Between 2023 and early 2025, Barclays, HSBC, and Santander collectively reported nearly 100 system failures. One misstep at Citigroup resulted in an $81 trillion transfer — meant to be just $280. These aren’t isolated incidents; they’re systemic symptoms of outdated codebases, fragmented systems, and human fallibility under technological strain.

Underlying Causes of Fragility

Modern banks are more exposed than they seem — and it’s not just about cyberattacks. The real problem is structural.

At the core lies technical debt: outdated, poorly written systems patched over for years. These legacy platforms are expensive to maintain and fundamentally unfit for today’s demands in terms of volume, velocity, and complexity.

Then there’s technological complexity: cloud infrastructures, third-party vendors, and distributed systems have created a web of dependencies. While this architecture enables scalability and modular innovation, it also multiplies potential failure points — making even small disruptions capable of causing large-scale outages.

These issues are amplified by:

• Lack of adequate testing: Many legacy environments were never stress-tested for modern use cases. Updates, patches, or integrations often roll out without simulating high-load or edge-case scenarios.

• Outdated user interfaces: Staff-facing systems are often clunky, inconsistent, and unintuitive — increasing cognitive load and the risk of operational mistakes. One Citigroup employee accidentally transferred $81 trillion due to a clunky interface and lack of safeguards

• Data silos and bottlenecks: Information is fragmented across incompatible systems, delaying responses, undermining automation, and obstructing visibility across the organisation.

In short: banks are racing to innovate, but they’re doing so on unstable foundations. And with customer expectations shaped by tech-native platforms like PayPal and Instagram, the pressure to ship features fast is pushing operational resilience — and security — to the limit.

AI: The Double-Edged Sword

Artificial Intelligence is being hailed as the silver bullet — and it can be. AI brings powerful capabilities:

• Automation and operational efficiency:
  It reduces manual touchpoints across internal processes, helping eliminate human error — such as the Citigroup incident — and accelerating complex operations.

• Real-time visibility:
  It enables continuous monitoring of system health and the early detection of anomalies before they escalate into major incidents. This allows banks to shift from a reactive stance to a proactive approach.

• Enhanced cybersecurity:
  AI automates patching, detects behavioural anomalies, and enables faster incident response — even in hybrid environments with multiple third-party vendors.

But AI also brings new threats:

• Model-level vulnerabilities:
  AI systems can be manipulated (e.g. through model poisoning), and poorly trained models may make biased or faulty decisions.
• Increased systemic risk:
  As AI is embedded into critical banking infrastructure, it becomes a high-value target for sophisticated attackers. A single failure or compromise could trigger widespread disruption.

• Lack of governance and oversight:
  Many institutions are deploying AI without a clear strategic framework. This absence of governance opens the door to errors, vulnerabilities, and potential regulatory penalties.

As AI becomes embedded in critical infrastructure, its own vulnerabilities become national security concerns.

Conclusion: Innovation Without Stability Is a Risk Multiplier

Modern banking is being redefined by technology — but technology without governance is chaos. The financial sector needs to treat AI and cloud not just as innovation tools, but as critical components of national infrastructure. Resilience starts with recognising that your system is only as strong as its weakest integration point.