
The FCA has fined Tesco Personal Finance PLC (Tesco Bank) £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.
The cyber attack – which took place in November 2016 – exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls and its financial crime operations team.
The FCA said the deficiencies left the bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
The regulator found that Tesco Bank had breached Principle 2 because it failed to exercise due skill, care and diligence to:
• design and distribute its debit card
• configure specific authentication and fraud detection rules
• take appropriate action to prevent the foreseeable risk of fraud
• respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Following the attack, the bank immediately put in place a comprehensive redress programme, devoted significant resources to improving the deficiencies and instituted a comprehensive review of its financial crime controls.
The FCA said that the bank provided a high level of cooperation to the regulator and its redress programme fully compensated customers.
In acknowledgment that it stopped a significant percentage of unauthorised transactions, the regulator granted the bank 30% credit for mitigation.
The bank also agreed to an early settlement, which made it eligible for a 30% discount under the FCA’s executive settlement procedure, meaning Tesco Bank avoided a full penalty of over £33m.
“The fine the FCA imposed on Tesco Bank today [1st October] reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, executive director of enforcement and market oversight at the FCA.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late.
“Customers should not have been exposed to the risk at all.”
Mark added that banks must ensure that their financial crime systems – and the individuals who design and operate them – work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”