Guest blog by Gareth Oldale, Partner and Head of Data Privacy and Cybersecurity at TLT LLP

Last month, the UK’s Prudential Regulation Authority (PRA) fined TSB’s former Chief Information Officer (CIO), Carlos Abarca, £81,620 in connection with the disrupted migration of TSB’s core IT systems to a replacement solution. Details of the decision can be found here.

The decision concerns a breach of ‘PRA Senior Manager Conduct Rule 2’ of the Senior Managers and Certification Regime (SMCR), which requires compliance with requirements and standards of the regulatory system.  

The decision contains a number of learnings for Senior Manager Functions (SMF) in respect of migration programmes, outsourcing arrangements and expectations of SMFs more broadly.  Interestingly, the decision is the first to provide some guidance on “reasonable steps”, a key concept underpinning the Senior Manager Conduct Rules.  In this note we explore what the decision means for SMFs and in particular, what it means in practice to take reasonable steps to ensure compliance with the regulatory system.    

Background to the fine

In April 2018, TSB migrated millions of customer accounts from the Lloyds Bank system to a new core banking platform, Proteo4UK. Over a five-day period following the migration, TSB customers experienced failures with online services, telephone and mobile banking services, branch technology, and consequential issues with payment and debit card transactions.

During the relevant period, Mr Abarca was the CIO and holder of SMF18 (Other Overall Responsibility).  The PRA relied heavily on the Senior Management Statement of Responsibilities and the firm’s material risk register to assess responsibilities connected to the role. Those documents confirmed the role included responsibility for TSB's IT function and business continuity planning, but also compliance with the PRA's Outsourcing Rules including the migration programme and associated key outsourcing relationships, in addition to migration governance, communication, risks, decision-making processes and outcomes.

The PRA found that this required the CIO to take reasonable steps to “ensure effective management of the migration process, including identifying and mitigating risks from an IT perspective” and “ensure TSB’s compliance with the PRA’s Outsourcing Rules, including obtaining sufficient assurance from third party providers to reduce the risk of operational disruption and the potential impact on financial stability”.

However, the conduct in question fell below the expected standard and “outside the range of reasonable responses for a CIO in his position”, which contributed to the disruptions to TSB’s core banking functions.

It should be noted that the CIO held some of the responsibilities jointly but unfortunately the PRA did not take the opportunity to provide clarification as to the approach to be taken to joint responsibilities.

Key learnings for SMFs in the context of migration programmes and outsourcing arrangements

In the context of migration programmes and outsourcing, SMFs are expected to ensure:

• Any third-party providers’ adequacy, capacity, resources and organisational structure are thoroughly assessed at the outset and kept under active review on an ongoing basis.  This applies even where the service provider is within the same group as the firm.
• They obtain appropriate assurances from third-party providers at relevant milestones regarding readiness to adequately operate the outsourced function.  Confirmations of readiness should be investigated or challenged where they contain forward looking statements of good intention as opposed to statements of fact about activities already undertaken, or where such confirmations are caveated with outstanding tasks.
• That there are appropriate checks and balances and, where necessary, escalation channels within third-party providers to ensure complete readiness for any migration of outsourced activities.
• That they understand and are satisfied with how any fourth parties in an outsourcing arrangement are being managed, monitored and controlled.  

For CIOs, Chief Compliance Officers, Chief Risk Officers, Data Protection Officers, or any other individuals involved in outsourcing of critical functions to third parties, operational resilience should be a continued area of focus.

Key learnings for SMFs more generally

It is important that SMFs:

• Regularly review and scrutinise Statement of Responsibilities to ensure they are up to date, accurate and reflect what is happening in practice.  They should also be consistent with wider governance documents which reference responsibilities.  Any inaccuracies should be escalated and addressed.
• Clearly articulate the boundaries where there are joint responsibilities.
• Ensure any delegated responsibilities are understood and documented.
• Reflect on their areas of responsibility at regular intervals to ensure that risks and issues are identified and addressed.
• Evaluate what triggers may justify more close and continuous oversight.
• Promptly and adequately respond to early warning signs, as regulators will likely take a dim view of missed opportunities.
• Are mindful that risks may require plans and milestones to be revisited and updated.
• Adopt a risk-based approach when carrying out their responsibilities (i.e., relative to the degree of complexity and risk involved) and ensure that key decisions are documented.
• Provide relevant, prompt and sufficiently detailed information to governance fora and senior stakeholders in respect of developments and risks, and when doing so, adequately substantiate any assurances they provide (for example by annexing confirmations provided to them).

Concluding remarks

Although this is the first enforcement action taken by the PRA for a breach of the Conduct Rules, it follows a continued focus of the FCA to investigate individual wrongdoing at the same time as it conducts investigations into firms.

The decision therefore signals that the number of SMCR investigations into individuals will continue to rise in the upcoming years. 

For more information

If you have any questions or would like to discuss, please do reach out to Gareth.Oldale@TLT.com, or Chantal.Peters@TLT.com 
 

The views, opinions and positions expressed within guest blogs are those of the authors and do not necessarily represent those of the BSA.