16 May 2023
The PRA has used its powers under the Senior Managers and Certification Regime to fine TSB's ex-CIO £81,620 for failures relating to TSB's IT meltdown in 2018 (Decision). The Decision is the first time that the PRA has taken action for a breach of its Senior Manager Conduct rules and sends a clear message of the importance of firms' conducting appropriate diligence and oversight of their third party outsourced IT suppliers, including intragroup IT services.
In 2015 following TSB's takeover by Sabadell, TSB decided to migrate its IT services to a new platform based on Sabadell's IT banking platform, Proteo. Migration involved a major IT change programme, largely via a single main migration event, with some functionality transferred through earlier transition events.
TSB entered into an outsourcing arrangement with Sabadell's IT service subsidiaries, SABIS Spain and SABIS UK (together "SABIS"), to design, build and operate the new platform. The arrangement provided for SABIS to engage external third party service providers to deliver certain systems and services required for the new platform and migration.
Mr Abarca was TSB's CIO and SMF18, and accountable for TSB's IT and IT business continuity planning during and in the run up to the incident. Although his responsibility for complying with the PRA's Outsourcing Rules was split with another Senior Manager, he was responsible for operational relationships with third party IT providers and TSB's outsourcing relationship with SABIS.
When the migration took place on 20 – 22 April 2018, TSB encountered serious issues, including failures with online, telephone and mobile banking, branch technology failures and payment transaction issues. Disruption to customers and consumers was significant and received widespread attention.
The PRA had already fined TSB £27,000,000 in December 2022 (reduced to £18,900,000 upon settlement) for regulatory failings relating to the incident.
On 13 April 2023, the PRA imposed a penalty of £116,600 (reduced to £81,620) on Mr Abarca under s66 Financial Services and Markets Act 2000 for failings under Senior Manager Conduct Rule 2.
This requires that each Senior Manager takes reasonable steps to ensure that the business of the firm for which the Senior Manager is responsible complies with the relevant requirements and standards of the regulatory system.
In this case, the relevant requirements and standards included the PRA's Outsourcing Rules.
In arriving at its decision, the PRA considered Mr Abarca's roles and responsibilities, including his Senior Manager's Statement of Responsibilities, his specific responsibilities for the migration, his accountabilities and responsibilities under TSB's Responsibilities Map and TSB's Material Risk Register.
The PRA found that he had not:
The PRA concluded that his failings undermined TSB's operational resilience, potentially impacting on financial stability.
The PRA adopted a "range of reasonable responses" test in interpreting what "reasonable steps" means and concluded that although he had taken certain steps to mitigate risk and obtain assurance from SABIS (see below), this was not considered adequate and his conduct fell "outside the range of reasonable responses for a CIO in his position in a PRA authorised firm".
The PRA Outsourcing Rules require firms to obtain sufficient assurance from suppliers to reduce operational risk. In this case, the supply chain of service providers (SABIS and fourth parties) exposed TSB to operational risk, but Mr Abarca failed to obtain sufficient assurance. But what constitutes sufficient assurance for these purposes?
Importantly, the level of oversight will depend upon the circumstances. In this case, Mr Abarca's oversight was not consistent with the "importance and scale" of TSB's migration, given the IT platform was critical to TSB's ability to provide continuity of banking services, and therefore its safety and soundness.
Below are some of the key takeaways for firms and Senior Managers on how this played out in the Decision:
Regulatory requirements on outsourcing and operational resilience (that entered into force after TSB's IT failure) have increased the level of third party oversight required. The level of assurance necessary will depend upon the particular circumstances, including the nature, scope and complexity of the firm's activities, and the criticality or importance of the IT functions.
Senior Managers need to ensure the firm's operating procedures include well-defined steps for managing ICT supplier risk; this might include a risk matrix to assess relevant third and fourth parties depending upon the level of risk and criticality.
By reinforcing the potential for personal liability, the Decision is likely to focus minds on firms' obligations to assess, monitor and scrutinise their ICT suppliers.
ICT suppliers (both third party and intra-group) should therefore expect increased scrutiny across the entire lifecycle of ICT arrangements. This could include enhanced scrutiny on confirmatory and assurance statements, greater oversight of fourth parties, scrutiny of testing, and greater reassessment of capabilities following incidents or service level breaches.
In the context of wider requirements around operational resilience, outsourcing, and the potential for direct regulation of 'critical third parties', compliance and assurance should be a key priority for ICT suppliers.
by multiple authors