The UK Financial Conduct Authority (FCA) announced at the start of last month that it had fined Tesco Bank £16.4 million for a cyber-attack that occurred two years ago.
In November 2016, 8,261 personal current accounts at Tesco Bank were compromised. Attackers obtained customers’ debit card details and entered into thousands of unauthorised transactions.
This is the first cyber-attack-related fine to be imposed on a UK bank by the FCA. The fine was reduced from the initial draft penalty of £23.5 million on the basis that Tesco Bank agreed to settle at an early stage, to be cooperative, and to compensate customers.
FCA’s Final Notice
The FCA set out its findings and enforcement action in its Final Notice dated 1 October 2018.
The fine was issued on the basis that Tesco Bank breached the FCA’s second Business Principle, which provides that a firm must conduct its business with due skill, care and diligence.
FCA Enforcement Director Mark Steward commented that the FCA has “no tolerance for banks that fail to protect customers from foreseeable risks”.
The FCA criticised Tesco Bank, saying that the cyber-attack was “largely avoidable”. The failings of Tesco Bank to conduct its business with due skill, care and diligence included:
- issuing debit cards with sequential card numbers, meaning that hackers could more easily work out details of active cards;
- configuring its authorisation system to check only that a card’s expiry date was in the future, and not that the date was correct;
- taking action to block the specific type of fraudulent transaction for its credit cards, but failing to do the same for its debit cards; and
- not responding to the attack with sufficient “rigour, skill and urgency”. This is because Tesco Bank contacted its fraud strategy team ineffectively (contrary to procedure), used an incorrect code to block the unauthorised transactions, and failed to monitor the rule’s operation and therefore did not notice that the code was not working properly.
The Final Notice concludes by acknowledging that Tesco Bank’s cyber-crime framework was appropriate but that it was, in fact, individuals within the bank who had failed to exercise the required due skill, care and diligence.
Tesco Bank has since changed its issuing practice and no longer issues cards with sequential card numbers. It has also changed its authorisation system, and now checks that the expiry date is correct.
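The two remediated failings side by side, as an added illustration that is not taken from the article or from Tesco Bank's own systems: a random (non-sequential) account identifier under a Luhn check digit, and an authorisation check that requires the presented expiry date to match the issued record rather than merely lie in the future. The BIN prefix, the `MM/YY` format and the card record layout are assumptions.

```python
import secrets
from dataclasses import dataclass


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a PAN that is missing its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit just left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def issue_pan(bin_prefix: str = "999999", length: int = 16) -> str:
    """Issue a PAN whose account identifier is random, not sequential, so one
    known card number says nothing about its neighbours.
    The BIN prefix is a hypothetical placeholder, not a real issuer's."""
    body_len = length - len(bin_prefix) - 1
    partial = bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    return partial + luhn_check_digit(partial)


@dataclass
class IssuedCard:
    pan: str
    expiry: str  # "MM/YY" as printed on the card (assumed format)
    active: bool = True


def _not_expired(expiry: str, today: tuple[int, int]) -> bool:
    """today is (YY, MM); a card stays valid through its expiry month."""
    mm, yy = (int(x) for x in expiry.split("/"))
    return (yy, mm) >= today


def authorise_weak(card: IssuedCard, presented_expiry: str, today: tuple[int, int]) -> bool:
    """The weak configuration: any expiry that has not yet passed is accepted,
    so a guessed future date is treated as correct."""
    return card.active and _not_expired(presented_expiry, today)


def authorise_strict(card: IssuedCard, presented_expiry: str, today: tuple[int, int]) -> bool:
    """The corrected check: the presented expiry must equal the issued record,
    and the card must still be in date and active."""
    return card.active and presented_expiry == card.expiry and _not_expired(card.expiry, today)
```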
Application of the GDPR and NIS Regulations
This attack occurred before the EU General Data Protection Regulation 2016/679 (GDPR) and UK Network and Information Systems Regulations 2018 (NIS Regulations) were in force.
Although the NIS Regulations are directly relevant, requiring both the prevention and the notification of cyber-attacks, they would not have applied in this instance.
The banking and financial market infrastructures sectors are largely exempt from the NIS Regulations on the basis that equivalent UK regulations already exist and apply to cyber-attacks (pursuant to recital 9 and article 1(7) of Directive (EU) 2016/1148 (NIS Directive)).
Depending on the regulatory status of a particular firm, equivalent regulations would be contained in the FCA Handbook and the Committee on Payments and Market Infrastructures’ Guidance on cyber-resilience for financial market infrastructures.
Such firms will continue to be subject to the enforcement and supervisory functions of the FCA and the Bank of England.
If the attack were to happen again today, it is likely that Tesco Bank’s conduct would constitute a breach of the GDPR. Article 32 of the GDPR covers information security by requiring organisations that handle personal data to implement technical and organisational security measures to safeguard against harming individuals’ fundamental rights to data protection and privacy.
Furthermore, the concept of ‘data protection by design’, as set out in article 25 of the GDPR, requires these security measures to be embedded into the fabric of an organisation at the design and architecture level. In a business context, this would mean that a technologically reliant bank such as Tesco Bank should incorporate information security defences at the technology infrastructure layer of its core banking platform, rather than as a later bolt-on at the application layer.
A cyber-attack of Tesco Bank’s scale is likely to infringe both articles, although that is currently untested.
It is also worth mentioning the concept of ‘data protection by default’, which sits alongside the by-design concept within the GDPR. This concept requires organisations to ensure that data protection is included as a factor within any business risk assessment. One aspect of this concept requires organisations to adopt a ‘privacy-first approach’ within the default settings of their systems and applications.
Tesco Bank’s practice of issuing cards with sequential card numbers and not adequately checking a card’s expiry date was probably put in place to save cost and increase the speed of fraud prevention checks.
These practices provide a good example of where privacy considerations should prevail over business efficiency, and, had the GDPR applied, they would have put Tesco Bank in breach of article 25.
The FCA’s fine demonstrates that conducting a financially regulated business with due skill, care and diligence now extends to its technology systems, the protections put in place around them and how staff implement them.
The level of the fine in this case, together with other recent examples of IT failures at high street banks, highlights that the FCA considers technology to be an intrinsic aspect of running a financial services business, rather than just a tool to increase customer engagement.
As such, we expect enforcement action by UK regulators (whether the FCA or the ICO) against IT failures and data breaches only to increase, and penalties, when applied, to cut deeper.