Raphaels fined £1.89m for outsourcing failings

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have fined Raphaels Bank £1.89 million for failing to manage its outsourcing arrangements properly between April 2014 and December 2016.

Raphaels received separate fines of £775,000 from the FCA and £1.1 million from the PRA in respect of these breaches.

The bank’s Payment Services Division (PSD) operates prepaid card and charge card programmes in the UK and Europe, relying on outsourced service providers to perform certain critical functions, including the authorisation and processing of card transactions.

Raphaels was found to lack adequate processes to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers – particularly how they would support the continued operation of its card programmes during a disruptive event.

The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm, according to the regulators. These risks crystallised on 24 December 2015 when a technology incident occurred at a card processor.

The incident, which lasted over eight hours, caused the complete failure of the authorisation and processing services the card processor provided to Raphaels. During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATMs and online.

Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from board level down. The joint FCA and PRA investigation identified weaknesses throughout the firm’s outsourcing systems and controls which Raphaels ought to have known about since April 2014.

These included a lack of adequate consideration of outsourcing within its board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and ongoing due diligence of outsourced service providers.

Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016, by which time it had designed new outsourcing policies and procedures to remedy the failings.

Raphaels agreed to resolve this matter and therefore qualified for a 30 per cent reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed would have been £2.7 million.

Mark Steward, FCA executive director of enforcement and market oversight, said: “There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”

Sam Woods, deputy governor for prudential regulation and chief executive of the PRA, said: “Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness – such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.”
