• news-banner

    Expert Insights

Lessons from the TSB IT Migration Disaster

Yesterday’s news that Spanish owned UK bank TSB is set to be fined nearly £49m (which would have been £69.5m if it had not been resolved with the regulators) following its failed IT migration project in 2018 that left up to 1.9m customers unable to bank online reveals the full extent of what has been dubbed one of the “worst case scenarios for major IT projects”.

The fine, which is approximately £30m from the FCA and approximately £19m from the PRA gives one of the first indications of how regulators will approach governance and outsourcing fines following the recent major changes in outsourcing and operational resilience regulation.  Sam Woods, deputy governor for Prudential Regulation at PRA said “[we] expect firms to manage to operational resilience as well as their financial resilience.  The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.”

The FCA found that “TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third party supplier.”  The fines therefore reflect the regulators’ decision that substantial failings of operational risk management, governance failures, failure to manage outsourcing risks occurred and the significance of the disruptions to customers as a result. 

TSB’s failures occurred at the principles for business level in the FCA and PRA handbooks, being the obligations for firms to conduct business with due skill, care and diligence (Principle 2 FCA) and the firm being required to take reasonable care to organise and control its affairs responsibly and effectively, with risk management systems (Principle 3) and equivalent PRA fundamental principles for business.  The FCA report identifies failings on this basis with nearly all of the Principles of SYSC 8.1 and Articles 30 and 31 of the MiFID Org Regulation and other systems and controls failings. 

The decisions reinforce that key principle that the regulated firm will ultimately be responsible for the failures and cannot contract out of this risk.

Key points for consideration include:

  • This is a very good case study for firms and vendors in the light of the increased regulatory focus on operational resilience and outsourcing. It emphasises the need for clear governance to be set up, and followed, and for decisions to be taken consistently within the governance framework at all times.  Ultimately, firms must plan in some detail for the very worst when considering outsourcing arrangements and complex transformation.
  • Firms should also consider whether some projects are simply too big or ambitious to consider without very detailed planning and contingency.  The TSB migration was unusually significant because it involved migration to a UK version of its new Spanish owner’s systems which had to be specifically bespoked for UK business.  As such, it was not a neat transition to a “bank in a box” and other or existing systems that were guaranteed to work.  Other options such as remaining within the Lloyds Banking Group IT environment or securing a carve-out of this system were considered, but increased regulatory capital requirements could have resulted,  and therefore this may have been one of the factors driving the parties to consider different technical options. 
  • Complex technical decisions often have regulatory impacts leading to a difficult balance between cost, thoroughness and ensuring customer service continuity.  These decisions will inevitably have to be looked at in more detail on complex migrations. For example, in the TSB migration, the risk of having to stop live services or test on live services was considered too significant to do wholesale testing of all the data centre and network configuration.  As such, only part of the active/active configuration was tested because the parties relied on incomplete assurances from experts, as the risk to customer disruption on already live services on full testing was significant.  In the end, the decisions were not fully documented through the formal governance process which was a material failing. 
  • Supply chain complexity was identified but not fully dealt with.  In this case, TSB was relying on up to 85 sub-contractors at the “fourth party” level through its owner SABIS.  11 of these were material sub-contractors i.e. suppliers of critical important functions under regulatory outsourcing requirements.  There was insufficient control of the length of the supply chain, and despite steps to provide additional resources to ensure that the controlled environment was properly regulated, this risk was ultimately not fully managed. 
  • We would expect that as part of the EU’s new Digital Operational Resilience Act (DORA) likely to come in to force in 2025 and UK equivalents, that understanding supply chain and oversight of it when regulating critical third parties will have to become a greater focus.  This will have implications for all parties in the supply chain, including more effective flowing down of contractual provisions and the practical oversight of the vendors. 
  • If the worst does happen, fuller contingency planning is essential.  TSB did not prepare an adequate communication strategy, expecting around 2,000 complaints in the first week following the services but it received approximately 37,000 claims in the end.  In the end, the fine exceeds the compensation given to customers, and the reputational impacts will continue for many years. 

Careful review of the detail will ultimately help parties to identify issues that the regulators will be concerned about, and it may be that as a result of this, costs for managing very complex migrations could increase, and timetables will have to be extended.  There were frequent slippages in and replanning of the TSB programme, and difficult decisions will have to be taken by Boards to manage ICT risk against the inevitable desire for complex programmes to be effected on time and to budget.  However, managing this expectation and cost implications will ultimately be a focus for those responsible for delivering complex IT change programmes and communication with regulators will obviously be required on complex programmes when commercial imperatives such as managing capital requirements and increased operational resilience concerns will need active regulator input to ensure success and to protect firms undergoing necessary and complex change.

Our thinking

  • Women in Leadership: Planning for the future

    Sarah Wigington

    Events

  • In-House Insights: Legal operations at work - how to do more with less

    Megan Paul

    Events

  • Property Patter – Filming Agreements Part 2

    Naomi Nettleton

    Podcasts

  • Charles Russell Speechlys Paris significantly strengthens litigation practice with notable team hire led by Frédéric Dereux

    Frédéric Dereux

    News

  • Thomas Snider and Dalal Alhouti write for New Law Journal on international arbitration trends

    Thomas R. Snider

    In the Press

  • Trade Credit Insurance – Protection, Economic Instability and Increased Demand

    Mary Barrett

    Insights

  • Consumer Duty - FCA warns that some firms are “lagging behind”

    Richard Ellis

    Insights

  • UK Government AI Regulation Response & Roadmap – Is the Government behind the wheel?

    Mark Bailey

    Insights

  • Remote Hearings – factors to consider

    Richard Kiddell

    Insights

  • Richard Davies writes for City AM on the lessons that the Premier League can learn from the Super Bowl and NFL

    Richard Davies

    In the Press

  • Charles Russell Speechlys advises the management sellers of Membr on its sale to Xplor Technologies

    Andrew Clarke

    News

  • Fortune quotes Richard Davies on sponsorship deals and the strength of brand/supporter loyalty in football

    Richard Davies

    In the Press

  • Nick White writes an opinion piece for City AM on the EU AI Act

    Nick White

    In the Press

  • Nick White and Olivia Gray write for Law360 on a Supreme Court decision on AI and patents

    Nick White

    In the Press

  • Legal tips and trends for Creative Design Agencies in 2024

    Rebecca Steer

    Insights

  • Charles Russell Speechlys advises Downing LLP on the successful refinancing of its loan facility with Kao Data

    News

  • Kelly Evans and Francesca Heath-Clarke write for People Management on the right to disconnect

    Kelly Evans

    In the Press

  • Charles Russell Speechlys advises Puma Private Equity on its investment into Transreport

    David Coates

    News

  • The Law Society Gazette quotes Tamasin Perkins on The Traitors and its likeness to multi-party litigation

    Tamasin Perkins

    In the Press

  • Artificial Intelligence – What to expect in 2024

    Louise Zafer

    Insights

Back to top