Capital One’s five-day outage highlights third-party risk

Over the weekend, disruptions to financial transfers plagued dozens of banks, including Capital One, in an episode that highlighted the issues of technical resilience and third-party risks, two matters that regulators have given special attention in recent years.

Capital One and 26 other banks experienced outages starting Wednesday that caused some deposits, payments and transfers to be delayed. Financial services vendor Fidelity Information Services, better known as FIS, said Monday that a power outage initiated the disruption.

FIS provides banking operations and payments services to more than 5,800 companies and processed $12 trillion in 2023. A spokesperson for the fintech said the outage was “due to a local area power loss and a hardware failure” that occurred on Wednesday.

The spokesperson specified that the outage “was not the result of any cyber incident” and that FIS “sincerely apologizes to our clients and their customers who were impacted by this system outage.”

The Bank of Oklahoma said in a Facebook post on Wednesday that the outage affected it and 26 other banks, adding it was “a system issue outside of our control.” On Tuesday, its parent company BOK Financial said on its website that it would “refund fees incorrectly assessed on accounts impacted by the outage.”

Local reports also indicate Cadence Bank in Tupelo, Mississippi experienced disruptions.

Social media reaction

The disruptions, especially those affecting Capital One customers, created a social media stir. Customers complained that their direct deposits had not hit their accounts and that they sat on hold for upwards of an hour with customer service representatives.

On Wednesday, day one of the outage, Capital One’s customer service account on social media platform X said the bank was dealing with a technical issue with a third-party vendor that was disrupting several services. In an email to customers the next evening, the bank said the outage “delayed processing of some transactions including direct deposits and Early Pay credit for direct deposits, as well as electronic payments and transfers (ACH).”

Two days later, a Friday when many people were expecting their paycheck to be deposited, Down Detector reported that the Capital One outage had generated more than 280,000 reports, with the main issue being problems with deposits.

Capital One customers who couldn’t access their paychecks fumed on X. Some got creative with cartoons and GIFs.

Capital One customers who couldn’t access their paychecks fumed on X.

As is often the case, the outage tied up Capital One’s customer service representatives.

On LinkedIn and X, customers provided links to the web page people could use to complain about Capital One to the Consumer Financial Protection Bureau.

On Sunday, Capital One emailed customers to say that the issue had been resolved and impacted systems had been restored.

“We sincerely apologize for the disruption and any impact on your ability to access certain Capital One services,” the company wrote. “We also understand how frustrating this situation may have been, and we’re committed to making it right.”

Attention to third-party risks and resilience

Regulators both in the U.S. and Europe have called on banks to take greater responsibility for the security and resilience of third-party vendors. As exemplified by the FIS-caused outages over the weekend, a failure at a third party can cascade into failures at multiple other companies, even whole industries.

Last year, a much more visible example that affected multiple industries came in the form of the Crowdstrike outages. In that example, days-long disruptions caused some airlines to delay and cancel flights, some broadcasters to temporarily go off air, and some consumers to report problems logging into their bank accounts or using other digital banking services.

Regulators and lawmakers in recent years have looked to minimize the systemic risks posed by large numbers of banks relying on the same third-party vendors for core banking services such as payments and transfers.

Most recently, in the European Union, the Digital Operational Resilience Act went into effect Friday, implementing rules designed to protect the bloc’s financial sector from large-scale failures that might result from cyberattacks or technical outages, such as those that affected Capital One and others over the weekend.

In the U.S., resilience efforts have largely focused on cybersecurity threats rather than technical outages, such as the ones caused last week by FIS, or resilience more generally.

Financial regulators have issued guidance to community banks on their third-party risk policies, and the leading effort to legislate on cyber risk has focused on how companies respond to cyber incidents rather than how they plan for or otherwise mitigate them.

Namely, banks and other companies have been waiting on the Cybersecurity and Infrastructure Security Administration (CISA) to issue rules that will implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). These rules will govern which types of cybersecurity incidents companies have to report, and how they report them.

Melinda Huspen contributed reporting to this story.