical functions to third-party vendors,” continues the technical manager. “This makes them highly dependent on these partners and therefore vulnerable to any risks in these external technologies.”

In 2024, for example, a glitch in the Faster Payments system overseen by Pay UK caused significant disruption to payments for banks like Barclays, HSBC, Nationwide and Virgin Money, showing how faults with external systems can cripple multiple banks simultaneously. (That incidentally also occurred towards the end of the month as Brits eagerly anticipated the arrival of payday.)

Barclays’ approach to its customers following this latest glitch has also come under fire, with Burgess saying the bank made some “very poor decisions” in the way it handled the outage.

“Recommendations to use foodbanks and friends or family may have been well intentioned but seemed incredibly tone deaf,” he says. “The bank lost control of the narrative quite quickly due to the size of the outage and left a vacuum for other voices to fill.

“People don't want to be told it will all be ok in the end; they want to know what's going on and how long it’s going to take to fix. Proactive communication and empathy is always key in major outages.”

Switching banks and moving money can be a hassle, so other than the incident putting off potential new customers, there is unlikely to be much impact on Barclays in the short term, but the bank’s long-term legacy has not come out unscathed.

Burgess predicts that larger legacy banks like Barclays will continue to lose custom to newer challengers who are “doing a much better job of focusing on the customer journey.”

His comments are backed up by research published by RFI Global which found that the number of UK adults using a digital-first neobank for financial services has grown from 16 per cent in 2018, to 50 per cent at the end of 2024. Ultimately, such banks are built on modern infrastructure which can often be more stable and adaptable than the legacy systems powering most incumbents.

Consumers and decision-makers alike should be conscious that digital-first neobanks will not remain unchallenged indefinitely. They, too, will be compelled to navigate the process of migrating from their existing legacy technology stacks, particularly in light of the accelerating pace of digital transformation, the proliferation of artificial intelligence systems, and the advent of quantum computing.

Ensuring business continuity and future readiness


Looking ahead, Burgess says that Barclays must ensure it is quicker out of the gate to control the narrative and provide better timelines for expected resolution of service in the event of any future outages.

“Overall, it’s important for all businesses to be investing in business continuity,” he continues. “Ensuring that they eliminate single points of failure and have robust procedures in place to restore systems as fast as possible.”

Banks aren’t only compelled to do this in order to appease their customers; they also must meet the demands of the regulator, such as the recently launched DORA and its UK equivalent expected to be launched later in 2025. DORA in particular is specifically designed to ensure that banks and other financial entities establish resilient, secure, and adaptable systems that align with contemporary risk management frameworks.

“When it comes to systems themselves, they should be continually stress-tested for peaks in activity,” says Cloudhouse’s Nazir. “So, with the Barclays example, the bank could simulate tax deadlines or payday volumes to identify load thresholds.”

Mona Schroedel of Freeths agrees that engaging in scenario testing and operational resilience exercises is crucial to ensuring that, when such events occur, the appropriate sequence of corrective measures becomes second nature.

“Actually simulating a problem and solving it is one of the best ways to learn, identify room for improvement, and make some day-to-day changes that will assist any emergency measures,” she says. “Often the emergency drill will clarify and crystallise where everyday processes can be adjusted to help make an emergency response easier.”

Nazir also urges banks to be more transparent about their systems, something Barclays failed to do when it decided not to disclose its root cause analysis (RCA).

“CrowdStrike’s detailed RCA after its global outage last year set a standard,” continues Nazir. “Barclays should follow suit to rebuild trust.”

Schroedel adds that from a legal perspective, it is prudent to have proper emergency measures in place, with these being quite wide-ranging.

“If disaster strikes, IT teams and specialists need to get to work, customers need to be informed and updated, regulators and contractual partners may need to be informed and steps need to be taken to minimise any lasting damage or harms,” continues Schroedel.

A defining moment for the banking industry

Barclays may have been the latest institution to experience a high-profile outage, but it will not be the last. With the UK’s banking sector increasingly reliant on aging legacy systems, financial institutions must recognise that major disruptions are no longer a matter of if but when. The gradual disappearance of bank branches has only amplified the severity of IT failures, making operational resilience an essential—not optional—priority.

Regulators have made it clear that financial institutions will be held to higher standards, with frameworks like DORA and its anticipated UK equivalent setting new benchmarks for risk management, stress testing, and incident response. Banks that fail to modernise their infrastructure, implement robust contingency plans, and enhance transparency risk not only operational breakdowns but also severe regulatory and reputational consequences.

The choice is clear: Britain’s top banks must act decisively—learning from Barclays’ misfortune, strengthening their digital foundations, and proactively safeguarding customer trust—or risk being the next headline in a growing list of preventable financial crises and losing business to more agile competitors.


