Video
Let's talk antitrust: Discussing recent cases and emerging competition issues
Recent cases and judgments have shone a light on some emerging themes and trends that companies will want to consider as part of their risk management framework.
United Kingdom | Publication | May 2023
On 13 April 2023, the Prudential Regulation Authority (PRA) fined the former Chief Information Officer (CIO) of TSB Bank plc (TSB), Carlos Abarca, £81,620 for failing to take reasonable steps to ensure that TSB adequately managed and appropriately supervised its outsourcing arrangements in relation to its 2018 IT migration programme, in breach of PRA Senior Manager Conduct Rule 2 (SMCR 2). SMCR 2 requires that a senior manager, such as Mr Abarca (who held SMF18), must take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system. This decision follows enforcement action against TSB in December 2022 for operational risk management and governance failures, which resulted in a joint fine by the PRA and Financial Conduct Authority (FCA) of £48,650,000.
The case is a reminder of the current regulatory focus on operational resilience, as well as financial resilience, and emphasises in particular the key role that senior managers play in ensuring that firms manage and supervise outsourcing effectively. Ultimately Mr Abarca was fined because the PRA viewed his management of a key outsourcing relationship as falling below the expected standard and “outside the range of reasonable responses for a CIO in his position … and contributed to the disruptions to the continuity of TSB’s core banking functions”. The decision contains a number of learnings for senior management, and firms, in relation to managing IT migration programmes, and outsourcing arrangements and expectations of senior managers more broadly, which we set out below.
Between 2015 and 2018, TSB, a UK retail bank, carried out a significant IT change programme which included the creation of a new core banking platform, followed by a migration of TSB’s customers’ data to that platform. TSB appointed two service subsidiaries within its group to provide the required services in relation to the new platform, SABIS Spain and Sabadell Information Systems Limited (together SABIS). Under the relevant contracts, the SABIS entities’ services included the building and testing of the platform and operating the platform following migration. Under the contracts, SABIS relied ‘extensively’ on third parties (which the PRA describes as TSB’s fourth parties) to deliver the systems and services required for the migration and its operation. Indeed, there were 85 fourth parties, 11 of which were material subcontractors.
The migration was to be effected via a predominantly single Main Migration Event (MME), with some functionality migrated through Governed Transition Events (GTEs) prior to this. The GTEs commenced in 2017. The MME took place in April 2018 and, whilst the data migration was successful, the new platform almost immediately experienced serious technical failures, including failures with online, telephone and mobile banking services and consequential issues with payment and debit card transactions. As a result, there was significant disruption to the continuity of TSB’s banking services, with all of TSB’s branches and a significant proportion of its 5.2 million customers being impacted. It took until December 2018 for TSB to return to business-as-usual and TSB has paid £32.7m in redress to customers who suffered detriment. The direct causes of the technical problems experienced during the MME mainly related to issues with IT configuration, capacity and coding.
Under the Senior Managers & Certification Regime (SMCR), Mr Abarca held SMF18 (other overall responsibility) from March 2016 and was the most senior executive responsible for TSB’s information technology and IT business continuity planning. He was also responsible for, amongst other things, managing the migration programme and TSB’s key outsourcing relationship with SABIS. In the PRA’s view, the processes for which Mr Abarca was responsible in performance of his role as CIO were critical to the success of the migration and the knowledge of the risks that TSB understood it was accepting and was willing to accept.
The PRA found that Mr Abarca breached the PRA’s SMCR 2 because he failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rules in adequately managing and appropriately supervising its outsourcing arrangement with SABIS. Particular failings included that he did not:
Mr Abarca agreed to settle his case and therefore qualified for a 30% reduction in his fine. Without this discount, the fine would have been £116,600, based on a starting point of 15% of his relevant income.
The case contains a number of learnings for senior management, and firms, in relation to managing IT migration programmes, and outsourcing arrangements more broadly. These include:
It is interesting that the PRA has taken action against Mr Abarca for a breach of SMCR 2, as opposed to for a breach of the duty of responsibility or for being knowingly concerned in TSB’s breaches. In addition to the lessons from the case mentioned above, this decision will be of wider interest to senior managers and firms more generally given that there has been such limited successful enforcement action under the SMCR to date. According to a June 2022 Freedom of Information request response, when asked how many successful enforcement actions had been taken due to an investigation under the SMCR where one or more of the individuals investigated was a senior manager, the FCA responded that, as at 27 April 2022, only two senior managers had received a financial penalty or public censure since 2016 (from the date on which the SMCR first became effective), and only one senior manager had received a prohibition. According to another Freedom of Information request response, as at June 2022 there were also only 16 ongoing investigations into non-SMF individuals (which includes Certified Individuals and other staff to whom the FCA Code of Conduct applies).
This decision also comes at a time when the SMCR is under review. In December 2022, the government announced, as part of the Edinburgh Reforms, that HM Treasury (HMT), the FCA and the PRA would commence separate reviews of the SMCR. In line with this, as noted in previous Regulation Tomorrow blogs, on 30 March 2023 the FCA and the PRA published a joint Discussion Paper seeking input on potential ways to improve the SMCR and views on its effectiveness and proportionality. On the same date, HM Treasury published a Call for Evidence on the SMCR to look at the legislative aspects of the regime. Responses to both of these are due by 1 June 2023.
To conclude, our key practical tips for senior managers from this decision are:
© Norton Rose Fulbright LLP 2023