The UK’s Financial Conduct Authority (FCA) said it fined Edinburgh-based Tesco Personal Finance plc (Tesco Bank) £16.4 million for “failing to exercise due skill, care and diligence in protecting its personal current account holders” against a cyber attack in November 2016.
The FCA said the fine would have been £33.5 million had Tesco Bank not given a “high level of cooperation” to its investigation and agreed to an early settlement.
“Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack,” said the FCA.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.”
Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late. Customers should not have been exposed to the risk at all.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
The FCA added: “Tesco Bank provided a high level of cooperation to the FCA.
“Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation.
“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure.
“But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”
In a statement, Tesco Bank said it accepted the settlement.
“In November 2016, Tesco Bank was the victim of a sophisticated criminal fraud attack,” said Tesco Bank.
“This fraud did not involve the theft or loss of any customers’ data, but led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted.
“The FCA recognised in the notice that, once senior management were aware, Tesco Bank responded quickly to stop the fraudulent transactions, updating customers regularly and deploying significant resources to return customers to their previous financial position.
“Tesco Bank considers this a reflection of its customer-centric culture.”
Tesco Bank CEO Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.
“I apologise to our customers for the inconvenience caused in 2016.”