In the wake of the extensive, and sometimes painful, Operational Resilience projects which have been undertaken by the financial services sector over the last 18 months, comes a sobering reminder of why this regulation is so important.

In December 2022, the PRA and FCA published the details of fines incurred by TSB (£18.9m and £29.75m respectively) related to the mismanaged operational risks and governance associated with its IT upgrade programme; risks the regulators now refer to collectively as ‘Operational Resilience’. These included failings relating to planning, testing, governance, risk management, third-party oversight, lack of visibility and management of fourth-party risks, and poor preparation for incident management.

Background

In April 2018, TSB completed an IT systems and data migration project, moving its corporate and personal customer servicing onto a new platform. While this, in itself, was successful, technical failures were soon being flagged, causing significant disruption to TSB’s banking services: branch, telephone, online and mobile banking.

A significant proportion of TSB’s 5.2 million customers were impacted by the initial issues and it was December 2018 before normal working order was fully restored. This came at no small cost to TSB, with £32.7m being paid to customers in redress for detriment caused.

The Regulator’s Response

Recognising the complexity and ambition of the change programme, the regulators noted the necessity of guaranteeing continuity of services during this time. Ensuring the migration programme was managed effectively, understanding the operational risks related to IT outsourcing arrangements and identifying critical third- and fourth-party suppliers were key to a smooth transition, and appear to have been woefully lacking.

Although the specific expectations related to Operational Resilience weren’t in force until March 2021 – three years after TSB’s operational failings – they are referenced multiple times within the statement and were, to some degree, driven by the PRA’s perception of the need for them given the challenges TSB was facing at the time. This is important to recognise: while the regulators rely on the incumbent clauses included in the ‘Systems and Controls’ section of the handbook to determine the severity of failings, and use these to justify their ultimate sanction, assessing the damage with 20:20 hindsight and against some new goal posts offers a cautionary warning.

Within the Final Notices from the PRA and FCA, much of the detail is focussed on poor change management protocols, execution of a major IT project and inadequate incident management, breaching Fundamental Rules 2 and 6.

Specifically, TSB was considered to have mismanaged the following aspects of the migration:

  • Entering and appropriately managing an outsourcing arrangement
  • Adequately assessing the universe of risks of the migration programme
  • Recognising, and assessing risk from, the full supply chain, i.e. third and fourth parties
  • Anticipating and mitigating against large-scale migration failure – TSB’s BCP just didn’t consider such a large-scale event

Understanding the profile of vulnerable customers was also cited. Inadequate controls supporting the BCP framework likely exacerbated this blind spot, and the dependency between the two should be a key takeaway for insurers. The absence of strong controls over outsourcing risk and third-party management made this blind spot all the harder to identify.

Both the PRA and FCA stated that Operational Resilience is critical for firms to demonstrate and must be considered as important as ensuring financial resilience, commenting that the disruption experienced by TSB fell well below expected standards.

Lessons For Insurers

The regulators have used the extent of TSB’s mismanagement of the upgrade programme to demonstrate the scope of Operational Resilience and the regard that anyone responsible for Operational Risk/Resilience in their organisation should attach to ensuring their ship is in better order.

Against each of the aforementioned bullet points, those with operational ownership should be asking themselves the following questions.

Outsourcing Arrangements

    • Is your list of outsourcing arrangements/critical third party list current and when was it last reviewed and assessed? Have critical fourth parties been identified?
    • Has each key outsourcing provider/critical third-party contract been subject to review and updated in accordance with regulatory expectations? [SS2/21 Outsourcing and third party risk management]
    • When was an audit of services last performed, and have previous recommendations been actioned?
    • Is clear ownership of outsourcing arrangements/third party management in place and documented? Is each critical service actively monitored?

Change Management Risk

    • Does your risk management framework comprehensively identify all risks related to change and migration risk?
    • When was the associated risk and control framework tested and reported on?
    • Are major change programmes subject to rigorous governance and oversight controls?

Supply Chain Risk

    • Is the extent of your supply chain identified and understood?
    • How are any dependencies/vulnerabilities being managed and resolved?

Business Continuity Risk

    • When were your business continuity plans last reviewed and tested?
    • Is clear ownership of business continuity arrangements documented?
    • Are communication protocols established?
    • Are assumptions included in the business continuity plans stressed as part of scenario testing?

The operational risks associated with managing the areas above might be well understood from a siloed perspective by business owners, but when they are aggregated and considered in the context of overarching operational resilience across the service chain, a more holistic lens is needed. Is there the same level of confidence that each component complements the others and that the handover between operational responsibilities doesn’t create vulnerabilities, or, if it does, that these are well understood and mitigated? Concentration risk, in each of the above areas, is another key area of consideration. Again, how well is it understood, why might it materialise and how can it be addressed?

Conclusion

Even if there is little exposure to ‘consumer’ customers, regulators still expect services to be available to all customers, regardless of their type or size, especially where products are time critical or less available. Without a detailed breakdown and assessment of the customer base, potential for harm may be difficult to identify.

If TSB’s fine has got you wondering whether your firm could find itself in a similar position, or you would like to understand more about how your firm should go about answering the questions posed above, please do get in touch with us at ICSR. We would be happy to discuss any concerns you have related to your firm’s readiness to manage a situation such as the one TSB found itself in.

If you think you might benefit from a health check of your Operational Resilience project, this is something we would also be able to assist with.

This article has been authored by Claire King, with support from Operational Resilience specialist and Talent Pool member Yvonne Lancaster.
