Tesco's banking arm is facing the City regulator's biggest-ever cyberattack-related fine two years after its online services were hacked by criminals attempting to steal funds from customers.

Sky News has learnt that the Financial Conduct Authority (FCA) has warned Tesco that it is considering imposing a penalty of more than £30m on the company.

It follows an incident in November 2016 when Tesco Bank was forced to suspend all online transactions after it detected criminals trying to access its services.

The lender revised the number of customers whose savings were stolen downwards from initial estimates of 40,000 and subsequently 20,000.

Tesco Bank is understood to have eventually put the figure at fewer than 50 customers, all of whom were refunded within days, while no customer data was compromised.


A legal source said on Monday that Tesco Bank was contesting the scale of the FCA's proposed penalty and was in active negotiations with the watchdog about it.

A "substantially lower" sum could be agreed within the next few weeks although there was no guarantee that the issue could be resolved swiftly, according to the legal insider.

The size of the fine originally proposed by the FCA is likely to send shockwaves through City boardrooms, given the relatively limited extent of the Tesco Bank episode.

One analyst suggested that based on the number of customers who were affected, the FCA's initial proposal implied that Britain's biggest banks would in future face fines of hundreds of millions, or even billions, of pounds if they were hit by a large-scale cyberattack.

One bank executive said that such a large fine would send an "extraordinary" message to the UK's challenger banking sector at a time when ministers are desperate to improve competition across Britain's retail and small business banking industries.

A fine running into tens of millions of pounds for Tesco Bank would also look disproportionate in the context of a £500,000 penalty imposed by the Information Commissioner's Office last week on Equifax, the credit rating agency, which was hit last year by one of the biggest-ever corporate data breaches.

Since 2016, dozens of banks and other financial services institutions which handle consumers' money have been targeted by online criminals, forcing companies to allocate billions of pounds to bolstering their defences.

Regulators have warned bosses that they expect to see their firms demonstrating greater resilience to cyberattacks, and have begun working increasingly closely with officials at the National Cyber Security Centre on better prevention techniques.

Last December, Megan Butler, the FCA's director of supervision, said the regulator believed that there was "currently a material under-reporting of successful cyberattacks" by British banks.

"The number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry."

Tesco Bank has a total of six million customers across products such as current and savings accounts, credit cards and loans.

It made more than £200m in profit for its parent - currently the UK's largest retailer - during the last financial year, and has set out plans to expand its presence during the coming years.

Benny Higgins, Tesco Bank's high-profile chief executive at the time of the 2016 incident, has since retired from the role, and been replaced by Gerry Mallon, who joined from Ulster Bank.

At the time of the cyberattack, Andrew Bailey, the FCA chief executive, said it looked "unprecedented in the UK" and required urgent attention, although the sophistication and intensity of such incidents has evolved at a rapid pace in the nearly-two years since then.

Regulators have also become increasingly concerned about the number of IT systems failures which are unrelated to criminal activity.

Last week, millions of UK customers of banks including Barclays and NatWest - owned by the state-backed Royal Bank of Scotland - were temporarily left without access to their online accounts because of technical failures.

Nicky Morgan, the Conservative MP who chairs the Treasury Select Committee, said the problems were "yet another addition to the litany of failures of banking IT systems".

TSB, the UK's sixth-biggest bank, has struggled for months with the fallout from a systems transfer which has tarnished its reputation for customer service, raising the prospect of a swingeing FCA penalty.

The FCA and Tesco Bank refused to comment on Monday.