Financial Conduct Authority fines Tesco Bank £16.4 million for failures in 2016 cyber attack

The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for “failing to exercise due skill, care and diligence” in protecting its personal current account holders against a cyber attack that took place in November 2016.

During the episode, cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team in order to carry out the targeted attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26 million.

Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine that the FCA has imposed on Tesco Bank reflects the fact that we have no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the objective of preventing this type of incident from being repeated.”

Principle 2 requires a firm to conduct its business with due skill, care and diligence. Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime.

The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to design and distribute its debit card, configure specific authentication and fraud detection rules, take appropriate action to prevent the foreseeable risk of fraud and respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.

Cyber security requires resilience

Cyber security requires resilience. A financial institution’s Board is ultimately responsible for ensuring that its cyber crime controls are designed to meet standards of resilience. The Board must set an appropriate cyber crime risk appetite and ensure that its institution’s cyber crime controls are designed to anticipate and reduce the risk of a successful attack.

Where an attack is successful, the Board should ensure that the bank’s response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident. Following an attack, the financial institution should commission a root cause analysis and understand and ameliorate the vulnerabilities that made the institution susceptible to the attack in order to reduce the risk of future attacks.

Following the attack, Tesco Bank immediately put in place a comprehensive redress programme and devoted significant resources to improving the deficiencies that left the bank vulnerable to the attack and instituted a comprehensive review of its financial crime controls. It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.

Tesco Bank provided a high level of co-operation to the FCA. Through a combination of this level of co-operation, its comprehensive redress programme which fully compensated customers, and in acknowledgement that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation.

In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.