The FCA noted that Tesco Bank failed to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack that occurred in November 2016.
Cyber attackers exploited defects in the design of Tesco Bank's debit card, its financial crime controls and its financial crime operations team to conduct the attack.
Tesco Bank's deficiencies allowed the attackers to take £2.26m from the bank's personal current account holders within 48 hours.
Principle two requires a firm to conduct its business with due skill, care and diligence.
The FCA determined that Tesco Bank breached Principle two because it failed to exercise due skill, care and diligence, including in the design and distribution of its debit card and in the configuration of specific authentication and fraud detection rules.
Tesco Bank also failed to take the necessary action to prevent a foreseeable risk of fraud, and failed to respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
Following the attack, Tesco Bank launched a comprehensive redress programme, committed significant resources to remedying the deficiencies and carried out a comprehensive review of its financial crime controls.
In addition, the FCA said that Tesco Bank agreed to an early settlement of the matter, which qualified it for a 30% discount under the FCA's executive settlement procedure.
FCA enforcement and market oversight executive director Mark Steward said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”