On 13 April 2023, the Prudential Regulation Authority (PRA) imposed a financial penalty of £116,000 on Carlos Abarca, TSB Bank's former Chief Information Officer (CIO), for his failures overseeing the IT migration in 2018. This led to disruption for millions of the Bank's customers and ongoing disruption to the Bank's 550 branches. This news follows the highly-publicised outcome of the joint investigation by both the PRA and Financial Conduct Authority (FCA) earlier this year, which saw TSB fined a total of £48,650,000 (£29,750,000 by the FCA and £18,900,000 by the PRA) in relation to its role in the project.
Mr Abarca's penalty was reduced by 30% for early settlement, to £81,620.
The role and responsibilities of Mr Abarca and compliance with the SMCR
Under the Senior Managers Certification Regime ('SMCR'), Mr Abarca was subject to specific Conduct Rules and a Duty of Responsibility.
Role: Mr Abarca's role is captured under SMF18 (Other Overall Responsibility).
Responsibilities: Mr Abarca's responsibilities included, amongst other priorities:
- Providing leadership and strategic direction to the IT function and ensuring alignment with overall TSB strategy;
- Designing and managing the Migration Programme; and
- Being accountable for information technology within TSB to deliver the organisation’s strategic goals.
The project experienced significant delay during the planning and pre-planning stages. This was in part due to issues arising from TSB's merger with Banco de Sabadell, where Mr Abarca had previously also held the role of CIO, and ultimately his role with the main third-party supplier, Sabadell Information Systems ('SABIS'), where he had previously also held the position of CEO.
The PRA Notice stated that ultimately Mr Abarca did not obtain the necessary assurances that SABIS was in a position to undertake the IT migration of customers. Accordingly, he breached Senior Manager Conduct Rule 2 of the PRA Rulebook which states that "reasonable steps" must be taken to ensure that "the business of the Firm for which you are responsible complies with the relevant requirements and standards of the regulatory system".
Although the migration of data was itself successful, the various resulting issues encountered by TSB were significant. Millions of TSB customers and all 550 TSB branches experienced issues due to "failures with online, telephone and mobile banking services, branch technology failures, and consequential issues with payment and debit card transactions".
Particular failings of Mr Abarca highlighted by the PRA include:
- Failing to ensure that TSB formally and adequately reassessed the supplier's ability and capacity on an ongoing basis, particularly in light of ongoing service level breaches;
- Not ensuring that he obtained sufficient assurance regarding the completeness of readiness activities undertaken by suppliers and sub-contractors; and
- Not taking a holistic view of the risks associated with the outsourcing arrangement and relying on confirmations from the supplier without verification.
This action by the PRA demonstrates an increasing willingness on the part of the PRA and FCA to take enforcement action in respect of failures of project management. Many regulatory actions against individuals involve allegations of lack of integrity, dishonesty, recklessness or other highly egregious behaviour. This case demonstrates that the regulators are also willing to take action against those senior managers who may have acted in good faith but nevertheless fell outside the reasonable range of actions expected of an individual when undertaking this type of role.
The case is also another reminder that the regulators expect firms to treat intra-group outsourcing arrangements in the same manner as they would for third party suppliers. Culturally, it can be difficult for one part of a group business to challenge another; however, regulatory expectations are clear. Furthermore, where failure of a project is primarily down to the actions of an outsourced firm which is not regulated by the PRA or FCA, the regulators will inevitably look to blame the regulated firm and its senior managers for failure to manage the relationship.
The regulators have faced some criticism for a lack of enforcement against senior managers following introduction of the SMCR in 2016 and will have been under some pressure to obtain an outcome. Whilst this is the first senior manager's case outcome under the SMCR regime (and surprisingly brought by the PRA rather than the FCA), it is not necessarily a case which could not have been brought prior to the introduction of the SMCR. Conduct Rule 2 is a continuation of the previous APER 7 rule, requiring that significant influence function holders take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system. However, what will have assisted the PRA is the requirement under the SMCR for responsibility maps and statements of responsibility. In this case, the PRA appears to have had no difficulty in establishing Mr Abarca as the senior manager with responsibility for the failings. In the case against TSB itself, both the FCA and PRA took disciplinary action against the bank with cases that were materially the same. However, the FCA has not taken action against Mr Abarca in this case. It is hoped that the regulators have heeded Judge Herrington's recommendation in Forsyth v FCA & PRA that "Where the conduct concerned falls equally within the scope of both Regulators consideration should be given as to whether there should be a single investigation by one of the Regulators and a single regulatory decision".