UK Conduct Regulator Fines Retail Bank for Failures During a Cyber Attack

A&O Shearman
Shearman & Sterling LLP

The UK Financial Conduct Authority has published a final notice issued to a UK Retail Bank for breaches of Principle 2 of the FCA's Principles for Businesses. Principle 2 requires authorized firms to conduct their business with due skill, care and diligence. The Bank was subjected to a cyber-attack in November 2016, when attackers deployed an algorithm to generate authentic debit card numbers that were then used to make unauthorized transactions. While the attack did not involve loss or theft of customers' personal data, the FCA found that the attack left the Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours.

The FCA has fined the Bank £16.4 million, finding that the Bank breached Principle 2 by failing to exercise due skill, care and diligence to:

  • design and distribute its debit card;
  • configure specific authentication and fraud detection rules;
  • take appropriate action to prevent the foreseeable risk of fraud; or
  • respond to the November 2016 cyber-attack with sufficient rigor, skill or urgency.

In a press release accompanying the final notice, the FCA reminds financial institutions that ensuring cyber crime controls are adequately resilient is ultimately a responsibility for the Board.

View the final notice.

View the press release.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© A&O Shearman
