The FCA has fined Tesco Personal Finance PLC (Tesco Bank) £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.
The cyber attack, which took place in November 2016, exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls and its financial crime operations team.
The FCA said the deficiencies left the bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
The regulator found that Tesco Bank had breached Principle 2 because it failed to exercise due skill, care and diligence to:
• design and distribute its debit card
• configure specific authentication and fraud detection rules
• take appropriate action to prevent the foreseeable risk of fraud
• respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Following the attack, the bank immediately put in place a comprehensive redress programme, devoted significant resources to improving the deficiencies and instituted a comprehensive review of its financial crime controls.
The FCA said that the bank provided a high level of cooperation to the regulator and its redress programme fully compensated customers.
In acknowledgment that it stopped a significant percentage of unauthorised transactions, the regulator granted the bank 30% credit for mitigation.
The bank also agreed to an early settlement, which made it eligible for a 30% discount under the FCA’s executive settlement procedure, meaning Tesco Bank avoided a full penalty of over £33m.
“The fine the FCA imposed on Tesco Bank today [1st October] reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, executive director of enforcement and market oversight at the FCA.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late.
“Customers should not have been exposed to the risk at all.”
Mark added that banks must ensure that their financial crime systems – and the individuals who design and operate them – work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”