This enforcement action is the first of its kind under the SM&CR Conduct Rule 2 and is a stark reminder to individuals who are subject to the regime of the powers that the PRA has.
In 2015, a UK retail bank undertook a migration of its IT systems to a new purpose-built version of its parent company’s platform. This project was outsourced to a number of service providers and the CIO was responsible for the outsourcing relationship with the service providers.
Whilst the migration was ultimately completed in 2018, the bank encountered significant issues and disruption to its online, telephone and mobile banking services, as well as branch technology failures and consequential issues with payment and debit card transactions. Some of the issues improved within a few days of the migration taking place, however some lasted for many months.
Questioning the bank’s financial stability, the PRA launched an investigation into whether the CIO, performing a ‘Senior Management Function’ (SMF), took the appropriate steps in carrying out their responsibilities and whether the CIO was compliant with the relevant requirements in the PRA Rulebook. We explore this in more detail later in this article.
According to the CIO’s Senior Management Regime Statement of Responsibilities, the CIO was responsible for:
It was apparent from the PRA’s final notice, there were some delays in the commencement of the migration programme and some of the critical testing plans for the migration “had to be deviated from…”.1 The testing was the responsibility of the supply chain of service providers and by deviating from this, exposed the bank to operational risk.
Upon conclusion of the investigation, the PRA found that the CIO had breached Senior Manager Conduct Rule 2 under the SM&CR in relation to the migration programme and its responsibilities of adequately managing and supervising the outsourcing arrangements. It is interesting to note that the context of the enforcement action arose from a breach of Conduct Rule 2, as opposed to the “duty of responsibility”. It remains to be seen whether the HM Treasury’s recent “Call for Evidence”2, in which they are seeking feedback on the SM&CR and ways to potentially improve the Regime, will show that the “duty of responsibility” continues to serve a useful purpose under the Regime.
The CIO’s fine follows enforcement action taken jointly by the Financial Conduct Authority (FCA) and the PRA in December 2022 against the UK retail bank3, for its operational and resilience failings when it undertook the major migration of its IT systems causing the significant disruption to banking services for its corporate and personal customers.
The SM&CR regime was introduced in the wake of the 2008 financial crisis and replaced the previous “Approved Persons” regime. The SM&CR applied to the banking sector from March 2016 and was implemented to ensure that all Senior Managers are approved by the regulator and can be held accountable if their responsibilities do not meet the standard which the regulator expects.
The enforcement discussed in this article relates to Senior Managers Conduct Rule 2 which specifies that “you must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.”4 In this case, the CIO was fined for failing to take reasonable steps to ensure that the bank adequately managed and supervised its outsourcing arrangement in relation to the IT migration.
In the Bank of England’s recent statement published on 13 April 2023, the Deputy Governor and Chief Executive of the PRA stated “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively…” and that the management of the outsourcing relationship “fell below the standard we expect”.5
So, what about insurance – the FCA/PRA prohibit the use of insurance to pay or indemnify against an FCA/PRA fine.6 However, the FCA do permit the use of insurance to pay or indemnify a person against the costs of defending an FCA enforcement action. Financial Institutions (FIs) should carefully consider their insurance policies to determine what level of cover they have available to them. Whilst the vast majority of cyber policies do provide coverage for regulatory investigations, most are limited to those regulators that enforce data protection legislation and not necessarily financial conduct regulators, such as the FCA/PRA.
Cyber events can trigger more than one policy. Third party claims and significant incident response costs can arise as a result of specific events such as data breaches, cyber-attacks, including ransomware and denial of service attacks, and (subject to terms and conditions), cyber insurance can be an effective risk transfer solution to the extent FIs are alleged to be liable, or need to respond effectively, in relation to such claims. Directors & Officers (D&O) (subject to terms and conditions) policies can also play their part in providing coverage in relation to regulatory investigations against senior individuals, as well as potential shareholder actions.
Often, these types of events can cause the share price to drop significantly, or perhaps where a senior director/officer has misled its shareholders on the financial stability of the firm, or how secure the systems are in terms of a cyber breach.
Talk to WTW or your Claims Advocate about your coverage and what solutions are available to you.
1 Final notice from PRA to Carlos Abarca
2 Senior Managers & Certification Regime: a Call for Evidence
3 Final notice from PRA to TSB Bank
4 COCON 2.2 Senior manager conduct rules - FCA Handbook
6 See chapter 6.1.5 of Chapter 6 - Insurance against financial difficulties
WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in which WTW operates. For further authorisation and regulatory details about our WTW legal entities, operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements. The information given in this publication is believed to be accurate at the date of publication shown at the top of this document. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date.
