The FCA has fined Tesco Personal Finance PLC (Tesco Bank) £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.
The cyber attack – which took place in November 2016 – exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls and its financial crime operations team.
The FCA said the deficiencies left the bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
The regulator found that Tesco Bank had breached Principle 2 because it failed to exercise due skill, care and diligence to:
• design and distribute its debit card
• configure specific authentication and fraud detection rules
• take appropriate action to prevent the foreseeable risk of fraud
• respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Following the attack, the bank immediately put in place a comprehensive redress programme, devoted significant resources to improving the deficiencies and instituted a comprehensive review of its financial crime controls.
The FCA said that the bank provided a high level of cooperation to the regulator and its redress programme fully compensated customers.
In acknowledgment that it stopped a significant percentage of unauthorised transactions, the regulator granted the bank 30% credit for mitigation.
The bank also agreed to an early settlement, which made it eligible for a 30% discount under the FCA’s executive settlement procedure, meaning Tesco Bank avoided a full penalty of over £33m.
“The fine the FCA imposed on Tesco Bank today [1st October] reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, executive director of enforcement and market oversight at the FCA.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late.
“Customers should not have been exposed to the risk at all.”
Mark added that banks must ensure that their financial crime systems – and the individuals who design and operate them – work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”