PRA Enforcement Against Mr Carlos Abarca: A Reminder of the Importance of Accountability and Operational Resilience


5 minute read | May.03.2023

On 13 April 2023, the Prudential Regulation Authority (“PRA”) fined Mr Carlos Abarca, the former Chief Information Officer of TSB Bank plc (“TSB”), £81,620 for breaching PRA Senior Manager Conduct Rule 2. The PRA found that he failed to take reasonable steps to ensure that TSB adequately managed and appropriately supervised its outsourcing arrangement in relation to the migration of its core IT services. This follows fines imposed on TSB by both the PRA and the Financial Conduct Authority for failings related to the same IT migration.

Background

  • The enforcement action was taken in relation to the migration of TSB’s core IT platform from Lloyds Banking Group (“LBG”), which sold the bank in 2013, to the IT platform of Sabadell, TSB’s new owner. It was decided to design and create a new version of Sabadell’s IT platform adapted for TSB and the UK market; this new platform was called Proteo4UK. The migration project was intended to be completed in April 2018.
  • TSB engaged a Sabadell subsidiary, SABIS Spain (“SABIS”), to design, build and test the Proteo4UK platform and migrate TSB’s data to it. SABIS would also operate the platform following migration.
  • However, the migration did not proceed as planned, and numerous issues arose during the process. As was widely reported at the time, many of TSB’s customers were unable to access their accounts online or via the mobile app. Some of the disruption lasted for several weeks, and a significant proportion of its 5.2 million customers were affected.
  • Carlos Abarca was TSB’s Chief Information Officer at the time and had responsibility for the IT Migration Project. Following the customer disruption, the PRA conducted an investigation into the IT migration project and the role of Mr Abarca.

The PRA Findings

  • The PRA found that Mr Abarca breached Senior Manager Conduct Rule 2 of the PRA Rulebook, which states that: “You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system.”
  • The PRA concluded that he failed to take reasonable steps to ensure that TSB complied with the PRA’s Outsourcing Rules in adequately managing and appropriately supervising its outsourcing arrangement with SABIS and other service providers that were contracted by SABIS under sub-outsourcing arrangements (“Critical Fourth Parties”).
  • Mr Abarca received assurances from SABIS that it had obtained confirmations from Critical Fourth Parties that they were confident that their infrastructure was fit for purpose and that they were prepared for the expected volumes. However, he took no steps to investigate those assurances in more detail or to challenge SABIS’s or the Critical Fourth Parties’ readiness for the IT migration. This was despite problems that had been experienced during the migration of some IT functionality prior to the full IT migration. The PRA also noted that Mr Abarca had been aware that there were certain tasks and tests that had not been completed at the time of the confirmations.
  • The PRA concluded that Mr Abarca was too reliant on the fact that the Critical Fourth Parties were engaged under contracts which conformed to the PRA’s Outsourcing Rules, and did not take a more holistic view of the risks associated with TSB’s outsourcing arrangement by considering SABIS’s capabilities with respect to the remaining services to be delivered.
  • Mr Abarca did not ensure that TSB formally and adequately reassessed SABIS’s ability and capacity on an ongoing basis, including in light of service level breaches encountered.
  • The PRA stated that he did not have sufficient regard to the risks to which TSB was exposed through the supply chain. The PRA thought that TSB’s oversight of SABIS was not sufficiently engaged and proactive given that TSB was reliant on SABIS to manage fourth parties.

Key Takeaways

  • Regulatory expectations in relation to intra-group outsourcing. Whilst the outsourcing arrangement with SABIS was intra-group, the PRA’s rules on outsourcing apply whether a service provider is an independent third party or an intra-group provider. The PRA are clear that when regulated firms enter into intra-group service arrangements, they expect outsourcing arrangements to fully comply with the PRA’s Outsourcing Rules, including performing a careful assessment of whether the service provider has the ability, capacity, resources and appropriate organisational structure to support the performance of the outsourced functions, and for this assessment to be revisited where appropriate. We note that this is not just the case for PRA regulated firms, as the FCA have similar expectations.
  • Senior managers must critically assess and challenge statements of third parties. The PRA were unimpressed that Mr Abarca simply relied upon confirmations provided by outsource providers rather than critically assessing their ability to deliver. This was despite ‘red flags’ indicating that the service providers were struggling to meet the required standard. Senior Managers need to critically assess and record the basis on which they have determined that a service provider is going to deliver the expected service levels.
  • Visibility over sub-outsourcing arrangements. Mr Abarca did not adequately consider the risk imposed by the sub-outsourcing arrangements and took too much comfort from the fact that the outsourcing agreements provided for due diligence and termination as required by the regulatory rules. Firms and Senior Managers need to ensure that they have sufficient oversight of sub-outsourcing and don’t simply rely on the outsource provider to oversee and assess the arrangements. This will include understanding exactly how the outsource provider monitors performance on a day-to-day basis.

Further Information

Orrick’s regulatory team are experienced advisors on all the topics discussed in this note. For further information please contact Dan Jones or Guy Stevenson.