Tesco Bank has been fined £16.4m by the City watchdog over a "largely avoidable" cyber attack on the lender, in the first penalty of its kind.

The Financial Conduct Authority (FCA) said deficiencies at the bank had left account holders vulnerable to an incident that netted cyber criminals £2.26m.

The bank had received a specific warning that was not properly addressed until the attack had started and the response was "too little, too late", the watchdog concluded.

It is the first time the FCA has issued a fine for a cyber-related incident.

Tesco Bank said that since the incident in November 2016 it had "significantly enhanced" security measures, and apologised to customers.


The FCA investigation concluded that the lender failed to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.

It said cyber criminals exploited weaknesses in the bank's design of its debit card, its financial crime controls and in its financial crime operations team to carry out the attack over a 48-hour period.

Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine "reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks".

He added: "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.

"This was too little, too late.

"Customers should not have been exposed to the risk at all."

He said banks must ensure resilience against such crime "reducing the risk of a cyber attack occurring in the first place, not only reacting to an attack".

The FCA said that Tesco Bank would have been fined £33.6m - in line with a level of potential penalty first reported by Sky News - but for its cooperation with the investigation, a compensation programme for customers, and the fact that it had stopped "a significant percentage" of unauthorised transactions.

Tesco Bank said the cyber attack did not involve the theft or loss of any customers' data but led to 34 transactions where funds were debited from customers' accounts, and other customers having normal service disrupted.

The bank's chief executive Gerry Mallon said: "We are very sorry for the impact that this fraud attack had on our customers."

Tesco Bank has a total of six million customers across products such as current and savings accounts, credit cards and loans.

It made more than £200m in profit for its parent - currently the UK's largest retailer - during the last financial year, and has set out plans to expand its presence during the coming years.

Benny Higgins, Tesco Bank's high-profile chief executive at the time of the 2016 incident, has since retired from the role, and been replaced by Mr Mallon, who joined from Ulster Bank.

At the time of the cyberattack, Andrew Bailey, the FCA chief executive, said it looked "unprecedented in the UK" and required urgent attention, although the sophistication and intensity of such incidents has evolved at a rapid pace in the nearly-two years since then.