PRA fines the former Chief Information Officer of TSB Bank


Posted on 10 May 2023

Senior Manager breaches Senior Manager Conduct Rule 2

The Prudential Regulation Authority (the PRA) has taken the first enforcement action against a Senior Manager for breach of the Senior Manager Conduct Rules.

In an outcome that confirms the importance of Statements of Responsibilities for Senior Managers, the PRA imposed a financial penalty of £116,600 (reduced by 30% to £81,620) on the former Chief Information Officer (CIO) of TSB, Mr Carlos Abarca, on 13 April 2023. The financial penalty was imposed for failing to comply with Senior Manager Conduct Rule 2 between March 2016 and April 2018.

Senior Manager Conduct Rule 2 requires that Senior Managers must take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system. This includes ensuring that the business has the appropriate operating procedures and systems in place and that any issues are dealt with in a timely and appropriate manner.

IT Migration from the Lloyds IT Platform

Following its divestment from Lloyds Banking Group in June 2014, TSB continued to receive its core IT services from Lloyds, utilising the Lloyds IT platform.

In March 2015, TSB received a takeover bid from the Spanish bank, Sabadell, and, in December 2015, TSB decided to migrate its IT services from the Lloyds IT platform to a new purpose-built UK version of Sabadell’s Proteo platform. TSB entered into an outsourcing arrangement with Sabadell’s IT service subsidiaries, SABIS Spain and SABIS UK (together ‘SABIS’), to design, build and operate the new Proteo4UK Platform.

The migration, which took place over the weekend of 20th to 22nd April 2018, almost immediately encountered serious and well-publicised issues, including failures with online, telephone and mobile banking services, branch technology failures, and consequential issues with payment and debit card transactions.

As a result, the PRA decided to investigate whether Mr Abarca, as TSB CIO performing a senior management function (‘SMF’), took reasonable steps in carrying out his responsibilities (particularly those in relation to the migration).

Under the Senior Managers and Certification Regime (SM&CR), Mr Abarca held SMF18 (Other Overall Responsibility) from 7 March 2016 to 9 August 2019. According to his Senior Management Regime Statement of Responsibilities, he had responsibilities, as CIO, for TSB’s information technology and for IT Business Continuity Planning. Amongst other things, he was responsible for:

  • Providing leadership and strategic direction to the IT function and ensuring alignment with overall TSB strategy;
  • Designing and managing the migration; and
  • Being accountable for information technology within TSB to deliver the organisation’s strategic goals.

For the migration, Mr Abarca was (amongst other things):

  • Accountable for the building and effective implementation of the migration;
  • Responsible for TSB’s key outsourcing relationship with SABIS (as part of his responsibility for TSB’s performance of its obligations under the PRA’s Outsourcing Rules);
  • Accountable for the overall Bank Executive Committee migration governance, communication and decision-making process; and
  • The owner of the material risk that ‘migration causes operational instability or a degradation in resilience and poor customer outcomes’ under TSB’s Material Risk Register.

How Mr Abarca breached Senior Manager Conduct Rule 2

The PRA’s investigation identified that Mr Abarca breached Senior Manager Conduct Rule 2 of the PRA Rulebook because he:

  • Failed to take reasonable steps to ensure that TSB complied with the PRA’s Outsourcing Rules in adequately managing and appropriately supervising its outsourcing arrangement with SABIS;
  • Failed to ensure that he or his CIO team obtained sufficient assurance from SABIS in relation to its readiness to operate the Proteo4UK Platform;
  • Did not give sufficient consideration to the appropriateness of relying on SABIS’s confirmation without further investigation or challenge and was indeed over-reliant on that confirmation. It was insufficient for Mr Abarca to rely on the fact that the fourth parties were engaged under contracts which conformed to the PRA’s Outsourcing Rules; and
  • Failed to ensure that TSB formally and adequately reassessed SABIS’s capabilities on an ongoing basis or took a holistic view of the risks associated with TSB’s outsourcing arrangement by considering SABIS’s capabilities with respect to the remaining services to be delivered.

The PRA found that Mr Abarca’s failings undermined TSB’s operational resilience and contributed to the significant disruption TSB experienced to the provision of critical functions.

Reasons why the PRA has taken action

Key points included:

  • The PRA’s rules on outsourcing apply whether a service provider is an independent third party or an intragroup provider. The fact that a firm and its service provider are within the same group does not do away with the need for a careful assessment of whether the service provider has the ability, capacity, resources and appropriate organisational structure to support the performance of the outsourced functions, and for this assessment to be revisited where appropriate.
  • TSB’s migration to the Proteo4UK Platform and the provision of IT services and outsourcing arrangements with SABIS were critical to TSB’s ability to provide continuity of banking services, and therefore to its safety and soundness. Mr Abarca’s conduct fell outside the range of reasonable responses for a CIO in his position in a PRA authorised firm, and contributed to the disruptions to the continuity of TSB’s core banking functions post-migration.
  • For the migration, the PRA required a CIO to act reasonably in carrying out their role and responsibilities, in a manner that was commensurate with the degree of risk of a complex, large scale IT change management programme.
  • Mr Abarca had specific migration-related responsibilities for TSB’s outsourcing relationship with SABIS. The PRA required him to take reasonable steps to ensure effective management of the migration process, including identifying and mitigating risks from an IT perspective. The PRA required him to take reasonable steps to ensure TSB’s compliance with the PRA’s Outsourcing Rules, including obtaining sufficient assurance from third party providers to reduce the risk of operational disruption and the potential impact on financial stability.

What does this mean for firms?

The action which the PRA has taken emphasises the importance of ensuring that senior individuals in a firm take reasonable steps to ensure that the firm complies with the relevant regulatory requirements and standards, in compliance with the Senior Manager Conduct Rules. It is significant that the PRA focused on Mr Abarca’s Statement of Responsibilities; this confirms the attention which the regulators will pay to individuals’ Statements of Responsibilities in cases against individuals. The PRA has also outlined the clear importance of compliance with its Outsourcing Rules, which require active management. Firms and individuals cannot simply rely on confirmation from providers without investigation or challenge.

We can expect to see more outcomes against senior individuals in the coming months. Doyle Clayton’s regulatory expertise means we are well placed to support our clients with any queries relating to the Senior Managers and Certification Regime (SM&CR).

Please contact Charlie Herbert or your usual Doyle Clayton contact to discuss how we can help you.

Charles Herbert

Charlie leads the firm's Regulatory and Financial Services Disputes practice. He joined Doyle Clayton to set up the team having worked as legal counsel in the Enforcement and Litigation Division at the Bank of England. Prior to that, he was a senior solicitor in the Contentious Regulatory and Litigation Teams at Santander UK plc and in the litigation team of a leading national law firm, where he also undertook a secondment in the Barclays Litigation team.

  • Partner & Head of Regulatory and Financial Services Disputes
  • T: +44 (0)20 7778 7231

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
