Tesco Bank fined

by Mark Rowe

The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack in November 2016.

The attackers exploited deficiencies in the bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team. The bank’s personal current account holders were left vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m, the regulator said.

Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said the fine reflected the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. “In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

The FCA found that Tesco Bank breached Principle 2 (requiring a firm to conduct its business with due skill, care and diligence) because it failed to exercise due skill, care and diligence to:

Design and distribute its debit card.
Configure specific authentication and fraud detection rules.
Take appropriate action to prevent the foreseeable risk of fraud.
Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.

After the attack, Tesco Bank put in place a redress programme, devoted resources to addressing the deficiencies that left the bank vulnerable to the attack, and reviewed its financial crime controls. It has made improvements to enhance both its financial crime systems and controls and the skills of those who operate them, the FCA said.

Tesco Bank cooperated with the FCA. Also, in acknowledgment that the bank stopped a significant percentage of unauthorised transactions, the FCA granted it 30pc credit for mitigation.

© 2024 Professional Security Magazine. All rights reserved.