A recent decision by the UK financial services regulators, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), to fine a retail bank serves as a reminder to regulated customers, and to the technology vendors and service providers that supply the financial services sector, to ensure that their services and contracts include adequate safeguards.
On May 29, 2019, R. Raphael & Sons plc., a UK independent retail bank, was subject to separate fines of £775,100 from the FCA and £1,112,152 from the PRA, resulting in a combined fine of £1,887,252 for failing to manage certain of its outsourcing arrangements properly between April 2014 and December 2016. It was found that Raphael had failed to have adequate processes in place that would enable it to understand and assess the business continuity and disaster recovery arrangements of its credit card program service providers.
Raphael heavily outsources many critical functions to service providers, including the authorization and processing of credit card transactions. In particular, Raphael did not know how its providers would support the continuing operation of its card programs during a disruptive event. The absence of such processes posed a risk to Raphael’s operational resilience and exposed its customers to a serious risk of harm.
On December 24, 2015, a technology incident occurred at a third-party card processor, leading to a complete failure of the authorization and processing services the third party provided to Raphael. This failure lasted over eight hours. During that time, more than 3,300 customers were unable to use their prepaid cards and charge cards, and the third-party processor could not authorize more than 5,300 customer card transactions attempted at point-of-sale terminals, ATMs and online. In addition, many seasonal workers, who depended on Raphael’s card programs to receive their wages, were affected by the incident. The timing of the incident, on Christmas Eve, is likely to have exacerbated the impact of the outage.
Flaws in management and oversight
Under the PRA Rulebook and FCA Handbook, when a firm chooses to outsource certain functions and services to third parties, the firm still retains full accountability for discharging its regulatory obligations and cannot delegate them to other parties. In particular, when relying on a third party for the performance of critical operational functions, firms must ensure that they have taken reasonable steps to avoid undue additional operational risk. For these purposes, an operational function is regarded as critical if (among other things) a defect or failure in its performance would materially impair the soundness or the continuity of its relevant services and activities.
The joint FCA and PRA investigation found that Raphael’s specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk, from board level down. The investigation identified critical weaknesses throughout the firm’s outsourcing systems and controls and noted that Raphael ought to have identified these weaknesses as early as April 2014. Among the issues uncovered in the investigation were a lack of adequate consideration of outsourcing within the board, the absence of processes for identifying critical flaws in outsourced services, and flaws in its due diligence of outsourced service providers. The investigation noted that Raphael’s outsourcing arrangements continued to be inadequate until the end of 2016, by which time the company had designed and put in place new outsourcing policies and procedures to remedy the failings.
Raphael agreed to resolve this matter and therefore qualified for a 30 percent reduction in the fines imposed by both regulators. If it had not agreed, the combined fine imposed by the FCA and PRA would have been £2,709,574.
For businesses looking to outsource regulated activities to third parties, this case demonstrates the importance of setting up outsourcing arrangements in a way that ensures not only the company itself but its service providers are capable of mitigating risk and implementing appropriate incident responses. The FCA and PRA, along with the Bank of England, are jointly focusing on operational resilience. Given that, it is essential that regulated entities ensure their outsourcing contracts provide them the ability (in terms of practical steps and also an understanding of the operation) to take appropriate steps to mitigate and remediate any service interruption.
The case is also relevant to fintechs and other businesses looking to supply their services to banks and other regulated entities, especially where the service or solution affects regulated activities. It highlights why their customers will want to understand the supplier’s operational resilience and disaster recovery arrangements and why customers are looking to include provisions on disaster recovery, business continuity and other protections in their contracts. Businesses aiming to bring new technology solutions to the financial services market could gain a competitive advantage by ensuring that their operations and contract terms include the protections which customers will expect.
By Luke Stubbs, a lawyer in DLA Piper’s Technology and Sourcing team, concentrating on payments and FinTech matters.