The Royal Bank of Scotland (RBS) failed to implement sufficiently capable risk management IT systems to keep pace with the rapid growth of its business, according to a damning Financial Services Authority investigation into the bank's near-collapse.

The FSA concluded in its long-awaited report that RBS had made "seriously flawed" decisions prior to the 2008 disaster. But it also conceded that as a regulator it too needed a tougher framework to bring those responsible to court.

RBS, rescued by the taxpayer in 2008, continues to be 84-percent state-owned and has cut nearly 28,000 staff since the crisis.

The regulator said the bank's "governance, systems and controls and decision-making" appeared to fall short of "best practice", and were "below the practices of a number of peer firms".

RBS had recognised in 2007 to 2008 that its rapid expansion –accelerated by its disastrous takeover over ABN Amro – was not being matched by spending on its risk systems. But in spite of its own recognition of the impending problem, it had not identified specific areas for change or taken the appropriate steps, the FSA said.

The regulator also noted that RBS' chief risk officer, in charge of those systems, was not allowed into the daily morning meeting of the CEO, who preferred to see his financial director – considered higher in the management hierarchy.

RBS board planning meetings and related documents in early 2008, around its capital position, failed to assess a number of key risks. The "failure to reflect any concerns that RBS might fall below its group ICG [appropriate capital level] was caused by weaknesses in RBS's systems and controls", the FSA said.

Nevertheless, the FSA acknowledged that RBS had improved stress testing on its in-house CELT system, producing monthly impact assessments. And it concluded that the some of the more basic reports sent to the RBS board demonstrated "that many of the key features that the FSA would have expected to see in an appropriate management information system were in place at RBS".

However, its risk IT systems in the troubled Global Banking & Markets (GBM) division failed in the most important areas.

Key management information on the division was in general deficient, particularly around collateralised debt obligations – a complex finance product often cited as playing a part in the general economic crisis – the regulator noted.

There was no proper monthly reporting on the exposure to the more risky CDOs, the FSA said. This significantly impaired the board's understanding of the risks.

Additionally, RBS' monthly risk report produced by the systems only analysed past and current risks, "rather than being forward-looking". An RBS internal report in 2008 concluded that data reporting was "relatively light on predictive or leading indicators" and was presented in a complicated way.

"People want to know why RBS failed and why no-one has been punished," said FSA chairman Lord Turner as the report was published today.

RBS as a company would not be sanctioned, he said, because its failure was direct punishment enough. And individuals responsible would not be dragged to court because there was "not sufficient evidence" to bring a case with "a reasonable chance of success".

Lord Turner highlighted "the errors of judgement and execution made by RBS executive management which, in combination, resulted in RBS being one of the banks which failed amid the global crisis".

He called for a change in the regulatory framework so that individuals can be "found legally responsible" for such failures.