The UK Prudential Regulation Authority (PRA) has announced that it has fined Mr Carlos Abarca, the former chief information officer (CIO) of TSB Bank plc (TSB), £81,620 for his role in operational resilience failings at the bank.
The fine was specifically for breaching PRA Senior Manager Conduct Rule 2 as Mr Abarca failed to take reasonable steps to ensure that TSB adequately managed and supervised appropriately its outsourcing arrangement in relation to its 2018 IT migration programme.
This follows on closely from the enforcement action taken in December 2022 against TSB for operational resilience failings, which resulted in a joint financial penalty of £48,650,000 imposed by the PRA and Financial Conduct Authority (FCA).
As CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so.
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said: “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.”
Mr Abarca’s Senior Manager Conduct Rule 2 failing undermined TSB’s operational resilience says the PRA and it contributed to the significant disruption TSB experienced.
Mr Abarca agreed to resolve this matter with the PRA, and therefore qualified for a 30 percent reduction in the overall fine imposed by the PRA. Without this discount, the financial penalty would have been £116,600.
This fine from the PRA shows how operational resilience responsibilities in UK regulated entities are individual as well as corporate. Executives have to take responsibility for ensuring that effective operational resilience processes are in place and ensure that their decisions and actions do not undermine operational resilience.