The FCA and PRA have announced their second enforcement action in relation to outsourcing failures by the retail bank R. Raphael & Sons plc (“Raphaels”). The firm failed to manage its outsourcing arrangements properly, in breach of FCA Principles 2 and 3, the applicable provisions of Chapter 8 of the FCA’s Senior Management Arrangements, Systems and Controls sourcebook (“SYSC 8”), and PRA Fundamental Rules 2, 5 and 6. Raphaels received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of the breaches, resulting in a combined fine of £1,887,252. Raphaels agreed to resolve the matter with its regulators and therefore qualified for a 30% discount in the fines imposed by both regulators.
Background and outsourcing requirements for regulated firms
Raphaels is a retail bank providing banking and related financial services in the UK and Europe. These services include prepaid card and charge card programmes, in respect of which the bank relies on outsourced service providers to perform critical operational functions such as the authorisation and processing of card transactions.
In connection with the FCA’s publication of the Final Notice against Raphaels, Mark Steward, the FCA’s Executive Director of Enforcement and Market Oversight, emphasised that the standard for outsourced systems and controls cannot be lower than when firms conduct the operations themselves and that firms are therefore accountable for failures by their outsourcing providers.
The joint FCA and PRA investigation found that in the period between April 2014 and December 2016, Raphaels failed to have in place adequate processes supporting the oversight and governance of its outsourcing arrangements, leading to “unnecessary and avoidable” harm and inconvenience to customers.
Specifically, Raphaels neglected to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers – particularly how they would support the continued operation of the bank’s card programmes during a disruptive event. The absence of such processes posed a risk to the bank’s operational resilience, which crystallised when a technology incident occurred at a card processor, resulting in the complete failure – for eight hours on 24 December 2015 – of the authorisation and processing of card transactions at point of sale terminals, cash machines and online (the “IT Incident”).
It is worth noting that the regulators accept that Raphaels was unaware of the risk prior to the IT Incident, and therefore could take no steps to manage or mitigate it. They found, however, that the bank ought to have been aware of the risk from April 2014 – when a similar IT failure, albeit with less severe impact on customers, occurred – and that the bank’s specific failings in relation to the incident resulted from “deeper flaws” in its governance and oversight of outsourcing risk from Board level downwards. The specific weaknesses identified included:
- a lack of adequate consideration by Raphaels’ Board of when the use of outsourcing exceeded the level of risk the bank was willing and able to accept;
- failure to adequately articulate its outsourcing risk appetite and tolerance levels, particularly in relation to critical outsourcing. Outsourcing risks must be explicitly referred to – general references to “operational losses” or “compliance failures” are not sufficient;
- inadequate service level agreements with service providers contrary to the firm’s outsourcing policy;
- service levels between card programme managers and the card processor (i.e., sub-contractors) did not align with Raphaels’ requirements and the firm had no involvement in setting or approving these. The bank relied on service providers to conduct ongoing due diligence of sub-contractors but did not stipulate any parameters as to how this should be undertaken;
- the absence of a process to identify critical outsourced services;
- the failure of the outsourcing policy to provide staff guidance on how to identify critical outsourced services;
- the failure to adequately consider business continuity arrangements in initial due diligence of service providers and in ongoing monitoring;
- a focus in business continuity and disaster recovery planning on services performed directly by the firm, notwithstanding the bank’s heavy reliance on outsourced services and the interdependence of those services;
- the failure to respond appropriately to a previous incident by remedying business continuity and disaster recovery arrangements, increasing the impact of the later incident; and
- inadequate disaster recovery testing meant that no workarounds or contingency plans were in place to deal with a disruption of the nature of the IT Incident.
The regulators concluded that the above failings meant that Raphaels was not in a position properly to assess or monitor the business continuity and disaster recovery arrangements for its critical outsourced services, thereby exposing the bank and its customers to risk. Although the IT Incident only affected one card processor, the failings were found to have a wider significance because of the risk posed by the “serious systemic weaknesses” in the bank’s governance of critical outsourced service providers, which applied across all the card programme managers and processors on which the bank relied.
Aggravating and mitigating factors
A significant aggravating factor in this case was the fact that Raphaels had already been investigated and fined £1,278,165 by the PRA for failing to manage and oversee the risks associated with outsourcing important operational functions. The FCA also highlighted its issue – in July 2014, prior to the IT Incident – of a publication titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions”, which raised concerns around firms’ arrangements for outsourced service resilience, disaster recovery and business continuity planning. It is therefore arguable that Raphaels should not have been surprised by the outcome of the present enforcement action.
Although Raphaels helped facilitate customers’ access to alternate funds during the IT Incident, this was only communicated to those customers who called the customer services team. Raphaels did not seek to investigate whether customers of the impacted card programmes suffered any detriment as a result of the IT Incident and did not proactively contact customers to offer redress.
The regulators concluded that all customers who had a transaction declined or who were otherwise unable to access their funds suffered inconvenience. The FCA also highlighted that the affected customers would likely have included vulnerable customers who were both more likely to be adversely affected by the incident and at the same time less likely to take action to seek redress.
Action taken by Raphaels following the IT Incident
In January 2017, Raphaels began to implement significant changes to its outsourcing framework. These included new outsourcing procedures for managing risks to critical outsourced services; revised due diligence procedures; increased focus on the business continuity plans of critical outsourced service providers; and the allocation of first-line responsibility for outsourcing to a Senior Management Function holder.
Over the last few years, the industry has witnessed increasing regulatory attention on the ability of firms to appropriately manage and oversee outsourcing arrangements. It is worth noting that since the breaches referred to in the Raphaels case, the regulatory expectations of firms’ outsourcing arrangements have been tightening. Indications of this were visible as early as 2013, with the FCA’s Thematic Review of outsourcing in the asset management industry, the above-mentioned publication on “considerations for firms thinking of using third-party technology” and a 2015 review of outsourcing in the general insurance market, all of which were published prior to Raphaels’ IT Incident. More recently, evidencing that the focus on this area is far from diminishing, the FCA has published guidance for firms when outsourcing to the cloud and other third-party IT services and, in its 2018/19 Business Plan, the FCA highlighted as one of its cross-sector priorities “assessing the risks of outsourcing and third-party providers”.
In light of these progressively strengthening signals from the regulator, the action taken against Raphaels shows the potential consequences for firms of failing to monitor and review existing outsourcing arrangements on an ongoing basis. This is likely to become even more pertinent with the entry into force of the EBA Guidelines on Outsourcing Arrangements in September.
The Raphaels case also serves as a clear reminder that firms cannot seek to pass the blame for an incident to an outsourced service provider. This is the case even where the incident is the result of an IT failure on the part of the service provider and the regulated firm was unaware of the risk that such a failure might occur.