The Bank of England is investigating allegations that Metro Bank, a high street lender, jeopardized customers’ data security by allegedly mishandling software involved in a prolonged legal dispute. Last month, the central bank’s whistleblowing unit received a report from an individual expressing concerns regarding the reliability and safety of the software utilized to link known as Magic Money Machines Metro Bank’s in-branch coin-counters, to customer accounts.
According to documents reviewed by the Guardian, the communication asserted that the original Magic Money Machine software “was not designed for use in an online banking environment” but was adapted by the bank in a manner that facilitated direct cash deposits into customer accounts, potentially exposing vulnerabilities in the system.
The whistleblower further alleged that Metro Bank may have shared the source code for the machines with other parties in a manner that exposed customer accounts to potential compromise, suggesting that unauthorized access to cash could occur.
These issues collectively posed a “significant security risk to Metro Bank UK’s network,” according to the email. The Bank of England’s whistleblowing team is currently examining the claims and has forwarded the communications to the Financial Conduct Authority (FCA), the City watchdog.
Both the Bank and the FCA declined to provide comments, while Metro Bank did not directly address the allegations. Metro Bank, serving approximately 2.7 million customers across 76 branches, has not reported any incidents or received complaints regarding security breaches thus far.
The bank has been embroiled in a protracted legal dispute concerning its coin-counting machines, primarily intended for children to tally small change and featuring animated displays, including its mascot, Metro Man.
For six years, a US company named Arkeyo provided software to Metro Bank before alleging that the bank later disclosed its source code to a competitor. Since 2017, Arkeyo has pursued legal action against Metro through US courts and initiated a new lawsuit in the UK in 2022, seeking £24 million in damages.
Arkeyo asserts that Metro Bank violated its copyright and misused proprietary information related to money counting machines. Documents from the High Court detail the collaborative efforts between Metro and Arkeyo from 2010 to 2016 and the subsequent breakdown of their relationship in the following year. Arkeyo alleges that Metro then engaged a Chicago-based company named Saggezza to replicate and copy Arkeyo’s software through reverse engineering, a claim Saggezza has refuted.
Metro Bank stated it couldn’t comment on ongoing legal matters but acknowledged the case in its latest annual report, asserting, “We believe Arkeyo LLC’s claims are unfounded and are vigorously contesting the lawsuit.”