On 13 April 2023, Prudential Regulators (“PRA) has fined Carlos Abarca, the former chief information officer of TSB Bank plc (“TSBs”) £81,620 for breach of PRA Senior Managers Code of Conduct 2. The PRA has taken reasonable steps to ensure that TSB adequately manages and supervises outsourcing arrangements in relation to the transition of its core IT services. This follows fines imposed on TSB by both the PRA and the Financial Conduct Authority for failures related to the same IT migration.
- The enforcement action was taken in connection with the transition of TSB Bank plc’s core IT platform from Lloyds Banking Group (“LBGMore) (which sold the bank in 2013) was transferred to TSB’s new owner Sabadell’s IT Platform. It was decided to design and create a new version of Sabadell’s IT platform adapted for the TSB and UK markets. This new platform was called Proteo4UK. The migration project was targeted for completion in April 2018.
- TSB is a subsidiary of Sabadell, SABIS Spain (“service”), designing, building and testing the Proteo4UK platform and migrating TSB’s data onto it. SABIS will also operate the post-migration platform.
- However, the migration did not go as planned and many problems were encountered along the way. As was widely reported at the time, many of TSB’s customers were unable to access their accounts online or via his mobile app. Some of the disruption lasted for weeks and affected most of our 5.2 million customers.
- Carlos Abarca was TSB’s Chief Information Officer at the time and was responsible for the IT migration project. Following the client’s confusion, PRA conducted an investigation into his IT migration project and his role for Mr. Abarca.
- The PRA found that Mr. Abarka had violated Senior Manager Conduct Rule 2 in the PRA rulebook.You must take reasonable steps to ensure that the business of the company for which you are responsible complies with the relevant requirements and standards of the regulatory system.“
- PRA will ensure that TSB complies with the PRA’s Outsourcing Rules in properly managing and supervising the outsourcing agreements with other service providers contracted by SABIS under the Outsourcing Agreement and Sub-Outsourcing Agreement with SABIS. concluded that it did not take reasonable steps to ensure thatImportant Forth Party”).
- Abarca was assured by SABIS that he had confirmation from the Critical Forth parties that they were confident their infrastructure was fit for purpose and capable of handling the expected volume. However, he investigated these assurances in more detail and took no action to challenge the readiness of SABIS or the Critical Forth parties for his IT migration. This was despite the problems he experienced during the migration of some of his IT functions prior to his complete IT migration. PRA also noted that Abarca was aware of certain tasks and tests that had not been completed at the time of review.
- The PRA relied too much on the fact that Mr. Abarca had engaged material Forth parties under contracts that complied with the PRA’s outsourcing rules, and respectfully advised SABIS of the risks associated with TSB’s outsourcing contracts. have not had a more holistic view by considering the ability of to the rest of the services provided.
- Mr. Abarca did not ensure that the TSB would continue to formally and properly reassess SABIS’ competence and competence.
- The PRA said it did not fully consider the risks TSB was exposed to through its supply chain. The PRA believed that TSB’s oversight of her SABIS was not sufficiently engaged and proactive given that TSB relied on her SABIS for fourth-party control.
- Regulatory expectations for intra-group outsourcingAlthough the outsourcing agreement with SABIS was intragroup, the PRA’s rules on outsourcing apply whether the service provider is an independent third party or an intragroup provider. The PRA has clarified that it expects outsourcing arrangements to comply fully with his PRA’s Outsourcing Rules when regulated companies enter intra-group services. the performance of the outsourced functions and that this evaluation be revisited as necessary; This is not unique to his PRA-regulated companies, as the FCA has similar expectations.
- Senior management should critically evaluate and challenge statements made by third parties. The PRA was unimpressed that Mr. Abarca relied solely on confirmations provided by the outsourcing provider, rather than critically assessing the outsourcing provider’s ability to deliver. This was despite ‘red flags’ that service he providers struggled to meet the required standards. The senior manager should critically evaluate and record the basis for determining that the service provider will provide his level of service expected.
- Visibility into sub-outsourcing contractsMr. Abarca did not fully consider the risks posed by sub-outsourcing arrangements and took too much comfort from the fact that outsourcing agreements stipulate the due diligence and termination required by regulatory rules. Firms and senior managers should closely monitor sub-outsourcing and not simply rely on outsourcing providers to monitor and evaluate contracts. This includes understanding exactly how outsourcing providers monitor performance on a daily basis.