The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) on December 20, 2022, announced fines totaling £48.65 million ($59 million) on TSB Bank plc (TSB) for operational resiliency failures, after an IT upgrade led to customers being unable to access core banking services.
The bank previously formed part of the Lloyds Banking Group before it was spun out in 2014 and then purchased by Spanish banking group Sabadell in 2015. In April 2018, the bank updated its IT system and migrated its corporate and customer service data to a new platform provided by Sabadell. Although the migration of data was successful, the platform soon experienced technical issues that disrupted TSB’s branch, telephone, online, and mobile banking services.
A significant portion of TSB’s then 5.2 million customers were affected by the issues, with problems persisting through December 2018. During this time, fraudsters saw an opportunity in the confusion and a number of customers were the victims of scams. Following the incident, TSB paid out £32.7 million ($39.7 million) in redress to its customers.
The FCA handed down its second-largest penalty for operational failures at £29.75 million ($36.12 million) and the PRA its largest-ever fine for the same at £18.9 million ($22.95 million). TSB agreed to settle with the regulators, meaning that these figures are discounted from the original combined £69.5 million ($84.37 million) that the regulators would have been entitled to impose.
This outcome will be cause for concern for any financial services provider looking to make a similar transition to a new IT platform. It is therefore crucial to first understand what the regulators considered to be TSB’s failings in preparing for and implementing the transformational IT change, and then to mitigate those failings.
The regulators acknowledged that all large-scale and complex IT change management programs inherently carry a high degree of operational risk. However, the specific issues in the TSB migration stemmed from the following:
- Failure to properly plan for and organize the transition
- Failure to implement sufficiently robust governance to control the transition once live
- Failure to responsibly and effectively manage operational risks arising from critical third-party IT outsourcings
It is clear that proper planning and governance of IT change management processes, including in respect of critical third parties, are key to reducing the risk of penalties being imposed by the FCA and PRA.
In April 2021 we reported on the UK regulators issuing policy summary and consultation papers on operational resilience in the financial services sector, an act that reaffirmed their focus on operational resilience. It is clear that this continues to be a priority for the FCA and PRA; now more than ever, it is critical that regulated UK entities invest in, and plan for, operational resilience.