Earlier this week, the FCA imposed a fine on Tesco Personal Finance Plc (‘Tesco Bank’) in the amount of £16.4 million, pursuant to section 206 of the Financial Services and Markets Act 2000, as the result of its handling of a cyber-attack which occurred in November 2016. The incident is significant because it is the first instance in which the FCA has levied a fine against a regulated institution as the result of a cyber incident.

The cyber-attack, which took place from 5-7 November 2016, is likely to have involved the use of algorithm generated authentic Tesco Bank debit card numbers. Using those card details the perpetrators were able to instigate thousands of unauthorised debit card transactions. Although Tesco Bank’s controls did effectively stop approximately 80% of unauthorised transactions, the attack still affected 8,261 out 131,000 Tesco Bank personal current accounts.

In its Final Notice concerning the incident the FCA stated that incident was ‘largely avoidable’, and recorded that over the course of ‘48 hours and which netted the attackers £2.26 million’. Mark Steward, the FCA’s enforcement director, stated that Tesco Bank’s attempts to resolve the problem were ‘too little, too late’ and that ‘customers should not have been exposed to the risk at all’.

Tesco Bank was yesterday deemed to have breach Principle 2 of the FCA Handbook by failing to exercise due skill, care and diligence to:

  1. Design and distribute its debit card
  2. Configure specific authentication and fraud detection rules
  3. Take appropriate action to prevent the foreseeable risk of point of sale fraud, and
  4. Respond to the cyber-attack with sufficient rigour, skill and urgency.

It is noteworthy that the cyber-attack on Tesco Bank did not result in the ‘loss or theft of customers’ personal data’. Additionally, Tesco Bank cooperated fully with the FCA throughout their investigation, agreed to a settlement and had already compensated customers, otherwise the sanction imposed would have, in all likelihood, been considerably higher.

The decision in this case marks the clear no tolerance stance that the FCA has adopted in respect of cybercrime and organisations having inadequate protections and procedures in place to guard against such eventualities.

Though the financial penalty imposed on Tesco Bank is the first brought by the FCA purely for an organisation’s handling of a cyber-attack, it has previously shown that it will take a hard line on technological deficiencies in financial institutions when it fined RBS, NatWest, and Ulster Bank £42 million for IT outages in 2014. However, by fining Tesco Bank the FCA is once again showing its teeth. The critical message appears to be that it is important for financial institutions to have rigorous protections and policies in place to deal with these sorts of incidents. In ensuring that they are doing so, financial institutions should take account of the level of financial crime risk in their product design, properly evaluate notifications received, and above all act expeditiously.