The chief executive of TSB Bank has apologised to customers after the bank was hit by a £48.6m fine in the UK for operational risk management and resilience failures.
“We’d like to apologise again to TSB customers who were impacted by issues following the technology migration in 2018,” said Robin Bulloch, CEO of TSB.
“We worked hard to put things right for customers then and have since transformed our business.”
The penalty was issued by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), and relates to TSB’s handling of an IT system migration in 2018.
After agreeing to resolve the matter with the regulators, TSB qualified for a 30 percent discount on the overall penalty imposed by the FCA and the PRA.
Ultimately, TSB was fined £29.7m by the FCA and £18.9m by the PRA, although without the discount, the bank would have faced a combined penalty of £69.5m.
In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services to a new IT platform.
As the FCA said in a statement, although the data itself migrated successfully, the platform immediately experienced technical failures.
This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
According to the FCA, all of TSB’s branches and a significant proportion of its 5.2m customers were affected by the disruptions.
For some customers, these issues continued until December 2018, forcing TSB to issue £32.7m in redress payments to those affected.
“TSB’s IT migration programme was an ambitious and complex IT change carrying a high level of operational risk,” said the FCA.
“Its success was critical to TSB’s ability to provide continuity of critical functions and safety and soundness.
“However, the regulators found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.”
Nisha Sanghani, a partner at Ashurst Risk Advisory, told VIXIO that the case shows that operational risk management is not merely a “business-as-usual” concern, and could in fact pose an even greater threat during periods of change.
“The eye-watering £49m fine issued to TSB and the £32.7m paid in customer redress are stark reminders of the consequences of badly executed change,” said Sanghani.
“In this case, as part of an upgrade in IT systems, whilst data was migrated successfully, the technical failures that followed on the system led to a significant disruption in banking services.
“These disruptions were unexpected, and had likely not been planned for during operational resilience testing over the new system.”
Sanghani added that, when implementing any operational changes, the risk of service disruption to customers is both “substantial and unpredictable”.
Both the FCA and the PRA said that operational resilience is a priority for them, especially when it involves the management of outsourcing risks.
For TSB and other firms going forward, the PRA emphasised the importance of its Supervisory Statement on Operational Resilience, published in March this year.
This latest rulebook updates the provisions of the PRA’s Statement of Policy on Operational Resilience that was published in March 2021.
“Operational resilience is the ability to prevent, adapt and respond to, and recover and learn from operational incidents, including but not necessarily limited to those relating to cyber and technology,” said the PRA.
“Managing operational resilience adequately is a way firms can reduce the number and impact of IT or operational incidents.
“The way in which a firm manages operational resilience is an integral part of the PRA’s assessment of a firm’s safety and soundness.”