Independent retail bank fined for continued failure to address Operational Resilience

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have jointly fined Raphael & Sons plc (Raphaels) £1.89m for its continued failure to manage the risk posed by its outsourcing arrangements between April 2014 and December 2016.

Raphaels provides banking and related financial services, including a Payment Services Division that issues prepaid cards and charge cards in the UK and Europe. As of 2016, the firm had c. 5.3 million prepaid cards in issue, with average monthly transaction volumes of over £450 million.

The final straw

A number of incidents occurred in the documented period. A key one, on 24 December 2015, caused the complete failure of the authorisation and processing services and lasted over eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at point-of-sale terminals, ATMs and online.

In the Final Notice, dated 29 May 2019, the PRA stated that Raphaels failed to have “adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, particularly how they would support the continued operation of its card programmes during a disruptive event”.

Supervision of operational resilience

The PRA continues to advance its plans to bring a level of oversight to operational resilience (OR) comparable to that it applies to financial resilience. On 14 May 2019, Nick Strange (Director, Supervisory Risk Specialists) delivered a speech at the 21st Annual Operational Risk Europe Conference in London that reported on the progress of the PRA’s OR plans.

Mr Strange referred to the 2018 BoE discussion paper that sets out its objectives and, in that piece, further defines operational resilience as ‘the ability of firms, Financial Market Infrastructures and the sector as a whole to prevent, respond, recover and learn from operational disruption’.

Firms now have to look beyond business continuity and disaster recovery: they must consider all risks to the business, have a response, and continue to test and learn about their risk exposure and response. Failure to do so will result in fines, possibly prosecution, and certainly reputational damage.

Invocation

The Daisy Group (the UK’s largest provider of business continuity, resilience and availability services) produced some interesting stats this year that show how the causes of Business Continuity (BC) invocations and incidents changed between 2012 and 2018. Hardware failure accounted for 14% of incidents in 2018, down from 45% in 2012. Yet, in the same period, planned maintenance rose from 14% in 2012 to 28% in 2018. Viruses and malware accounted for only 2% of DR incidents in 2018, up from 0% in 2012.

Overall, in the 7-year period, hardware and data failures accounted for 30% of all incidents and invocations. That is significant considering that most organisations run multiple data centres, resilient platforms (often with redundancy) and multiple instances.

Viruses and malware, although small in percentage terms, are rising and, as we know, can have a far wider impact than the low percentage suggests compared with, say, power failure at 19%, which is likely to be recovered from in a matter of hours. What is interesting is that the Daisy Group stats do not capture third-party-caused incidents as a percentage… yet.

Suitable due diligence

Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk, from Board level down. It was the continued lack of commitment to addressing the firm’s continuity plans, and specifically the fact that those plans did not include the outsourced supplier, that contributed to the investigation and the significant fine. Any organisation that is not managing the risk posed by its third parties, and specifically its outsourced services, is unintentionally exposing its customers to risk and could see itself punished for any such exposure in the future.

In terms of its expectations, the PRA states that a prudently managed firm will carry out suitable due diligence on any party to which it intends to outsource any part of its business functions or services, including adequate oversight, all of which should be properly documented.

You can outsource the function, not the responsibility

Meeting the BoE’s expectations regarding OR may have far-reaching effects on the way firms currently manage their own resilience, and specifically their third-party risk. This could include:

• The contracting and terms of outsourced services, including such things as cloud services.
• The development of continuity plans, incident response plans and disaster recovery plans, including how they are maintained and improved.
• Third-party risk assessments, and onboarding/offboarding policies and processes.

What is clear is that the PRA and the FCA are very serious about investigating and punishing cases where the delivery of services to customers falls short, regardless of whether the service is provided by someone else on the firm’s behalf.

Fifth Step are experts in resilience, continuity and third-party risk management in the Financial Services sector. If you would like to discuss operational resilience, the risk posed by your third parties, or your plans for addressing operational resilience as defined by the PRA, get in touch.

Wayne Jolly