Last month, the UK’s Prudential Regulation Authority (PRA) fined TSB’s former Chief Information Officer (CIO), Carlos Abarca, £81,620 in connection with the disrupted migration of TSB’s core IT systems to a replacement solution. Details of the decision can be found here.
The decision concerns a breach of ‘PRA Senior Manager Conduct Rule 2’ of the Senior Managers and Certification Regime (SMCR), which requires compliance with requirements and standards of the regulatory system.
The decision contains a number of lessons for Senior Manager Functions (SMFs) in respect of migration programmes, outsourcing arrangements and the expectations placed on SMFs more broadly. Interestingly, the decision is the first to provide some guidance on “reasonable steps”, a key concept underpinning the Senior Manager Conduct Rules. In this note we explore what the decision means for SMFs and, in particular, what it means in practice to take reasonable steps to ensure compliance with the regulatory system.
In April 2018, TSB migrated millions of customer accounts from the Lloyds Bank system to a new core banking platform, Proteo4UK. Over a five-day period following the migration, TSB customers experienced failures with online services, telephone and mobile banking services, branch technology, and consequential issues with payment and debit card transactions.
During the relevant period, Mr Abarca was the CIO and holder of SMF18 (Other Overall Responsibility). The PRA relied heavily on the Senior Management Statement of Responsibilities and the firm’s material risk register to assess the responsibilities connected to the role. Those documents confirmed that the role included responsibility for TSB’s IT function and business continuity planning, but also compliance with the PRA’s Outsourcing Rules, including the migration programme and associated key outsourcing relationships, in addition to migration governance, communication, risks, decision-making processes and outcomes.
The PRA found that this required the CIO to take reasonable steps to “ensure effective management of the migration process, including identifying and mitigating risks from an IT perspective” and “ensure TSB’s compliance with the PRA’s Outsourcing Rules, including obtaining sufficient assurance from third party providers to reduce the risk of operational disruption and the potential impact on financial stability”.
However, the conduct in question fell below the expected standard and “outside the range of reasonable responses for a CIO in his position”, which contributed to the disruptions to TSB’s core banking functions.
It should be noted that the CIO held some of these responsibilities jointly, but unfortunately the PRA did not take the opportunity to clarify the approach to be taken to joint responsibilities.
In the context of migration programmes and outsourcing, SMFs are expected to ensure:
For CIOs, Chief Compliance Officers, Chief Risk Officers, Data Protection Officers, or any other individuals involved in outsourcing of critical functions to third parties, operational resilience should be a continued area of focus.
It is important that SMFs:
Although this is the first enforcement action taken by the PRA for a breach of the Conduct Rules, it follows the FCA’s continued focus on investigating individual wrongdoing at the same time as it conducts investigations into firms.
The decision therefore signals that the number of SMCR investigations into individuals will continue to rise in the upcoming years.
If you have any questions or would like to discuss, please do reach out to Gareth.Oldale@TLT.com or Chantal.Peters@TLT.com.
The views, opinions and positions expressed within guest blogs are those of the authors and do not necessarily represent those of the BSA.