Former TSB CIO fined for migration meltdown

The Prudential Regulation Authority (PRA) at the Bank of England has fined the former CIO of TSB bank £81,620 for his part in the catastrophic migration of the bank’s IT to a new system.

In the final notice sent to the former CIO Carlos Abarca, the PRA said the action it has taken “emphasises the importance of ensuring that senior individuals in a firm take reasonable steps to ensure that the firm complies with the relevant regulatory requirements and standards, in compliance with Senior Manager Conduct Rules”.

The PRA’s investigation found that Abarca breached the PRA’s Senior Manager Conduct Rule 2 because he failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rule.

Sam Woods, deputy governor for Prudential Regulation and CEO of the PRA, said: “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.”

In April 2018, TSB moved millions of customer accounts from the systems of Lloyds Bank – which had hosted them since TSB was separated from Lloyds – to a new core banking platform from its current owner, Spanish bank Sabadell.

Prior to this migration, Paul Pester, TSB Bank CEO, said that the new platform, called Proteo4UK, was already being used to support a number of core services. He said the migration required “over 2,500 man years of effort by TSB, Sabadell and our technology partners, [meaning] TSB will be the first major bank in the UK to have designed and built a new banking platform for the digital age”.

But over a five-day period following the migration, customers were locked out of their accounts and experienced money disappearing from accounts. Some were even able to see other customers’ accounts.

All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business as usual. TSB paid £32.7m in redress to customers who suffered detriment.

The new core banking system, Proteo4UK, was built as a UK-specific version of Sabadell’s existing core banking system. The PRA said that TSB’s migration to the Proteo4UK Platform and the provision of IT services and outsourcing arrangements with Sabis, the IT arm of Sabadell, were critical to TSB’s ability to provide continuity of banking services, and therefore to its safety and soundness.

“Mr Abarca’s conduct fell outside the range of reasonable responses for a CIO in his position in a PRA authorised firm, and contributed to the disruptions to the continuity of TSB’s core banking functions post-MME [main migration event],” it said. The fine was originally set at £116,600 but was reduced by 30% because Abarca agreed to settle with the PRA.

On 20 December 2022, the PRA and the Financial Conduct Authority imposed a joint financial penalty on TSB of £48.65m (reduced from £69.5m upon settlement). The PRA said it found that TSB breached Fundamental Rule 2 because it failed to exercise due skill, care and diligence in managing appropriately and effectively the outsourcing arrangements with, and services provided by, Sabis and the risks arising from this, including operational risk.

“TSB’s breach of Fundamental Rule 2 stemmed from an undue reliance on Sabis as an intragroup provider, which in turn led to a level of oversight that was not consistent with the importance and scale of the migration programme,” the regulator stated.

In an interview with Computer Weekly in 2017, conducted prior to the disastrous IT migration, Abarca observed that, “Perfection doesn’t exist in technology, but we are taking all the reasonable steps.”

Abarca left TSB in December 2019 to join Sabadell as its chief technology officer. He left the company in January this year.