The Bank of England is examining claims that the high street lender Metro Bank allegedly put customers’ data at risk by misusing software at the centre of a long-running legal dispute.
Last month, the central bank’s whistleblowing team was contacted by a person raising concerns about the integrity and security of software used to connect Metro Bank’s in-branch coin-counters – known as Magic Money Machines – to customer accounts.
The communications, seen by the Guardian, claimed that the original Magic Money Machine software was “was not made to be used on an online banking system”, but had been built out by the bank in a way that allowed cash to be deposited directly into customer accounts, potentially creating weaknesses in the system.
The whistleblower also claimed that the source code for the machines may have been shared by Metro with other parties in a way that left customer accounts “susceptible to compromise”, suggesting that cash could be accessed by potential hackers and bad actors.
Together, those issues potentially presented a “significant security risk to Metro Bank UK’s network”, the email said.
The whistleblowing team in the Bank of England is now reviewing the allegations and has shared the communications with the City watchdog, the Financial Regulation Authority.
The Bank and the FCA declined to comment. Metro Bank did not directly respond to the allegations.
Metro Bank, which has about 2.7 million customers and 76 branches, has not reported any incidents or complaints of security and data breaches to date.
The lender has been in a long-running legal dispute regarding its coin-counting machines, which are primarily designed to allow children to add up small change and feature lively animations, including of its mascot, Metro Man.
A US company, Arkeyo, provided the software to Metro for six years, but claims that the lender later leaked its source code to a rival firm. It has been pursuing Metro through US courts since 2017, but filed a fresh lawsuit in the UK in 2022 in an attempt to sue the bank for £24m.
Arkeyo claims that the lender infringed its copyright and misappropriated trade secrets relating to money counting machines.
High court documents outline how Metro and Arkeyo had been working together between 2010 and 2016, but that the relationship broke down over the following year. Arkeyo claims that Metro then instructed a Chicago-based company called Saggezza to reverse-engineer and copy Arkeyo’s software. Saggezza has denied wrongdoing.
Metro said it could not comment on ongoing legal proceedings, but addressed the case in its latest annual report. “We believe Arkeyo LLC’s claims are without merit and are vigorously defending the claim,” it said.
after newsletter promotion
The Bank of England complaint, and ongoing legal dispute, comes during a challenging period for Metro Bank, which rushed to secure a £925m deal in October in order to avoid a potential break-up or takeover.
The bank was co-founded by the US billionaire Vernon Hill and became the UK’s first new high street lender in 150 years when it launched in 2010. Metro grew significantly in the UK, taking on established high street rivals by offering more convenient opening hours and dog-friendly policies.
However, in 2019, an admission that it had made an accounting mistake led to the biggest single-day collapse in a UK bank’s share price since 2008. The mishap shook confidence in the bank and was soon followed by the departure of both Hill and its chief executive, Craig Donaldson.
Last year, Metro Bank was thrown into further turmoil after failing to convince regulators to loosen capital rules. The regulator’s decision left Metro with a shortfall on its balance sheet, causing market panic, until it secured the emergency deal that left it 53%-owned by the Colombian billionaire Jaime Gilinski Bacal.
Earlier this month Metro said it was cutting 1,000 jobs and ending its seven-day branch model, after nearly tripling the size of its cost-cutting plan following the rescue deal.
