R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements.
Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK and Europe to a service provider. These functions included the authorisation and processing of transactions made by users on these cards and management of the card programme (Card Services). From 2016, Raphaels had 5.3 million prepaid cards in issue in the UK and other European countries with average monthly transaction volumes of over £450 million.
On Christmas Eve 2015, Raphaels’ service provider for the Card Services suffered an IT incident. The IT incident led to the failure of all Card Services for over eight hours, during which time 3,367 of Raphaels’ customers were unable to use their cards. During the IT incident, 5,356 customer card transactions were attempted at point of sale terminals, ATMs and online (with an aggregate value of £558,400). These transactions could not be authorised and were declined.
Following the incident, the FCA and PRA investigated the systems and controls that had been put in place by Raphaels and its service provider. The investigation revealed that Raphaels’ understanding of the business continuity and disaster recovery arrangements of the service provider was fundamentally mistaken. Raphaels’ contractual agreements with the service provider failed to include appropriate service level agreements governing the provision of critical outsourced services. In particular, there was no process in place for identifying how much outsourcing risk Raphaels was exposed to. The investigation also revealed that a previous incident in 2014 had not spurred Raphaels to remedy these failings, which should have been identified at that time.
This fine underlines the interest regulators take in the outsourcing of critical functions by firms in the commercial banking and retail banking sectors. The PRA, in its final notice, reiterated its expectation that regulated firms carry out appropriate due diligence on prospective service providers and, from an early stage, set clear divisions of oversight responsibilities. Entities involved in outsourcing such functions, or considering doing so, would also be well served by considering the European Banking Authority’s new guidelines on outsourcing.
We have written a quickfire briefing for those interested in learning lessons from this most recent regulatory intervention into an outsourcing.