The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have fined TSB Bank plc (“TSB”) a total of £48,650,000 for operational risk management and governance failures. These included management of outsourcing risks, relating to the bank’s IT upgrade programme.
This fine comes two weeks after another high street bank, Santander, was fined by the FCA. While Santander’s fine was a result of AML negligence, customers were impacted in a similar way. In the TSB case, technical failures in its IT system ultimately resulted in customers being unable to access banking services.
In April 2018, TSB updated its IT systems. It migrated the data for its corporate and customer services on to a new IT platform (the “Migration Programme”). While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business-as-usual. TSB has paid £32.7 million in redress to customers who suffered detriment.
TSB’s IT migration programme was an ambitious and complex IT change management programme carrying a high level of operational risk. Its success was critical to TSB’s ability to provide continuity of critical functions and safety and soundness. However, the regulators found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
Operational resilience is a priority for both the FCA and PRA. As demonstrated by this incident, operational disruption can cause wide-ranging harm and it is critically important firms invest in their resilience.
Failing to meet expectations
Mark Steward, FCA executive director of enforcement and market oversight, said:
“The failings in this case were widespread and serious. They had a real impact on the day-to-day lives of a significant proportion of TSB’s customers. Especially those who were vulnerable.
“The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
Sam Woods, deputy governor for prudential regulation and chief executive officer of the PRA, said:
“The PRA expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.”
TSB was fined £29,750,000 by the FCA and £18,900,000 by the PRA. TSB agreed to resolve this matter with the FCA and PRA, qualifying it for a 30 per cent discount in the overall penalty imposed by both regulators. Without this discount, the FCA and PRA would have imposed a combined financial penalty of £69,500,000 (£42,500,000 by the FCA and £27,000,000 by the PRA).
Bill Wilson, head of data and sustainability solutions at NTT DATA UK&I, commented on TSB’s £49 million fine, saying:
“Three years on and the after-effects of TSB’s botched platform migration are still being felt. The lesson for businesses is obvious. The underlying data migration needs plenty of care and attention to ensure that business as usual can carry on through low-risk phased migrations.
“It’s unfortunate that situations like these in the banking industry have not only put the banks’ reputations at risk, but they have also impacted customers’ experiences too. As a result, many have been unable to access their banking services.
“However, this does not mean that organisations should shy away from digital transformation. There were good reasons for TSB starting down the path to modernisation. With the right partner in place, data migration projects can run very smoothly, avoiding the risk of failure for essential services and, in the case of TSB, negating the threat of regulatory fines.
“Successful strategies should follow a step-by-step process. They must understand where data can be decoupled to allow for phased migrations. They must have the transition approach as a driver of the programme plan, not an afterthought. Building in resilience to negate such risks is critical. It’s clear that when platform migration projects fail, everybody loses out.