Release Date: 1st October 2018
Summary
Tesco Personal Finance plc (Tesco Bank) was fined £16.4 million by the Financial Conduct Authority (FCA) for failing to exercise due skill, care, and diligence in protecting its personal current account holders during a cyber attack in November 2016. The cyber attackers exploited deficiencies in Tesco Bank’s debit card design, financial crime controls, and its Financial Crime Operations Team, resulting in the theft of £2.26 million over 48 hours.
Key Takeaways for Other Firms:
- Robust Cyber Security: Firms must ensure their financial crime systems are resilient and capable of preventing foreseeable risks from materialising.
- Proactive Risk Management: Address warnings and vulnerabilities promptly, rather than reacting after an incident occurs.
- Board Responsibility: The board must set a clear cyber crime risk appetite, design effective controls, and ensure quick recovery plans are in place.
- Continuous Improvement: Conduct root cause analyses post-attack to identify and mitigate vulnerabilities, and continuously improve systems and controls.
In conclusion, the FCA’s action against Tesco Bank highlights the importance of proactive and robust cyber security measures to protect customers from financial crime.