The Bank of England is examining a claim that Metro Bank “pirated” a US company’s software and put customers’ data at risk, City A.M. understands.
The central bank’s regulatory arm received an email, seen by City A.M., in February from a whistleblower raising concerns that software used for the high street lender’s coin-counting machines had been built out by the bank without the developer’s authorisation.
Metro Bank’s “Magic Money Machines” are mainly advertised towards children, allowing them to add up small change in its branches. The lender has around 3m customers in total.
The whistleblower said in the email that the bank had introduced the ability for cash to be deposited directly into customers’ accounts using the machines, which made the system “very vulnerable to hackers”.
News of the central bank’s scrutiny, which was first reported by The Guardian, comes amid a long-running legal dispute between US firm Arkeyo and Metro Bank over software used for the “Magic Money Machines”.
According to court documents, Metro Bank and Arkeyo worked together between 2010 and 2016, with the software firm filing a US civil lawsuit against the bank the following year and a £24m English High Court suit in 2022.
Arkeyo claimed Metro Bank leaked its source code to Chicago-based rival Saggezza to reverse-engineer the software. Saggezza has denied wrongdoing.
The whistleblower told City A.M. they contacted the Bank of England shortly after viewing the source code used in the “Magic Money Machines” and finding that it contained “several” of the company’s encrypted keys.
“We didn’t make those keys and product code to be used for online banking transactions with our software,” the person added.
“The new owner at Metro Bank refuses to remove it and is putting all his customers’ money at risk.”
They said individuals with access to Arkeyo’s public key tokens could potentially “compromise” Metro Bank’s systems and gain unauthorised access to its operations, including “account access, ATM networks, backend ledgers and other essential banking applications”.
The person added that Arkeyo’s clients could also be at risk.
A spokesperson for Metro Bank told City A.M. it would not comment on ongoing legal proceedings.
On the High Court suit, Metro Bank said in its annual results report last month: “We believe Arkeyo LLC’s claims are without merit and are vigorously defending the claim.”
The Bank of England and the Financial Conduct Authority, with which the Bank has shared the whistleblower’s communications, declined to comment.
Metro Bank, which operates 76 branches, has not reported any security or data breaches tied to the machines.
The company was saved from potential collapse last year by Colombian billionaire Jaime Gilinski Bacal, who took a controlling 53 per cent stake in the bank alongside a £925m rescue package from investors.
Metro Bank was co-founded by US billionaire Vernon Hill in 2010, who served as its chair until stepping down in 2019 following a major accounting error that caused Metro Bank’s shares to collapse and kickstarted a series of financial troubles.