Inside the Raphaels £1.9 million outsourcing fine
Chris Hamblin, Editor, London, 11 June 2019
The Financial Conduct Authority and the Prudential Regulation Authority of the UK recently fined R Raphael & Sons plc (whose motto is 'private Bankers since 1787') for failing to manage its outsourcing arrangements properly between April 2014 and December 2016.
Raphaels has had to pay separate fines of £775,100 to the FCA and £1,112,152 to the PRA in respect of these transgressions (resulting in a combined fine of £1,887,252).
The FCA says that the systems and controls that helped Raphael's oversee and govern its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. As ever, it holds firms accountable for failures by outsourcers. The phrase "operational resilience" - a favourite FCA phrase nowadays - is to be found a few times in the decision notice.
Raphael's uses contractors to provide services crucial for the performance of its Payment Services Division. On Christmas Eve 2015, something that the FCA euphemistically calls a 'technology incident' occurred at a card processing contractor's office, resulting in a complete failure of all services that it provided to the firm for the most important eight hours of the year. As a result, 3,367 of Raphaels’ customers (the bank is a very small one) were unable to use their prepaid cards and charge cards. The card processing company could not authorise 5,356 card transactions that customers tried to make at point-of-sale terminals, automated teller machines and online (worth an aggregated value of £558,400). The blowout also prevented them from seeing their card balances online.
Eight hours on the most important day of the year
The FCA finds enormous fault with the length of the outage, saying that it betrays a woeful lack of knowledge on the part of the bank about the card processor's business continuity and disaster recovery arrangements. The regulator says that the bank had hardly any idea of how to proceed during such an emergency. It describes the bank's inability to foresee a glitch such as this as an exposure of its customers to "a serious risk of harm." A similar glitch had happened 20 months before.
The regulator has decided that Raphael's failed to 'govern' its crucial outsourced services in six ways.
- It made statements - presumably to the regulators at an earlier date - about its risk appetite and tolerance that were too vague.
- Its service level agreements with the contractors were not 'appropriate.'
- It followed no processes by which it could "identify its critical outsourced services and functions," whatever that means.
- Its plans for continuing its business and recovering from disasters only took account of the services that it performed directly.
- "Raphaels’ initial due diligence on Card Programme Managers and Card Processors did not involve adequate consideration of business continuity arrangements, and its ongoing monitoring of such arrangements was flawed."
- It failed to respond adequately to the earlier outage, which happened in April 2014.
The FCA accuses Raphael's of failing to comply with its "principles for business" 2 and 3, as well as the applicable provisions of Chapter 8 of the part of its consolidated rulebook that deals with senior management arrangements, systems and controls (SYSC).
Throughout the document the FCA refers to the bank's "card programmes" but does not explain what these are or what the term means. Some of its customers, according to one reference, were also customers of three of these programmes that the outage affected. The FCA's care for these customers is very evident from the following passage.
"All customers who had a transaction declined or who were otherwise unable to access their funds suffered inconvenience. Many are likely to have suffered distress, and some may have suffered financially. As noted above, the affected customers are likely to have included vulnerable customers. Such customers are more likely to be adversely affected than others, at the same time as being less likely to be able to take action to seek redress. Nevertheless, Raphaels took no steps to offer redress to those customers notwithstanding any loss, inconvenience or distress they experienced."
Principle 2 requires every firm, in the vaguest of terms, to conduct its business with due skill, care and diligence. The FCA always reserves the right to decide in every case what the word 'due' means, and its judgments veer wildly from one extreme to the other. Raphaels, it says, flouted principle 2 by failing to take proper steps in response to the IT incident of 2014 to investigate its underlying cause and the effect that it had on its customers. The bank's failure to "review the adequacy of the card processor’s business continuity and disaster recovery arrangements to manage similar future incidents" fits in here.
Principle 3 requires a firm to take reasonable steps to ensure that it has organised its affairs responsibly and effectively, with adequate risk management systems. The FCA suggests that its failure to obey SYSC 8.1.1R (which required it to avoid undue additional operational risk when relying on another firm to perform activities that the FCA regulates) was an automatic breach of that principle.
Like most firms, Raphaels capitulated to all FCA demands as soon as the incident came to the regulator's attention and therefore benefits from the usual 30% discount, were it not for which the FCA would have docked it £1,107,414.
The much larger PRA fine is also the result of a discount of the same percentage. The bank allegedly contravened PRA Fundamental Rules 2, 5 and 6, which are to be found in the PRA's rulebook. It did not manage its outsourcing risk, instruct, oversee and monitor its outsourced service providers, or manage, oversee and monitor its business continuity and disaster recovery arrangements.