Carlos Abarca fined for breach of PRA’s Senior Manager and Certification Conduct Rules
3 May 2023
The Prudential Regulation Authority (‘PRA’) has imposed a fine of £81,620 on the former Chief Information Officer (‘CIO’) at TSB Bank plc because of his failures in overseeing an IT migration project in 2018, causing significant disruption to millions of customers. Accordingly, he was found to have breached Senior Manager Conduct Rule 2 of the PRA Rulebook which states that “reasonable steps” must be taken to ensure that “the business of the Firm for which you are responsible complies with the relevant requirements and standards of the regulatory system”. This is the first Senior Manager’s case outcome under SMCR for breach of the Senior Manager Conduct rules.
Facts
In March 2015, TSB Bank plc (‘TSB’) was subject to a takeover bid from Spanish bank, Banco de Sabedell (‘Sabedell’). In order to align with Sabedell’s online banking model, TSB migrated its customer data to a new IT platform (‘Proteo4UK platform’) for its corporate and customer services. TSB entered into an outsourcing agreement with SABIS, a subsidiary of Sabedell, to design, build and operate the platform. It was decided that the migration would take place over one weekend between 20and 22 April 2018 in a single main migration event to avoid any disruption to its customers.
The data migration was problematic from the outset and the platform immediately encountered technical failures, resulting in the disruption of TSB’s services including online, telephone and mobile banking services, branch technology failures, and consequential issues with payment and debit card transactions. The extent of the issues was vast as TSB hosts over five million customers across 550 UK based branches, many of whom were affected by the service issues. The problems persisted and TSB was not running ‘as normal’ until December 2018. As a result of the technical failures, TSB paid out significant amounts of compensation to its customers.
PRA investigation
An investigation was carried out by the PRA over concerns around TSB’s failure to comply with its obligations under the PRA outsourcing rules (‘the Rules’). Carlos Abarca, who was TSB’s CIO at the time of the technical failures, was held responsible for migration failure.
Mr Abarca’s duties as CIO included responsibility for the design, building and implementation of the data migration system as well as a responsibility for any outsourced work. He was therefore held accountable for SABIS’ failure to implement the Proteo4UK platform correctly as part of his responsibility for TSB’s performance under the Rules.
The PRA also highlighted Mr Abarca’s failure to properly assess whether SABIS had the ability and capacity to deliver the migration services to TSB. To make matters worse, Mr Abarca gave assurances to the board that TSB was ‘migration ready’ in early 2018 without consulting with SABIS. Mr Abarca’s management of the outsourcing to SABIS fell below the standard expected by senior managers in the industry.
PRA decision
As a result, the PRA found that Mr Abarca had breached Senior Manager Conduct Rule 2 of the PRA Rulebook which states that “reasonable steps” must be taken to ensure that “the business of the Firm for which you are responsible complies with the relevant requirements and standards of the regulatory system”.
In their investigatory report, the PRA focussed on Mr Abarca’s failure to:
- ensure that the third party’s ability and capacity were adequately reassessed on an ongoing basis;
- ensure that TSB obtained sufficient assurance from the third party in relation to its readiness to operate the new IT platform; and
- give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to the third party’s readiness for migration.
The PRA initially issued a penalty of £116,600 to Mr Abarca. However, after Mr Abarca accepted his shortcomings and agreed to resolve this matter with the PRA, he qualified for a 30% reduction in the fine imposed by the PRA. Mr Abarca’s fine follows on from a £48.7m fine imposed on TSB in December 2022 for ‘operational resilience’ failures relating to the failed data migration project.
The Birketts view
The regulators have faced some criticism for lack of enforcement against Senior Managers and this is the first case whereby it has issued a fine to a Senior Manager since SMCR was introduced in 2016. It is also interesting to note that although the failings were primarily caused by a firm not regulated by the FCA or PRA, the regulators had no hesitation in holding members of staff responsible at the regulated firm who had responsibility for the project, accountable. We anticipate seeing further examples of the regulators taking enforcement action against Senior Managers as they seek to demonstrate their willingness to do so.
Services
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at May 2023.