iusNet Droit Bancaire


Banks' IT difficulties continue to make the news

Problems affecting banks' IT systems, whether caused by internal failures or by external attacks, continue to make the news. Managing IT risk properly means, first, taking every reasonably necessary measure to reduce the likelihood that such events occur and, second, limiting the harmful consequences for the bank and its clients if they do occur.

In this context, an enforcement decision issued by the Financial Conduct Authority against Tesco Bank (a fine of £16.4 million) deserves attention. Read here

The decision clearly illustrates the role of the three lines of defence. The following passages are worth noting:

2.1 Tesco Bank was the subject of a Cyber Attack in November 2016. The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions. The attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26 million. The attack did not involve the loss or theft of customers’ personal data.

Although Tesco Bank’s controls stopped almost 80% of the unauthorised transactions, the Cyber Attack affected 8,261 out of 131,000 Tesco Bank personal current accounts. Personal current account holders received text messages which were likely to cause customers distress in the early hours of the morning. Some customers suffered embarrassment and inconvenience when they were unable to make payments using their debit cards. Some experienced long call queues and did not always receive the help they needed from Tesco Bank’s call centre.

4.67. Tesco Bank’s Financial Crime Policy sets out the Board’s financial crime risk appetite: “The Bank is committed to preventing and minimising external fraud losses in keeping with its risk appetite, whilst also considering the implications to customers. Risk appetite limits are approved by the Board and reviewed at least annually, as part of the risk appetite governance process”. Tesco Bank’s risk appetite for external fraud risk loss for the 2016/17 financial year was £13m (1.6% of its income). Tesco Bank stayed within its risk appetite for external fraud losses taking into account both the losses arising from the Cyber Attack and all other external fraud losses arising that financial year.

4.72. Internal Audit raised concerns about the financial crime risks involving the debit card (referred to as the “PCA”) as early as its launch date. An internal audit report entitled “PCA Financial Crime (January 2014)” found “weaknesses in the design with unclear accountability for key financial crime risks such as Internal Fraud, Stores and Digital (e-crime)”. More specifically, it noted that there was “no end to end view of the financial crime risks faced by Tesco Bank as a result of launching PCA”. It recommended that management should assess the “end to end financial crime risks associated with launching PCA and agree accountabilities for all of these including those which are out of scope [of the audit]. Accountable owners should then provide evidence of how these risks are being managed”. Tesco Bank’s senior management acknowledged the issue and instructed Operational Risk to carry out such a review.
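As an added example (not part of the iusNet page or the FCA notice), the following Python shows both sides of the pattern described in paragraph 2.1 above: how cheaply an attacker can produce card numbers that pass the Luhn format check for a known issuer BIN, and an issuer-side velocity control that flags the resulting burst of authorisation attempts spread across many distinct PANs from a single merchant. The BIN 999999, the merchant identifiers, the authorisation log and the alert thresholds are constructed for illustration; sequential account numbers are an assumption made for the demonstration, not a fact stated on this page.

```python
"""Added example: Luhn-valid PAN enumeration and a BIN-enumeration velocity control.

Not code from iusNet, Tesco Bank or the FCA. BIN, merchants, log and thresholds are
constructed sample values; sequential account numbering is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


def luhn_check_digit(partial: str) -> int:
    """Return the Luhn check digit that completes `partial` (the PAN without its last digit)."""
    total = 0
    # Walk from the right: the digit just left of the check digit is doubled, then alternate.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits, at least 13 long, and its last digit is the Luhn check digit."""
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def candidate_pans(bin6: str, first_account: int, count: int) -> list[str]:
    """Enumerate `count` 16-digit PANs under issuer BIN `bin6`: a 9-digit account part taken
    sequentially from `first_account` (assumption), plus the Luhn check digit. Every result is
    format-valid; only the issuer knows which ones are actually issued."""
    pans = []
    for n in range(first_account, first_account + count):
        partial = f"{bin6}{n:09d}"
        pans.append(partial + str(luhn_check_digit(partial)))
    return pans


@dataclass(frozen=True)
class AuthAttempt:
    ts: int            # seconds (constructed timestamps)
    pan: str
    merchant: str      # merchant / acquirer identifier (constructed)
    approved: bool


def detect_bin_enumeration(attempts: list[AuthAttempt], window_s: int = 600,
                           min_distinct_pans: int = 25, max_approval_rate: float = 0.6) -> list[dict]:
    """Issuer-side control: for each (merchant, BIN) pair, find the `window_s` sliding window with
    the most distinct PANs; alert if it touches at least `min_distinct_pans` PANs and the approval
    rate in that window is at most `max_approval_rate`. Thresholds are illustrative only."""
    by_key: dict[tuple[str, str], list[AuthAttempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_key[(a.merchant, a.pan[:6])].append(a)
    alerts = []
    for (merchant, bin6), rows in by_key.items():
        best_distinct, best_window, lo = 0, rows[:1], 0
        for hi in range(len(rows)):
            while rows[hi].ts - rows[lo].ts > window_s:
                lo += 1
            window = rows[lo:hi + 1]
            distinct = len({r.pan for r in window})
            if distinct > best_distinct:
                best_distinct, best_window = distinct, window
        rate = sum(r.approved for r in best_window) / len(best_window)
        if best_distinct >= min_distinct_pans and rate <= max_approval_rate:
            alerts.append({"merchant": merchant, "bin": bin6, "distinct_pans": best_distinct,
                           "attempts": len(best_window), "approval_rate": round(rate, 2),
                           "from_ts": best_window[0].ts, "to_ts": best_window[-1].ts})
    return alerts


def sample_attempts() -> list[AuthAttempt]:
    """Constructed log: one merchant trying 40 sequential PANs in under five minutes (1 in 5
    approved), alongside ordinary approved traffic on unrelated PANs at another merchant."""
    bin6 = "999999"
    attack = [AuthAttempt(ts=1_000 + i * 7, pan=p, merchant="MRCH-ATK", approved=(i % 5 == 0))
              for i, p in enumerate(candidate_pans(bin6, 100_000_000, 40))]
    legit = [AuthAttempt(ts=1_000 + i * 60, pan=candidate_pans(bin6, 123_456_789 + i * 1000, 1)[0],
                         merchant="MRCH-OK", approved=True) for i in range(10)]
    return attack + legit


if __name__ == "__main__":
    for alert in detect_bin_enumeration(sample_attempts()):
        print(alert)
```

The point of the control is that it keys on the shape of the traffic (many distinct PANs of one BIN, one source, low approval rate, short window) rather than on any individual card being unissued, so it still fires when the generated numbers happen to be live cards, which is what paragraph 2.1 describes.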

On the subject of IT risk, the following documents are also worth mentioning:

- a BaFin conference: read here

- Discussion Paper of the Prudential Regulation Authority/Bank of England:
Building the UK financial sector’s operational resilience, 5 July 2018. Read here

- a speech:
François Villeroy de Galhau: Silos, security of systems, speed
Keynote by Mr François Villeroy de Galhau, Governor of the Bank of France, at the Working Group on Cyber Resilience round table, Paris, 14 September 2018. Read here

iusNet DB 10.12.2018
