Tesco Bank’s Fine Of £16.4m After Preventable 2016 Cyber Attack

By Ashley Young

The Financial Conduct Authority (FCA) fined Tesco Bank £16.4m for its incompetence in adequately protecting customers from a 2016 cyber attack, which saw fraudsters claim over £2.2m worth of transactions over a 48-hour period.

The fine is a reminder to organisations of their duty to operate in a manner that takes account of their employees and customers. The failure of Tesco Bank to exercise due skill, care and diligence in protecting its personal current account holders, in an attack described as “largely avoidable”, has cost the company dearly, but the penalty is deserved. Tesco Bank had the means, money and technology to prevent the cyber attack, but failed to do so.

Cyber criminals as a result exploited deficiencies in the design of its debit card, its financial crime controls and the competence of its Financial Crime Operations Team. Those deficiencies should not have been there, and addressing them would have cost Tesco an amount that was peanuts by its standards. Instead, its failure to act exposed customers to the fraudulent actions of the cyber criminals.

ALGORITHM

According to the regulator’s 1 October enforcement notice, the attackers used an algorithm that generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions. Tesco Bank should have safeguarded the interests of its customers and prevented cyber criminals from penetrating its systems.

Tesco Bank was actually lucky to avoid a fine of around £33.5m, having qualified for a discount because it agreed to settle early and cooperated with the regulator.

Executive director of enforcement and market oversight at the FCA Mark Steward said the value of the fine “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”. He added: “In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

Specifically, Tesco Bank was in breach of the regulator’s “Principle 2”, which requires a firm to conduct its business with due skill, care and diligence.

‘Due Skill, Care And Diligence’

The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence in the design and distribution of its debit card, failed to configure specific authentication and fraud detection rules, and failed to take appropriate action to prevent a foreseeable risk of fraud. It added that Tesco Bank also failed to respond to the 2016 cyber attack with “sufficient rigour, skill and urgency”.

However, according to the FCA, Tesco Bank put in place a “comprehensive redress programme and devoted significant resources to improving the deficiencies that left the bank vulnerable” immediately after the attack.

It said: “[Tesco Bank] has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.”

Steward added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.

“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”