TSB fined £48 million for operational resilience failures.
Yesterday the Bank of England announced a whopping £48.65 million in fines for TSB bank in relation to their huge IT outages in 2018.
These fines, plus the £32.7 million paid in compensation to affected customers and other costs, mean that the bank has now forked out over £378 million due to its operational resilience, risk management and governance failures during the 2018 IT project.
A £378 million outage
TSB’s 2018 ‘Migration Programme’ resulted in a successful data migration, but the target platform immediately suffered huge failures which left a significant proportion of its 5.2 million customers unable to access banking services.
In 2019 TSB told the BBC that the outage had cost them £330 million, lost them 80,000 customers and caused significant reputational damage. The complexity of the IT migration and the severity of the outage have resulted in a long investigation by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).
The FCA and the PRA found that the critical IT failure resulted in significant disruption to the continuity of TSB’s banking services, including its branch network as well as telephone, online and mobile banking. The bank was found to be in breach of Principles 2 and 3 of the FCA’s Principles for Businesses, and PRA Fundamental Rules 2 and 6.
What the regulators had to say
In its Final Notice, the FCA outlined the reasons behind its decision, and there are some important lessons here for a sector facing increasingly stringent resilience regulations:
1) The launch timetable was too ambitious, given known delays to the project.
2) Testing was insufficient, and impacted by the delays to the Migration Programme.
3) There were critical risk management oversights; TSB did not explicitly assess the risks arising from inadequate performance by contractors.
4) Given the scale of the project, TSB failed to perform a comprehensive due diligence exercise on SABIS (its third-party contractor) and its supplier management model.
5) The decision not to request full design documentation limited TSB’s effectiveness when it came to its incident management response.
6) TSB’s business continuity preparations were inadequate for the scale of the incident which took place.
In its statement, the Bank of England said:
Operational resilience is a priority for both the FCA and PRA. As demonstrated by this incident, operational disruption can cause wide-ranging harm and it is critically important firms invest in their resilience… the regulators found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
Regulators ramp up scrutiny of firms’ resilience
This year was the year of resilience regulation, with new FCA guidelines coming into force in the UK and the EU formally approving its Digital Operational Resilience Act.
These regulations require financial services firms to have identified their critical business services and ensured that they can remain within defined impact tolerances should an outage occur.
For the FCA and PRA regulations, the implementation period will come to an end in March 2025, by which time regulated firms “must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances”.
Though TSB’s 2018 incident predates the regulations, TSB’s fine is the largest issued to a bank since these regulations came into force, and shows how seriously regulators will take similarly high-impact operational resilience failings.
Avoid multi-million pound fines - assess your resilience readiness
There are a number of dimensions to organisational resilience:
The Cloudsoft Resilience Readiness Assessment assesses your organisation across these dimensions, and rates your resilience maturity and how it aligns to FCA and EU Digital Operational Resilience requirements. You will be given an action plan to mature your operational resilience and technology governance.