Change control gaps were cited by eight of the 12 jurisdictions that contributed incident data to a new Basel Committee on Banking Supervision (BCBS) report, a finding that emerges despite banks in most surveyed jurisdictions demonstrating broadly mature change management practices. The survey focused on global and domestic systemically important banks as well as other banks of interest, including digital-only banks.

The volume of changes banks are processing compounds the challenge. One bank claimed to have implemented over five million ICT changes in 2025 while simultaneously reducing its failure rate, an illustration of how scale itself has become a governance variable. Some institutions are responding by automating up to 85% of pre-approved, low-risk standard changes, reserving multi-layered governance controls for higher-risk modifications. The report notes this approach has proven effective at large banks, but panellists at the outreach event emphasised the need for appropriate safeguards to ensure its safe and efficient use.

Testing environments cannot replicate production conditions

Gaps in system design, development and testing were cited by seven jurisdictions as the second most frequent root cause of ICT incidents, while system capacity and performance issues and external dependency operational failure each ranked third, cited by six jurisdictions apiece. Together these four categories were the most frequently reported root causes in the survey.

The report identifies a structural constraint that makes the design and testing category difficult to close through process improvements alone. Testing environments often fall short of mirroring production systems closely enough, with divergence arising from differences in test data handling (such as anonymisation and masking), integration with external systems, configuration settings and security controls.
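As an added illustration, not code from the report or from any surveyed bank, the following parity check compares a test environment's manifest against production along the four divergence categories the report names (test data handling, external integrations, configuration settings, security controls). The manifests, their keys and values are constructed for this example; treating security-control divergences as release-blocking is a design choice of the example rather than a recommendation the report makes.

```python
"""Environment-parity check: compare a test manifest with production and
report every divergence by category, so that gaps which would otherwise
let defects pass validation are visible before release.
All manifests below are constructed for this example."""
from dataclasses import dataclass, field

# Constructed manifests; keys are hypothetical. A real manifest would be
# generated from each environment's actual inventory and configuration.
PRODUCTION = {
    "data_handling": {"pii_masked": False, "record_volume": 12_000_000},
    "integrations": {"payments_gateway": "live", "credit_bureau": "live",
                     "sanctions_screening": "live"},
    "config": {"db_pool_size": 200, "tx_timeout_s": 30,
               "feature_flags": ["instant_transfer"]},
    "security_controls": {"tls_min_version": "1.2", "waf": "enforce",
                          "mfa_admin": True},
}
TEST = {
    "data_handling": {"pii_masked": True, "record_volume": 50_000},
    "integrations": {"payments_gateway": "stub", "credit_bureau": "stub"},
    "config": {"db_pool_size": 20, "tx_timeout_s": 30,
               "feature_flags": ["instant_transfer"]},
    "security_controls": {"tls_min_version": "1.2", "waf": "monitor",
                          "mfa_admin": False},
}

# A control that behaves differently in test hides exactly the failures
# that are hardest to reproduce later, so these categories block release.
BLOCKING_CATEGORIES = {"security_controls"}
ABSENT = "<absent>"  # marker for a key present in only one environment


@dataclass
class Divergence:
    category: str
    key: str
    test_value: object
    prod_value: object
    blocking: bool


@dataclass
class ParityReport:
    divergences: list = field(default_factory=list)

    def blocking(self) -> list:
        return [d for d in self.divergences if d.blocking]

    def by_category(self) -> dict:
        counts = {}
        for d in self.divergences:
            counts[d.category] = counts.get(d.category, 0) + 1
        return counts

    def release_gate_passes(self) -> bool:
        return not self.blocking()


def compare_environments(test: dict, prod: dict) -> ParityReport:
    """Walk every category/key in either manifest and record mismatches.
    A key present in only one environment counts as a divergence too: a
    missing integration stub is as much a gap as a wrong value."""
    report = ParityReport()
    for category in sorted(set(test) | set(prod)):
        t_section = test.get(category, {})
        p_section = prod.get(category, {})
        for key in sorted(set(t_section) | set(p_section)):
            t_val = t_section.get(key, ABSENT)
            p_val = p_section.get(key, ABSENT)
            if t_val != p_val:
                report.divergences.append(Divergence(
                    category=category, key=key,
                    test_value=t_val, prod_value=p_val,
                    blocking=category in BLOCKING_CATEGORIES))
    return report


def format_report(report: ParityReport) -> str:
    lines = []
    for d in report.divergences:
        flag = "BLOCK" if d.blocking else "warn "
        lines.append(f"{flag} {d.category}.{d.key}: "
                     f"test={d.test_value!r} prod={d.prod_value!r}")
    lines.append("release gate: "
                 + ("PASS" if report.release_gate_passes() else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_environments(TEST, PRODUCTION)))
```

Run against the constructed manifests, the check reports eight divergences, two of them in security controls (a WAF in monitor rather than enforce mode and admin MFA switched off), and fails the release gate; the masked data and stubbed integrations are reported as warnings so they remain visible when a production-only failure has to be traced back to a test gap.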
Because of this divergence, defects that would surface under production conditions pass validation and create failures that are, by the report's own characterisation, prolonged and complex to remediate, sometimes requiring extensive manual intervention or third-party support.

A case study included in the report illustrates the practical consequence. A combination of an inadequate testing environment, poor system design introducing data mismatches, and development errors that testing did not detect produced failures in critical banking systems requiring extended recovery. The report does not name the institution or jurisdiction.

A separate case study describes the failure of a data centre cooling system, triggered when operators failed to follow proper change management procedures, that cascaded across multiple banks whose systems were co-hosted at the same facility, causing disruption that extended beyond any single bank.

Visibility into supply chains remains structurally limited

Third-party risk management is one of the five most widely implemented ICT risk management practices identified in the survey, alongside ICT change management, ICT continuity testing, incident and problem management, and ICT project management and system development. The report's incident categorisation draws on the Financial Stability Board's Format for Incident Reporting Exchange (FIRE), a cross-sector taxonomy designed to reduce variation and improve comparability of incident data.

Banks employ due diligence programmes, contractual audit rights, pooled audits for shared service providers and exit strategies. A total of 14 of the 16 surveyed jurisdictions report that banks have established ICT risk appetites or tolerances, and ICT risk is categorised under operational risk in all 16, with regular reporting to senior management and the board.

Effective oversight reaches its boundary at the nth-party level.
Visibility into suppliers' suppliers, whose failures can cascade into bank systems as the cooling system incident illustrated, remains limited. The BCBS published a separate set of principles for the sound management of third-party risk in December 2025, but the current report makes clear that the practical problem of monitoring dependencies outside banks' direct contractual relationships remains unresolved.

Talent shortages compound the exposure. Banks consistently report skills gaps in cyber security, cloud engineering, data management and generative AI, and in legacy disciplines including COBOL programming and mainframe administration. Competition with technology firms for these profiles is a structural constraint, with banks responding through university partnerships, internal technical career tracks and selective outsourcing of hard-to-fill roles.

AI integration advances without resolved accountability frameworks

All 16 surveyed jurisdictions have ICT risk management regulations or guidance in place, though reporting criteria, incident thresholds and supervisory timelines vary considerably. Supervisory approaches are broadly risk-based, combining on-site examinations, thematic reviews and off-site assessments. The 16 participating jurisdictions are Argentina, Australia, Brazil, Canada, Germany, Hong Kong SAR, India, Japan, Korea, Mexico, Saudi Arabia, Singapore, South Africa, the EU Single Supervisory Mechanism, the United Kingdom and the United States.

The adoption of AI and machine learning tools within ICT risk management functions, including predictive incident detection, AI-assisted code review and automated change failure identification, is documented across surveyed institutions. Bank representatives flagged a tension between growing automation and supervisory expectations for human accountability.
Separately, the Committee has noted that while frontier AI models could help banks and supervisors identify cyber vulnerabilities and strengthen defences, their potential malicious use may materially change the speed and scale of cyber incidents, a risk it will continue to monitor.