The FCA has fined Tesco Personal Finance PLC (Tesco Bank) £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.
The cyber attack – which took place in November 2016 – exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls and its financial crime operations team.
The FCA said the deficiencies left the bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
The regulator found that Tesco Bank had breached Principle 2 because it failed to exercise due skill, care and diligence to:
• design and distribute its debit card
• configure specific authentication and fraud detection rules
• take appropriate action to prevent the foreseeable risk of fraud
• respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Following the attack, the bank immediately put in place a comprehensive redress programme, devoted significant resources to improving the deficiencies and instituted a comprehensive review of its financial crime controls.
The FCA said that the bank provided a high level of cooperation to the regulator and its redress programme fully compensated customers.
In acknowledgment that it stopped a significant percentage of unauthorised transactions, the regulator granted the bank 30% credit for mitigation.
The bank also agreed to an early settlement, which made it eligible for a 30% discount under the FCA’s executive settlement procedure, meaning Tesco Bank avoided a full penalty of over £33m.
“The fine the FCA imposed on Tesco Bank today [1st October] reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, executive director of enforcement and market oversight at the FCA.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late.
“Customers should not have been exposed to the risk at all.”
Mark added that banks must ensure that their financial crime systems – and the individuals who design and operate them – work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”