PRA fines chief information officer (CIO)

£80k fine for Chief Information Officer who mismanaged IT migration

The Prudential Regulation Authority has fined the former Chief Information Officer of TSB £81,620 for his role in the mismanagement of a 2018 IT migration which saw hundreds of customers unable to access funds.

17 April 2023 7 mins read
By Jennie Clarke

In brief

– The PRA has fined the Chief Information Officer who was responsible for overseeing a failed IT migration project £81,620

– The failed project saw TSB pay almost £50 million in regulatory fines towards the end of 2022

– The PRA found that the CIO breached the Senior Manager Conduct Rules in his management of the project

– The case breathes life into the often-criticized Senior Managers and Certification Regime, but raises questions of retrospective application

– The case may cause other senior managers to think twice when outsourcing critical operations

In December 2022, the UK’s Financial Conduct Authority (FCA) and PRA issued almost £50 million in fines against TSB Bank for operational resilience and governance failures. Amid increased regulatory focus on operational resilience within UK financial services, this was the first case of its kind to call out operational resilience failures that fell short of current regulatory expectations. The case received significant industry attention, not least because it appeared to apply current standards retroactively to historical actions.

On April 13, 2023, the PRA extended the reach of this case further by announcing that it had fined the CIO in office at the time for his mismanagement of the migration that caused the operational resilience failures.

What went wrong?

To recap, in 2015 TSB was acquired by a Spanish financial services company and set about migrating its 1.3 billion customer records from its old systems to a new one. TSB employed the services of a third-party platform to migrate its data.

Although the IT migration had been planned for three years, on the day of the “Main Migration Event” the data migration itself succeeded but the third-party platform experienced technical failures, which caused an outage of TSB’s services. As a result, many customers were unable to access funds, and prolonged outages followed.

The PRA and FCA said in December 2022 that:

“[TSB] failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.”

Mark Steward, FCA Executive Director of Enforcement and Market Oversight

Among other things, the regulators found that TSB had not conducted a “formal, comprehensive due diligence exercise to understand [the third party’s] capability to deliver”. In addition, the third party it had selected had “no experience of managing service delivery from a large number of UK subcontractors”.

The next chapter

Following on from this landmark £48 million fine for TSB, the PRA has now issued a further fine of £81,620 to the CIO who was “accountable for TSB’s information technology and IT business continuity planning” at the time.

Under the Senior Managers and Certification Regime, the CIO held SMF18 (other overall responsibility). He was also responsible for TSB’s performance of its obligations under the PRA’s Outsourcing Rules, a responsibility he shared with another senior manager. Under this split, the CIO was responsible for “TSB’s key outsourcing relationship” with the selected third party, and was “accountable for the operational relationship with third parties in relation to IT”.

Under the PRA’s Senior Manager Conduct Rules, the CIO, as a senior manager, was also required “to take reasonable steps to ensure that the business of TSB for which he was responsible complied with relevant regulatory requirements and standards”.

The PRA found that the CIO was, amongst other things, accountable for:

– the building and effective implementation of the migration

– the outsourcing relationship with the third party

– the migration governance, communication, and decision-making process

– the material risks, were the migration to cause “operational instability or a degradation in resilience and poor customer outcomes”.

After the IT migration failed, the PRA found that the CIO had “failed to take reasonable steps” to ensure that TSB complied with the above rules, and had failed in “adequately managing and appropriately supervising its outsourcing arrangement” with the third party. In particular, he failed to obtain sufficient assurance from the third party that it was able to operate the platform following the migration.

A test case for the PRA

Within its final notice, the PRA offers an explanatory glimpse into why it has taken action in this case, perhaps in acknowledgement of its landmark decision.

The PRA notes that “the manner in which a firm manages operational resilience is an integral part of the PRA’s assessment of a firm’s safety and soundness”. This extends to firms that enter into outsourcing arrangements, which must comply with the PRA’s Outsourcing Rules. The obligation is not limited to third parties; it reaches fourth parties (the subcontractors an outsourced provider relies on) as well.

“Where a firm is reliant on an outsourced service provider to manage fourth parties, a sufficiently engaged and proactive approach to oversight of the outsourced service provider is required to ensure that the firm’s interests and needs are met.”

The PRA added that TSB’s migration to a third-party platform, and the associated outsourcing arrangements, were critical to its ability to provide continuity of banking services and therefore to its safety and soundness. The PRA required the CIO to act reasonably in managing the migration, in a manner “commensurate with the degree of risk of a complex, large scale IT change management programme”. The CIO did not meet the PRA’s expectations.

Regulators frequently make an example of one firm to set out clearly what they will expect of others in future. There is little doubt that the UK regulators’ enforcement against TSB, and subsequently against its former CIO, serves as an important test case for operational resilience action to come.

What does this mean for other CIOs and senior managers: how can similar fines be avoided?

Regulatory expectations under SMCR and the Senior Manager Conduct Rules are clear, but the absence of enforcement around these rules may have left some questioning how much weight to give them. The PRA’s fine suggests that it is focusing on conduct and accountability for senior managers, especially where operational resilience is concerned.

Most firms will have clear roles and responsibilities allocated under SMCR. This Final Notice, however, serves as a reminder to ensure that those roles and responsibilities are actually being carried out.

For CIOs, Chief Compliance Officers, Chief Risk Officers – or any other senior manager – operational resilience should be a continued area of focus.

This is especially true when outsourcing critical functions to third parties. On April 11, 2023, the Bank of England published a Discussion Paper seeking to analyze the benefits of a critical third-party regime in the UK. If one thing is clear, it is that outsourcing is at the forefront of the regulator’s priorities.

Avoiding similar fines is simple, on paper: when outsourcing to third parties, do your research. Can the firm provide the service it promises? Does it have sufficient experience of similar operations? Have you tested the program? And do you have a business continuity plan in the event that the third party fails?

Breathing life into SMCR

The final takeaway from the PRA’s action concerns the relevance of SMCR. The advent of the Senior Managers and Certification Regime (SMCR) in 2016 was initially seen as a pivotal moment for individual accountability and liability in the event of non-compliance. After a few years, however, the industry began to question the strength of SMCR. While implementation of the new regime was burdensome, the UK regulators seldom referred to it, and enforcement action against those who breached SMCR was almost non-existent.

When the UK government recently announced far-reaching changes to UK financial services in the Edinburgh Reforms, many speculated whether SMCR would be on the chopping block – or at least reconsidered.

The PRA’s action, however, may prove there is life yet.