Norton Rose Fulbright LLP

05/02/2023 | News release | Distributed by Public on 05/02/2023 09:19

IT migration and outsourcing - lessons from the latest SMCR enforcement case

On 13 April 2023, the Prudential Regulation Authority (PRA) fined the former Chief Information Officer (CIO) of TSB Bank plc (TSB), Carlos Abarca, £81,620 for failing to take reasonable steps to ensure that TSB adequately managed and appropriately supervised its outsourcing arrangements in relation to its 2018 IT migration programme, in breach of PRA Senior Manager Conduct Rule 2 (SMCR 2). SMCR 2 requires that a senior manager, such as Mr Abarca (who held SMF18), must take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant requirements and standards of the regulatory system. This decision follows enforcement action against TSB in December 2022 for operational risk management and governance failures, which resulted in a joint fine by the PRA and Financial Conduct Authority (FCA) of £48,650,000.

The case is a reminder of the current regulatory focus on operational resilience, as well as financial resilience, and emphasises in particular the key role that senior managers play in ensuring that firms manage and supervise outsourcing effectively. Ultimately Mr Abarca was fined because the PRA viewed his management of a key outsourcing relationship as falling below the expected standard and "outside the range of reasonable responses for a CIO in his position … and contributed to the disruptions to the continuity of TSB's core banking functions". The decision contains a number of learnings for senior management and firms in relation to managing IT migration programmes and outsourcing arrangements, and to the expectations of senior managers more broadly, which we set out below.

Background

Between 2015 and 2018, TSB, a UK retail bank, carried out a significant IT change programme which included the creation of a new core banking platform, followed by a migration of TSB's customers' data to that platform. TSB appointed two service subsidiaries within its group to provide the required services in relation to the new platform, SABIS Spain and Sabadell Information Systems Limited (together SABIS). Under the relevant contracts, the SABIS entities' services included the building and testing of the platform and operating the platform following migration. Under the contracts, SABIS relied 'extensively' on third parties (which the PRA describes as TSB's fourth parties) to deliver the systems and services required for the migration and its operation. Indeed, there were 85 fourth parties, 11 of which were material subcontractors.

The migration was to be effected predominantly via a single Main Migration Event (MME), with some functionality migrated through Governed Transition Events (GTEs) prior to this. The GTEs commenced in 2017. The MME took place in April 2018 and, whilst the data migration was successful, the new platform almost immediately experienced serious technical failures, including failures with online, telephone and mobile banking services and consequential issues with payment and debit card transactions. As a result, there was significant disruption to the continuity of TSB's banking services, with all of TSB's branches and a significant proportion of its 5.2 million customers being impacted. It took until December 2018 for TSB to return to business-as-usual, and TSB has paid £32.7m in redress to customers who suffered detriment. The direct causes of the technical problems experienced during the MME mainly related to issues with IT configuration, capacity and coding.

Mr Abarca's failings

Under the Senior Managers & Certification Regime (SMCR), Mr Abarca held SMF18 (other overall responsibility) from March 2016 and was the most senior executive responsible for TSB's information technology and IT business continuity planning. He was also responsible for, amongst other things, managing the migration programme and TSB's key outsourcing relationship with SABIS. In the PRA's view, the processes for which Mr Abarca was responsible in performance of his role as CIO were critical to the success of the migration and to TSB's understanding of the risks it was accepting and was willing to accept.

The PRA found that Mr Abarca breached the PRA's SMCR 2 because he failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rules in adequately managing and appropriately supervising its outsourcing arrangement with SABIS. Particular failings included that he did not:

  1. ensure that SABIS' ability and capacity were formally and adequately reassessed on an ongoing basis;
  2. ensure that TSB obtained sufficient assurance from SABIS in relation to its readiness to operate the new IT platform; and
  3. give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to SABIS' readiness for migration.

Mr Abarca agreed to settle his case and therefore qualified for a 30% reduction in his fine. Without this discount, the fine would have been £116,600, based on a starting point of 15% of his relevant income.

Lessons learned from this decision

The case contains a number of learnings for senior management and firms in relation to managing IT migration programmes and outsourcing arrangements more broadly. These include:

  1. No special treatment for intragroup service providers, which must be assessed on an ongoing basis - The case acts as a reminder for senior managers and firms that the PRA's rules on outsourcing apply whether a service provider is an independent third party or an intragroup provider. The fact that a firm and its service provider are within the same group does not do away with the need for a careful assessment of whether the service provider has "the ability, capacity, resources and appropriate organisational structure to support the performance of the outsourced functions, and for this assessment to be revisited where appropriate".
  2. Be sufficiently engaged and proactive where there are fourth parties - Where a firm is reliant on an outsourced service provider to manage fourth parties, a sufficiently engaged and proactive approach to oversight of the outsourced provider is required by senior managers to ensure that the firm's interests are met. This is because the absence of a contractual relationship with the fourth parties delivering services exposes a firm to significant operational and regulatory risk which needs to be mitigated. Senior managers should also consider whether extensive outsourcing could compromise their ability to oversee and monitor an outsourcing arrangement.

    In this case, the PRA concluded that Mr Abarca did not appear to have considered whether he needed further information from SABIS in relation to any confirmations they gave that relied on fourth parties. Further, he did not ensure that he or his CIO team obtained sufficient assurance regarding SABIS' management of fourth parties, including whether SABIS had robust testing, monitoring and control over those parties.
  3. Challenge forward-looking statements - Linked to the previous point, where confirmations of migration or other project readiness are received from third and fourth parties, senior managers must consider whether investigation or challenge of these confirmations is required, particularly where such confirmations contain forward-looking statements of good intention or expectation rather than statements of fact about the readiness of activities already undertaken, or where such confirmations are caveated with outstanding tasks or tests which have not yet been completed.

    In this case, TSB did obtain formal assurance in the two weeks leading up to the MME as to the readiness of SABIS to operate the relevant platform. As part of this, SABIS provided a letter, which included confirmations from the critical fourth parties, stating confidence as to migration readiness. However, the PRA found that these confirmations were, to some extent, forward-looking statements (e.g. that they expected to be ready for migration, rather than that they were ready) and all but one were caveated with a number of outstanding tasks which had not yet been completed. As a result, the PRA concluded that Mr Abarca was over-reliant on that confirmation. It was insufficient for Mr Abarca to rely on the fact that fourth parties were engaged under contracts which conformed to the PRA's Outsourcing Rules.
  4. Respond to early warning signs - Senior managers and firms must adequately respond to any early warning signs in relation to planned IT migrations or other projects, such as any indicators of potential performance or service issues. In this case, problems were experienced for each of the GTEs in the months leading up to the MME, and a report issued in October 2017 found that, where there were incidents, in some cases the root cause was a build defect that was not identified in testing, such as configuration issues. Despite this, Mr Abarca did not ensure that TSB formally re-assessed SABIS' ability and capacity to deliver the migration.
  5. CIOs must act proportionately - Finally, the Notice makes clear that for large and high-risk migration projects, such as the one in this case, CIOs are expected to act reasonably in carrying out their role and responsibilities, in a manner which is commensurate with the degree of risk and complexity involved. In this case, the PRA found that Mr Abarca's conduct fell outside the "range of reasonable responses" for a CIO in his position in a PRA-authorised firm and that it contributed to the disruptions to the continuity of TSB's core banking functions post-MME.

Concluding remarks

It is interesting that the PRA has taken action against Mr Abarca for a breach of SMCR 2, as opposed to for a breach of the duty of responsibility or for being knowingly concerned in TSB's breaches. In addition to the lessons from the case mentioned above, this decision will be of wider interest to senior managers and firms more generally, given that there has been such limited successful enforcement action under the SMCR to date. According to a June 2022 Freedom of Information request response, when asked how many successful enforcement actions had been taken following an investigation under the SMCR where one or more of the individuals investigated was a senior manager, the FCA responded that, as at 27 April 2022, only two senior managers had received a financial penalty or public censure since 2016 (the date on which the SMCR first became effective), and only one senior manager had received a prohibition. According to another Freedom of Information request response, as at June 2022 there were also only 16 ongoing investigations into non-SMF individuals (which includes Certified Individuals and other staff to whom the FCA Code of Conduct applies).

This decision also comes at a time when the SMCR is under review. In December 2022, the government announced, as part of the Edinburgh Reforms, that HM Treasury (HMT), the FCA and the PRA would commence separate reviews of the SMCR. In line with this, as noted in previous Regulation Tomorrow blogs, on 30 March 2023 the FCA and the PRA published a joint Discussion Paper seeking input on potential ways to improve the SMCR and views on its effectiveness and proportionality. On the same date, HM Treasury published a Call for Evidence on the SMCR to look at the legislative aspects of the regime. Responses to both of these are due by 1 June 2023.

To conclude, our key practical tips for senior managers from this decision are:

  • ensure that you can evidence a risk based approach to your responsibilities, including those set out in your Statement of Responsibilities;
  • make sure that you understand and are satisfied with how any fourth parties in an outsourcing arrangement are being managed;
  • where confirmations are given by third parties, in particular those that rely on fourth parties, ensure that you provide sufficient scrutiny and challenge of these and that this is documented - such assurances must provide sufficient comfort about the steps that have actually been taken, as opposed to merely the steps that are planned to be taken;
  • revisit assurances given regularly;
  • ensure you have reported upwards, including to the board where appropriate, all relevant information;
  • stay alert as to whether any reported issues require any revisiting of the plan or arrangements;
  • if in any doubt about your responsibilities, or whether you have done enough, consider whether to obtain advice; and
  • in the event of any issues, or for your awareness more generally, check the extent to which you may be protected under your firm's D&O policy for any regulatory investigation that may arise (remembering that any penalties will not be covered).