The recent PRA decision to fine Mr Carlos Abarca, the former CIO of TSB Bank plc, in connection with TSB’s failed IT migration in 2018 may be a rare example of a regulator holding an executive personally responsible for an IT failure. However, it demonstrates the FCA's and PRA's high expectations of firms that outsource critical IT functions and serves as a cautionary tale for anyone who negotiates or manages outsourcing contracts (even in non-regulated sectors).
- Treat with caution any non-contractual assurances given by the supplier (e.g. in a letter) about its readiness to migrate. The impact of any caveats should be carefully considered and remedial action taken where necessary (particularly if there are also other known issues).
- Good governance is key (and means that you don't need to rely on non-contractual assurances). A robust governance regime (including risk registers and early warning mechanisms) that is actually enforced, together with clear, structured migration milestones / plans, acceptance regimes and dependencies, will help to ensure that issues are identified and appropriately escalated ahead of time. Remediation provisions (such as enhanced co-operation and step-in rights) can then be called on (or threatened – we all know that step-in, in particular, is a rare occurrence!) for those issues that are not resolved.
- Don't forget the subcontractors. Migration can hinge on them as much as on the prime contractor. Customers should understand which subcontractors there are, the services that they are providing and their impact on the wider service. Supply chain provisions and transparency are standard (including restrictions on the use of subcontractors, liability remaining with the prime contractor, and audit rights over subcontractors) and are to be expected. Significantly, however, there should also be an element of customer monitoring / management of subcontractor progress. Whilst it is fairly unusual for a customer to be "hands on" once it has appointed a prime contractor, the suggestion (in the financial services sector at least) is that customers may need to be more so in future.
The Decision follows the decisions of the PRA and FCA last year to fine TSB a total of over £48 million for operational resilience failures in its migration from a legacy banking platform to a new system.
The new system was based on the Proteo platform of its Spanish parent, Sabadell, and the build and migration work was outsourced to SABIS, Sabadell’s in-house IT service provider.
The migration took place in April 2018 and resulted in days of outages for customers trying to access their accounts, use internet banking and make payments. The FCA found that the outages were caused primarily by IT configuration, capacity and programming issues, but also by inadequate risk management of the outsourced service.
The PRA’s criticisms:
Failing to follow up
A key PRA criticism was that, in the run up to the migration, Mr Abarca “failed to ensure that he or his CIO team obtained sufficient assurance from SABIS in relation to its readiness to operate the [new platform]”.
In particular, when reporting to the TSB board, Mr Abarca relied on a letter from SABIS confirming that it was ready to migrate but which was subject to a number of caveats. The PRA held that Mr Abarca should have obtained further assurances from SABIS given the caveats and that he was aware that there were outstanding tests to be completed.
Over-reliance on SABIS to manage its subcontractors
The migration was also dependent on a number of SABIS’s subcontractors. The PRA was critical of the fact that, when deciding whether these subcontractors were ready to begin the migration, Mr Abarca relied on SABIS’s assurance that they were, which was in turn based on assurances from those subcontractors. Mr Abarca did not verify whether SABIS had critically assessed the assurances it was given by the subcontractors, and was therefore unable to properly assess the risk posed to TSB.
Failure to reassess ongoing risk
The PRA held that Mr Abarca “failed to ensure that TSB formally and adequately reassessed SABIS’s capabilities on an ongoing basis”.
In particular, the Decision points to several service level breaches during transition which should have led to TSB reassessing the risk posed by the outsourcing arrangement.