The Prudential Regulatory Authority (PRA) has issued a fine against an individual under the Senior Managers & Certification Regime (SM&CR) for breach of the Senior Managers Conduct Rules. The SM&CR was introduced in 2016 with the objective of increasing individual accountability for senior individuals at regulated firms. This is the first fine that we are aware of to be issued to penalise an individual’s conduct under the regime.
The PRA has fined Carlos Abarca for a failure to take reasonable steps to ensure that TSB Bank plc (TSB) adequately managed and supervised an IT outsourcing arrangement relating to its IT platform migration. Problems with that migration led to well-publicised IT failings at TSB in April 2018, which caused significant disruption for TSB’s customers. Mr Abarca was TSB’s Chief Information Officer and held Senior Manager Function 18 (Other Overall Responsibility) under the SM&CR at the time. TSB itself was fined by both the PRA and the Financial Conduct Authority for its failures in relation to the incident.
Mr Abarca was responsible for compliance with the PRA’s Outsourcing Rules. The PRA found that he did not appropriately supervise outsourcing arrangements in relation to the IT migration project. He gave an attestation of readiness to TSB’s board based on an external provider’s letter of confirmation, which itself included confirmations from third parties instructed by TSB’s IT outsourcer. The PRA considered that Mr Abarca did not sufficiently consider whether it was appropriate to rely on this letter without further investigation or challenge, and that in fact he was over-reliant on it. It is also suggested that the letter itself ought to have been provided to TSB’s board. The PRA said that “Mr Abarca’s failings undermined TSB’s operational resilience”, contributed to the disruption that resulted, and was a factor contributing to some of TSB’s regulatory breaches for which it was separately fined.
It is interesting to see this first decision under the SM&CR, although each case turns on its own facts and so the guidance to be distilled from it is limited. In this instance, the PRA made direct findings against Mr Abarca, that he ought not to have provided assurance to TSB’s board in the manner that he did. What might be interesting to see in future cases, however, is whether a person holding a Senior Manager Function (SMF) might be held liable for conduct failings by those for whom they are directly or indirectly responsible under the SM&CR.
The FCA published its response  to a Freedom of Information request for data on enforcement investigations into senior managers in May 2022. That response confirmed that as of 27 April 2022 there were 47 open investigations into individuals holding a SMF and 16 into other individuals under the SM&CR regime. We can therefore expect more fines under the SM&CR in the next 12 to 24 months.