Cyber Attack: FCA Fines Tesco £16.4 Million
1st October 2018
Cyber Crime: Tesco fails to exercise due skill, care & diligence
The FCA has today fined Tesco Personal Finance plc £16.4 million for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack. Had it not been for agreeing to settle early and for a mitigation credit awarded by the FCA, the fine would have totalled over £33.5 million.
Back in November 2016, a cyber attacker exploited weaknesses in Tesco Bank’s design of its debit card, its financial crime controls and its Financial Crime Operations Team to carry out an attack. The deficiencies in these areas left Tesco Bank’s personal current account holders vulnerable to an otherwise largely avoidable incident, which took place over a 48-hour period and netted the criminals £2.26 million.
The Executive Director of Enforcement and Market Oversight at the FCA, Mark Steward, said that the fine they had imposed on Tesco, “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”.
In this particular instance, the cyber-attack was the subject of a “very specific warning that Tesco Bank did not properly address until after the attack started”. Unfortunately, by then it was too late and not enough could be done to stop the cyber attackers.
The FCA made it clear that customers should not have been exposed to these risks at all. In its findings, the FCA concluded that Tesco had breached Principle 2, which requires a firm to conduct its business with due skill, care and diligence, by failing to:
- Design and distribute its debit card appropriately;
- Configure specific authentication and fraud detection rules;
- Take appropriate action to prevent the foreseeable risk of fraud; and
- Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Fundamental to the business of banking is ensuring that customers are protected from financial crime. In addition, the cyber security put in place by the board of a financial institution should be designed to meet standards of resilience with attack response plans clear and well-rehearsed so that individuals can respond quickly and efficiently to reduce the impact of an attack.
It should be noted that following the attack, Tesco Bank immediately put in place a comprehensive redress programme and devoted significant resources to remedying its deficiencies, thereby significantly improving both its financial crime systems and the controls and skills of the individuals who operate them.
Comment from the FCA:
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls from being repeated.”
Mark Steward, FCA, October 2018