FCA fines Tesco Bank £16.4m over cyber attack

The FCA has fined Tesco Bank £16,400,000 over a cyber attack which took place in 2016.

Monday 1st October 2018

Its investigation found that the Bank failed to exercise due skill, care and diligence in protecting its current account holders, who lost £2.26m over the 48-hour attack.

The fine was initially reported to be around £30m; however, the FCA noted that Tesco Bank provided a high level of cooperation as well as a comprehensive redress programme which fully compensated customers, and as a result granted the bank 30% credit for mitigation.

In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% discount under the FCA’s executive settlement procedure. Without the mitigation credit and discount, the FCA would have imposed a penalty of £33,562,400.

Mark Steward, executive director of enforcement and market oversight at the FCA, said: "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.

"Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated."

Author: Rozi Jones, Editor