Following a joint investigation by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), R. Raphael & Sons plc (Raphaels), one of the UK’s oldest lenders, has been fined for failing to manage its outsourcing arrangements between April 2014 and December 2016 and exposing customers to unnecessary and avoidable harm and inconvenience.

Raphaels was fined separately by each authority in accordance with their respective penalty regimes. The FCA fined Raphaels £775,100 and the PRA £1,112,152, bringing the total fine to almost £1.9m.

What is Raphaels?

Raphaels is a retail bank with a payment services division operating prepaid card and charge card programmes in the UK and Europe. This payment services division depends on outsourced service providers to perform a number of critical functions in the operation of these programmes, including the authorisation and processing of card transactions.

What went wrong?

Raphaels had not implemented sufficient processes to properly understand and evaluate the business continuity and disaster recovery measures which its outsourced service providers had in place and, crucially, how they would ensure its card programmes continued to operate should there be disruption. Accordingly, Raphaels failed to ensure operational resilience, putting customers at serious risk of harm.

This failure was demonstrated when, on 24 December 2015, a technological issue caused the complete failure of Raphaels’ outsourced authorisation and processing services for over eight hours and prevented thousands of customers from being able to use their cards and receive their wages. The impact of the failure on customers was found to have been particularly exacerbated by its timing on Christmas Eve.

What were the factors taken into account when deciding the fine?

The joint FCA-PRA investigation highlighted weaknesses throughout Raphaels’ outsourcing systems and controls, emanating from board level down, which Raphaels should have been aware of since April 2014. Issues highlighted included insufficient consideration of outsourcing by its board and departmental risk appetites, the absence of processes for identifying critical outsourced services, and flaws in its initial and ongoing due diligence of outsourced service providers.

The investigation also found that Raphaels' outsourcing arrangements continued to be inadequate until the end of 2016. It concluded that repeated failings demonstrated a lack of sufficient and timely remediation and this was noted as a significant aggravating factor leading to an uplift in the fine.

Raphaels was found to have breached Principle 2 (Skill, care and diligence) and Principle 3 (Management and control) of the FCA’s Principles for Businesses, as well as chapter 8 (Outsourcing) of the Senior Management Arrangements, Systems and Controls sourcebook of the FCA Handbook. The PRA found that Raphaels was in breach of Fundamental Rules 2 (Skill, care and diligence), 5 (Effective risk strategies and risk management systems) and 6 (Organise and control its affairs responsibly and effectively) of the PRA Rulebook.

Raphaels would have received an even greater penalty of £2.7m, but was given a 30% reduction for cooperating with the regulators.

What does the future hold?

The issue of operational resilience has become an increasing concern of the regulators following a number of high-profile outages in the last year affecting giants such as TSB and VISA. It is likely that the FCA and PRA will publish a joint consultation paper on this issue later this year.

Raphaels’ fine is the second major regulatory fine in less than five years levied for poor outsourcing controls and should serve as a cautionary tale to other financial organisations.