Raphaels Bank received two separate fines from both the FCA (£775,100) and the PRA (£1,112,152) for failing to manage its outsourcing arrangements properly between April 2014 and December 2016.
What did the regulators have to say?
Mark Steward, FCA Executive Director of Enforcement and Market Oversight said:
‘Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.’
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
‘Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.
‘In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.’
What details do we know about these failings?
Raphaels is a retail bank providing banking and related services. It operates prepaid card and charge card programmes in the UK and Europe through its Payment Services Division (PSD). The PSD relies on outsourced service providers to perform certain functions, such as authorisation and processing of card transactions, which are crucial to the operation of its card programmes.
The regulators found that Raphaels failed to have in place adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, in particular how those providers would support the continued operation of its card programmes during a disruptive event. The absence of such processes exposed its customers to a serious risk of harm, as the bank was facing a risk to its operational resilience.
These risks materialised on 24 December 2015, when a technology incident occurred at a card processor. The incident caused the complete failure of the authorisation and processing services provided to Raphaels Bank. The outage lasted over eight hours and impacted 3,367 customers, who were unable to use their prepaid or charge cards. In total, the card processor was unable to authorise 5,356 customer card transactions that were attempted. The timing of the incident, Christmas Eve, is thought to have exacerbated its impact.
The regulators found that the specific failings in this incident came from deeper flaws within the overall management and oversight of outsourcing risk from Board level down. The joint regulatory investigation identified weaknesses throughout the firm’s outsourcing systems and controls that the regulators believe should have been identified by the firm. These included a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services, and flaws in its initial and ongoing due diligence of outsourced service providers.
Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016, by which time Raphaels had designed new outsourcing policies and procedures to remedy the failings.
What can the industry take from this action?
There is a key message being emphasised here: it is the responsibility of the firm to ensure that the outsourced services it uses are sufficient and have the appropriate safeguards and processes in place to protect both customers and the business.
Any firm that uses outsourced providers as part of its business model should ensure that there is sufficient knowledge and understanding of the risks involved. This knowledge should run throughout the business and not be kept at just one level of it. This will help to ensure that the firm has sufficient policies and processes in place to protect its customers.
If a firm has any concerns, now is the time to act, as the regulators will take the view that any delay in responding to a potential issue by a firm demonstrates a lack of adequate and timely remediation.
If you are interested in refreshing your team’s knowledge on managing the risks of outsourcing in Financial Services, please take a look at our one-day training session. Alternatively, if you have any other concerns or would like support with anything bespoke to your existing processes and arrangements, please contact us today to discuss your requirements.
Raphaels agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been £2,709,574.