The recent Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) reform of regulations applying to operational resilience and outsourcing reflects the regulators’ heightened focus on these issues following high-profile incidents of IT disruption, such as the TSB IT migration in 2018. According to TSB’s annual reports following the incident, the estimated quantifiable costs of the incident are over £300 million, and the regulatory investigations have resulted in significant fines, first against TSB and now against a senior manager. The regulatory findings represent the first major fines for operational resilience failings after recent reforms in this area.
The decisions are of wider importance within the context of the Senior Manager Conduct Rules (SMCR), not least because of the limited number of fines against individual senior managers. Although the fine reflects the extent to which the IT migration represented a large-scale operation posing significant risk of disruption to consumers and financial stability, the decisions suggest that senior managers must be fully informed of relevant governance risks. In turn, assurances to the board may be insufficient, and further information should be considered depending on the magnitude of the risks.
The decision also shows that it may not be appropriate to rely on the fact that a contract used to engage a fourth party was one which conformed to the PRA’s Outsourcing Rules; again, further investigation may be required to fully assess the relevant issues. In this blog, we summarise recent developments in this area and assess lessons from the TSB incident, particularly for senior managers.
The TSB IT Migration
TSB conducted the migration of an IT system following a takeover by the Spanish bank, Sabadell Group. The project involved the transfer of c. 5 million customer accounts to a new IT system, Proteo, which had been used to integrate several banks in the Sabadell Group. The exercise was overseen by SABIS, a sister company of TSB and technology service provider to Sabadell. Although the migration of customer records proceeded as planned, there were significant problems. The issues included: (i) customers experienced difficulties using their accounts online and via TSB’s Mobile App; (ii) extended call times, with customers reporting 90-minute call waits on average; (iii) an increase in opportunistic fraud attacks (reported at 70 times the usual level); and (iv) many services were unavailable in branch. By the second week after the migration TSB had received over 33,000 customer complaints, more than 10 times its usual level. The migration resulted in a Treasury Select Committee investigation and caused significant reputational damage to the bank as well as substantial financial losses.
The Regulatory Findings
On 22 December 2022, the FCA imposed a fine of £276 million and the PRA a fine of £18.9 million against TSB. Most recently, on 13 April 2023, the PRA announced it had also imposed a fine against Carlos Abarca, the former Chief Information Officer (CIO) of TSB, of £81,620 for breaching PRA SMCR Rule 2 by failing to take reasonable steps to manage and supervise the project. In summary, the PRA Final Notice explains that the CIO did not adequately:
- oversee third parties conducting the migration;
- reassess plans for the migration on an ongoing basis;
- give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board on the migration; and
- ensure that the TSB Board understood and appreciated the risks and necessary safeguards to complete the project.
The IT Migration Programme was of a scale and complexity that was unprecedented in the UK, with TSB seeking to migrate customers off a third-party platform via a predominantly single migration event to a newly built platform. As a result, the project created significant risk if any major issues arose. Given the level of risk, the PRA Final Notice against the CIO (the “PRA Final Notice”) explains that “Mr Abarca’s conduct fell outside the range of reasonable responses for a CIO in his position in a PRA authorised firm, and contributed to the disruptions to the continuity of TSB’s core banking functions post-MME. For the Migration Programme, the PRA required a CIO to act reasonably in carrying out their role and responsibilities, in a manner that was commensurate with the degree of risk of a complex, large scale IT change management programme”.
Senior Management Responsibility for Operational Resilience
The PRA’s decision against the former TSB CIO illustrates that regulators will closely assess the “reasonable steps” a relevant manager has taken when assessing potential breaches of the SMCR regulatory standards. Within this context, operational resilience is fundamental to the PRA’s objective of “promoting the safety and soundness” of regulated firms. The PRA states that senior managers are crucial for “leading the change required to improve operational resilience”.
The PRA Final Notice indicates that the TSB CIO failed to take reasonable steps by relying on confirmations from SABIS in relation to its readiness to operate the new IT platform and by not conducting ongoing assessment of SABIS’s capabilities. It is implicit from the PRA Final Notice that the CIO should have investigated further and actively challenged SABIS, particularly given the problems experienced during the process of preparing for the migration. It was insufficient for the former CIO to rely on the fact that fourth parties engaged by SABIS had executed contracts which conformed to the PRA's Outsourcing Rules.
The PRA Final Notice against TSB also observed that for senior managers in areas “involving highly specialised technical expertise, which is not shared across the firm’s executive and board, it is all the more important for the SMF to recognise whether the decision is his or her own to take, whether it should be escalated to a different governance forum, and the importance of explaining the risks involved in the decision to other SMFs and the board”.
The PRA Final Notice is clear that whilst the rules on outsourcing should apply in a proportionate manner in an intra-group situation, this does not reduce the importance of “careful assessment of whether the service provider has the ability, capacity, resources and appropriate organisational structure to support the performance of the outsourced functions, and for this assessment to be revisited where appropriate”. In addition, where a firm is reliant on an outsourced service provider to manage fourth parties, a sufficiently engaged and proactive approach to oversight of the outsourced service provider is required. The PRA Final Notice against TSB likewise observed “boards should be suitably empowered and informed to discharge their responsibility to act in the best interests and safeguarding the safety and soundness of the firm for which they are responsible”.
The findings in respect of intra-group outsourcing show that regulators will expect firms to apply oversight robustly even in relation to intra-group arrangements. Boards must ensure they obtain adequate information to assess and oversee operations and cannot simply rely on untested assurances from intra-group entities. Even outside the context of intra-group outsourcing, the decision sends a wider signal regarding the PRA’s high expectations of the steps senior managers should follow to exercise adequate oversight of operations. In short, unquestioning reliance on internal confirmations and/or reassurances from reputable third parties are likely to be inadequate. Senior managers should actively engage with and understand all aspects of important operational changes that may cause significant disruption, investigating further where required.
The IT Migration was significantly reliant on fourth parties, involving 85 sub-contractors through SABIS and 11 material subcontractors of critical or important functions under the PRA regulatory outsourcing requirements. The reliance on SABIS to oversee additional parties (fourth parties to TSB) (the “Fourth Parties”) required TSB and the CIO to exercise careful oversight over the arrangements. The PRA Final Notice explains that “[w]here a firm is reliant on an outsourced service provider to manage fourth parties, a sufficiently engaged and proactive approach to oversight of the outsourced service provider is required to ensure that the firm’s interests and needs are met”. The important role of Fourth Parties necessitated that both TSB and the CIO assess the project carefully at all stages and not simply rely on confirmations in respect of the sub-contract arrangements.
Lessons from the TSB Incident
Senior managers need to tackle the novel issues arising from technological change and the increasing and evolving focus of regulators on operational resilience. As with UK regulators, US and EU regulators are also emphasising the importance of adequate oversight by senior management. In the US, recent guidance states that boards should continually assess tolerance for disruption and oversee the implementation of systems and controls that identify critical operations and permit the firm to maintain those operations within defined tolerances. The EU also recently adopted the Digital Operational Resilience Act (DORA), which requires financial entities to have comprehensive internal governance and control frameworks for the “effective and prudent” management of ICT risks. The DORA regulations suggest that ultimate responsibility will be upon senior management to oversee implementation of all arrangements relating to the ICT risk management framework.
The difficulties of maintaining ownership of operations in large and complex organisations present significant challenges for boards. To respond to developments, senior managers should consider the increasingly consistent expectations that are emerging internationally.
The following pointers may be useful to note when assessing how to meet these expectations in practice:
- Understand – gather and assess information to gain the requisite understanding of operations. If necessary, obtain third party expert advice even where there is expertise on aspects of operations within an organisation’s intra-group structure.
- Challenge – critically question plans and require change where necessary to counter potential problems that may arise during operational change.
- Re-evaluate – return to previous plans for responding to disruption and update them to reflect recent developments.
- Coordination – aim to implement a single framework and approach across intra-group structures that includes necessary enhancements.
- Third party focus – provide appropriate attention and challenge to third party service providers. Material relationships should be subject to audits and contractual safeguards that are tested and overseen in accordance with regulatory expectations.
- Ongoing review – set and comply with clear timescales for reviewing frameworks used to maintain adequate operational resilience.
- Governance – senior management cannot be passive reviewers of guidance provided by teams overseeing operations; they need to ensure their understanding of critical services can respond to evolving risks and that an appropriate risk appetite for disruption is systematically applied across the firm.
- Culture – meet regulators’ expectations that firms will embed the principles of safety and soundness in the culture of the whole organisation.