The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4m for failing to protect its personal current account holders against a cyberattack.
Tesco Personal Finance (Tesco Bank) has agreed to pay the fine as part of the settlement for the November 2016 attack. Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.
Those deficiencies left Tesco Bank’s personal current account holders vulnerable. cyber attackers £2.26m.
Tesco claims the attack did not involve the theft or loss of any customers’ data, but led to 34 transactions in which funds were debited from accounts, and other customers having normal service disrupted.
Mark Steward, executive director of Enforcement and Market Oversight at the FCA, said the fine reflects the fact that the ‘FCA has no tolerance for banks that fail to protect customers from foreseeable risks.’
He claims the attack was the subject of a ‘very specific warning’ that Tesco did ‘not properly address’ until after the attack started and it was ‘too little, too late’ Customers should not have been exposed to the risk at all.
‘Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place,” he added. “The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
Principle 2 requires a firm to conduct its business with due skill, care and diligence. Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime.
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to design and distribute its debit card, configure specific authentication and fraud detection rules, take appropriate action to prevent the foreseeable risk of fraud, and respond to the November 2016 cyber-attack with sufficient rigour, skill and urgency.
Following the attack, Tesco Bank immediately put in place a ‘comprehensive redress programme’ and devoted significant resources to improving the deficiencies that left the bank vulnerable to the attack and instituted a comprehensive review of its financial crime controls. It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.
Copyright © 2018 RegTech Analyst
Copyright © 2018 RegTech Analyst