Contributors
A former Chief information Officer (CIO), Mr Carlos Abarca, was personally fined by the Prudential Regulation Authority (PRA) for breaching the PRA's Senior Management Conduct Rules.
Background
The PRA, which is part of the Bank of England, has imposed an £81,620 fine on the former CIO of a leading retail bank. Mr Abarca was the CIO of the bank when it suffered an IT failure following a system migration. The bank had also been fined as a result of the IT failure.
Mr Abarca was the most senior executive responsible for the bank's data migration programme. The PRA stated that, as CIO, Mr Abarca "had responsibility" for the bank's compliance with the PRA’s outsourcing rules.
However, it is unusual for regulators to penalise senior managers within businesses in addition to the wider fines the business itself faced. The Chief Executive Officer of the PRA, said:
"Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect."
Mr Abarca was found to have breached the PRA’s Senior Manager Conduct Rule 2 because he "failed to take reasonable steps" to ensure that the PRA Outsourcing Rules were complied with. In particular, Mr Abarca did not:
- Ensure that the third party provider’s ability and capacity were adequately reassessed on an ongoing basis
- Ensure that the bank had obtained sufficient assurance from the third party provider in relation to its readiness to operate the new IT platform
- Give sufficient consideration to whether further investigation was required before giving assurance to the Board as to the third party provider’s readiness for migration.
Mr Abarca was initially fined £116,600 but he qualified for a 30% reduction in the overall fine as he did not dispute the fine and agreed to settle with the PRA.
Implications
The fine the PRA imposed on Mr Abarca as CIO is a clear warning to senior managers in prominent roles. Whilst regulators may have the power to target individuals within a business, the power to hold managers personally accountable when things go wrong is not often used.
Senior managers should therefore heed the warning that is made by the fine imposed on a business' CIO. Whilst fines for egregious behaviour may be expected, this matters shows that senior managers who may have acted in good faith can still be penalised if their actions fall short of the expectations on an individual in this type of role. This is in addition to any penalties levied directly against the business.
Senior business managers should therefore keep the following points in mind:
- Fully investigate your business' position before reporting to the Board. Actively question statements to ensure accurate information is being conveyed, as opposed to the message that people want to hear.
- Maintain oversight of outsourced services, as senior managers will still be held responsible for services that fall under their responsibility, even if these are outsourced to external providers.
- Obtain documents where you can to evidence the steps taken to get to the root of any issues, and follow up on questions these may raise.
- If any verbal or written assurances are given, ensure these are kept up to date and re-visit key stakeholders as often as is necessary to ensure assurances are still accurate.
- If risks are highlighted, fully investigate these before action is taken, even if there are pressured deadlines.
- Ensure your business has effective Directors and Officers insurance and that all appropriate actions are taken to maintain that insurance. However, whilst insurance may cover the cost of a regulatory investigation, insurance providers will be unlikely to pay the cost of a penalty if one is imposed.
- Take advice from professionals where needed or if there is uncertainty. WBD has an experienced team of regulatory, commercial and digital lawyers that can provide expert advice tailored to your business' needs.
