Raphaels fined £1.9m by FCA and PRA for outsourcing mismanagement
The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have fined R. Raphael & Sons (Raphaels) for failing to manage its outsourcing arrangements properly between April 2014 and December 2016.
This resolution was decided nearly post-mortem, as the bank only announced a couple of months ago it was closing down.
Raphaels has received separate fines of £775,100 from the FCA and £1,112,152 from the PRA in respect of these breaches, combining to a total £1,887,252.
The firm agreed to resolve this matter and qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been £2,709,574.
“Raphaels systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience,” says Mark Steward, FCA executive director of enforcement and market oversight. “There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”
“The firm’s ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness,” states Sam Woods, deputy governor for prudential regulation and CEO of the PRA. “Such outsourcing is an important part of a its operational resilience, and particularly so in the case of Raphaels, given the level of reliance on outsourcing in its business model.”
Woods adds: “In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.”
Raphaels is a retail bank providing banking and related financial services. Its payment services rely on outsourced service providers to perform certain, including the authorisation and processing of card transactions.
The bank failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers, particularly how they would support the continued operation of its card programmes during a disruptive event.
The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm, say the regulators.
On 24 December 2015, an incident caused the complete failure of the authorisation and processing services it provided to Raphaels and lasted over eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards.
Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from board level down, as per the regulators’ statements.
The joint FCA and PRA investigation identified “a lack of adequate consideration of outsourcing within its board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers”.