The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Despite billions spent annually on redundant infrastructure, disaster recovery, and failover systems, customers continue to experience service blackouts - unable to make payments, access funds, or even check their balances.

It’s time for a new mindset. Enter Substitution - a modern, pragmatic solution that redefines how banks think about resilience.

What is Substitution in banking?

Substitution - or the concept of a “stand-in bank” - is the idea of having a separate, simplified platform that can take over core banking functions in the event of a failure. This platform is not a backup of the entire system, but rather a pre-synchronised, lightweight version that delivers only the most essential services: checking balances, receiving salaries, making payments, and purchasing goods.

In normal operation, this stand-in system is kept in real-time sync with the main core banking systems. But when a catastrophic failure hits - say, a ransomware attack or a major outage - the customer experience seamlessly switches over to the stand-in platform. No recovery delays. No uncertainty. Just continuity.

Once the bank’s core platform has been successfully restored following the outage, the stand-in platform seamlessly reconciles operations by transmitting all transactions executed during the failover period back to the main system. This ensures data consistency, maintains audit integrity, and enables a smooth transition back to normal operations without customer impact.

Why traditional resilience measures are not enough

In the last few years, most banks have invested heavily in resilience - build secondary data centres, deploy disaster recovery solutions, adopt multi-region cloud architectures, and doubled down on performance engineering. 

However, the reality is stark, even the most prepared institutions struggle to meet the impact tolerances for Important Business Services (IBS) in the event of catastrophic failures.

Modern banking ecosystems consist of thousands of microservices, APIs, third-party integrations, legacy platforms and digital interfaces. With so many moving parts, a fault in even a seemingly insignificant component can cripple the entire ecosystem. No amount of testing or engineering guarantees total resilience.

The cyber threat landscape is escalating

Cybersecurity threats are on the rise. Earlier this year, the UK retail sector experienced a notable escalation in cyber-attacks impacting several major brands. 

According to IBM’s Cost of a Data Breach Report 2024: 

• The average cost of a data breach in financial services was $6.08 million, among the highest of any industry.
• The average time to identify and contain a breach was 258 days.
• Ransomware attacks grew 13 per cent year-on-year, with attackers now targeting core infrastructure, not just data.

If banks are honest with themselves, few can say with confidence that they could restore all services within 24 hours of a breach. Customers, however, expect zero disruption - a tension that substitution can help reconcile.

Why substitution is a better approach

Substitution doesn’t aim to replicate the entire banking architecture in real time. Instead, it narrows the focus to customer-critical services - those that must remain available at all costs. This approach has several advantages:

• Speed: Switching to a stand-in platform can happen at will - not take days.
• Simplicity: A reduced scope means fewer dependencies and lower complexity.
• Security: A clean, isolated environment is less likely to be affected by the same failure or breach.
• Cost-Effectiveness: Maintaining a substitution layer is significantly cheaper than full-system redundancy. A common platform also allows development costs to be spread amongst multiple banks.

Think of it like a bank’s equivalent of a lifeboat - not the whole ship, but just enough to keep people safe until the main vessel is restored.

Lessons from other industries

Other mission-critical industries have long embraced substitution strategies:

• Power grids: Load shedding and fallback grids prevent total blackout by switching to simplified operations during overloads.
• Telecoms: Mobile networks often switch users to different cells or frequencies when one goes down, preserving basic communication.

Why shouldn’t banks do the same?

Time for a new playbook

Resilience is no longer just about failover - it’s about continuity. Substitution doesn’t replace your core systems; it protects your customers when those systems are unavailable.

In a world of increasing cyber risk, platform complexity, and customer intolerance for failure, substitution is not just a technical solution - it’s a strategic necessity.

The banks that embrace this model won’t just survive the next crisis. They’ll be the ones customers remember for keeping the lights on when it mattered most.