PRA Fines Senior Manager for Conduct Rule Breach
On 13 April 2023 the PRA announced it has fined Mr Carlos Abarca, the former Chief Information Officer of TSB Bank plc (TSB), £81,620 for breaching PRA Senior Manager Conduct Rule 2, which is ‘You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.’
This is due to a historic operational resilience failing when, in April 2018, TSB attempted to migrate their corporate and customer services operations onto a new platform. While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking. It took TSB until December 2018 to fully fix the problem and return services to normal.
As the CIO of TSB, and as outlined in his statement of responsibilities, Mr Abarca had responsibility for taking reasonable steps in relation to outsourcing of IT systems and the PRA found he failed to:
ensure that the third party’s ability and capacity were adequately reassessed on an ongoing basis;
ensure that TSB obtained sufficient assurance from the third party in relation to its readiness to operate the new IT platform; and
give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to the third party’s readiness for migration.
Full details of the regulatory action can be found here.
How could Mr Abarca have avoided the fine?
The question most senior managers reading this article will ask themselves is what should the CIO have done to avoid PRA punishment? The answer is to take a proactive approach to ensuring compliance of the area for which they are responsible; the method to do so is to have a clearly defined reasonable steps framework.
The regulators can only punish a senior manager in this way where they have failed to take reasonable steps to fulfil their duty of responsibility; this includes delegating to those with competence, capability, resource, seniority and skill to complete the tasks given and to monitor performance levels. Our Conduct Rules Training For Senior Managers is specifically designed to teach this point, so senior managers can begin to evidence their own reasonable steps.
The level of fine issued in this case was 15% of his salary, giving us an indication of the starting point for non-integrity-based issues and further highlighting the importance of good conduct rules training.
I would also like to take this opportunity to draw your attention to the Bank's discussion paper on the review of SM&CR, which is part of the Government's Edinburgh Reforms.