What has happened?
Raphaels Bank has been fined £775,000 by the Financial Conduct Authority (FCA) and £1,112,152 by the Prudential Regulation Authority (PRA) for not managing its outsourcing arrangements properly between April 2014 and December 2016.
What does this mean?
Raphaels is a small retail bank and operates prepaid and charge card programmes in the UK and Europe.
Its card programmes rely on outsourced service providers for certain key functions, including the authorisation and processing of card transactions, a service performed by third-party card processors.
The two regulators said that Raphaels failed to adequately understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers - particularly how they would support the continued operation of its card programmes during a disruptive event.
"The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm," the FCA said in a press release.
These risks crystallised on 24 December 2015, when a technology incident at a card processor caused the complete failure of the authorisation and processing services it provided to Raphaels and lasted over eight hours.
During this time, 3,367 customers could not use their card and, in total, the card processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATM machines and online.
Seasonal workers, who depended on their cards for their wages, used the largest prepaid card programme affected by the incident.
The joint FCA and PRA investigation found that Raphaels’ failings in relation to the incident resulted from "deeper flaws in its overall management and oversight of outsourcing risk from Board level down".
The regulators found weaknesses throughout the bank's outsourcing systems and controls that it should have known about since April 2014, including a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and ongoing due diligence of outsourced service providers.
According to the FCA and PRA, the bank's outsourcing arrangements remained inadequate until the end of 2016, by which time it had designed better outsourcing policies and procedures.
Commenting on the development, Hogan Lovells Technology Partner John Salmon said:
"These actions from the PRA and FCA show how seriously the regulators are taking the issue of outsourcing of critical functions and that there are real consequences where this is not managed properly. Coupled with the increased focus and requirements of the new EBA Guidelines on Outsourcing it is clear that banks must be very careful to manage the risks of outsourcing appropriately and ensure that this is managed on an on-going basis."
As Raphaels had agreed to resolve this matter, it qualified for a 30% reduction in the fines imposed by the regulators.
Without this discount, the combined fine would have been about £2.7 million.
In March, the Office of Financial Sanctions Implementation, the UK's sanctions watchdog, fined Raphaels £5,000 for breach of financial sanctions, after the bank handled just £200 of assets frozen in connection with a sanctioned Egyptian individual.
In 2015, the PRA also fined Raphaels for historic failings in relation to its governance and oversight of outsourced functions.
Please contact us if you would like to know more about this development, or how we can help you get ready for the new requirements under the EBA Guidelines on Outsourcing.