Operational resilience fail leads to £48.6M fine
TSB Bank in the UK has been hit with an astounding £48,650,000 fine for operational risk management and governance failures that resulted in customers losing access to bank accounts and services.
TSB's failures were related to an ambitious upgrade to the bank’s IT systems, during which all corporate and customer services data was migrated to a new platform. While the migration itself was a success, the new system was immediately plagued by technical issues, disrupting all levels of banking services – from branch and telephone to digital – and affecting the vast majority of the bank’s 5.2 million customers.
Regulators at both the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) found that TSB had failed to meet the required operational resilience standards to manage the risks associated with such a large-scale IT change management project. The bank’s ability to deliver continuity of its services was dependent on the project’s success, with no backup plan.
“The failings in this case were widespread and serious, which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable. The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems,” said Mark Steward, FCA Executive Director of Enforcement and Market Oversight.
Operational resilience remains a key priority for regulators
TSB’s hefty fine reflects the harmful impact this incident had on its customers, illustrating the importance of undertaking robust scenario planning and setting impact tolerances for operational resilience. It also demonstrates that for regulators, operational resilience is no longer optional. A disaster recovery plan, ISO accreditation and yearly audits are not enough; they are the bare minimum.
The FCA’s new regulatory standards for operational resilience came into effect in March of last year, giving financial services firms three years to embed appropriate metrics and controls to measure ‘important business services’ and set ‘impact tolerances’. Compliance with these standards ensures that if a critical system fails, firms can continue to operate while minimising the negative impact on the business and its customers.
More than just a regulatory requirement, operational resilience is an opportunity and long-term strategy for progressing on wider goals and interests, including ESG and sustainability.
The scope of operational resilience provides a comprehensive lens across the multitude of macroeconomic and systemic issues, showing organisations how they can and will perform in the case of a critical event or emergency.