Lessons from the TSB IT Migration Disaster
Yesterday’s news that Spanish-owned UK bank TSB is set to be fined nearly £49m (which would have been £69.5m had the matter not been resolved with the regulators) following its failed 2018 IT migration project, which left up to 1.9m customers unable to bank online, reveals the full extent of what has been dubbed one of the “worst case scenarios for major IT projects”.
The fine, approximately £30m from the FCA and approximately £19m from the PRA, gives one of the first indications of how regulators will approach governance and outsourcing fines following the recent major changes in outsourcing and operational resilience regulation. Sam Woods, deputy governor for Prudential Regulation at the PRA, said “[we] expect firms to manage to operational resilience as well as their financial resilience. The disruption to continuity of service experienced by TSB during its IT migration fell below the standard we expect banks to meet.”
The FCA found that “TSB failed to organise and control the IT migration programme adequately, and it failed to manage the operational risks arising from its IT outsourcing arrangements with its critical third party supplier.” The fines therefore reflect the regulators’ finding that there were substantial failings in operational risk management, in governance and in the management of outsourcing risks, together with the significance of the resulting disruption to customers.
TSB’s failures occurred at the level of the Principles for Businesses in the FCA and PRA handbooks: the obligation on firms to conduct their business with due skill, care and diligence (FCA Principle 2), the obligation to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems (FCA Principle 3), and the equivalent PRA fundamental principles for business. On this basis the FCA report identifies failings against nearly all of the principles in SYSC 8.1 and Articles 30 and 31 of the MiFID Org Regulation, as well as other systems and controls failings.
The decisions reinforce the key principle that the regulated firm remains ultimately responsible for such failures and cannot contract out of this risk.
Key points for consideration include:
- This is a very good case study for firms and vendors in the light of the increased regulatory focus on operational resilience and outsourcing. It emphasises the need for clear governance to be set up and followed, and for decisions to be taken consistently within the governance framework at all times. Ultimately, firms must plan in some detail for the very worst when considering outsourcing arrangements and complex transformation.
- Firms should also consider whether some projects are simply too big or ambitious to undertake without very detailed planning and contingency. The TSB migration was unusually significant because it involved migration to a UK version of its new Spanish owner’s systems, which had to be specifically customised for the UK business. As such, it was not a neat transition to a “bank in a box” or to other existing systems that were guaranteed to work. Other options, such as remaining within the Lloyds Banking Group IT environment or securing a carve-out of that system, were considered, but they could have resulted in increased regulatory capital requirements, and this may have been one of the factors driving the parties to consider different technical options.
- Complex technical decisions often have regulatory impacts, leading to a difficult balance between cost, thoroughness and ensuring continuity of customer service. These decisions will inevitably have to be looked at in more detail on complex migrations. For example, in the TSB migration the risk of having to stop live services, or of testing on live services, was considered too significant to permit wholesale testing of the full data centre and network configuration. As a result, only part of the active/active configuration was tested, with the parties relying on incomplete assurances from experts because the risk of disrupting customers on already live services was judged too high for full testing. In the end, these decisions were not fully documented through the formal governance process, which was a material failing.
- Supply chain complexity was identified but not fully dealt with. In this case, TSB was relying on up to 85 sub-contractors at the “fourth party” level through its owner SABIS. Eleven of these were material sub-contractors, i.e. suppliers of critical or important functions under the regulatory outsourcing requirements. There was insufficient control over the length of the supply chain, and despite steps to provide additional resources to ensure that the environment was properly controlled, this risk was ultimately not fully managed.
- We would expect that, under the EU’s new Digital Operational Resilience Act (DORA), likely to come into force in 2025, and its UK equivalents, understanding and overseeing the supply chain when regulating critical third parties will have to become a greater focus. This will have implications for all parties in the supply chain, including more effective flow-down of contractual provisions and practical oversight of vendors.
- If the worst does happen, fuller contingency planning is essential. TSB did not prepare an adequate communication strategy: it expected around 2,000 complaints in the first week following the migration but received approximately 37,000 claims in the end. The fine now exceeds the compensation paid to customers, and the reputational impact will continue for many years.
Careful review of the detail will ultimately help parties to identify the issues the regulators will be concerned about. One likely consequence is that the cost of managing very complex migrations will increase and timetables will have to be extended. There were frequent slippages in, and replanning of, the TSB programme, and Boards will have to take difficult decisions to manage ICT risk against the inevitable desire for complex programmes to be delivered on time and to budget. Managing this expectation and its cost implications will therefore be a focus for those responsible for delivering complex IT change programmes. Communication with regulators will clearly be required on complex programmes, particularly where commercial imperatives such as managing capital requirements meet increased operational resilience concerns; active regulator input will be needed to ensure success and to protect firms undergoing necessary and complex change.