Operational resilience lessons from TSB – the new ‘due diligence’ duty

The huge fine levied on TSB in the UK underlines the trend towards requiring proactivity in compliance.

In late December last year, the UK FCA and Prudential Regulatory Authority (PRA) delivered an early ‘insight’ present to busy compliance and technology teams with a stunning enforcement action in terms of size, scope and precedent. TSB Bank was fined £48.6m ($60.1m) for operational risk management and governance failures.

The regulatory requirements related to operational resilience had been increasing steadily ahead of the pandemic. They have accelerated since and this action offers real insights related to projects of this type where dependence is placed on critical third parties and damage to consumers can result from any systems and controls failure.

There is growing concern among regulators globally that risk connected to widespread use of outsourcing arrangements could lead to systemic risks that could undermine confidence in financial markets. Moreover, this fine is another example of the trend towards proactivity in compliance which will disturb financial services firms where resources are already stretched and stakeholders are demanding more from less in terms of personnel and technology.

Four pillars

The technical failure of the platform that TSB selected for its mass data migration highlighted four key vulnerabilities:

  • Inadequate testing: in preparation for the mass migration, deadlines were missed; sequential testing was done in parallel; testing was descoped.
  • Risk management: TSB failed to identify the obvious inexperience of the third party vendor, and this weakness extended to the bank itself in delivering a project of this magnitude.
  • Outsourcing: due diligence was insufficient given the criticality of the service, and of this migration, to the stability and operation of TSB’s banking service. This was complicated by the critical third party’s further dependence on 85 fourth/fifth parties, which should have been a vibrant red flag had proper due diligence been conducted.
  • Business continuity planning failure: as the platform could not cope and the situation swiftly descended into a crisis, it was evident TSB was not prepared and had not role-played the potential ‘worst case’ scenarios.

Some of the words in the FCA’s press release are instructive and should serve as alerts for IT teams contemplating projects of this ilk in future. This one was “ambitious and complex … carrying a high level of operational risk”. The regulators remind firms to “invest in their resilience”.

The language that the PRA uses in connection with incident management is particularly telling, indicating that it “expected the Firm to be proactive” in making sure not only that the third party supplier had an adequate framework in place, but that this framework could actually be used effectively.

The severity of the fine is clearly related to the outcome in this instance. All of TSB’s branches were affected, as well as the majority of the bank’s 5.2 million retail customers. To compound this, some of the issues persisted and business as usual did not return until eight months later.

Outcomes have been prominent in regulator rhetoric of late and this case is a great example of the need for firms to manage risk properly to avoid hugely negative outcomes. The size of the fine here was magnified by the profile of those affected – not only retail customers but in some cases the vulnerable.

Key takeaways

Due diligence of critical third parties. It is clear that more time and attention needs to be taken over this in terms of depth, frequency and validation. TSB chose a vendor that had no previous experience of delivering a project of this scale, did not have the tools and documentation required to complete it successfully, and was using an unestablished platform.

Dependencies on fourth and fifth parties. The critical third party that TSB relied on was itself outsourcing to no fewer than 85 other vendors (11 of which were material subcontractors). This considerable ‘tail’ had not been considered or evaluated by TSB – the consequence of this enforcement is that this supply chain of potential risk is now very much an additional area requiring firms’ attention for similar critical projects.

In addition to existing operational resilience requirements, when planning projects similar in scale to the TSB migration, firms must be aware of developing practice driven by future regulatory change. Critical projects with extensive time horizons need to account for new standards as they take shape in order to achieve future-proof compliance. Examples in this area include:

  • Outsourcing by investment advisers in the US. The SEC’s proposed Rule 206(4)-11 requires investment advisers who outsource certain critical covered functions to comply with an oversight framework to ensure both compliance with the regulations as well as the adequate management of risk. Under this new rule, an adviser is required to conduct advance due diligence to show that it is both appropriate to outsource the covered function, and to employ the specific service provider selected.
  • Outsourcing of critical functions in financial services in the UK. The Financial Services and Markets Bill (FSM), currently at committee stage in the House of Commons, includes a statutory framework for the management of risk posed by third parties that are designated as critical by the UK Treasury. The FCA, together with the Bank of England and the PRA, is analysing feedback received on a discussion paper published in 2021. Under this new regulatory framework, minimum resilience standards, new reporting and testing obligations, engagement with regulators, as well as exposure to potential enforcement action, are some of the measures being considered.
  • Outsourcing in financial services as well as critical sectors in the EU. The Digital Operational Resilience of the Financial Sector Directive (DORA) introduces an oversight framework for third party providers considered critical. Those deemed to be delivering services that are critical are subject to more robust rules, including adequate security measures, quantifiable performance targets, and reporting obligations.

The High Common Level of Cybersecurity Directive (NIS2) extends stricter requirements beyond the confines of the financial sector. More rigorous supervision and stringent requirements for third parties are intended to bolster supply chain security and help prevent systemic risk emerging in economic sectors that are themselves considered critical. The new measures also implement robust reporting requirements, as well as better information sharing for all parties in connection with cyber-attacks.

Conclusions

  • Firms cannot outsource their regulatory responsibilities – vendors have become an extension of the regulated entity.
  • Operational resilience is very high on the regulatory radar now and is not going away.
  • Regulatory requirements are increasing in relation to vendor due diligence and use of critical third parties (CTPs) – doing the bare minimum and hoping for a good outcome will not satisfy regulators, a lesson that TSB has learnt the hard way in this instance.
  • Regulators are demanding that firms and their executives are more thoughtful in examining their compliance obligations – this trend is evident in other regulatory themes such as SMCR, ESG and the new Consumer Duty. In this area firms must look beyond the obvious, test and role-play robustly to identify and risk manage the worst possible outcomes.

Originally published by Thomson Reuters © Thomson Reuters.