A joint investigation of the PRA and the FCA has resulted in R. Raphael & Sons plc (“Raphaels”) being fined a total of £1,896,612 for failures in the management of its outsourcing risk and arrangements.
This is Raphaels’ second fine since 2015 for failures in relation to its governance and oversight of outsourced functions.
This case is of particular interest in the context of the entry into force of the EBA Guidelines on Outsourcing on 30 September 2019. The PRA’s and the FCA’s findings are well aligned to key areas of focus of the EBA Guidelines, which raise the bar in terms of regulatory expectations and risk. This case also illustrates the very real consequences of non-compliance.
Summary of Facts
Raphaels’ Payment Services Division operates prepaid and charge card programmes in the UK and Europe and outsources a number of critical functions for its card programmes to third parties (including the authorisation and processing of card transactions).
In the early hours of 24 December 2015, a technology failure at a card processor resulted in a complete failure of all authorisation and card processing services which the card processor provided to Raphaels. Over a period of eight hours, more than 3,000 of Raphaels’ customers were unable to use their prepaid cards and charge cards, and more than 5,000 attempted customer card transactions could not be authorised.
An investigation by the PRA and FCA identified that Raphaels had inadequate systems and controls in place to support the oversight and governance of its outsourcing arrangements. In particular there was:
- inadequate consideration of outsourcing within Raphaels’ Board and departmental risk appetites. This meant a failure to articulate risk tolerance and parameters for the type and extent of outsourcing that was acceptable. In turn, Raphaels’ operational framework was not set up to manage outsourcing risk appropriately;
- an absence of processes for identifying critical or important outsourced services;
- flawed initial and on-going due diligence of outsourced service providers;
- a failure to consistently include appropriate service level agreements in outsourcing contracts;
- unsophisticated business continuity and disaster recovery planning, leaving Raphaels highly exposed to incidents; and
- failure to learn from and act upon historic mistakes – if there had been more thorough investigation and remediation of a prior incident in 2014 (involving the same card processor), the latest incident either would not have occurred or could have been better managed.
Together, these factors posed a risk to Raphaels’ operational resilience which continued until the end of 2016, when Raphaels designed new outsourcing policies and procedures to remedy the failings.
Mark Steward, FCA Executive Director of Enforcement and Market Oversight said of the investigation: “Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said: “Firms’ ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model.”
Some Points of Interest
The Final Notices of the FCA and PRA make interesting reading. They bring to life the need both to have in place comprehensive policies and procedures and to ensure these operate in a coordinated, meaningful and decisive manner.
Some particular points meriting pause for thought are:
- Magnitude of Financial & Reputational Risk
This case serves as a reminder and useful example of how the FCA and the PRA determine fines and of the potential size of these fines. The value of the failed transactions caused by the technology failure was £558,400, but the total amount of the fines imposed on Raphaels was the much greater figure of £1,896,612. Both the PRA and the FCA found that there were significant aggravating factors. The PRA applied an uplift of 40% to its fine because of Raphaels’ failure to implement proper remediation after a previous PRA fine for outsourcing failings. The FCA applied a 15% uplift, in part because of the distress and financial hardship caused by the technology failure, including amongst seasonal workers whose wages were paid using the prepaid card programme. Raphaels would in fact have had to pay £2,709,574 were it not for a 30% discount for settling at an early stage.
Financial exposure is therefore considerable and scales up with the size of a business given that the starting point for calculating a fine is to assess the firm’s relevant revenues.
Reputational exposure for firms, their Boards and senior personnel is also significant. Both the PRA and the FCA identified failings at Board and Executive Committee level, in particular a failure to set clear risk appetites for the outsourcing of critical services and a failure to ensure that risk tolerances were appropriately cascaded and applied.
- Business Continuity & Disaster Recovery
The case identifies practices (which may be common) which are unacceptable to the regulators and present high risk:
- a firm’s internal business continuity and disaster recovery plan must take account of outsourcing arrangements (rather than being purely internally focussed). It must enable the workaround and mitigation of problems effectively, wherever they originate;
- in respect of each outsourced service provider’s business continuity and disaster recovery plan, the following are all important:
- visibility and scrutiny of the plan (and any updates to it) before and during the contract lifetime;
- that the plans:
- ensure meaningful and effective action when issues arise (not just identification and notification of issues), with specific targets to resolve issues/outages;
- are effective throughout the outsourced service provider’s supply chain.
Raphaels was found to have no adequate processes for capturing and assessing information (whether before or after entering into contracts) regarding business continuity and disaster recovery arrangements, particularly how a card processor would support the operation of Raphaels’ cards during a disruptive event. This exposed Raphaels to an unacceptable level of risk: when the outage occurred, it could take no steps to manage it or to mitigate the harm which materialised.
- Putting Policy into Practice
The Raphaels case demonstrates the high risk of having elements of an appropriate risk framework and an outsourcing policy in place but not embedding them into working practices and culture. For instance:
- not properly recognising and quantifying risk from outsourcing in individual cases or in aggregate;
- policy not being backed up by practical guidance and training to staff on how to put policy requirements into action – for instance in respect of:
- distinguishing outsourcing critical or important functions from other outsourcings; and
- putting in place appropriate service level agreements with different types of outsourced service providers;
- failing to diligence properly the arrangements that service providers had with sub-contractors (in this case, card processors);
- having standard processes and documents e.g. an annual ongoing due diligence/monitoring process and form, which are used formulaically and not tailored as necessary to identify contextual risks;
- having procedures and policies which are not followed.
- Adequacy of contracts
It is apparent from this case that Raphaels had not put in place necessary and practicable contractual protections with respect to business continuity, service levels/performance management and chain outsourcing. Some protections were absent, others were not sufficiently tailored or detailed to address and manage risks.
- Board and senior person responsibility
The regulators made specific reference to Board accountability for failures connected to outsourcing. They also noted the importance of first-line responsibility for outsourcing resting with a nominated senior individual holding a Senior Management Function under the Senior Managers and Certification Regime (SMCR).
Future Influence of EBA Guidelines on Outsourcing (the “Guidelines”)
This action by the UK regulators serves as a timely reminder of the importance of comprehensive and sophisticated outsourcing frameworks, as embodied by the forthcoming entry into force of the Guidelines.
The Guidelines, which take effect on 30 September 2019, provide a detailed set of requirements relating to outsourcing, both in terms of governance and in terms of the contractual arrangements with outsourced service providers. Firms need to have upgraded their outsourcing governance by 30 September 2019. New outsourcing contracts entered into after that date must be fully compliant, while pre-existing contracts must be remediated by December 2021.
All of the issues which we have commented upon above in relation to the Raphaels case are considered at length in the Guidelines, which elaborate upon regulatory expectations. The Guidelines will no doubt fuel further regulatory oversight, investigations and enforcement action.
You can read more on the Guidelines in our article available here.
Simmons & Simmons is working with a number of clients on implementation of the EBA Guidelines and is available to assist with your implementation planning and execution.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.