
19 Apr 2023

First SMCR enforcement decision for failure to take "reasonable steps"


On 13 April 2023, the Prudential Regulation Authority ("PRA") published a Final Notice in relation to Mr. Carlos Abarca ("CA") imposing a financial penalty of £81,620 (after 30% discount for early settlement) for failing to comply with the PRA's Senior Manager Conduct Rule 2, which requires that a Senior Manager must take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system.

Factual background

As is well known, in the course of migrating IT services to a new platform in April 2018 ("Full Migration"), TSB encountered serious issues including failures with online, telephone and mobile banking services, branch technology failures, and consequential issues with payment and debit card transactions (the "Migration Incident").

In December 2022, the PRA imposed a financial penalty of £18.9 million on TSB in respect of the Migration Incident for breach of Fundamental Rule 2 in failing to exercise due skill, care and diligence in managing appropriately and effectively its outsourcing arrangements and the risks arising from this.

CA had SMF18 (Other Overall Responsibility) status under the Senior Managers and Certification Regime ("SMCR") as Chief Information Officer ("CIO") at TSB. CA was jointly responsible with another Senior Manager for TSB's performance of its obligations under the PRA's Outsourcing Rules. CA also had specific responsibility for a key outsourcing arrangement with two IT service subsidiaries of TSB's new parent company (together, "SABIS") to design, build and operate a new IT platform at TSB. SABIS in turn engaged third party service providers (TSB's "fourth parties").

Outsourcing: third party assurances

TSB sought to mitigate its operational risk, including by obtaining formal assurance in the two weeks leading up to the Full Migration as to the readiness of SABIS to operate the new platform. This included: (a) a letter from SABIS (the "SABIS Confirmation") stating confidence as to the migration readiness of the platform, providing an early report on certain test results (noting that some tests were still to be completed) and referring to confirmations of readiness received or anticipated from fourth party suppliers whom SABIS considered to be critical (‘Critical Fourth Parties’); and (b) a paragraph in CA's own attestation ("CA's Attestation") to TSB management that formed part of a memorandum recommending to proceed with the Full Migration, which asserted that SABIS was ready to do so and, without any further explanation, that CA himself was satisfied that the SABIS Confirmation could be relied upon.

However, and critically, the PRA point to the fact that the SABIS Confirmation and the Critical Fourth Parties' confirmations referred to were "to some extent" forward looking statements of good intention or expectation rather than statements of fact about the completeness of readiness activities undertaken. In addition, the underlying statements made by the Critical Fourth Parties included caveats.

While TSB continued to have ongoing dialogue in the run-up to the Full Migration with SABIS and the Critical Fourth Parties, CA relied on the fact that fourth party confirmations had been given by SABIS without verifying whether SABIS itself had critically assessed them.

Failure to take reasonable steps

In terms of CA's failings, the PRA determined that he failed to ensure that he or his CIO team obtained sufficient assurance from SABIS in relation to its readiness to operate the platform.

As well as the criticisms of the SABIS Confirmation above, CA's Attestation only referred to SABIS Confirmation in a single paragraph and did not annex the SABIS Confirmation itself; nor was it included in the papers for the Board.

The PRA noted that in the course of the migration programme, there were issues encountered with a limited number of services which had already gone live and were being run prior to full migration. Despite this, the PRA say that CA did not ensure that TSB formally re-assessed SABIS’s ability and capacity to deliver the Full Migration on an ongoing basis.

The PRA assert that CA did not give sufficient consideration to the appropriateness of relying on the SABIS Confirmation without further investigation or challenge, and was over-reliant on that confirmation. It is also said that it was insufficient to rely on the fact that the Critical Fourth Parties were engaged under contracts conforming to the PRA's Outsourcing Rules.

Further, CA failed to ensure that TSB formally and adequately reassessed SABIS's capabilities on an ongoing basis, including in light of the earlier problems encountered before the Full Migration, and he did not take a holistic view of the relevant risks by considering SABIS's capabilities with respect to the remaining services to be delivered. CA knew that one of those risks was whether SABIS's supplier management gave TSB sufficient visibility over the risks associated with the fourth parties.

Overall, it is said that CA's failings undermined TSB's operational resilience, contributed to the significant disruption TSB experienced as a result of the Migration Incident, and potentially impacted on financial stability.

Analysis

As far as we are aware, this Final Notice is the first published outcome in relation to Senior Manager Conduct Rule 2, which requires that Senior Managers must take "reasonable steps". While to some extent the decision is fact and case specific, and resulted from a settlement rather than a contested case, it is helpful in shedding some light on the regulator's approach to this new(ish) and seldom used weapon in its enforcement armoury.

The PRA's reliance on CA's Statement of Responsibility is perhaps unsurprising, and a key message we see coming from it is that while delegation of performance by means of outsourcing is permissible, responsibility and oversight remain with the Senior Manager and subject to the reasonable steps threshold.

It is also interesting that this is the first and, so far, only enforcement decision made in relation to the SMF Conduct Rule 2 failure to take reasonable steps, some six years after the SMCR first went live. No breach was asserted under Section 66B of the Financial Services and Markets Act 2000, the so-called "duty of responsibility", nor under SMF Conduct Rule 3, which requires a Senior Manager to take reasonable steps to ensure that any delegation of their responsibilities is to an appropriate person and to oversee the discharge of the delegated responsibility effectively.

The Notice serves as a timely reminder that "Individuals performing SMFs cannot outsource their responsibilities". The old mantra of one being able to delegate but not abdicate responsibility remains true. Senior Managers are reminded of the importance of assessing the reasonableness of any outsourcing arrangements, of seeking appropriate assurances as to progress and completion, and of "investigating and challenging" assurances that are received before reliance is placed on such assurances. Having the audit trail as to the steps taken in that regard will be equally important.
