Outsourcing Failures leave Raphaels Bank with £1.89m Fine

Raphael & Sons plc (the “Bank”) has been hit by separate fines from the Financial Conduct Authority and the Prudential Regulation Authority (together, the “Regulators”) of £775,100 and £1,112,152 respectively.

An IT issue with one of the Bank’s third-party card processors left over 3,300 customers unable to use their prepaid cards on Christmas Eve in 2015.

This event crystallised the risks that the Bank had failed to manage, but the Bank’s failings went deeper than that. The Regulators found that the Bank “failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers”, but the management failings and oversights came from “Board level down”.

There was an absence of processes, flaws in the Bank’s due diligence (both initial and ongoing) and an overall lack of consideration of the risks of outsourcing. The Bank’s systems and controls were inadequate and exposed its customers to a serious risk of harm.

These failings continued from April 2014 through to the end of 2016. The Regulators’ investigation found that there was a previous incident in 2014, which should have led to the Bank resolving the issues then. The Regulators have stated that the repeat failings of the Bank were an aggravating factor in this case, which led to an increased penalty.

Nevertheless, the Bank’s co-operation with the Regulators resulted in a 30% reduction of the fines imposed, which would have otherwise totalled over £2.7m.

Comment

This regulatory investigation highlights the level of internal governance and controls required for any outsourcing arrangements, and the serious risks involved if these are insufficient.

Regulators are becoming more and more concerned with the “operational resilience” of firms, particularly after some recent high-profile failures (the chaos caused by TSB’s IT upgrade issues last year, to name just one). Both Regulators have identified this topic as one of their priorities this year, which they state should be “viewed as no less important than financial resilience”.

FCA found partially liable for loss caused by errors in Financial Services Register

The Financial Regulators Complaints Commissioner has recommended that the Financial Conduct Authority makes an ex gratia payment of £6,500 to an individual complainant. The recommended payment represents 50% of the total loss suffered by the Complainant as a result of errors in the Financial Services Register.

The Complaints Commissioner acknowledged that the FCA should not be deemed to generally warrant the accuracy of the Register. However, this was “not an ordinary case”, as the Register inaccuracies stemmed from “two serious errors” made by the FCA. The Complaints Commissioner also recommended that the FCA should undertake “a review of its processes to reduce the risks”.

Doubling down? FCA contemplates more criminal AML investigations

When FCA Director of Enforcement and Market Oversight Mark Steward spoke in London last month, his comments could hardly have been more timely. Hot on the heels of his remarks on dual-track (civil and criminal) AML investigations came a significant fine arising out of a firm’s AML systems and controls. It also came as the countdown to entry into force of the fifth AML directive continues; and his observations on escalation protocols highlight the continuing importance of the senior managers’ and certification regime (SMCR).

Employment Appeal Tribunal provides guidance on the FCA’s ‘fit and proper person’ test

In Radia v Jeffries International Limited, UKEAT/0123/18 the Employment Appeal Tribunal (“EAT”) held that an employer, Jeffries International Limited (“Jeffries”), properly dismissed an employee where Jeffries considered that the employee fell short of the Financial Conduct Authority’s (“FCA”) ‘fit and proper person’ requirements that are set out in the FCA Handbook.

The Partly Contested Process – a part success?

A recent speech by the Director of Enforcement and Market Oversight at the Financial Conduct Authority (“FCA”) has highlighted the progress of the partly contested process for disciplinary action. The first three cases using the process have now completed, although only details as to the first two cases were available at the time of going to press.

FCA gives a final warning on misleading adverts

Back in January, the Financial Conduct Authority (“FCA”) published a letter to the CEOs of regulated firms warning them against misleading financial promotions. As we noted in our previous blog on the subject, the letter specifically concerned firms not making clear which parts of their business are subject to FCA regulation and, importantly, which are not.

It appears that the letter may not have had the desired effect.

FCA hands out second large fine in as many weeks for transaction reporting failures

The Financial Conduct Authority has imposed a fine of £34,344,700 on Goldman Sachs International (“GSI”) for breaches of transaction reporting obligations. The fine comes just over a week after the FCA imposed a £27,599,400 fine against UBS (which we considered in an earlier blog post).

Both fines result from breaches of obligations imposed by MiFID (the Markets in Financial Instruments Directive (2004/39/EC)), as well as a breach of Principle 3 of the FCA’s Principles of Business, under which firms must take reasonable care to organize and control their affairs responsibly and effectively, with adequate risk management systems.

FCA insights on cyber risk

The Financial Conduct Authority (“FCA”) has just published an Industry Insights document (“Insights”) on cyber security. Whilst not containing any formal guidance or rules, the Insights highlight the risks of cyber attacks to FCA regulated firms and confirm industry best practice around the key areas relating to cyber resilience: governance, identification, protection, detection, situational awareness, response and recovery, and testing.
