Tiny Raphaels Bank in regulatory trouble again.
Tracing its heritage to 1787 (that's a year, not a time), Raphaels Bank is one of the oldest independent banks in the UK. The bank says "today, we operate as a dynamic, niche savings and lending bank." It also operates "our own ATM Estate" and says it's a "well-established payment services provider." It is hard to escape concluding that this venerable institution is capitalising on its size and ability to operate in areas more usually associated with secondary institutions and fintech companies. But for such a tiny business, it comes to the attention of regulators more than is healthy.
Who'd have thought: the UK has its own version of the USA's OFAC and, like OFAC, it's part of the Treasury. It's called "The Office of Financial Sanctions Implementation" (OFSI) and although it's been around a long time, it's still sharpening its teeth to use new enforcement powers granted in the Policing and Crime Act 2017. The first case it brought concluded on 25 February this year, when it gave Raphaels Bank a waters-testing penalty (it's not a fine) of GBP10,000. The bank's offence was dealing with funds belonging to a person designated as blocked under EU financial sanctions. It might seem as if it's a tiny penalty for a major breach but some perspective is needed. The transaction involved "funds belonging to a person designated under regulation 3 of the Egypt (Asset-Freezing) Regulations 2011 (S.I. 2011/887)", which is the UK's Regulation implementing the relevant EU sanction. The amount transacted was GBP200 - yes, two hundred pounds. The bank realised what it had done, told OFSI and OFSI said "Thanks - here's a penalty notice, give us 10,000 quid" or words to that effect. But then OFSI decided that, in all the circumstances, not the least of which was that the bank had reported itself and "cooperated with the investigation," it would reduce the penalty by 50%, making the amount payable GBP5,000.
That was pretty much the only bit of good luck Raphaels Bank has had for some years.
In 2015, the Prudential Regulation Authority fined the bank GBP1,278,165 for "potentially putting its safety and soundness at risk by failing to properly manage its outsourcing arrangements." A statement issued 27 November 2015 says "As at April 2014, Raphaels owned 334 ATMs in the UK for public use in locations such as bureaux de change, railway stations and airports. Raphaels also owns mobile ATMs which are used at major sporting and other events. In September 2006, Raphaels agreed to enter into a joint venture with another company in its parent's group (the "Group") (Company C) to provide ATMs in various locations around the UK. Raphaels outsourced its ATM finance function to a team within Company C but did not have appropriate controls around this arrangement. Raphaels failed to enter appropriately into suitable written agreements or undertake suitable due diligence around the outsourcing."
The problem was that certain employees from "Company C" "improperly transferred funds without the knowledge or consent of Raphaels and took steps to conceal their actions. The PRA has seen no evidence that anyone else in the Group was aware of their actions. The funds were transferred from Raphaels to deal with cash flow problems in Company C. This meant that Raphaels was exposed to Company C, which would have led to severe financial repercussions if Company C had become insolvent." The case, then, was that Raphaels was put at risk because a subcontractor (albeit one within the same Group structure) committed an offence against it. In short, its failure to adequately supervise the transactions turned it from victim to innocent contributor. That is highly reminiscent of Thomas Renyi explaining how employees ran a massive money laundering scheme from within Bank of New York: "we trusted people; that trust was misplaced."
But the situation regarding Raphaels ran deep: the PRA said "As a result of the failings around its outsourcing, these breaches meant that Raphaels had inadequate oversight and control over its regulatory capital position. Specifically, from May 2011 to November 2013, Raphaels failed to understand and accurately report its capital requirement and failed to understand that it had a large exposure to the Group of more than 25% of its capital resources."
It is that failure to adequately supervise outsourced contracts that has come back to bite it again. On 30 May 2019, a combined investigation by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) (the separated conjoined twins from the Financial Services Authority that are finding that they might be two bodies but they share a heart) resulted in legally discrete but actually combined fines: GBP775,100 from the FCA and GBP1,112,152 from the PRA.
The situation, like the ATM case, arises out of the fact that Raphaels puts its name on services and holds the regulatory approval but it doesn't have the staff, arguably doesn't have the expertise, to perform those services so it gets outside specialists to do it. The problem is that, as has long been said, you can outsource functions but you can't outsource responsibility.
Its problems included:
- a failure to assess the business continuity and disaster recovery arrangements of those who provided services on its behalf
- of particular concern to the regulators was a lack of understanding "how they would support the continued operation of its card programmes during a disruptive event."
That, the regulator said, "posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm."
But so what, these things never happen, right?
Well, ironically just days after the previous decision relating to failure to supervise the ATM business, "a technology incident occurred at a card processor" resulting in the risks crystallising on 24th December 2015.
According to the PRA "The incident caused the complete failure of the authorisation and processing services it provided to Raphaels and lasted over eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards. In total, the card processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATM machines and online. Seasonal workers, who depended on their cards to receive their wages, used the largest prepaid card programme affected by the incident. The timing of the incident, on Christmas Eve, is likely to have exacerbated the impact of the outage."
"Raphaels agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and PRA would have been GBP2,709,574."
The circumstances leading to the fines arose during the period April 2014 to December 2016, showing that, even after the failure, and the 2015 case, the bank did not take its supervision of outsourced services by the scruff of the neck for some time. But there was also the fact that addressing the problems faced by customers after the Christmas Eve crisis did not happen quickly enough for the FCA's liking. Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said that regulated companies' "ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model. In addition, this was a repeat failing which demonstrates a lack of adequate and timely remediation. This is a significant aggravating factor in this case, leading to an uplift in the penalty."
In short, if you are going to put your name and authorisation on a service performed by someone else, you've got to supervise and manage it properly.
Further Reading:
https://assets.publishing.serv...
https://www.bankofengland.co.u...

