FCA Fines Tesco Bank


Tesco Bank was subject to a cyber attack in 2016 during which the hackers were able to gain access to a number of debit card numbers. The hackers used these numbers to perform several unauthorised transactions over a period of more than 48 hours, pocketing a total of £2.26 million.

An investigation by the FCA ensued which resulted in Tesco Bank being fined £16.4 million on October 1, 2018.

Tesco Bank had received a fraud alert from Visa one year prior and, during the attack, had failed to limit the impact because of a mistake in its code. These failings, amongst others, led the FCA to conclude that Tesco Bank had failed to “configure specific authentication and fraud detection rules”, to take “appropriate action to prevent this foreseeable risk of fraud” and to respond to the attack with “sufficient rigour, skill and urgency”.

These failures meant that the FCA found that Tesco Bank had not met the FCA’s Principles for Businesses and had, in particular, breached Principle 2, which requires a firm to conduct its business with ‘due skill, care and diligence’.

Although Tesco Bank was said to be highly cooperative with the FCA during the investigation and implemented a “comprehensive redress programme”, the amount and imposition of the fine “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”, according to Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA.