The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have taken joint action to fine a retail bank for failing to manage its outsourcing arrangements properly. The failings lasted for more than two years, between April 2014 and December 2016.
The total fine is £1,887,252, of which £1,112,152 is payable to the PRA and £775,100 to the FCA.
The bank has a Payment Services Division (PSD) that operates pre-paid card and charge card programmes in the UK and Europe. The PSD relies on outsourced service providers to perform functions such as the authorisation and processing of card transactions.
The bank failed to assess the effectiveness of the business continuity and disaster recovery arrangements of its outsourced service providers. The regulators specified a 26-month period over which inadequate contingency plans were in place; however, the issue came to a head on Christmas Eve 2015.
On this day, there was a complete failure of the processing services provided to the bank by one of its third parties. For more than eight hours, some 3,367 customers were unable to use their prepaid cards and charge cards, and a total of 5,356 customer card transactions could not be authorised. The FCA says that the incident had a particularly severe effect on Christmas seasonal workers, who depended on their cards to receive their wages.
A previous IT incident occurred in April 2014 at the same card processor. The FCA and PRA say that the bank failed to properly investigate the earlier incident and that had it done so, it may have been able to remedy the deficiencies in the third party’s business continuity and disaster recovery arrangements.
The FCA and PRA add that their investigation identified widespread weaknesses with the bank’s outsourcing systems. The regulators say that there was inadequate consideration of outsourcing issues at Board level.
Mark Steward, FCA Executive Director of Enforcement and Market Oversight, said:
“[Name of bank]’s systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”
Sam Woods, Deputy Bank of England Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
“Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of [name of bank] given the level of reliance on outsourcing in its business model.
“In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.”
The bank issued a press release saying that the firm “fully accepts the findings contained in the Final Notices of the PRA and FCA and regrets any inconvenience suffered by customers as a result of any failures to meet relevant regulatory standards.” The CEO added that “we have since significantly improved outsourcing controls within the Bank.”
Although this issue concerns a bank, there are lessons to be learnt by all regulated firms. Any firm that outsources some of its services and operations will still be held responsible by the FCA if there are any issues at the third-party firm. The FCA has previously issued guidance on IT outsourcing.
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware that the facts, circumstances or legal position may change after publication of the article.