TSB Fined £48.65m For Operational Resilience Failings
What has happened?
In December 2022, the FCA and the PRA fined TSB Bank plc £48,650,000 (£29,750,000 by the FCA and £18,900,000 by the PRA) for operational risk management and governance failures, including in the bank’s management of outsourcing risks relating to its IT upgrade programme. Technical failures in TSB’s IT system resulted in customers being unable to access banking services.
What are the key points for firms?
In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services onto a new IT platform. While the data migrated successfully, the platform immediately experienced technical failures, which resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking. All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to experience problems for months afterwards, and it took until December 2018 for TSB to return to business as usual.
TSB paid £32.7m in redress to customers who suffered detriment from these issues.
TSB’s IT migration programme was an ambitious and complex IT change management programme carrying a high level of operational risk. Its success was critical to TSB’s ability to provide continuity of critical functions. However, the regulators found that TSB failed to organise and control the migration programme adequately and failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
This should be a wake-up call for all firms that are in scope of the new Operational Resilience rules. Operational resilience is a key focus for the regulators, and it is therefore paramount that firms ensure that they are ready and organised to comply, including the consideration of the impact of any third-party service providers where they are involved in the provision of those important business services, or as part of any change programme.
In March 2021, the FCA published its final Operational Resilience rules and policy and a shared policy summary alongside the Bank of England and the PRA. The regulatory updates apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities authorised and registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
The FCA rules and guidance came into force on 31 March 2022. In-scope firms, as soon as reasonably practicable and by no later than 31 March 2025, will need to have:
- performed mapping and testing so that they can remain within impact tolerances for each important business service, and
- made the necessary investments to be able to operate consistently within their impact tolerances.
Such firms must already have:
- identified important business services that, if disrupted, could cause intolerable harm to consumers or risk to market integrity, threaten the viability of firms or cause instability in the financial system,
- set impact tolerances for the maximum tolerable disruption to these services,
- carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in their operational resilience,
- conducted lessons learnt exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible,
- developed internal and external communications plans for when important business services are disrupted, and
- prepared self-assessment documentation.
How can we help you?
It will soon be one year since the new rules came into effect. If you have yet to identify and map your important business services, identify weaknesses and vulnerabilities, set tolerance thresholds, prepare scenario analysis and complete the self-assessment document required by these regulatory updates, then you need to start now.
If you’d like to know more about how we can help you with your operational resilience arrangements or any other regulatory updates and compliance issues, our specialist team is here to help.
Contact us today on 020 7436 0630 – or email info@thistleinitiatives.co.uk.