• wblogo
  • wblogo
  • wblogo

FCA investigating TSB over IT meltdown

Chris Hamblin, Editor, London, 8 June 2018

articleimage

TSB, the British retail and commercial bank which is a subsidiary of the Spanish Sabadell Group, is under investigation for the disastrous way in which it moved its online and mobile channels from an old Lloyds system to Sabadell's Proteo4 system. Millions of customers recently suffered a loss of contact with their online accounts, whetting the appetite of the regulator for punitive action.

The bank tried to move as many services as it could to the new system gradually, but it had to 'bite the bullet' and move its customers' data from one platform to another all at one weekend. This step, taken around 20 April, was the moment of meltdown.

Going public - a risky strategy?

The FCA has taken the unusual step of publicising its investigation, which began in earnest on 25 April. This either means that the regulator is very annoyed with TSB or that it is desperate for the public to believe that it is doing something to mop up a disaster that it should have seen coming.

The problems at TSB affected many customers in its mobile, web and telephonic 'banking channels' and in branches and at cashpoints as well. They found it especially hard to gain access to web and mobile banking and to make ad-hoc payments. Some - perhaps as many as 400 - were able to see the details of other people's accounts. The firm has notified the Information Commissioner's Office. People who tried to ring TSB up were cut off in their droves, often after long waits. By 30 May, when Andrew Bailey, the FCA's CEO, wrote a now-public letter to the Parliamentary Treasury Committee on the subject, more than 40% of calls were still being abandoned and waiting times were still longer than 30 minutes. Online services had still not quite returned to pre-crisis levels in the first few days of May.

Bailey wrote in his letter: "We understand that the new system was designed by TSB to provide consistent data across all channels. The anticipated benefit for customers is that TSB staff will have access to the same customer data regardless of the channel; however, it meant that when some of the problems occurred, they seem to have impacted all channels."

Preparations for disaster: the regulator's intimate involvement

The FCA did plenty of work at TSB in the run-up to the so-called 'IT migration.' It held 38 meetings with the firm's executive team, board members and external auditors on the subject of TSB's "governance and accountability for migration," as it puts it. It looked at TSB's plan to test the new system before it moved its customers onto it; as a result, the firm put 'D Day' off for six months until April.

When it thought that it was ready, TSB presented the FCA with something that Bailey calls "an assurance matrix of responsibilities." All twelve members of its business executive committee, covering all functions, attested personally to the firm's readiness to go ahead with the crossover. People from the risk and audit departments backed up their assertions. The FCA, in Bailey's words, "monitored the decision-making process closely."

As it was intimately involved in TSB's 'migratory' process, the FCA seems to have tried to distance itself from the disaster by staging a sharp backlash against the firm immediately after the crisis began. It pronounced itself dissatisfied with the way in which TSB was trying to communicate with its stricken customers and thought that the bank was not being open with them about its problems. In his letter Bailey points to TSB saying that the 'vast majority' of its customers could still see their accounts online, whereas in fact only half of them could even log on.

Matters came to a head on 25 May, when the FCA asked TSB to send over its 'communications strategy' forthwith. It also handed the bank a list of eight onerous and bureaucratically-worded 'principles' for it to consider (i.e. adhere to).

In his letter, Bailey also goes out of his way to mention that the chairman (who performs senior management function/SMF 9), the chairman of the risk committee (SMF 10), and the chairman of the audit committee (SMF 11), "authorised the initiation of migration." This sounds ominous for these people, who might now be fined or otherwise punished. This is especially likely because the Parliamentary Committee took exception to the testimony of Sabadell executive Miquel Montes, who said that "a project as complex as that cannot be seen as a responsibility that can be divided." The British banking fraternity has been in the grip of the FCA's Senior Managers and Certification Regime since March 2016.

The lost Eurydice?

Bailey, who used to run the Prudential Regulation Authority, mentions the FCA's close collaboration with that body again and again in his letter. He never specifies any reason for a prudential regulator to be involved in an obviously operational disaster such as this one, which suggests that he might be sorry that David Cameron's Coalition Government split the old Financial Services Authority in two in 2013. In its pronouncements on its website the FCA is constantly referring to the need to collaborate with the PRA over various things, even when they appear to have little to do with threats to banks' capital stocks or the stability of markets, and this might be a sign that its board is interested in a return to the grim past.

Next steps for the twins

Both regulators are therefore keeping a close superintending eye on TSB's hiring of IBM to help it diagnose and remedy its many technical problems. They are monitoring TSB's complaint-handling procedures. They are also constantly harrassing the bank to encourage it to be honest with its customers in general and to elicit explanations from it about the way it handles incidents of fraud. The FCA and the PRA between them have 14 people (Bailey's letter, somewhat confusingly, refers to 'up to 14' people) at the bank.

Fraud focus

Since TSB's meltdown began, more and more of its customers have suffered from fraud. Bailey's letter contains no further details about their plight, but suggests that the IT disaster has touched off a flurry of fraud reforms at the bank, with the FCA as the likely instigator. The regulator is 'working with' the bank on its refund and remediation strategy; TSB is going to set up a telephone line for new fraud reports; and both bank and regulator have agreed between them that whenever a TSB customer rings up the FCA's contact centre about a fraud, the FCA will pass his details (if he consents) to TSB so that the bank can investigate. TSB is also talking to the police 'actively,' whatever that means, about the prospect of someone-or-other investigating the flow of money and is trying to persuade other banks that receive fraudulent funds to try to find out how those funds have landed in TSB's accounts.

TSB, according to the regulator, has not obeyed the Payment Services Regulations 2017 in that it has failed to refund every relevant customer by the end of the next business day after it became aware of the fraud. The bank has promised the FCA that it will clear its backlog in early June and the FCA is keeping a close eye on this matter, receiving information about frauds that occur at TSB every day.

Latest Comment and Analysis

Latest News

Award Winners

Most Read

More Stories

Latest Poll