The Financial Conduct Authority (FCA) has issued a £16.4 million fine against Tesco Personal Finance plc (Tesco Bank) this week (link to the FCA’s Final Notice available here). This fine is highly significant, given that it is the first fine which the FCA has issued in respect of cyber failings.
The fine pertained to a cyber-attack on Tesco Bank’s customers which occurred in November 2016. Fraudsters unlawfully obtained £2.26 million by taking advantage of shortcomings in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team. Customers with personal current accounts with Tesco Bank were susceptible to the attack.
What actions were the FCA concerned with?
The FCA concluded that Tesco Bank had failed to exercise due skill, care and diligence in protecting its customers, commenting that it is crucial that customers of banks are safe from financial crime. The FCA also emphasised the need for effective cyber-resilience procedures.
In particular, the FCA was concerned that the attack was both avoidable and a foreseeable risk. Mark Steward, FCA Executive Director of Enforcement and Market Oversight stated that “the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”
The attack was foreseeable because Tesco Bank had received a warning about the attack – Visa had issued a warning about fraudulent transactions in Brazil and the US. Tesco Bank reacted appropriately in relation to credit cards by implementing a rule to block these transactions on its credit cards. However, it did not do the same in respect of debit cards.
The FCA was concerned that Tesco Bank did not respond to the attack “with sufficient rigour, skill and urgency.” Tesco Bank’s Financial Crime Operations Team did not contact its Fraud Strategy Team until 21 hours after the attack had begun. During those 21 hours, no action was taken to stop the attack. The FCA also took issue with the design and distribution of Tesco Bank’s debit card and the configuration of specific authentication and fraud detection rules.
What principle(s) did Tesco Bank breach?
The FCA held that Principle 2 of the FCA Handbook had been breached by Tesco Bank. This Principle imposes a duty to conduct business with due skill, care and diligence and, in the opinion of the FCA, Tesco Bank had failed to do this.
In particular, Tesco Bank was found to have failed to exercise due skill and care in relation to the following:
1. The design and distribution of its debit card: the debit card was not intended for contactless use, but customers could still use it in this way. Further, debit cards had inadvertently been issued with sequential PANs (primary account numbers), which contributed to the likelihood of an attack.
2. The configuration of specific authentication and fraud detection rules: Tesco Bank’s system for checking expiry dates of cards and its fraud analysis management system were inappropriate and insufficient.
3. Tesco Bank failed to take appropriate action to prevent the foreseeable risk of fraud.
4. Tesco Bank failed to respond to the cyber-attack with sufficient rigour, skill and urgency.
Action taken by the FCA and Tesco Bank’s response
A financial penalty of £16.4 million was imposed on Tesco Bank. The fine would have been substantially higher at £33.6 million but for the fact that Tesco Bank cooperated with the FCA in its inquiry, fully compensated customers and stopped a large number of fraudulent transactions. All of this resulted in the FCA giving Tesco Bank a 30% credit for mitigation. Further, Tesco Bank agreed to an early settlement.
Tesco Bank has since implemented measures to strengthen its financial crime systems and controls and the skills of relevant individuals to ensure the security of Tesco Bank accounts.
Practical significance of the financial penalty
The FCA fine serves as a cautionary tale for firms that do not prioritise cyber security or otherwise have weaknesses in their financial crime controls. The General Data Protection Regulation has also considerably raised the stakes in terms of the potential fines that can be imposed by data protection supervisory authorities, the requirements around data breach notification and the clearer rights that individuals have to seek compensation for damage.
Further, it is now clear that if a risk is foreseeable, the FCA will not hesitate to take action where a firm does not take steps to protect its customers’ security. Documented crisis management procedures are an essential component of an effective cyber-incident response framework. The fact that Tesco Bank did not act in response to a warning was a key part of the FCA’s adverse finding.