On 1 October 2018, the FCA fined Tesco Bank £16.4 million for failing to prevent a cyber attack in November 2016. The fine is the first of its kind: the regulator had never before penalised a financial services firm over cyber fraud. It comes amid growing scrutiny of information security after several high-profile data breaches at UK multinationals.
It also comes with the GDPR now in force, under which organisations face fines of up to 2% of annual worldwide turnover for failing to take appropriate security measures to protect the personal data of clients and consumers.
Tesco Bank was penalised for failing to take the necessary measures to protect its customers (specifically, personal current account holders) against an attack that was avoidable. The attack exploited deficiencies in the design and distribution of its debit cards, in its financial crime controls, and in the response of its financial crime operations team.
According to the FCA's final notice, Tesco Bank did not take adequate action to address a foreseeable risk of fraud after receiving a specific warning about fraudulent transactions carried out in the United States and Brazil. This inaction breached Principle 2 of the FCA's Principles for Businesses, which requires regulated firms to conduct their business with due skill, care and diligence.
The attack took place over a 48-hour period in November 2016 and resulted in losses of approximately £2.26 million. According to the regulator, a series of errors meant that Tesco Bank's financial crime operations team took more than 24 hours to contact its fraud strategy counterparts, who then used the wrong currency code when attempting to block the fraudulent transactions originating from Brazil, so the block did not take effect as intended.
8,261 of Tesco Bank's 131,000 personal current accounts were affected. Customers incurred interest and charges totalling around £9,000, and 668 direct debits went unpaid. After the attack, Tesco Bank reimbursed all customers who suffered direct losses, compensated others for inconvenience and distress, and assessed claims for consequential losses case by case. It cooperated with the regulator and agreed to an early settlement, which reduced the penalty from £33.6 million to the final £16.4 million.
FCA fines on data security
Although the Tesco Bank fine was the first the regulator has issued in relation to cyber fraud, several financial services firms have previously been fined for data security failings. Most of these earlier penalties were imposed by the Financial Services Authority (FSA), the FCA's predecessor, before the FCA took over conduct regulation in 2013. They include:
HSBC: In 2009, three HSBC firms were fined a combined total of more than £3 million for a series of data security failings, including sending unencrypted customer data by post, losing storage discs containing customer information, and failing to keep sensitive customer records in locked cabinets.
Zurich Insurance: In 2010, Zurich Insurance was fined £2.275 million for failing to prevent the loss of sensitive details of approximately 46,000 customers during a data outsourcing arrangement with Zurich Insurance South Africa.
Norwich Union Life: In 2007, Norwich Union Life was fined £1.26 million for weak systems and controls that allowed criminals to use publicly available information to impersonate its customers and obtain sensitive personal data.
Nationwide: Also in 2007, Nationwide was fined £980,000 following the theft of a laptop containing confidential customer details.
Capita Financial Administrators: In 2006, Capita Financial Administrators was fined £300,000 after some of its employees stole customers' identities and made fraudulent payments totalling £328,000.
Given the size of Tesco Bank's penalty, the regulator has put Britain's financial services industry on notice: security failings, and weak cyber defences in particular, can attract fines comparable to those available under the GDPR. Organisations in Britain should therefore treat cybersecurity as a standing boardroom agenda item and take continuous measures to keep out bad actors probing their defences.
Lenders have been a particular focus for the FCA. For years, payday lenders overcharged their customers, and the regulator responded with a price cap announced in 2014 and in force from January 2015 that has brought the industry under control. Its recent focus on cybercrime will hopefully reduce cyber fraud in financial services as firms adopt more stringent measures to protect their customers. Hopefully the FCA will then turn its attention to policies that reduce the household debt burden.