This is not a coding error but partly a configuration error mixed up with poor general routines complemented by bad practice. Also the banking infrastructure doesn’t help.
Instead of fixing these issues this incident will most likely
change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
What consequences I can only speculate- but it might very well have severe negative effects.
> Instead of fixing these issues this incident will most likely change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
The U.K. FCA tends to be extremely consumer friendly and somewhat bank hostile. There will be no regulation change as a result of this, more likely fines and greater oversight from the FCA. They’ll no doubt be demanding incident post-mortems already, and the general expectation is that Santander will have to cover any lost funds that can’t be recovered by asking nicely. The FCA takes an extremely dim view of banks aggressively pursuing individuals for money after the bank fucked up.
Consumers (ie actual people) will be made whole by law. And most likely affected businesses won't end up out of pocket either, but the law doesn't protect them as much, on the rationale that they're not people. So banks do screw them over all the time too, just probably not this time.
But the Fundamentally Complicit Authority (no that isn't what their initials really stand for, it's a Private Eye recurring joke because of how useless they are) as regulator is unlikely to expect Santander to actually fix anything about their process, and so this will happen again. And again.
> But the Fundamentally Complicit Authority (no that isn't what their initials really stand for, it's a Private Eye recurring joke because of how useless they are) as regulator is unlikely to expect Santander to actually fix anything about their process, and so this will happen again. And again.
Having been at a bank after a similar level of fuck up, you can be sure the FCA will be asking some tough questions, and they absolutely will instruct institutions to fix their processes. Fail to do that enough times, and you’ll be forced to do a skilled persons report. Having experienced that, I can tell you, you don’t want it happening to your bank. It months of audits, followed by years of remediation.
> Instead of fixing these issues this incident will most likely change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
I think the rules are generally pretty clear on this: if you receive money by mistake, it is not your money, and you must return it (obviously if you don’t know where to return it to, you should try to find out where it is from and contact the sender, or try to get your bank to revert the transaction. Indeed asking your bank to revert it is probably the best way to return it). People who do spend the money that is accidentally sent to them can be prosecuted for theft.
Furthermore, accidental or incorrect transfers happen relatively frequently and sometimes with massive amounts of money. It is usually resolved with a phone call between companies.
There are some exceptions to these rules like the whole banque worms thing we saw recently, but that doesn’t really matter.
The problems here for the bank are:
- they are on the hook for any losses if they fail to get the money back
- there are a large number of transactions so there is a lot of work to do. Santander is probably trying to contact the other banks to process them in bulk.
I don’t think any regulations will or need to change.
If you’re wondering how crypto fixes this, I have two examples. 1. XRP let’s you mark one transaction as reverting a previous one, and 2. Binance accidentally duplicated a bunch of dogecoin withdrawals and then asked people to return the funds and suspended withdrawals hoping it would further motivate people to return funds.
From what I know of Santander systems I had the "pleasure" to interact with as a third party dev, it's probably a poor sob who triggered a method called "doTheRightThing" which ended up doing something completely different.
Only Citi has surprised me more than Santander when it comes to completely insane IT org (Citi spent 2 months on an automated export and when we went live after UAT, we realized they were not ready and had a monkey do the "automated export" manually, with completely wrong format and information, and they didnt feel the need to warn us when it happened at 11pm...)
I got paid twice 24th and 25th but didn't have to do anything. They just took the money back when they realised. I bank with a different bank to my company.
Instead of fixing these issues this incident will most likely change regulations in a way that it will be easier for banks to reclaim funds lost in similar ways in the future.
What consequences I can only speculate- but it might very well have severe negative effects.