The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have fined R. Raphael & Sons plc (“Raphaels”) for failing to manage its outsourcing arrangements properly between April 2014 and December 2016. Raphaels has received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of these breaches (resulting in a combined fine of £1,887,252).
Mark Steward, FCA Executive Director of Enforcement and Market Oversight, said:
‘Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.’
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
‘Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.
In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.’
Raphaels is a retail bank providing banking and related financial services. Its Payment Services Division (PSD) operates prepaid card and charge card programmes in the UK and Europe. The PSD relies on outsourced service providers to perform certain functions that are critical to the operation of its card programmes. These functions include the authorisation and processing of card transactions, a service performed by third party card processors.
Raphaels failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, particularly how they would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm. These risks crystallised on 24 December 2015 when a technology incident occurred at a card processor.
The incident caused the complete failure of the authorisation and processing services the card processor provided to Raphaels and lasted over eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATM machines and online. Seasonal workers, who depended on their cards to receive their wages, used the largest prepaid card programme affected by the incident. The timing of the incident, on Christmas Eve, is likely to have exacerbated the impact of the outage.
Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from Board level down. The joint FCA and PRA investigation identified weaknesses throughout the Firm’s outsourcing systems and controls which Raphaels ought to have known about since April 2014. These included a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers. Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016, by which time Raphaels had designed new outsourcing policies and procedures to remedy the failings.
Raphaels agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been £2,709,574.
Notes to editors
- Final Notice from the PRA. Final Notice from the FCA
- Raphaels is a retail bank authorised by the PRA and jointly regulated by the FCA and PRA.
- This was a joint investigation by the FCA and PRA. Raphaels has been fined according to the FCA and PRA penalty regimes which each have five steps to calculate the level of the fines imposed. The detailed calculations are set out in both the PRA and FCA Final Notices.
- The PRA has previously fined Raphaels for historic failings in relation to its governance and oversight of outsourced functions – see PRA Final Notice dated 12 November 2015.
- In July 2018, the PRA and FCA published the Operational Resilience: Impact tolerances for important business services discussion paper. This included guidance to firms to recognise the significance that third party service provision can play in operational resilience. Feedback has been received and the FCA and PRA are expected to publish a consultation paper on this topic later in 2019.
- On 1 April 2013, the FCA became responsible for the conduct supervision of all regulated financial firms and the prudential supervision of those not supervised by the Prudential Regulation Authority (PRA).
- The FCA has an overarching strategic objective of ensuring the relevant markets function well. To support this it has three operational objectives: to secure an appropriate degree of protection for consumers; to protect and enhance the integrity of the UK financial system; and to promote effective competition in the interests of consumers.