Critical Outsourcings - The FCA Lays Down The Law

R Raphael & Sons plc has been fined a total of £1,887,252 by the FCA and PRA for failures arising from inadequate systems and controls in respect of a critical outsourcing of payment services.

BACKGROUND

Raphaels provided payment card services, all of which were outsourced to third party suppliers. On 24th December 2015 there was a serious IT incident in respect of one of these suppliers which resulted in approximately 3,367 of the firm’s customers being unable to use their prepaid cards and charge cards. Transactions to the value of £558,400 were declined as a result. The outage lasted for 8 hours.

FAILINGS

The FCA investigated the circumstances of the IT incident and concluded that there were two substantive breaches of the FCA rule book by Raphaels:

• Breach of principle 3 and SYSC 8.1.1R – failing to take reasonable steps to ensure that it has organised its affairs responsibly and effectively with adequate risk management systems. Additionally, under SYSC, while relying on a third party outsourcer, failing to take reasonable steps to avoid undue additional operational risk.
• Breach of principle 2 – failure to conduct its business with due skill, care and diligence.

The FCA identified a number of facts which contributed to these failures. This was the outsourcing of a critical service by the Bank and the FCA was accordingly particularly harsh in its criticism:

• Raphaels’ risk assessments identified failure of its own IT systems as a risk, but omitted to identify (or have any plans for dealing with) IT failures by an outsourcing provider as a risk.
• Raphaels had an outsourcing policy in place, but it merely replicated the FCA handbook provisions, with no additional guidance to its staff e.g. to help them identify a critical outsourcing.
• The contracts between Raphaels and the outsourcing provider did not contain “comprehensive service levels.” From the description, set out in the FCA’s Final Notice it sounds like there may have been service levels in place, but they were not considered sufficient to monitor a critical outsourcing.
• The chief failure identified however related to business continuity plans (“BCP”):
  • Both Raphaels and each outsourcing supplier had their own BCP which included items such as a recovery time objective of four hours and annual testing of BCP and sites. But the FCA noted that the outsourcing agreements did not require the suppliers’ business continuity and recovery arrangements to align with the firm’s requirements or create end to end processes which could be referred to in the event of the BCP being relied upon.
  • Raphaels had a BCP questionnaire which was supposed to be filled out in respect of each supplier. In reality it seldom was. As a result, the firm had no means to assess the BCP arrangements in respect of its key services, including the IT services affected.
  • Raphaels own BCP did not provide procedures for communicating with outsourcing suppliers in the event of an incident affecting the outsourcing supplier and had not sought to consider or assess the impact of disruption on its customers.
• Due diligence and ongoing monitoring
  • As part of prior due diligence Raphaels inspected certain of the BCP of its tenderers. However, this was not a uniform approach and it ignored others. If it had inspected them, it would have noticed that in the case of the affected services, there were no time frames at all set out for recovering critical business functions.
  • When conducting due diligence, there was no written policy or guidelines as to what information to request from a supplier. This meant those carrying out the exercise were effectively blind, unable to identify what to look for.
  • As part of its ongoing management of the outsourcing arrangement, Raphaels issued an annual due diligence form to be completed by the suppliers. These did not seek details of the current business continuity arrangements in place.
  • There was supposed to be an ongoing annual monitoring review of each service. In reality, staff shortages meant these sometimes did not take place. Where they did take place, they failed to address BCP issues adequately (since there was no guidance as to what they should look for) and failed to notice for example that one of the BCP was out of date.
• In the FCA’s view, things were made worse by Raphaels because they ignored the lessons that should have been learnt from an earlier IT incident. In April 2014 there was an IT outage that affected 57 customers. Raphaels failed to:
  • Take steps to identify the underlying cause.
  • Review the supplier’s BCP to manage future incidents.
  • Ascertain the impact of the outage on the affected customers.
  • Insist on further remedial action instead of just accepting an undertaking from the supplier to provide email and SMS notification of future IT incidents.
• When there was a further IT incident in December 2015 it was clear that there were no contingency plans or workarounds available because the parties had not tested the specific scenario that arose. Furthermore, the supplier did not even have the means to communicate with Raphaels out of office hours. Raphaels were unaware of the incident until informed by the supplier at 9am, nearly 5 hours after the incident started.
• Following the incident, Raphaels asked for a root cause analysis of the fault and corrective action and identification of lessons learned. Crucially however in the FCA’s view, the firm did not investigate whether customers had suffered any detriment. Consequently, no redress was offered to those customers even though they may have suffered loss, inconvenience or distress.
• Finally, an external review was commissioned by Raphaels. As a result of it, a number of changes were made:
  • Outsourcing risk was identified separately as a risk in the firm’s overall risk strategy.
  • Revised due diligence to ensure a more holistic and comprehensive review.
  • Enhancement of BCP for critical outsourcing suppliers.
  • Allocation of first line responsibility for outsourcing to a senior manager.

Commentary:

What is noticeable is that Raphaels had not been wholly cavalier with regard to their outsourcing. They had processes in place to check and oversee their contracts. Also, the IT outage occurred in the small hours, at a time most would consider low risk. That said, the FCA determined that the real failure was a systemic one applicable to all Raphaels’ card outsourcing arrangements. The monitoring and oversight they had in place was insufficient; above all their BCP plans failed to mesh with those of their suppliers. This failure was in respect of a critical service, and as a result the FCA’s fine reflected their view of the seriousness of these failings.

If you’d like further information or advice relating to any of the issues dealt with above, please don’t hesitate to contact a member of Geldards’ Technology, Media & Telecoms Team.