The Bank of England has imposed its first-ever fine on a financial market infrastructure firm, penalising Mastercard-owned Vocalink £11.9 million for failing to adequately address risk management and governance weaknesses.

The penalty relates to Vocalink's failure to comply with a regulatory direction issued by the central bank requiring the company to fix identified systems and controls issues by 28 February 2022. The firm, which operates critical UK payment infrastructure, fell short of meeting the Bank of England's requirements despite implementing a remediation programme.

"Vocalink fell short of its obligation to have adequate risk management and governance arrangements when responding to the Bank's direction," said Sarah Breeden, deputy governor for financial stability. "Its failure to comply with that direction in full has resulted in a significant fine."

The Bank of England found that Vocalink's non-compliance stemmed from an ineffective risk management framework, combined with weaknesses in controls, governance arrangements and escalation processes. The investigation identified that the company failed to implement a sufficiently integrated risk management framework for its remediation programme, which would have ensured risks could be properly understood, monitored and shared among the three lines of defence.

The central bank also criticised failures to escalate key risks and information to senior committees, which undermined the firm's ability to fully comply with the regulatory direction. The Bank of England stated that Vocalink's governance arrangements fell below the standards expected of a financial market infrastructure firm.

Vocalink, which was acquired by Mastercard in 2017, operates crucial UK payment systems that process over 90 per cent of British salaries, more than 70 per cent of household bills and 98 per cent of state benefits. The company's infrastructure underpins the Bacs direct debit system, the UK Faster Payments system and the Link ATM network.

The fine could have been significantly higher, but Vocalink's cooperation throughout the investigation and early admission of the compliance failure resulted in a 15 per cent reduction. The company also qualified for a further 30 per cent reduction by agreeing to resolve the matter. Without these reductions, the penalty would have been £20 million.

"We are pleased to resolve this matter which relates to issues identified in 2020," a Vocalink spokesperson said. "Since then, we've delivered a number of improvements, as recognised in the Bank's final notice. The historic issues related to internal systems and controls had no impact on the service we delivered to UK consumers and businesses."

The Bank of England noted that Vocalink has invested significantly in remediating the issues that led to both the original direction and the subsequent compliance failure. The company has been regulated by the Bank of England since April 2018 as a specified service provider, a type of financial market infrastructure firm involved in operating UK payment systems.

---