Release Date: 30th May 2019

To access the original FCA document, click here.

Summary

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have jointly fined R. Raphael & Sons plc (Raphaels) £1,887,252 for failing to manage its outsourcing arrangements adequately between April 2014 and December 2016. Raphaels was fined £775,100 by the FCA and £1,112,152 by the PRA.

Mark Steward, FCA Executive Director of Enforcement and Market Oversight, highlighted that Raphaels’ inadequate systems and controls in overseeing its outsourcing arrangements exposed customers to unnecessary harm and inconvenience. Sam Woods, Deputy Governor for Prudential Regulation and CEO of the PRA, stressed the importance of managing outsourcing of critical activities for operational resilience, especially given Raphaels’ reliance on outsourcing in its business model.

Raphaels, a retail bank, relies on outsourced service providers for critical functions in its Payment Services Division (PSD), which operates prepaid and charge card programs in the UK and Europe. These critical functions include authorisation and processing of card transactions. The FCA and PRA found that Raphaels failed to have adequate processes to assess the business continuity and disaster recovery arrangements of its outsourced service providers. This failure posed a significant risk to the bank’s operational resilience and customer safety.

The risks materialised on December 24, 2015, when a technology incident at a card processor caused an eight-hour failure of authorisation and processing services. This incident left 3,367 customers unable to use their prepaid and charge cards, resulting in 5,356 failed transactions at point-of-sale terminals, ATMs, and online. The incident severely impacted seasonal workers relying on prepaid cards for wages, especially given its occurrence on Christmas Eve.

Raphaels’ failings were rooted in deeper issues in its management and oversight of outsourcing risks from the Board level down. The joint investigation revealed systemic weaknesses in Raphaels’ outsourcing systems and controls, including inadequate consideration of outsourcing within risk appetites, lack of processes for identifying critical outsourced services, and flaws in due diligence of service providers. These issues persisted until the end of 2016, by which time Raphaels had implemented new outsourcing policies and procedures.

Raphaels agreed to resolve the matter, qualifying for a 30% discount on the fines. Without this discount, the combined fine would have been £2,709,574.

Key Takeaways for Other Firms:

In conclusion, the substantial fines imposed on Raphaels underscore the critical need for rigorous management and oversight of outsourcing arrangements. Financial institutions must ensure robust systems, due diligence, and continuity plans to protect customers and maintain operational resilience.

Back to the Dear CEO letter archives.