As many of you will have seen, on 20th December TSB was fined a total of £48,650,000 by the FCA and the PRA for Operational Resilience failings following its botched IT platform migration in April 2018.
Quite apart from the fact that this is the big Operational Resilience scalp we at Aldbury International have been predicting, there are a number of messages in this: some from the regulators’ press release alone, and more from the body of the Final Notices released by the FCA and the PRA.
The incident occurred in April 2018 and it wasn’t until the end of that year that TSB had managed to get everything back on an even keel. In April 2018, the FCA and PRA Operational Resilience rules hadn’t even reached the Discussion Paper stage, let alone Consultation Paper or Policy Statement. The Notes to Editors in the press release announcing the fine nevertheless refer extensively to the new rules, which came into force in March 2021. Reading through the FCA Final Notice, it is apparent that while qualitatively it frequently refers to detail covered in the new rules, quantitatively (that is, for the breaches on which the penalty is actually based) it relies on the existing and much used Systems & Controls provisions, which have existed since Pontius did his first solo around the airfield. The PRA at least acknowledges the disparity in dates throughout its Final Notice but effectively says “tough” to TSB.
Translated, this means that the regulators broadly know what they want you to do, and it doesn’t matter whether the rules were in force when you did or didn’t do something: if something goes wrong they will catch you anyway, and it most certainly did go wrong at TSB. As ever, a significant amount of 20:20 hindsight is in evidence throughout the findings.
Taking this last point to its logical conclusion, it clearly doesn’t matter whether you are in scope or out of scope of the new rules. If something goes wrong, inadequate Systems & Controls will catch you out, as they always have done in the past.
Reading through the Final Notices (they are long and repetitive), it is interesting that while the heading of the press release is about “Operational Resilience” (which was undoubtedly rubbish in this case), most of the body of the documents is about poor planning and execution of a major IT integration project. In other words, the regulators are overtly sending a message about Operational Resilience that you would be foolish to ignore, especially with a chunky fine attached to it.
Moving away from the lessons that can be gleaned from the press release and taking a more detailed look at the Final Notices, there are some really significant Operational Resilience points that should not be lost on anybody. I’ll precis them here; they largely speak for themselves, and they are all quotes or near quotes from the Final Notices:
TSB’s BCP was inadequate for the scale of the incident.
TSB did not assess SABIS’s incident response capability (SABIS, a Sabadell group company, was TSB’s key third-party IT provider).
SABIS itself had 85 third-party suppliers (fourth-party suppliers to TSB) and TSB did not take adequate steps to understand the risks posed by these suppliers, despite knowing that SABIS’s supply chain management was inadequate.
Insufficient consideration was given to customer communications beyond a 48hr incident.
TSB's incident management plans were insufficiently robust and were ineffective.
TSB struggled to identify and prioritise vulnerable customers.
TSB’s testing of its incident management capability was limited.
Although TSB commissioned externally run incident management exercises, they assumed resolution of events in a few days and did not include SABIS.
Customer relations planning was limited to a 24hr incident.
Pre-prepared customer communication work was limited and assumed only minor issues would occur.
During the incident it took TSB four days to overhaul its communication strategy and create a Customer War Room.
TSB assumed that any incident would lead at most to a doubling of customer complaints, and there were no contingency plans to bring in external complaints handlers.
These are a mix of general and specific criticisms, but they are damning for TSB and, more pertinently, should act as a major shot across the bows of the wider Financial Services industry. Any COO who doesn’t have at least a small “there but for the grace of God” moment on reading these notices probably hasn’t looked closely enough and should read them again.
The scalp we expected has been taken; it would be foolish to become the next one. Aldbury International can help you put the structure in place and help you, in that much maligned phrase, think the unthinkable. We can help you devise stretching scenarios, we can train the incident management team, and we can ensure your BCP is robust enough. Most importantly, we are not you and are therefore not subject to the “groupthink” that occurs to one degree or another in every organisation, even the very best. We don’t subscribe to the “it couldn’t happen here” argument, as that is akin to the “unsinkable” Titanic.
Call us on 020 3475 2953 to find out more about what we do and who we are; between us, we can work out how we can best help you.