TSB fined £48.65m by the FCA and PRA for operational resilience failings
The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have fined TSB Bank plc (TSB) a total of £48,650,000 for operational risk management and governance failures. TSB were deemed to have failed in multiple areas, including management of outsourcing risks relating to the bank’s IT upgrade programme.
The technical failures in TSB’s IT system left many customers unable to access fully-functioning banking services for over half a year.
What is operational resilience?
The FCA defines operational resilience as:
‘the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption.’
It is critical for consumers, firms and financial markets that the UK financial sector is operationally resilient, especially in times of increased cyber risk. Operational disruption and the unavailability of key business services have the potential to cause far-reaching harm to consumers; they also pose a risk to market integrity, damage the viability of firms and create instability in the financial system.
What are the operational resilience requirements for firms?
With effect from 31 March 2022, the FCA now assesses firms’ operational resilience capabilities against its Policy Statement, Building Operational Resilience (PS21/3), which defines industry practices aligned to their existing rules and expectations.
According to the FCA, to be operationally resilient, firms which are subject to their rules must:
- Identify important business services that, if disrupted, could cause harm to consumers or pose a risk to market integrity;
- Set maximum impact tolerances;
- Carry out mapping and testing;
- Conduct lessons learnt exercises;
- Develop internal and external communications plans; and
- Prepare self-assessment documentation.
In July 2015, TSB was acquired by the Spanish bank, Sabadell, who had limited experience in the UK banking market. Sabadell had a history of migrating banks on to its Proteo banking platform.
TSB expected improved financial returns from a full migration of its IT services on to Proteo, and the target deadline for completing the migration was by the end of 2017.
While Sabadell had experience of delivering large and complex platforms in Spain (Proteo (Spain)), in this case the migration involved the creation of a newly built version of the Proteo platform which was unproven. This had to be tailored for the UK banking market, required extensive customisation, and depended on a large number of external suppliers that had to be managed. This new version of Proteo was known as Proteo4UK.
Between 2015 and 2018, TSB undertook a major IT change programme, involving the design, build and testing of the new Proteo4UK Platform.
This was followed by migration of TSB’s corporate and customer services on to the new platform over the weekend of 20 – 22 April 2018. TSB engaged Sabadell’s subsidiary, SABIS Spain, to design, build and test the Proteo4UK Platform and migrate TSB’s data to it. SABIS also operated the platform following migration.
In the first few days after the system went live on 22 April 2018, TSB encountered major issues which significantly impacted the ability of customers to access and use their accounts. These issues included data breaches, failures with digital (internet and mobile) banking services, failures in telephone banking, branch technology failures, and problems with payment and debit card transactions.
The failures in digital services had a compounding effect. Instead of online banking, customers attempted telephone banking, but many customers faced longer wait times and abandoned calls due to a mixture of other IT issues and the overwhelming of TSB’s systems by the sheer volume of customer calls. When telephone banking attempts failed, many customers tried to visit their local TSB branch, which created long queues in branches that were already struggling as a result of multiple IT failures.
Certain customer services remained highly disrupted during the first week after migration, with problems continuing in the following days and weeks. Overall, TSB did not return to business as usual until 10 December 2018. Some customers suffered significant detriment. Between 22 April 2018 and 7 April 2019, TSB received 225,492 complaints from customers and paid a total of £32,705,762 in redress during that period.
The direct causes of the technical problems experienced during the migration mainly related to issues with IT configuration, coding and capacity. However, there were also numerous failings in the run-up to the migration, and by the point of going live TSB was carrying excessive operational risk. These failings were present in planning, testing, risk management and outsourcing. Risks went undetected or were inadequately dealt with, and there were governance failures in escalation and challenge.
As a result, TSB went live without sufficient contingency planning to be adequately prepared for the events that took place, which had serious negative consequences for some of TSB’s customers.
Two of TSB’s main failures were:
- The decision, made outside the appropriate governance forum in February 2018, which reduced the scope of non-functional testing of the digital channels to one of TSB’s two data centres. Had this testing been conducted, it is likely that it would have identified the problem in the configuration of certain components in the data centres, which was later found to have caused the unavailability to customers of internet and mobile banking for periods following going live; and
- TSB’s identification of programme risks did not explicitly address:
- risks arising from its outsourcing arrangements with SABIS, a service provider with zero experience of managing service delivery from a large number of UK subcontractors; or
- risks from TSB’s limited experience of supplier oversight in an IT change management project of this scale and complexity.
Other examples of TSB’s failings included:
- Going live despite consistently running behind schedule;
- Failing to review the reasoning for falling behind, and including this within ongoing planning;
- Failure to test and identify risks;
- A narrow scope of risk assessments; and
- Inadequate business continuity planning for the scale of the incident that occurred.
FCA Handbook Principles and PRA Rulebook Fundamental Rules breached by TSB
Principle 2 of the FCA Handbook provides that a firm must conduct its business with due skill, care and diligence; and Principle 3 provides that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
Due to the failings above, the FCA held that TSB failed to conduct its business with due skill, care and diligence, in breach of Principle 2. TSB were also found to have failed to comply with Principle 3.
The PRA carried out its own investigation, and found that TSB breached Fundamental Rules 2 and 6 of the PRA Rulebook. In breach of Fundamental Rule 2, TSB failed to manage appropriately and effectively its services and outsourcing arrangements with SABIS and the risks, including operational risk, arising from the arrangements.
In addition, in breach of Fundamental Rule 6, TSB had failed to organise and control the migration programme responsibly and effectively.
The FCA and PRA’s enforcement action
As a result of the breaches, the FCA handed TSB a financial penalty of £29.75 million, and the PRA imposed a financial penalty of £18.9 million – a total of £48.65 million.
TSB agreed to resolve this matter with the FCA and PRA, therefore qualifying it for a 30% discount in the overall penalty imposed by both regulators.
Were it not for this discount, the FCA and PRA would have imposed a combined financial penalty of £69,500,000 (£42,500,000 by the FCA and £27,000,000 by the PRA).
In a statement issued to the press, Mark Steward, FCA Executive Director of Enforcement and Market Oversight commented:
‘The failings in this case were widespread and serious which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable.’
The Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, Sam Woods, added:
‘The PRA expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.’
You can read the press release here, the FCA’s notice here, and the PRA’s notice here.
Can we help?
If you have any IT projects related queries, please do not hesitate to get in touch with one of our experienced IT & Technology lawyers.