The latest resilience news from around the world

PRA fine shows how individual UK executives are liable for operational resilience failings

Details
Published: Friday, 14 April 2023 09:06

The UK Prudential Regulation Authority (PRA) has announced that it has fined Mr Carlos Abarca, the former chief information officer (CIO) of TSB Bank plc (TSB), £81,620 for his role in operational resilience failings at the bank.

The fine was specifically for breaching PRA Senior Manager Conduct Rule 2 as Mr Abarca failed to take reasonable steps to ensure that TSB adequately managed and supervised appropriately its outsourcing arrangement in relation to its 2018 IT migration programme.

This follows on closely from the enforcement action taken in December 2022 against TSB for operational resilience failings, which resulted in a joint financial penalty of £48,650,000 imposed by the PRA and Financial Conduct Authority (FCA).

As CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so.

Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said: “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.”

Mr Abarca’s Senior Manager Conduct Rule 2 failing undermined TSB’s operational resilience says the PRA and it contributed to the significant disruption TSB experienced.

Mr Abarca agreed to resolve this matter with the PRA, and therefore qualified for a 30 percent reduction in the overall fine imposed by the PRA. Without this discount, the financial penalty would have been £116,600.

More details.

This fine from the PRA shows how operational resilience responsibilities in UK regulated entities are individual as well as corporate. Executives have to take responsibility for ensuring that effective operational resilience processes are in place and ensure that their decisions and actions do not undermine operational resilience.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

Cyber Response Guide
The Business Continuity Business Case

Additional Resources

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.