The PRA has used its powers under the Senior Managers and Certification Regime to fine TSB's ex-CIO £81,620 for failures relating to TSB's IT meltdown in 2018 (Decision). The Decision is the first time that the PRA has taken action for a breach of its Senior Manager Conduct rules and sends a clear message of the importance of firms' conducting appropriate diligence and oversight of their third party outsourced IT suppliers, including intragroup IT services.
Context: TSB's 2018 IT failure
In 2015 following TSB's takeover by Sabadell, TSB decided to migrate its IT services to a new platform based on Sabadell's IT banking platform, Proteo. Migration involved a major IT change programme, largely via a single main migration event, with some functionality transferred through earlier transition events.
TSB entered into an outsourcing arrangement wit Sabadell's IT service subsidiaries, SABIS Spain and SABIS UK (together "SABIS"), to design, build and operate the new platform. The arrangement provided for SABIS to engage external third party service providers to deliver certain systems and services required for the new platform and migration.
Mr Abarca was TSB's CIO and SMF18, and accountable for TSB's IT and IT business continuity planning during and in the run up to the incident. Although his responsibility for complying with the PRA's Outsourcing Rules was split with another Senior Manager, he was responsbile for operational relationships with third party IT providers and TSB's outsourcing relationship with SABIS.
When the migration took place on 20 – 22 April 2018, TSB encountered serious issues, including failures with online, telephone and mobile banking, branch technology failures and payment transaction issues. Disruption to customers and consumers was significant and received widespread attention.
Enforcement action: PRA willingness to pursue Senior Managers for outsourcing failings
The PRA had already fined TSB £27,000,000 in December 2022 (reduced to £18,900,000 upon settlement) for regulatory failings relating to the incident.
On 13 April 2023, the PRA imposed a penalty of £116,600 (reduced to £81,620) on Mr Abarca under s66 Financial Services and Markets Act 2000 for failings under Senior Manager Conduct Rule 2.
This requires that each Senior Manager takes reasonable steps to ensure that the business of the firm for which the Senior Manager is responsible complies with the relevant requirements and standards of the regulatory system.
In this case, the relevant requirements and standards included the PRA's Outsourcing Rules.
Senior Management Conduct Rule 2
In arriving at its decision, the PRA considered Mr Abarca's roles and responsibilities, including his Senior Manager's Statement of Responsibilities, his specific responsibilities for the migration, his accountabilities and responsibilities under TSB's Responsibilities Map and TSB's Material Risk Register.
The PRA found that he had not:
- ensured that SABIS's ability and capacity were adequately reassessed on an ongoing basis
- ensured that TSB obtained sufficient assurance from SABIS in relation to its readiness to operate the new IT platform
- given sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to SABIS’s readiness for migration.
The PRA concluded that his failings undermined TSB's operational resilience, potentially impacting on financial stability.
The PRA adopted a "range of reasonable responses" test in interpreting what "reasonable steps" means and concluded that although he had taken certain steps to mitigate risk and obtain assurance from SABIS (see below), this was not considered adequate and his conduct fell "outside the range of reasonable responses for a CIO in his position in a PRA authorised firm".
Trust but verify: What constitutes "sufficient assurance" on ICT and supplier risk?
The PRA Outsourcing Rules require firms to obtain sufficient assurance from suppliers to reduce operational risk. In this case, the supply chain of service providers (SABIS and fourth parties) exposed TSB to operational risk, but Mr Abarca failed to obtain sufficient assurance. But what constitutes sufficient assurance for these purposes?
Importantly, the level of oversight will depend upon the circumstances. In this case, Mr Abarca's oversight was not consistent with the "importance and scale" of TSB's migration, given the IT platform was critical to TSB's ability to provide continuity of banking services, and therefore its safety and soundness.
Below are some of the key takeaways for firms and Senior Managers on how this played out in the Decision:
- Reassess capabilities, including in light of service level breaches. Prior to the full 2018 migration, a report found there had been various issues relating to the initial transition events. TSB did not re-assess SABIS's capability to deliver the main migration in light of these issues.
- Testing, including root cause analysis. SABIS was responsible for testing to ensure readiness of the new platform, including to prove resilience and performance. TSB did obtain various assurances from SABIS on testing and readiness, but these were not always adequate. For example, many assurances were caveated with a number of outstanding tests that had not yet been completed. Where incidents did occur, root cause analysis was not always identified or addressed via testing.
- Scrutiny of confirmatory statements. The PRA cited Mr Abarca's reliance on SABIS's confirmation of readiness to proceed with the migration. However the PRA noted confirmations from SABIS and critical fourth parties were "forward looking statements of good intention or expectations", rather than statements of fact about readiness activities undertaken. Senior managers need to actively scrutinise assurance provided by third parties, rather than taking statements at face value.
- Oversight of fourth parties. Where a firm relies on an outsourced provider to manage fourth parties, the firm needs to ensure a sufficiently "engaged and proactive" approach to oversight of the fourth parties to ensure the firm's interests and needs are met. In this case, 85 fourth parties were subcontracted under the SABIS arrangements, including 11 subcontractors considered material. The PRA cites the fact that Mr Abarca relied on fourth party confirmations given to SABIS, without verifying whether SABIS had critically assessed these. For example he did not ask SABIS to obtain further comfort from the 11 critical fourth parties to confirm readiness for the migration.
- Timing. The original migration plan included a significant focus on testing and resilience. However, as plans fell behind schedule, critical testing plans and principles had to be deviated from to keep on track.
- Intra-group outsourcing and 'undue reliance' on intragroup providers. The Decision highlights that outsourcing to group members still requires a careful assessment of the provider's ability, capacity, resources and appropriate organisational structure to ensure the performance of the outsourced functions.
- Governance, documentation and internal assurance. Senior managers must document the evidence upon which their decisions are based, and keep management and boards informed of relevant risks. For example the PRA criticised that Mr Abarca's CIO attestation referred to SABIS's confirmation, but did not annex the letter itself or include the letter in any of the papers for the Board.
Regulatory requirements on outsourcing and operational resilience (that entered into force after TSB's IT failure) have increased the level of third party oversight required. The level of assurance necessary will depend upon the particular circumstances, including the nature, scope and complexity of the firm's activities, and the criticality or importance of the IT functions.
Senior Managers need ensure the firm's operating procedures include well-defined steps for managing ICT supplier risk; this might include risk matrix to assess relevant third and fourth parties depending upon the level of risk and criticality.
Implications for ICT service providers
By reinforcing the potential for personal liability, the Decision is likely to focus minds on firms' obligations to assess, monitor and scrutinise their ICT suppliers.
ICT suppliers (both third party and intra-group) should therefore expect increased scrutiny across the entire lifecycle of ICT arrangements. This could include enhanced scrutiny on confirmatory and assurance statements, greater oversight of fourth parties, scrutiny of testing, and greater reassessment of capabilities following incidents or service level breaches.
In the context of wider requirements around operational resilience, outsourcing, and the potential for direct regulation of 'critical third parties', compliance and assurance should be a key priority for ICT suppliers.
