The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have fined Raphaels Bank £1.89m.
The fine relates to failures to manage its outsourcing arrangements properly between April 2014 and December 2016.
“Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate. This exposed customers to unnecessary and avoidable harm and inconvenience.
“There is no lower standard for outsourced systems. Controls and firms are accountable for failures by outsourcing providers,” says Mark Steward, FCA Executive Director of Enforcement and Market Oversight.
Raphaels’ Payment Services Division (PSD) operates prepaid card and charge card programmes in the UK and Europe. The PSD relies on outsourced service providers to perform certain functions critical to the operation of its card programmes.
These functions include the authorisation and processing of card transactions, a service performed by third party card processors.
Raphaels failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements. In particular, it failed to assess how its outsourced service providers would support the continued operation of its card programmes during a disruptive event.
Raphaels Bank fined: over 3,000 customers affected
This posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm. These risks crystallised on the 24 December 2015 when a technology incident occurred at a card processor.
The incident caused the complete failure of the authorisation and processing services provided to Raphaels and lasted over eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards.
The joint FCA and PRA investigation identified weaknesses throughout the Firm’s outsourcing systems and controls
Raphaels ought to have known about these since April 2014. These included a lack of adequate consideration of outsourcing within its Board and departmental risk appetites.
In addition, it included the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers.
Raphaels’ outsourcing arrangements continued to be inadequate until the end of 2016. By this time Raphaels had designed new outsourcing policies and procedures to remedy the failings.