According to the Financial Conduct Authority (FCA), the bank had failed to exercise due skill, care and diligence in protecting its personal current account holders.
The fraudsters got away with $2.9mn. Tesco Bank stated that all the money had since been refunded to account holders.
The company issued an apology, stating that it was “very sorry” for the impact the attack had on customers. The FCA stated that the attack had been largely avoidable and that Tesco had not responded to it with the requisite skill, nor the required urgency.
Mark Steward, executive director of enforcement and market oversight at the FCA, stated that the regulator would not put up with such behaviour.
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” he said.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” he added.
The FCA stated that the cyber attackers had exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team. Tesco Bank itself stated that it had been the victim of what it called a “sophisticated criminal fraud”.
While there was no theft or loss of any customer data, there were 34 transactions where funds were debited from customers’ accounts. The bank added that other customers had their normal service disrupted.
Gerry Mallon, Tesco Bank’s chief executive, stated: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016,” he added.
Tesco Bank’s co-operation with the FCA’s inquiry, and its agreement to an early settlement, meant the fine was reduced from its initial $43mn to the current $21mn.