The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have fined TSB Bank plc (“TSB”) a total of £48,650,000 for operational risk management and governance failures, including management of outsourcing risks, relating to the bank’s IT upgrade programme. Technical failures in TSB’s IT system ultimately resulted in customers being unable to access banking services.
In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services on to a new IT platform (the “Migration Programme”). While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business-as-usual. TSB has paid £32.7m in redress to customers who suffered detriment.
TSB’s IT migration programme was an ambitious and complex IT change management programme carrying a high level of operational risk. Its success was critical to TSB’s ability to provide continuity of critical functions and safety and soundness. However, the regulators’ found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
Operational resilience is a priority for both the FCA and PRA. As demonstrated by this incident, operational disruption can cause wide-ranging harm and it is critically important firms invest in their resilience.
Mark Steward, FCA Executive Director of Enforcement and Market Oversight said:
'The failings in this case were widespread and serious which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable.
'The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.'
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
'The PRA expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.'
TSB was fined £29,750,000 by the FCA and £18,900,000 by the PRA. TSB agreed to resolve this matter with the FCA and PRA qualifying it for a 30% discount in the overall penalty imposed by both regulators. Without this discount, the FCA and PRA would have imposed a combined financial penalty of £69,500,000 (£42,500,0000 by the FCA and £27,000,000 by the PRA).
Notes to editors
- FCA Final Notice to TSB Bank PLC
- PRA Final Notice to TSB Bank PLC
- TSB Bank PLC (“TSB”) is regulated by the Prudential Regulation Authority (PRA) for prudential purposes and by the Financial Conduct Authority (FCA) for conduct matters.
- PRA Statement of Policy: 'Operational resilience' March 2021. The PRA’s outsourcing rules during the relevant period under investigation applied specifically to the ‘performance of operational functions which are critical for the performance of relevant services and activities’. Although the PRA’s current, overarching operational resilience framework was introduced after the migration incidents (specifically, in 2021), the PRA’s requirements and expectations as regards to managing operational resilience consolidate many long standing and well understood areas of prudential regulation that have formed part of the PRA Rulebook for several years, including during the relevant period under investigation. These areas include governance, operational risk management, business continuity planning and the management of outsourced relationships.
- Supervisory Statement: Operational resilience: Impact tolerances for important business service. March 2022. In pursuing its objectives, the PRA places a high priority on developing and embedding operational resilience in its supervisory approach in order to mitigate the risk of disruption to the provision of critical functions. Operational resilience is the ability to prevent, adapt and respond to, and recover and learn from operational incidents, including but not necessarily limited to those relating to cyber and technology. Managing operational resilience adequately is a way firms can reduce the number and impact of IT or operational incidents. The way in which a firm manages operational resilience is an integral part of the PRA’s assessment of a firm’s safety and soundness.
- TSB is a UK retail bank that provides various services to its customers including personal current accounts; business banking; savings accounts; mortgages; insurance; loans; and credit cards. TSB’s customers accessed services through digital channels (both through internet-banking and through its mobile app), telephone banking and by visiting branches.
- The FCA’s Approach to Enforcement
- The FCA Enforcement information Guide
- The PRA’s statutory supervisory powers
- The PRA’s Approach to Enforcement
- Find out more information about the FCA.