Tesco Bank fined £16.4m after hackers siphoned £2.26m from customers in 2016

Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”

In particular, he noted that Tesco was warned of the attack before it happened but took no action to stop it until after it happened. “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

Steward added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

The FCA said Tesco had “failed to exercise due skill, care and diligence” in designing and distributing its debit cards, developing suitable authentication methods, fortify against fraud, and respond to the attack.

At the time, 7 November 2016, chief executive Benny Higgins said: "We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts.”

At the time, some customers noted that as much as £600 had been taken from them. The bank was quick to reimburse the victims of the attack – although with it taking place during the weekend, it was noted that the bank did not act with enough agility.

Nonetheless, the FCA has noted that Tesco has “provided a high level of cooperation to the FCA” which helped lessen the fine, which could have been as high as £33.5m.