Following a joint investigation, the PRA and FCA have fined TSB Bank plc a total of £48,650,000 for what they described as operational risk management and governance failures. TSB was fined £29,750,000 by the FCA and £18,900,000 by the PRA. TSB agreed to resolve this matter with the FCA and PRA, qualifying it for a 30% discount in the overall penalty imposed by both regulators. Without this discount, the FCA and PRA would have imposed a combined financial penalty of £69,500,000.
Readers will recall extensive media coverage in April 2018 of what was described at the time as an "IT meltdown". Technical failures in TSB's IT systems in April 2018, following a botched migration to a new platform, affected TSB's branch, telephone, online and mobile banking services. Millions of customers were prevented from accessing their accounts and carrying out transactions. Some services were disrupted for a number of weeks and TSB did not return to normal operations until December 2018.
In addition to the adverse media coverage, the bank received 222,492 complaints from customers and paid a total of £32m in compensation.
TSB was spun out from Lloyds Banking Group in June 2014. Following the divestment, TSB continued to receive its core IT services from Lloyds using the Lloyds IT Platform.
In 2015 TSB was acquired by the Spanish bank Sabadell, which had a history of migrating banks on to its IT banking platform Proteo and aimed to transfer TSB's systems to Proteo by the end of 2017. TSB engaged Sabadell's subsidiary, SABIS Spain, to design, build and test the new Proteo UK Platform and migrate TSB's data to it. SABIS would also operate the platform following migration. In their findings, the regulators described the plans as "ambitious", presenting "significant operational risk to the firm".
In the event, migration took place on 20-22 April 2018, during which TSB migrated the majority of the operations of its corporate systems, customer services and customer data to the new UK Platform.
From an early point after the system went live on 22 April 2018, TSB encountered serious issues which significantly impacted the ability of some customers to access and use their accounts.
The Regulators determined that the direct cause of the technical problems related to issues with IT configuration, capacity and coding. However, the PRA and FCA identified a number of key failures which led to or contributed to the technical problems:
- Planning – the ambitious migration project developed delays from the outset and fell behind programme timing. Whilst the bank re-planned the migration following the delays, there was inadequate consideration of the reasons why the programme fell behind schedule, and critical testing plans and principles had to be deviated from to keep on track. The bank adopted an overly "right to left" approach in planning for migration (ie by working back from a target date) rather than implementing a "left to right" approach (ie assessing how long the project should take based on realistic timings for each stage). This approach continued even when the bank had to re-plan.
- Testing – testing did not always keep up with timelines, and changes were made to the scope of testing in order to keep up. Some testing (of how the platform was able to operate at load/volume) was reduced in scope, with decisions taken outside the appropriate governance forum. In addition, changes to testing responsibilities were made without the bank's board or relevant sub-committees being aware.
- Risk Management – the bank did not explicitly assess risks arising from its outsourcing arrangements with SABIS (a Sabadell subsidiary), which had no experience of managing delivery from a large number of UK subcontractors, nor did it address risks from TSB's limited experience of supplier oversight. Governance was insufficiently robust, with insufficient involvement and challenge by the TSB board.
- Outsourcing – TSB was criticised for failing to undertake a due diligence exercise to understand SABIS's capability to deliver the migration. SABIS relied extensively on 85 suppliers to deliver the systems required for the migration and the operation of the platform. By February 2018, TSB had still not ensured that SABIS’s supplier management model was fully developed and complied with TSB Group Outsourcing policy. Supplier risk issues were not fully resolved prior to migration.
- Business Continuity Planning – there was insufficient contingency planning. TSB's internal assurance reviews identified deficiencies in incident management processes between April and November 2017, but the issue was considered low impact and audit actions were closed ahead of migration, apparently without considering what impact this might have in the scenario of multiple IT incidents occurring of the severity of those which arose. TSB's failures in planning impacted its ability to deal with customer issues.
- the FCA's Principle 2 and the PRA's Fundamental Rule 2 (a firm must conduct its business with due skill, care and diligence).
- the FCA's Principle 3 (a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems) and the PRA's Fundamental Rule 6 (a firm must organise and control its affairs responsibly and effectively).
The Regulators are increasingly taking action against firms for inadequate project planning and poor execution of important IT projects. This action follows that brought by the FCA against Citibank for failures resulting from poor project management in implementing new trade surveillance requirements. Given the very serious impact on consumers resulting from TSB's failures, disciplinary action was virtually inevitable.
The root cause appears to have been a "deliberately ambitious" timetable which TSB admits was intended to act as a "forcing mechanism" to ensure that the business and suppliers worked "at pace" but which the PRA viewed as being "based on very little information".
Some of the blame lies with Sabadell's subsidiary SABIS, over which the FCA and PRA have no powers of enforcement and accordingly, the PRA and FCA have followed their tried and tested formulation of fining the regulated firm for failure properly to manage an outsourced function. It is also a further reminder that firms must adopt the same disciplined approach to outsourcing, even where the supplier is another group company. This includes carrying out appropriate due diligence prior to engagement.
This is another joint investigation brought by the FCA and PRA into a banking failure which has resulted in two sets of final notices and fines. As with the cases brought against Goldman Sachs and Raphaels Bank, the subject and focus of the PRA and FCA investigations are the same and the findings are virtually identical. In each of the Goldman Sachs and Raphaels Bank final notices, large chunks of text were identical between the PRA and FCA notices. In this TSB case some effort appears to have been taken to draft the notices using slightly different language to give an appearance of independent thought, although the substance of the findings is virtually identical.
This is the first published joint FCA/PRA decision following the Upper Tribunal's judgment in Forsyth v FCA and PRA where Judge Herrington recommended that "The approach to joint investigations should be reviewed. Where the conduct concerned falls equally within the scope of both Regulators consideration should be given as to whether there should be a single investigation by one of the Regulators and a single regulatory decision".
In response to that decision the FCA stated that "On a case-by-case basis, Enforcement will continue to consider at a senior level whether it is appropriate for there to be a joint investigation or a single investigation, in consultation with the PRA and taking all relevant matters into consideration."
Whilst the investigation in this case would have commenced prior to the Forsyth decision, the FCA and PRA nevertheless decided to continue their joint investigation, resulting in two materially similar notices – although to what end is unclear.