Expired Certificate Cripples Bank of England Payment System
In July, the Bank of England experienced a payment system failure due to the expiration of a certificate within the bank’s infrastructure. As a result, the CHAPS system, which processed £6.9 trillion in payments in August, was disrupted. It took 91 minutes to restore full functionality, but during this time, significant issues arose with transaction processing.
The incident was thoroughly detailed in the Bank of England’s annual report on payment system modernization. While the type of expired certificate was not specified, it is likely to have been an SSL/TLS certificate, which authenticates a system to its peers and secures the connections between them. Manually tracking the expiration of such certificates can lead to unpredictable failures and data breaches, highlighting the necessity for automated management.
This marks the fourth disruption to the Bank of England’s payment systems in 2024, and the second linked to certificates. In January, a 39-minute outage in the RTGS system also affected CHAPS and CREST, though the root cause remained unclear.
The RTGS system, which underpins CHAPS, is undergoing an upgrade. The transition to a modular structure under the new TS3 management and accounting system is designed to simplify the onboarding of new financial institutions. However, adding new participants is currently challenging, as each phase of the RTGS upgrade requires technical preparation and temporary restrictions on changes. The next slots for organizations to join the system will not be available until 2025.
In addition to the July incident, other disruptions were recorded over the past year: a 36-minute outage on October 26, 2023, caused by network configuration issues, and a 6-minute failure on June 17, 2024, triggered by malfunctions in an internal RTGS component. Moreover, on July 18, 2024, CHAPS experienced a global outage lasting 245 minutes due to problems with SWIFT’s Y-Copy service.
Experts believe that manual management of digital certificates remains a significant challenge for many organizations. For instance, Tim Callan, a security expert at Sectigo, noted that it is a labor-intensive process, complicating the timely renewal of certificates. Furthermore, the upcoming reduction in the maximum validity period of TLS certificates from 398 to 90 days is expected to increase the burden on IT teams managing certificates manually, potentially leading to even more outages and data breaches.