TSB has agreed to pay a £48.65m fine from the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) for operational risk management and governance failures, including management of outsourcing risks, relating to the bank’s IT upgrade programme in 2018.
In April 2018, TSB underwent a migration of its core IT platform for corporate and customer services - covering critical banking functions and data - to match that of its Spanish owner Sabadell Bank. While the data itself migrated successfully, the platform immediately experienced technical failures.
This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking, which only stabilised after eight months, in December of the same year. The initial disruption affected all branches of the bank and ‘a significant proportion’ of its then 5.2 million customers, the FCA reported. TSB has already paid out £32.7m in redress to customers who suffered detriment.
An IBM report released two months after the migration found the management's lack of understanding of the containerization technologies it was trying to implement as partly to blame.
Regulators have since found that TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third-party supplier.
“The failings in this case were widespread and serious which had a real impact on the day-to-day lives of a significant proportion of TSB’s customers, including those who were vulnerable,” said Mark Steward, executive director of enforcement and market oversight at the FCA (pictured). “The firm failed to plan for the IT migration properly, the governance of the project was insufficiently robust and the firm failed to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
Sam Woods, CEO of the PRA, said: “The PRA expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.”
TSB was issued a total fine of £69,500,000, however, as it agreed to resolve the matter with the FCA and PRA, a 30% discount in the overall penalty imposed by both regulators was applied, reducing the fine to £29,750,000 by the FCA and £18,900,000 by the PRA.