Enforcement action

FCA fines round-up

FCA regulatory fines for 2018 now total £22.4m. The following fines and related enforcement actions have been announced in the past month:

Tesco Personal Finance plc

On 1 October, the FCA fined Tesco Personal Finance plc (Tesco Bank) £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack. The cyber-attack took place in November 2016, when the attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and its Financial Crime Operations Team to carry out the attack. The deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26m.

The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
  • Design and distribute its debit card.
  • Configure specific authentication and fraud detection rules.
  • Take appropriate action to prevent the foreseeable risk of fraud.
  • Respond to the November 2016 cyber-attack with sufficient rigour, skill and urgency.

The FCA states that a financial institution’s board is ultimately responsible for ensuring that its cyber-crime controls are designed to meet standards of resilience. The board must set an appropriate cyber-crime risk appetite and ensure that its institution’s cyber-crime controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack, the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack, to reduce the risk of future attacks.