Private bank Raphaels has been fined £1.89m for poor controls over its outsourcing arrangements.
The 230-year old bank was fined £775,100 by the Financial Conduct Authority (FCA) and £1.1m by the Prudential Regulation Authority (PRA) in connection with the failings between April 2014 and December 2016.
The weaknesses in its systems came to light on Christmas Eve 2015 when a card processor it used for its prepaid card and charge card programmes was hit by a technical breach that lasted for eight hours.
During this time 3,367 customers were unable to use their prepaid cards and charge cards and a total of 5,356 customer card transactions could not be authorised.
The joint FCA and PRA investigation into the incident found deeper flaws in the overall management and outsourcing of risk from board level down.
Raphaels outsourcing systems continued to be inadequate until the end of 2016, by which time the bank had designed new outsourcing policies and procedures to remedy the failures.
The bank agree to resolve the matter and therefore received a 30 per cent reduction in the fines imposed by the regulators.
Without the discount, the total fine would have been £2.7m.
Mark Steward, FCA executive director of enforcement and market oversight, said: “Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said: ”Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.
“In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty.”
Mike Redican, chief executive of Raphaels, said: “Following a thorough review of all our business operations, the bank's board of directors decided to withdraw from the activities on which the investigation focused in order to de-risk the ongoing business and this process is almost completed. I can assure all our stakeholders that the bank manages its operations effectively and meets its regulatory and capital requirements”.