UK Regulators Fine Leading Bank £48m for Operational Failings
Partner | Financial Regulation

The UK’s Financial Conduct Authority (“FCA”) and Prudential Regulation Authority (“PRA”) have together fined a leading bank a total of £48,650,000 for IT failures that left customers unable to access their accounts. The fine would have been £69,500,000 were it not for a 30% discount for early settlement.

In 2018, the bank undertook a single migration of its entire system to a newly built platform, the failure of which left personal and business banking customers unable to access their accounts. Investigations by the PRA (responsible for the prudential regulation of the bank) and the FCA (responsible for conduct of business regulation) found that significant operational risk management and governance failures in organizing and controlling this significant outsourcing project led directly to significant disruption to business. Both regulators pointed to the crucial role of prudent management and governance in ensuring safety and soundness and identified insufficiently robust governance as a key element in the incident. The bank’s approach to risk management was also assessed as deficient; examples included the static nature of the programme risks (the list of 22 risks remained unchanged throughout the project) and a lack of visibility over the supply chain.

While the incident pre-dates the PRA’s specific operational resilience framework for banks (in force in 2021), both regulators pointed to pre-existing principles and rules that had been breached. In the case of the PRA, the failures were at heart a result of breaches of Fundamental Rules 2 (business must be conducted with due care, skill and diligence) and 6 (firms must organize their affairs responsibly and effectively). As we move towards full implementation of UK regulators’ rules on identifying and operating within impact tolerances for operational risks to all important business services, this enforcement action serves as a reminder that the universe of these risks requires comprehensive resilience that includes outsourcing and supply chain relationships.

January 5, 2023