Tesco could be potentially be hit with a multi-million pound fine by City regulators in the wake of an unprecedented attack on its banking arm that saw money taken from about 20,000 current accounts.

The lender was plunged into chaos and was forced to suspend all online transactions from current accounts after it detected online criminal activity over the weekend.

Benny Higgins, head of Tesco Bank, said that about 40,000 accounts were affected, with money taken from half of them, although the bank gave few details about the nature of the attack.

If regulators find that failures in Tesco Bank’s systems and controls contributed to the incident the lender could be in hit with a penalty, on top of the cost of refunding customers affected and any other compensation.

The Financial Conduct Authority (FCA) is leading the City’s response to the attack although the Bank of England’s Prudential Regulation Authority (PRA) is also in touch with the firm. Two years ago, the FCA and PRA fined Royal Bank of Scotland a combined £56m after a computer systems failure lasting a number of weeks affected 6.5m customers.

Mr Higgins told the BBC’s Today programme that the cost of refunding customers was “a big number but not a huge number”. It began the process this afternoon and aims to have returned all the missing funds to customers by the end of tomorrow.