Financial Conduct Authority
FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack
The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack. The cyber attack took place in November 2016.
Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, yesterday said:
'The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
'Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.'
Principle 2 requires a firm to conduct its business with due skill, care and diligence. Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime.
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
- Design and distribute its debit card.
- Configure specific authentication and fraud detection rules.
- Take appropriate action to prevent the foreseeable risk of fraud.
- Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Cyber security requires resilience. A financial institution’s board is ultimately responsible for ensuring that its cyber crime controls are designed to meet standards of resilience. The board must set an appropriate cyber crime risk appetite and ensure that its institution’s cyber-crime controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack to reduce the risk of future attacks.
Following the attack, Tesco Bank immediately put in place a comprehensive redress programme and devoted significant resources to improving the deficiencies that left the bank vulnerable to the attack and instituted a comprehensive review of its financial crime controls. It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.
Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation. In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.
Notes to editors
- The Final Notice for Tesco Personal Finance plc.
- The FCA, Prudential Regulation Authority and Bank of England published a joint discussion paper, Building the UK financial sector’s operational resilience (July 2018). The discussion paper emphasises their focus on operational resilience. Following the Financial Policy Committee of the Bank of England, the DP notes that: “Effective resilience requires firms to be able to: prevent material incidents from occurring; continue to provide services and functions in the event of an incident; prevent an increase in the level of fraud during an incident; return to normal operations promptly when the incident is over; and learn from incidents, in order to limit the chances of them happening again in future. Firms have primary responsibility for their ability to resist and recover from cyber incidents. The supervisory authorities expect boards to take responsibility for the cyber resilience of their firms”. DP18/4: Building the UK financial sector’s operational resilience
- On 1 April 2013, the FCA became responsible for the conduct supervision of all regulated financial firms and the prudential supervision of those not supervised by the Prudential Regulation Authority (PRA).
- The FCA has an overarching strategic objective of ensuring the relevant markets function well. To support this, it has three operational objectives: to secure an appropriate degree of protection for consumers; to protect and enhance the integrity of the UK financial system; and to promote effective competition in the interests of consumers.
- Find out more information about the FCA.