FCA and PRA jointly fine bank for repeated outsourcing failings
R. Raphael & Sons PLC (Raphaels), one of the UK's oldest lenders, has been criticised and fined jointly by the FCA and PRA after it was found that the bank had failed to manage its outsourcing arrangements properly.
The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) has criticised and fined Raphaels for failing to manage its outsourcing arrangements properly between April 2014 and December 2016.
Raphaels contracted with outsourced providers to deliver services which were vital for the performance of its Payment Services Division. These outsourced services included the authorisation of payment transaction requests from Card Payment Systems on behalf of the bank (the service was ultimately sub-contracted). It was held that Raphaels failed to have appropriate processes in place to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, specifically how they would manage the ongoing operation of their card programmes if a system failure were to occur.
The absence of such processes came to light on Christmas Eve 2015 when Raphaels' card processor was hit by a technology problem that caused a complete failure of the authorisation and processing services provided to Raphaels.
The incident lasted over eight hours, during which time 3,367 customers were unable to use their prepaid card and charge cards. A total of 5,356 transactions were attempted and failed. There is unlikely to have been a worse day for this to happen given the last minute Christmas shopping that would have undoubtedly have been taking place.
Mark Steward, FCA Executive Director of Enforcement and Market Oversight said: "Raphaels systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers."
Whilst Sam Woods, Chief Executive Officer of the PRA, said: "Firms ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firms operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.
In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty."
In fact, the incident in question took place just one month after the FCA had fined Raphaels £1,300,000 for "potentially putting its safety and soundness at risk" after it failed to properly manage an outsourcing deal for its cash machines.
The fines and decisions from the FCA and PRA should put regulated firms (and in particular financial institutions and investment managers who regularly use outsourcing services under the Payment Services Regulations) on alert to ensure adequate and appropriate systems are in place for outsourcing activities. The investigation was also critical of the deeper flaws in Raphaels' overall management and oversight of outsourcing risk across all levels; something that other firms will need to consider if they wish to avoid similar criticism.
The joint FCA and PRA investigation identified weaknesses throughout Raphaels' outsourcing systems and controls which the firm ought to have known about since April 2014. These included:
a lack of adequate consideration of outsourcing within its Board and departmental risk appetites;
the absence of processes for identifying critical outsourced services;
and flaws in its initial and on-going due diligence of outsourced service providers.