FCA issue fine against Tesco Bank: the importance of prioritising cyber security

The Financial Conduct Authority (FCA) has issued a £16.4 million fine against Tesco Personal Finance plc (Tesco Bank) this week, set out in the FCA’s Final Notice. This fine is highly significant, given that it is the first fine which the FCA has issued in respect of cyber failings.

The fine pertained to a cyber-attack on Tesco Bank’s customers which occurred in November 2016. Fraudsters unlawfully obtained £2.26 million by taking advantage of shortcomings in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team. Customers with personal current accounts with Tesco Bank were susceptible to the attack.

What actions were the FCA concerned with?

The FCA concluded that Tesco Bank had failed to exercise due skill, care and diligence in protecting its customers, commenting that it is crucial that customers of banks are safe from financial crime. The FCA also emphasised the need for effective cyber-resilience procedures.

In particular, the FCA was concerned that the attack was both avoidable and a foreseeable risk. Mark Steward, FCA Executive Director of Enforcement and Market Oversight stated that “the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”

The attack was foreseeable because Tesco Bank had received a warning about the attack – Visa had issued a warning about fraudulent transactions in Brazil and the US. Tesco Bank reacted appropriately in relation to credit cards by implementing a rule to block these transactions on its credit cards. However, it did not do the same in respect of debit cards.

The FCA was concerned that Tesco Bank did not respond to the attack “with sufficient rigour, skill and urgency.” Tesco Bank’s Financial Crime Operations Team did not contact their Fraud Strategy Team until 21 hours after the attack had begun. During those 21 hours, no action was taken to stop the attack. The FCA also took issue with the design and distribution of Tesco Bank’s debit card and the configuration of specific authentication and fraud detection rules.

What principle(s) did Tesco Bank breach?

The FCA held that Principle 2 of the FCA Handbook had been breached by Tesco Bank. This Principle imposes a duty to conduct business with due skill, care and diligence and, in the opinion of the FCA, Tesco Bank had failed to do this.

In particular, Tesco Bank was found to have failed to exercise due skill and care in relation to the following:

1. The design and distribution of its debit card: the debit card was not intended for contactless use but customers could still use it in this way. Further, debit cards had inadvertently been issued with sequential PANs (primary account numbers), which contributed to the likelihood of an attack.

2. The configuration of specific authentication and fraud detection rules: Tesco Bank’s system for checking expiry dates of cards and its fraud analysis management system were inappropriate and insufficient.

3. Tesco Bank failed to take appropriate action to prevent the foreseeable risk of fraud.

4. Tesco Bank failed to respond to the cyber-attack with sufficient rigour, skill and urgency.

Action taken by the FCA and Tesco Bank’s response

A financial penalty of £16.4 million was imposed on Tesco Bank. The fine would have been substantially higher at £33.6 million but for the fact that Tesco Bank cooperated with the FCA in its inquiry, fully compensated customers and stopped a large number of fraudulent transactions. All of this resulted in the FCA giving Tesco Bank a 30% credit for mitigation. Further, Tesco Bank agreed to an early settlement.

Tesco Bank has since implemented measures to strengthen its financial crime systems and controls and the skills of relevant individuals to ensure the security of Tesco Bank accounts.
Practical significance of the financial penalty

The FCA fine serves as a cautionary tale for firms who do not prioritise cyber security or otherwise have weaknesses in their financial crime controls. The General Data Protection Regulation has also considerably raised the stakes in terms of the potential fines that can be imposed by data protection supervisory authorities, the requirements around data breach notification and the clearer rights that individuals have to seek compensation for damage.

Further, it is now clear that if a risk is foreseeable, the FCA will not hesitate to take action where a firm does not take steps to protect its customers’ security. Documented crisis management procedures are an essential component of an effective cyber-incident response framework. The fact that Tesco Bank did not act in response to a warning was a key part of the FCA’s adverse finding.

This article was co-written by Charlotte Fleming.
