Summary of FCA Final Notice: TSB Bank plc – 20 December 2022

On 20 December 2022, the Financial Conduct Authority (FCA) imposed a financial penalty of £29.75 million on TSB Bank plc (TSB) for operational failings linked to its failed IT migration in April 2018. TSB agreed to settle at Stage 1 of the FCA’s enforcement process, receiving a 30% discount. Without this, the fine would have been £42.5 million.

TSB was originally part of Lloyds Banking Group (LBG), from which it was divested in 2014. Until its IT separation, TSB continued to rely on the LBG IT platform under an outsourcing agreement. After being acquired in 2015 by Banco Sabadell, TSB initiated a programme to migrate its banking services to a new IT system called Proteo4UK—a UK-customised version of Sabadell’s Spanish banking platform. This transition was overseen by Sabadell’s technology subsidiary, Sabadell Information Systems (SABIS).

TSB executed its Main Migration Event (MME) over the weekend of 20–22 April 2018. Immediately after go-live on 22 April, widespread system failures affected digital banking (internet and mobile app access), telephone banking (interactive voice response and agent systems), and in-branch technology. Customers faced login errors, data inconsistencies, payment issues, long call wait times, and extended disruption. TSB reported receiving 225,492 complaints (around 4.3% of its customer base), and paid over £32.7 million in redress for inconvenience, expenses, and compensation.

The FCA found that the migration incident stemmed from a series of failings across governance, risk management, programme delivery, and supplier oversight. These included:

• Inadequate planning and unrealistic timelines: TSB adopted an aggressive migration deadline despite being behind schedule and lacking complete requirements documentation. Delays in the Integrated Master Plan (IMP) led to the development of the “Defender Plan,” which still did not fully address resource constraints or programme readiness.

• Testing failures: Functional testing phases such as User Acceptance Testing (UAT) and Migrated Data Testing (MDT) ran late or were altered. A final regression test phase was abandoned due to time pressure. Non-functional testing, including performance testing, was reduced in scope and not conducted in Active-Active configuration—a data resilience setup designed to prevent service failures during infrastructure outages.

• Outsourcing risks: TSB relied heavily on SABIS, which had no UK-based operational experience and used 85 subcontractors. TSB failed to conduct adequate due diligence on SABIS’s capability to deliver and operate Proteo4UK. Fourth-party risk assessments (i.e. SABIS’s subcontractors) were incomplete or delayed.

• Governance gaps: The TSB Board did not sufficiently interrogate assumptions or challenge incomplete testing and risk mitigation. Risk Oversight and Internal Audit identified concerns, but these were not always escalated or resolved before MME.

• Business continuity shortcomings: Although TSB planned for manageable issues, it was unprepared for multi-channel failures and could not roll back to LBG’s systems post-migration. TSB’s incident management playbooks and communications strategies were insufficient for the scale of the crisis.

TSB was found to have breached Principle 2 (failing to conduct its business with due skill, care and diligence) and Principle 3 (failing to organise and control its affairs responsibly, with adequate risk management systems) under the FCA’s Principles for Businesses.