Retail bank R Raphael & Sons has been fined a total of £1.8m by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) for failing to manage its outsourcing arrangements properly, with the failings leading to thousands of customers being unable to use their cards on Christmas Eve 2015.
Raphaels’ payment services division (PSD) operates prepaid card and charge card programmes in the UK and Europe. The PSD relies on outsourced service providers to perform certain functions that are critical to the operation of its card programmes, including the authorisation and processing of card transactions.
The regulators became involved following a technology incident which occurred at a card processor on 24 December 2015. The incident caused the complete failure of the authorisation and processing services it provided to Raphaels and lasted over eight hours.
During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATM machines and online. Seasonal workers, who depended on their cards to receive their wages, used the largest prepaid card programme affected by the incident.
An investigation found Raphaels failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers - particularly how they would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm.
Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from board level down, the regulators found.
The joint FCA and PRA investigation identified weaknesses throughout the firm’s outsourcing systems and controls which Raphaels ought to have known about since April 2014. These included a lack of adequate consideration of outsourcing within its board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers.
Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016, by which time Raphaels had designed new outsourcing policies and procedures to remedy the failings.
Raphaels agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been £2,709,574. The FCA imposed a fine of £775,100 while the PRA sought £1,112,152 in respect of these breaches.
Mark Steward, FCA executive director of enforcement and market oversight, said: ‘Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.’
Sam Woods, deputy governor for prudential regulation and chief executive officer of the PRA, said: ‘Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels, given the level of reliance on outsourcing in its business model.
‘In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.’
Survey findings - third-party incidents
A newly published survey from Deloitte, based on over 1,000 responses from 19 countries around the world, suggests 83% of organisations globally have experienced a third-party incident – such as a supplier losing data after falling victim to a cyber-attack – in the past three years. The figure rises to 90% among UK-based respondents.
Almost half of those incidents globally (46%) have resulted in a high or moderate business impact such as significant impairment to customer service, material financial losses, reputational damage or a regulatory breach.
According to Deloitte’s calculations, fines issued directly as a result of third-party failures have ranged from £1.3m to £35m, reaching £650m for firms operating internationally, and the affected firms have seen an average share price drop of 2.55%.
The survey suggests that the majority of organisations have insufficient visibility of their supply chains and the potential risks they face from within these networks. In particular, only 10% have a reasonable ongoing knowledge and awareness of their subcontractors – typically referred to as fourth/fifth parties – engaged by their third parties.
Kristian Park, extended enterprise risk management (EERM) partner at Deloitte, said: ‘Companies across the world are increasingly relying on an ever-growing number of third, fourth and fifth parties to supply everything from readily available consumables like office stationery, to bespoke and highly critical products and services.
‘However, many are not “brilliant at the basics” and don’t have appropriate oversight of what is happening across their organisations, leaving them exposed to potential failures they may be held accountable for.’
By Pat Sweet