Risk Management Lessons from the TSB Debacle

Posted by Serina Gill on 03-Jul-2018 10:36:47

Last month, the FCA announced it would launch a formal investigation into the IT failure at TSB, which began on 22 April and resulted in some 1.9 million customers being locked out of their accounts.

TSB has been pilloried in the press and now, with a regulatory probe announced, there may be worse to come. The government is now also involved, with chief executive Paul Pester recently being grilled by parliament’s Treasury Select Committee, along with Miguel Montes, chief operating officer of the bank’s parent company, Sabadell.

Pester remains in a difficult position and some have questioned whether he can hang on in the top job. He was criticised by Andrew Bailey, the FCA’s chief executive, who accused him of portraying an overly “optimistic view” of the state of TSB’s services and said “greater caution would have made sense”.

Nicky Morgan MP, chair of the committee, said in a letter to Richard Meddings, the TSB chairman: “The TSB board should give serious consideration as to whether Dr Pester’s position as chief executive of TSB is sustainable.” She added her committee “has lost confidence in his ability to provide a full and frank assessment of the problems at TSB, and to deal with them in the best interests of its customers”.

But while those outside of TSB may be relieved they are not the ones taking flak, risk managers should note that the regulator believes the event has impacted on the whole banking sector.

Transfer Trouble
Problems stemmed from customer data being transferred from an old IT system that was controlled by former owner, Lloyds Banking Group. The new platform, built by Sabadell, was unable to manage the volume of customers when it went live. Now, weeks later, there are still problems for some customers and fraudsters have targeted TSB customers - there was a tenfold increase in phishing between April and May.

Bailey added that the FCA was also “dissatisfied with TSB’s communications with its customers,” saying that it had not met requirements to compensate customers quickly enough.

So, can any lessons be learned? Some of the questions that will no doubt be covered in more depth during the investigation are as follows:

Was there insufficient testing?
According to TSB, the failings were related to the system’s ‘middleware’, the technology sitting between customer-facing computer applications and the bank’s back-end databases.

But IBM, which was brought in to fix problems, has alleged there was insufficient testing. It was reported: “IBM has not seen evidence of the application of a rigorous set of go-live criteria to prove production readiness.” Experts have also claimed the final stages of testing, known as proofs of concept (PoCs), would have revealed any technology and planning errors. But it is understood that PoCs were not run on test accounts, or potentially staff accounts, before the full release.

Were there too few call centre staff to deal with the crisis?
Customers said they were waiting at least 30 minutes to speak to an agent, and many then complained about being disconnected. It was also almost impossible to reach the fraud team.

How closely were risk managers connected to the project?
Transferring data from mainframes, which are used by the majority of banks, to either the cloud or a new digital server carries many risks. TSB was attempting to transfer some 1.3 billion customer records, a huge project. It is unclear what contingency plans were in place. Is there anything realistically that the Risk Management team could have done? It's not known how much involvement the operational risk team had.

It could be argued that, given this is a very technical area and IT ultimately owns the risk, the degree of influence a 2nd line risk team can have is going to be limited. However, with such a significant upgrade, surely the risk team would have been consulted so that their expertise in undertaking comprehensive risk assessments and scenario planning could be utilised. It demonstrates a common condition: risk owners often don't really understand the risk they are taking or the implications for the rest of the business when things go wrong.

Time will tell what the impact will be on TSB following the FCA investigation, but no matter what the penalty, for those customers affected, confidence in their bank will have been severely dented.
