Fine for former CIO at TSB breathes new life into senior manager conduct rules

Regulator’s action may prompt a rethink on outsourcing as senior manager accountability moves centre stage.

On April 13, 2023, the UK PRA announced that it had fined Carlos Abarca, who was CIO of TSB Bank during the period for which the bank itself had been fined almost £50m ($62.35m) for failing to conduct proper due diligence on operational risk in a significant data migration project.

The fine of £116,000 ($145,000) – reduced to £81,620 ($102,000) after Abarca agreed to settle – was imposed for the CIO’s mismanagement of the event, which ultimately saw TSB customers unable to access their accounts for prolonged periods. Moreover, the initial action taken against TSB Bank was the first of its kind to apply current operational resilience expectations for outsourcing to a data migration event that occurred in 2018, drawing questions around the retroactive application of regulation.

To recap, TSB was acquired in 2015 by a Spanish financial services company. As part of this acquisition, TSB was required to migrate some 1.3 billion customer records away from a legacy system to a new platform. TSB sought the services of a third-party provider to migrate and maintain this customer data.

“The governance of the project was insufficiently robust.”

PRA and FCA

The data migration was planned over a period of three years; however, the “Main Migration Event”, which took place in 2018, ultimately failed, leaving customers and bank branches unable to access accounts.

In their initial judgment against TSB, the PRA and FCA determined that TSB had failed to consider the third party’s “capability to deliver” on the data migration. Specifically, TSB’s “governance of the project was insufficiently robust” and failed to acknowledge that the third party had “no experience of managing service delivery from a large number of UK subcontractors”. The bank had failed to implement “adequate risk management systems” when conducting the data migration.

Landmark fine

The CIO held SMF18 (other overall responsibility) under the Senior Managers and Certification Regime (SMCR) and was responsible for “TSB’s key outsourcing relationships” and “the operational relationship with third parties in relation to IT” under the PRA’s Outsourcing Rules.

By extension, the CIO was also required by the PRA’s Senior Manager Conduct Rules to “take reasonable steps to ensure that the business of TSB for which he was responsible complied with relevant regulatory requirements and standards”.

By virtue of this suite of rules and responsibilities, the PRA found that the CIO was, amongst other things, accountable for:

  • the building and implementation of the migration;
  • the outsourcing relationship with the third party;
  • the migration governance, communication, and decision-making process;
  • the risk of the migration causing “operational instability or a degradation in resilience and poor customer outcomes”.

After the Main Migration Event failed, the PRA determined that the CIO had not taken reasonable steps to ensure that the programme complied with the above rules. In particular, he had not obtained assurance from the third-party vendor that it had the resources, experience, or capability to operate the platform following the migration event.

Of particular note here is a section within the PRA’s Final Notice entitled “Reasons why the PRA has taken action”, which offers an insight into the PRA’s rationale – perhaps in acknowledgement of this landmark action.

The Final Notice highlights operational resilience as “an integral part of the PRA’s assessment of a firm’s safety and soundness” which extends to outsourcing agreements with third parties – and fourth parties, too.

The PRA says: “Where a firm is reliant on an outsourced service provider to manage fourth parties, a sufficiently engaged and proactive approach to oversight of the outsourced service provider is required to ensure that the firm’s interests and needs are met.”

It added that TSB’s migration to a third-party platform, and the associated outsourcing arrangements, were critical to its ability to provide continuity of banking services and therefore its safety and soundness. The PRA required the CIO to act in a manner that was “commensurate with the degree of risk of a complex, large scale IT change management programme”. The CIO did not meet the PRA’s expectations.

What we are seeing here looks like an important test case: one that makes an example of TSB as a warning shot to other firms about regulatory expectations, and a hint at the force with which the regulator is prepared to act.

Lessons to learn

So, what does this mean for other CIOs and senior managers, and how can similar fines be avoided? Since the implementation of SMCR and the Senior Manager Conduct Rules, regulatory obligations have been clear, but a lack of enforcement action under these rules has left many questioning the credibility of the framework. The PRA’s fine for TSB’s former CIO should leave no doubt as to the weight that compliance teams should be placing on conduct and accountability for senior managers. This is especially true where projects concern operational resilience or outsourcing.

For CIOs – and indeed any senior manager charged with overseeing third-party relationships – operational resilience should be top of mind when looking to allocate critical services to third parties.

To avoid facing similar regulatory action, senior managers should be placing due diligence and Know Your Vendor practices at the forefront of outsourcing projects. In particular, ask whether the third party has demonstrable experience of delivering similar services; whether it has the resources and foundations to see the project through from inception to success; and whether you have a business continuity plan (BCP) that sets out a clear path to recovery in the event that the project fails. Testing that plan will be key here.

The UK government’s recent proposals to reform financial services regulation – the Edinburgh Reforms – led to speculation that SMCR would be revisited, loosened, or even scrapped. As above, an absence of enforcement action has seen some question the effectiveness of the framework. The PRA’s action against this former CIO shows that senior manager accountability is still a key consideration for regulators. There may be life yet for SMCR.