The Prudential Regulation Authority (PRA) has fined Mr Carlos Abarca, the former Chief Information Officer (CIO) of TSB Bank plc (TSB), £81,620 for breaching PRA Senior Manager Conduct Rule 2 as he failed to take reasonable steps to ensure that TSB adequately managed and supervised appropriately its outsourcing arrangement in relation to its 2018 IT migration programme.
This follows on closely from the enforcement action taken in December 2022 against TSB for operational resilience failings, which resulted in a joint financial penalty of £48,650,000 imposed by the PRA and Financial Conduct Authority (FCA).
As CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so.
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
‘Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.’
In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services on to a new IT platform. While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business-as-usual. TSB has paid £32.7m in redress to customers who suffered detriment.
The PRA’s investigation found that Mr Abarca breached the PRA’s Senior Manager Conduct Rule 2 because he failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rules. In particular, Mr Abarca did not:
- ensure that the third party’s ability and capacity were adequately reassessed on an ongoing basis;
- ensure that TSB obtained sufficient assurance from the third party in relation to its readiness to operate the new IT platform; and
- give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to the third party’s readiness for migration.
Mr Abarca’s Senior Manager Conduct Rule 2 failing undermined TSB’s operational resilience and contributed to the significant disruption TSB experienced.
Mr Abarca agreed to resolve this matter with the PRA, and therefore qualified for a 30% reduction in the overall fine imposed by the PRA. Without this discount, the financial penalty would have been £116,600.
Notes to editors
- PRA Final Notice to Carlos Abarca
- PRA Final Notice to TSB Bank Plc
- FCA Final Notice to TSB Bank Plc
- The Senior Managers and Certification Regime was introduced in 2016 for banking institutions to embed greater individual accountability by ensuring authorised firms allocate clear responsibilities to key decision-makers. Under this regime, firms must allocate ‘prescribed responsibilities’ – specified in the PRA Rulebook – to Senior Managers. One of these is responsibility for the firm’s performance of its obligations under the PRA’s rules relating to outsourcing. The PRA latest supervisory statement setting out its expectations and approach to strengthening individual accountability in banking can be located here.
- SS2/21 'Outsourcing and third party risk management' Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group, and should not be treated as being inherently less risky.
- The PRA Rulebook can be located here.
- The PRA’s statutory supervisory powers and The PRA’s Approach to Enforcement.
- The PRA, alongside the FCA have issued a Discussion Paper on the Review of the SM&CR. The regulators welcome feedback to the Discussion Paper until 1st June, which will help inform any future policy changes to the regime.