FCA issues fine against Tesco Bank: the importance of prioritising cyber security

The Financial Conduct Authority (FCA) has issued a £16.4 million fine against Tesco Personal Finance plc (Tesco Bank) this week (the FCA’s Final Notice sets out the full findings). This fine is highly significant, as it is the first fine the FCA has issued in respect of cyber failings.

The fine pertained to a cyber-attack on Tesco Bank’s customers which occurred in November 2016. Fraudsters unlawfully obtained £2.26 million by taking advantage of shortcomings in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team. Customers with personal current accounts with Tesco Bank were susceptible to the attack.

What actions were the FCA concerned with?

The FCA concluded that Tesco Bank had failed to exercise due skill, care and diligence in protecting its customers, commenting that it is crucial that customers of banks are safe from financial crime. The FCA also emphasised the need for effective cyber-resilience procedures.

In particular, the FCA was concerned that the attack was both avoidable and a foreseeable risk. Mark Steward, FCA Executive Director of Enforcement and Market Oversight stated that “the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”

The attack was foreseeable because Tesco Bank had received a warning about it: Visa had issued an alert about fraudulent transactions in Brazil and the US. Tesco Bank reacted appropriately in relation to credit cards by implementing a rule to block these transactions on its credit cards. However, it did not do the same in respect of debit cards.

The FCA was concerned that Tesco Bank did not respond to the attack “with sufficient rigour, skill and urgency.” Tesco Bank’s Financial Crime Operations Team did not contact their Fraud Strategy Team until 21 hours after the attack had begun. During those 21 hours, no action was taken to stop the attack. The FCA also took issue with the design and distribution of Tesco Bank’s debit card and the configuration of specific authentication and fraud detection rules.

What principle(s) did Tesco Bank breach?

The FCA held that Principle 2 of the FCA Handbook had been breached by Tesco Bank. This Principle imposes a duty to conduct business with due skill, care and diligence and, in the opinion of the FCA, Tesco Bank had failed to do this.

In particular, Tesco Bank was found to have failed to exercise due skill and care in relation to the following:

1. The design and distribution of its debit card: the debit card was not intended for contactless use, but customers could still use it in this way. Further, debit cards had inadvertently been issued with sequential PANs (primary account numbers), which made the cards easier to target and so contributed to the likelihood of an attack.

2. The configuration of specific authentication and fraud detection rules: Tesco Bank’s system for checking expiry dates of cards and its fraud analysis management system were inappropriate and insufficient.

3. Tesco Bank failed to take appropriate action to prevent the foreseeable risk of fraud.

4. Tesco Bank failed to respond to the cyber-attack with sufficient rigour, skill and urgency.

Action taken by the FCA and Tesco Bank’s response

A financial penalty of £16.4 million was imposed on Tesco Bank. The fine would have been substantially higher at £33.6 million but for the fact that Tesco Bank cooperated with the FCA in its inquiry, fully compensated customers and stopped a large number of fraudulent transactions. All of this resulted in the FCA giving Tesco Bank a 30% credit for mitigation. Further, Tesco Bank agreed to an early settlement.

Tesco Bank has since implemented measures to strengthen its financial crime systems and controls and the skills of relevant individuals to ensure the security of Tesco Bank accounts.
Practical significance of the financial penalty

The FCA fine serves as a cautionary tale for firms who do not prioritise cyber security or otherwise have weaknesses in their financial crime controls. The General Data Protection Regulation has also considerably raised the stakes in terms of the potential fines that can be imposed by data protection supervisory authorities, the requirements around data breach notification and the clearer rights that individuals have to seek compensation for damage.

Further, it is now clear that if a risk is foreseeable, the FCA will not hesitate to take action where a firm does not take steps to protect its customers’ security. Documented crisis management procedures are an essential component of an effective cyber-incident response framework. The fact that Tesco Bank did not act in response to a warning was a key part of the FCA’s adverse finding.

This article was co-written by Charlotte Fleming.
