FCA fines Tesco Bank £16.4m

The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4 million for failings related to a cyber attack in 2016 which left customer data vulnerable.

The financial watchdog issued the penalty to Tesco’s banking arm over its “foreseeable” failure to exercise “due skills, care and diligence” in protecting customers from the cyber-attack.

It had been reported last week that the FCA was mulling a fine as high as £30m, reflecting the severity of the incident, which resulted in hackers making off with £2.26m.

The attack, which occurred over a two-day period in November 2016, targeted deficiencies in the design of Tesco Bank’s current account debit card along with its financial crime controls and its financial crime operations team.

The FCA said such weaknesses in Tesco Bank’s defences left personal current account holders vulnerable to a “largely avoidable incident”.

Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine reflects the fact that the FCA has “no tolerance” for banks that fail to protect customers from foreseeable risks, and added that Tesco Bank had been warned specifically about the issue, which was not addressed properly until after the attack started.

“This was too little, too late”, he said, adding: “Customers should not have been exposed to the risk at all.”

Steward explained that banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated,” he added.
