TSB migration disaster: how to avoid CIO’s costly mistake
TSB's former CIO has been personally fined for TSB's migration nightmare. Here's how to avoid his costly error.
TSB’s former CIO, Carlos Abarca, was personally fined £81,620 in April 2023 for his failure to ensure that TSB complied with regulatory requirements when managing a migration to a new banking platform. This serves as a stern warning to senior technology professionals, who can be held personally liable under the conduct rules of various industry bodies. Here we examine what happened and how it could have been avoided.
Abarca was fined under the conduct rules of the UK’s Senior Managers Regime (SMR). The SMR is a regulatory framework that allows the Prudential Regulation Authority (PRA), part of the Bank of England, to fine senior leaders within financial institutions so that they are held personally accountable for their actions and decisions. In this case, his misconduct cost him £81,620.
The crisis occurred in April 2018 after TSB, under the relatively new ownership of Spanish bank Sabadell, transferred millions of its customer accounts from Lloyds Bank’s systems to a newly developed core banking platform, Proteo4UK. It was supposed to be a modern platform suitable for the digital era.
However, soon after the system went live on 22 April 2018, TSB encountered serious issues. Although the data migration itself was successful, 1.9 million of their 5.2 million customers were locked out of their accounts. There were also data breaches, failures with digital banking services and telephone banking, branch technology failures, and issues with payment and debit card transactions.
The TSB CIO’s fine was the result of his breach of Senior Manager Conduct Rule 2: he had failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rule. TSB had outsourced the migration to SABIS, Sabadell’s IT division, which designed, built and tested Proteo4UK, based on its proprietary Proteo platform.
How could this have been avoided?
Here are some key points for senior managers to take note of to avoid being fined under industry or legal bodies:
1. Understand your responsibilities – It is important to know what is expected of you under the SMR as a senior manager. As with any regulations, compliance is key. Understanding the parameters of a regulation and how you operate within them will ensure you do not breach the regulations or risk the heavy cost of a potential fine.
2. Foster a culture of compliance – If you aim to be compliant on a personal level, you will create the foundation of a compliance culture in your organisation. Promote this culture by ensuring that all employees understand the importance of observing both legal and industry regulations, as well as knowing their responsibilities. This requires an understanding of all potential and actual risks that could ultimately lead to fines and damage to the company’s reputation. A culture of compliance goes hand in hand with a culture of risk awareness, which in turn leads to a culture of impact assessment and systems testing.
3. Conduct regular training – Regularly train all employees on the SMR and other similar frameworks, including their responsibilities and the consequences of non-compliance. Training should not just be about learning rules and regulations; it should include discussion of actual incidents, consequences of non-compliance, learning and sharing, and development of skills to avoid breaches and failures. It’s also a good idea to focus on “near misses” where learning can mitigate the risk of non-compliance in the future.
4. Keep accurate records – Ensure that all relevant records are kept up to date and accurate. This includes records of your responsibilities, training, and any relevant decision-making. Further requirements here include knowing where records are kept, who is responsible for maintaining the records, and what reports are generated from these records.
5. Monitor your team – Monitor your team’s compliance with the SMR and take appropriate action if any issues arise. Ensure that you are informed of any potential breaches of the regulations and take swift action to address them. If you do not have an incident reporting system – GET ONE! Encourage reporting, making sure everyone knows it is a key part of their role to report both incidents and “near misses”, so that you have assurance that risks are being identified and mitigated.
6. Seek advice – If you are unsure about any aspect of the SMR, seek advice from a legal or regulatory expert. It is better to ask before making decisions that could ultimately lead to non-compliance. There is no shame in admitting you are unsure about something and all regulatory authorities and legal institutes would rather someone put their hand up and seek advice.
Following the above guidelines is a good start to ensuring that you and your organisation remain compliant with applicable regulations and avoid fines or other sanctions. Senior professionals need to be mindful of this new landscape; it remains to be seen whether the fine arising from the TSB migration sets a precedent or is an exceptional case.
As cloud migrations continue to increase and many organisations struggle to successfully implement cloud transformation, it is important to keep the benefits and risks in mind for any large scale migration project.
Our data governance and compliance specialists have considerable experience in guiding those who are unsure of their responsibilities relating to UK GDPR, EU GDPR, the DPA 2018, ISO 27001, 9001 or even Health and Safety. If you have questions about compliance, then we’re here to help.
Our specialists have the answer