Regulatory enforcement action against Raphaels Bank for IT failures – key points for FS firms and tech suppliers

In May 2019, the FCA and PRA issued final notices against Raphaels Bank for failing to adequately manage its outsourcing arrangements. We summarise the regulatory action, and set out key points for FS firms and their tech suppliers and outsourcers to consider.

13.11.2019

The facts

Earlier this year, Raphaels was fined a combined total of just under £1.9 million by the FCA (Financial Conduct Authority) and the PRA (Prudential Regulation Authority) for failing to implement and maintain adequate systems and controls in respect of its outsourcing arrangements. As part of its banking activities, Raphaels offers prepaid and charge card programmes throughout Europe, in respect of which it outsources several ‘critical’ functions.

One of its outsourced card processors suffered an IT failure on Christmas Eve 2015, which left customers unable to use their cards in shops, online or at ATMs for a period of eight hours. The same processor had suffered a similar IT failure the previous year, which affected Raphaels’ customers, albeit in significantly smaller numbers.

The regulations

The Bank was found to have breached the following regulatory provisions:

  • FCA Principles 2 (skill, care and diligence) and 3 (management and control);
  • certain provisions of Chapter 8 of the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (SYSC 8); and
  • PRA Fundamental Rules 2 (skill, care and diligence), 5 (risk strategies and risk management systems) and 6 (responsible and effective organisation and control).

The failings

The Bank’s following failures contributed to the regulators’ decisions to issue a fine:

Risk management

  • Raphaels failed to adequately record, within its internal policies, its risk appetite and tolerance levels for risk arising from outsourced services.

Instruction, oversight and monitoring

  • The Bank’s internal outsourcing policy contained no practical guidance on how to apply its requirements or how to identify whether outsourced services were “critical” and therefore subject to stricter regulation.

Business continuity and disaster recovery

  • Initial due diligence on the outsourced providers’ business continuity and disaster recovery plans was insufficient.
  • The Bank’s continuity plans did not provide for failings by its outsourced providers; they focussed solely on functions performed by the Bank itself.
  • There were failings in Raphaels’ ongoing monitoring of its outsourced providers. In particular, annual due diligence forms were not completed for the outsourced card processors because they were not considered to be high risk, even though no consideration had been given to whether their services constituted “critical” outsourcing.
  • The Bank also gave no guidance to staff on how outsourced providers’ business continuity plans should be assessed.

The message

The key message to be taken from this enforcement action is that FS firms must take the control and oversight of outsourcing risk seriously and ensure that appropriate processes are put in place to assess and manage this risk. Outsourcing risks should be assessed as stringently as risks in internal processes.

The take-away points for FS firms

  • The key message from the regulators’ enforcement notices was that FS firms need to take outsourcing risk just as seriously as they take internal risk, particularly where they are outsourcing business-critical functions. This responsibility lies primarily with the board or senior management.
  • FS firms need to ensure that their internal policies provide adequate guidance on assessing whether an externally outsourced service is critical and how to adequately monitor outsourced providers to ensure they are meeting agreed service standards. They should ensure that these policies are implemented effectively in practice.
  • Whilst contractual terms in outsourcing agreements will not, in the absence of other measures, be a sufficient means of protection from regulatory enforcement action, FS firms should ensure that appropriate service level provisions are included in the relevant contracts.
  • Firms’ business continuity and disaster recovery plans should reflect the distribution of internal and outsourced functions, i.e. if the majority of services are outsourced then plans should focus on what action should be taken following the failing of an outsourced provider.

The take-away points for tech/outsourced suppliers

  • FS firms will not automatically or necessarily be punished for failings by outsourced providers; it is the management and monitoring of the risk of failure through practical steps such as clear internal risk policies that is important.
  • In contractual negotiations with FS firms, suppliers should therefore be conscious that a one-off service failure on their part would not necessarily result in regulatory action against the firm, and so strict contractual obligations aimed at preventing such a failure may not always be necessary.
  • It will therefore be important to consider the impact of these issues on indemnities that suppliers might provide, especially those covering regulatory fines.
  • If the FCA/PRA continue this approach to fining, certain contractual terms, such as audit rights, may become more important to FS firms. Suppliers should not assume that such rights will never be exercised, and should therefore consider carefully their scope, any appropriate restrictions, and how costs are allocated if they are exercised.