Skip to content

Search the site

ex-TSB CIO first IT leader fined under senior managers regime

"A gap in the control environment which was proving difficult to close..."

Former TSB CIO Carles Abarca has been personally fined £81,620 for his role in a botched 2018 TSB IT migration – with the Prudential Regulation Authority (PRA) saying that he “failed to ensure that he or his CIO team obtained sufficient assurance” from outsourcers in relation to their readiness to operate a new core banking platform.

He is the first CIO to be fined under 2016's Senior Managers and Certification Regime, which embeds "greater individual accountability by ensuring authorised firms allocate clear responsibilities to key decision-makers."

TSB’s primary outsourcer, SABIS, contracted a further 85 “fourth party” suppliers to support the complex migration by the retail bank from multiple, third-party legacy systems to a single new platform, which hit serious hurdles in April 2018, resulting in “significant levels of disruption and inconvenience” to customers.

Former TSB CIO fined: Fourth-party risk inadequately tracked

The PRA report reveals that in October 2017 TSB’s Chief Risk Officer warned that TSB was “still not able to understand the risk exposure of the full SABIS IT service provision… including in relation to fourth parties.”

Just eight weeks ahead of the migration “TSB had still not ensured that SABIS’s supplier management model was fully developed and complied with TSB Group Outsourcing policy" the PRA's April 13 notice says.

“SABIS acknowledged there was a gap in the control environment which was proving difficult to close. Although TSB and SABIS took steps to address that gap, the issues were not fully resolved before MME [migration].”

TSB CIO fined
TSB's assurance matrix framework for the first line to give a "comprehensive overview of all the assurance parameters required for.. validation of the Migration Programme deliverables", per the PRA final notice.

“As CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules,” the PRA said.

“In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier… he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so.”

TSB in 2015 received a takeover bid from Spain’s Sabadell group, which subsequently planned for a migration of banking systems to a purpose built UK version of Sabadell’s Proteo platform. The PRA and Financial Conduct Authority (FCA) in December 2022 fined TSB £48,650,000 for operational resilience failings over the migration; the bank has also had to pay out £32.7 million in compensation to customers in the wake of the disruption.

Abarca went on to hold a role as CTO at TSB’s parent company until January 2023.

The Stack has contacted him for comment.

(The bank moved swiftly in the wake of a blistering 2019 post-mortem, hiring Suresh Viswanathan, a Barclays and Citi veteran as Chief Operating Officer, Robin Bulloch from Lloyds as its Customer Banking Director, and a new CEO, Debbie Crosbie, from Clydesdale & Yorkshire Banks in 2019 to lead a rebuild of both trust and technology at the retail bank. The Stack interviewed the then-TSB COO about this rebuilt back in 2021, read it here.)

Join peers following The Stack on LinkedIn

The Senior Managers and Certification Regime was introduced in 2016 for banking institutions to embed greater individual accountability by ensuring authorised firms allocate clear responsibilities to key decision-makers. Under this regime, firms must allocate ‘prescribed responsibilities’ – specified in the PRA Rulebook – to Senior Managers. One of these is responsibility for the firm’s performance of its obligations under the PRA’s rules relating to outsourcing. Its latest supervisory statement on strengthening individual accountability is here.