UK regulator FCA fines Tesco Bank £16.4m for cyber-attack, financial crime failures
02 Oct 2018

The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to protect its customers against a November 2016 cyber attack and the resulting financial crimes that occurred.

The banking watchdog found that cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.

Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a ‘largely avoidable incident’ that occurred over 48 hours and which netted the cyber attackers £2.26m.

FCA standards require firms to conduct their business with due skill, care and diligence.

Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime, the regulator said.

As such, it found that Tesco failed to exercise due skill, care and diligence to configure specific authentication and fraud detection rules, and also to take appropriate action to prevent the foreseeable risk of fraud, amongst other items.

Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” he explained.

Commenting on the FCA’s notice, Gerry Mallon, Tesco Bank Chief Executive, said: “We are very sorry for the impact that this fraud attack had on our customers.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.”

Read more:

Credit Suisse trouble over money laundering, beneficial ownership regarding FIFA

Money laundering: Wild, wacky compliance failures from ING, Danske banks

Money laundering: ING bank fined €775m over due diligence, client on-boarding

Advance your CPD minutes for reading this article, by signing up and using the CPD Wallet

FREE CPD Wallet

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.