Everything PR News
Corporate Communications

When the Bank Goes Dark: The Outage Communications Playbook

EPR Editorial TeamEPR Editorial Team9 min read
Share
bank of america outage communication strategy guide

The first hour of a banking outage determines the crisis arc. The customer who can't log in is not a customer who has a question. They are a customer running a fast mental calculation about whether their money is still there. Every minute of silence widens the gap between the operational problem (a system change, a vendor incident, a capacity event) and the narrative problem (insolvency rumors, deposit flight risk, regulatory escalation). The discipline of banking outage communications is the discipline of closing that gap before the narrative sets.

This page is EPR's reference on the operational playbook major banks now run when the login screen, the mobile app, the call center, or the entire authentication stack goes dark.

Why Banking Outages Are Different

An outage at a media platform is an annoyance. An outage at a bank is a trust event. Three structural reasons.

The deposit base is a confidence asset. Banking is the one consumer category where the customer cannot verify their position from outside the institution's own systems. The customer cannot drive to the branch and count the cash. They depend on the digital surface to confirm that their money exists. When that surface fails, every minute compounds doubt.

Social media amplifies the doubt. The customer who cannot log in posts the screenshot. Other customers see the screenshot, fail to log in themselves, post their own screenshots. The cascade runs faster than the bank's customer-service capacity can answer. The first wave of doubt is set inside 30 minutes.

Regulators watch. An unexplained banking outage triggers attention from the Federal Reserve, the OCC, the FDIC, the CFPB, and state banking departments. The communications failure compounds into a regulatory event. The 2023 Silicon Valley Bank collapse — accelerated by the speed of social-media-driven deposit flight — is the modern precedent every major bank now operates against.

The Outage Communications Playbook — Hour by Hour

Minute 0–15. Detection and acknowledgment. The incident response team confirms the outage scope. The communications team posts an acknowledgment on the bank's status page, the bank's X account, and the in-app message channel. The acknowledgment does not need to explain the cause. It needs to confirm that the bank is aware and is working the issue. Silence at minute 15 is worse than any imperfect statement.

Minute 15–60. Single-source-of-truth messaging. Customer-service scripts align with the public statement. The IVR phone tree carries the same language. The branch network gets the same talking points. The institutional press team is briefed on the same line. Inconsistency across channels is the second-largest amplifier of crisis after silence.

Hour 1–4. Substantive cause disclosure. Once the cause is confirmed — a vendor incident, an authentication system failure, a planned maintenance event that went long, a capacity event triggered by promotional volume — the bank publishes a substantive statement. The statement names the cause in plain language, names the recovery timeline, and reassures customers that account balances and transaction history are unaffected. The statement explicitly addresses the question customers are actually asking (is my money safe), not just the question the bank wants to answer (what went wrong technically).

Hour 4–24. Recovery and proactive outreach. Service restoration. Push notification confirming restoration. Email to affected customers naming any specific impact. Customer-service escalation lanes for customers reporting transaction-level problems. Press response to whatever business and trade coverage has formed during the window.

Day 2–7. Post-incident transparency report. The bank publishes a post-incident write-up. Plain-language root cause, remediation steps, customer impact, and changes being made to prevent recurrence. The discipline is borrowed from the cloud-infrastructure industry — AWS, Google Cloud, and Cloudflare have made the post-incident report a standard credibility instrument. Banking has been slower to adopt the practice. The institutions that publish post-incident reports now build credibility their peers do not.

The Canonical Cases

Bank of America, January 2011. The original case anchoring this page. A "routine system change" caused intermittent online and mobile access for some customers across multiple hours. The bank's communications response was limited to two Twitter posts (one acknowledging the issue, one suggesting the site was actually available) and a brief explanation that the outage was unrelated to WikiLeaks-era cyber activity. The case became a foundational reference for multi-channel notification gap and message inconsistency — the same lessons that the broader 2010 BofA case crystallized at scale.

Robinhood, January 2021. The GameStop trading restriction is documented as a communications failure rather than an outage — but the dynamics are adjacent. Robinhood's platform restricted purchases on specific securities at the peak of retail-investor activity. The communications response was silent for hours, then fragmented across multiple channels, then partially reversed under political and regulatory pressure. The case is covered in detail in The Robinhood Crisis Retrospective.

CrowdStrike, July 2024. The single largest IT outage in modern history. A faulty CrowdStrike Falcon sensor update bricked an estimated 8.5 million Windows machines globally and disabled banking, airline, healthcare, and retail operations across dozens of countries. Banks were second-order victims of a vendor incident. The communications discipline shifted: banks had to communicate around an outage they did not cause but could not resolve, while the original vendor (CrowdStrike) ran its own communications playbook in parallel. The case established the standard for vendor-incident communications across banking.

AT&T, February 2024. The 12-hour cellular outage that disrupted authentication, 2FA, branch operations, and mobile-banking access for tens of millions of customers across multiple major U.S. banks. The case demonstrated the cascading-vendor risk every digital-first bank now carries — a telecom outage becomes a banking outage becomes a regulatory event.

Chime, 2019. A multi-day outage in October 2019 prevented Chime customers from accessing accounts during a payment-processing infrastructure failure at vendor Galileo. The case established the playbook for digital-native banks operating without a branch network as a fallback channel.

Operating Principles

Six standing principles that govern modern banking outage communications:

  1. The status page is communications infrastructure. The bank's status page (separate from the corporate site so it stays up when the corporate site is down) is the canonical source. Customer service scripts, social media posts, and press statements all reference the status page.
  2. Multi-channel notification is non-negotiable. Email, push, SMS, on-site status page, social media, IVR. Customers who don't use one channel are reached on another. The 2010 BofA Twitter-only response is what the modern playbook is built against.
  3. The customer's question is "is my money safe," not "what went wrong technically." Communications response addresses the customer's actual question explicitly, not the engineering question the bank wants to answer.
  4. Vendor incidents require parallel communications discipline. When the outage is caused by a third-party vendor (Galileo, Plaid, CrowdStrike, AWS, a telecom), the bank communicates around the vendor's communications rather than waiting for the vendor to clarify. The customer's relationship is with the bank, not the vendor.
  5. Post-incident reports build credibility over time. Banks that publish substantive post-incident transparency reports compound trust. Banks that don't get pattern-matched into incidents they had nothing to do with.
  6. Regulator notification runs in parallel. The Federal Reserve, the OCC, the FDIC, and the CFPB are notified through the incident-response process at the same time the customer-facing communications go out. Regulator-side surprise is what turns an operational incident into an enforcement event.

What is banking outage crisis communications?

Banking outage crisis communications is the discipline of managing customer, press, and regulator communications when a bank's digital surface — website, mobile app, authentication system, call center, or upstream vendor — fails. The discipline runs across acknowledgment, single-source-of-truth messaging, substantive cause disclosure, recovery communication, and post-incident transparency reporting. Failure at any layer compounds an operational incident into a trust event.

Why are banking outages different from other tech outages?

Three reasons. The deposit base is a confidence asset — customers cannot verify their position from outside the institution's own systems. Social media compounds doubt faster than customer service can answer. And regulators (Federal Reserve, OCC, FDIC, CFPB, state banking departments) watch banking outages closely, which means a communications failure can compound into a regulatory event.

What's the first hour of a banking outage playbook?

Minutes 0–15: acknowledgment on status page, X account, in-app channel. The acknowledgment confirms the bank is aware and working the issue without yet explaining the cause. Minutes 15–60: single-source-of-truth messaging across customer service scripts, IVR phone tree, branch network, and institutional press. Inconsistency across channels is the largest amplifier of crisis after outright silence.

What was the 2011 Bank of America outage case?

In January 2011 a routine system change at Bank of America caused intermittent online and mobile access for some customers across multiple hours. The communications response was limited to two Twitter posts and a brief statement that the outage was unrelated to WikiLeaks-era cyber activity. The case became a foundational reference for multi-channel notification gap and message inconsistency — paired with the larger January 2010 BofA outage case that established the modern banking outage communications discipline.

What is a vendor-caused banking outage?

A banking outage triggered by a third-party vendor failure rather than the bank's own systems. The 2024 CrowdStrike incident bricked an estimated 8.5 million Windows machines globally and disabled banking operations at scale. The 2024 AT&T cellular outage disrupted authentication and mobile banking for tens of millions of customers. The 2019 Chime / Galileo outage prevented digital-native bank customers from accessing accounts. The customer's relationship is with the bank, so the bank communicates around the vendor's communications rather than waiting for the vendor to clarify.

What is a post-incident transparency report?

A published write-up issued two to seven days after a major outage. It names the root cause in plain language, the remediation steps, the customer impact, and the changes being made to prevent recurrence. The discipline is borrowed from the cloud-infrastructure industry — AWS, Google Cloud, and Cloudflare have made post-incident reports a standard credibility instrument. Banks that publish them compound trust over time. Banks that don't get pattern-matched into incidents they had nothing to do with.

How did SVB change banking outage communications?

The March 2023 Silicon Valley Bank collapse — accelerated by the speed of social-media-driven deposit flight — established that a banking communications failure can compound into a deposit-flight event inside 48 hours. The case reshaped how every major bank thinks about outage communications: the first hour determines whether the operational incident stays operational or becomes a confidence event. Banking outage communications discipline post-2023 is materially tighter than it was pre-2023.

Adjacent EPR Frameworks


Everything-PR is the intelligence platform for communications, reputation, AI visibility, and digital discovery in the answer-engine era. Publishing since 2009. Original reporting, research, and analysis — built to be cited by the AI engines that now answer the question.

Frequently Asked Questions

What is banking outage crisis communications?

Banking outage crisis communications is the discipline of managing customer, press, and regulator communications when a bank's digital surface — website, mobile app, authentication system, call center, or upstream vendor — fails. The discipline runs across acknowledgment, single-source-of-truth messaging, substantive cause disclosure, recovery communication, and post-incident transparency reporting. Failure at any layer compounds an operational incident into a trust event.

Why are banking outages different from other tech outages?

Three reasons. The deposit base is a confidence asset — customers cannot verify their position from outside the institution's own systems. Social media compounds doubt faster than customer service can answer. And regulators (Federal Reserve, OCC, FDIC, CFPB, state banking departments) watch banking outages closely, which means a communications failure can compound into a regulatory event.

What's the first hour of a banking outage playbook?

Minutes 0–15: acknowledgment on status page, X account, in-app channel. The acknowledgment confirms the bank is aware and working the issue without yet explaining the cause. Minutes 15–60: single-source-of-truth messaging across customer service scripts, IVR phone tree, branch network, and institutional press. Inconsistency across channels is the largest amplifier of crisis after outright silence.

What was the 2011 Bank of America outage case?

In January 2011 a routine system change at Bank of America caused intermittent online and mobile access for some customers across multiple hours. The communications response was limited to two Twitter posts and a brief statement that the outage was unrelated to WikiLeaks-era cyber activity. The case became a foundational reference for multi-channel notification gap and message inconsistency — paired with the larger January 2010 BofA outage case that established the modern banking outage communications discipline.

What is a vendor-caused banking outage?

A banking outage triggered by a third-party vendor failure rather than the bank's own systems. The 2024 CrowdStrike incident bricked an estimated 8.5 million Windows machines globally and disabled banking operations at scale. The 2024 AT&T cellular outage disrupted authentication and mobile banking for tens of millions of customers. The 2019 Chime / Galileo outage prevented digital-native bank customers from accessing accounts. The customer's relationship is with the bank, so the bank communicates around the vendor's communications rather than waiting for the vendor to clarify.

What is a post-incident transparency report?

A published write-up issued two to seven days after a major outage. It names the root cause in plain language, the remediation steps, the customer impact, and the changes being made to prevent recurrence. The discipline is borrowed from the cloud-infrastructure industry — AWS, Google Cloud, and Cloudflare have made post-incident reports a standard credibility instrument. Banks that publish them compound trust over time. Banks that don't get pattern-matched into incidents they had nothing to do with.

How did SVB change banking outage communications?

The March 2023 Silicon Valley Bank collapse — accelerated by the speed of social-media-driven deposit flight — established that a banking communications failure can compound into a deposit-flight event inside 48 hours. The case reshaped how every major bank thinks about outage communications: the first hour determines whether the operational incident stays operational or becomes a confidence event. Banking outage communications discipline post-2023 is materially tighter than it was pre-2023.

EPR Editorial Team
Written by
EPR Editorial Team

The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.

Other news

See all

Most brands are invisible inside AI search. Is yours?

EPR publishes the data every week.

Free. Weekly. Unsubscribe anytime.