The Financial Conduct Authority has fined Tesco Bank for failing to adequately protect its customers' accounts from cyber attacks that saw criminals net £2.26m.
The City watchdog fined the bank £16.4m for failing to exercise due skill, care and diligence in protecting account holders from online fraudsters.
The regulator stated: "Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime."
The attacks, which occurred over 48 hours in November 2016, revealed holes in Tesco's debit card design and its financial crime controls, as well as in the effectiveness of its financial operations team in fending off the attacks.
Aside from the £2.26m illegally taken from customer accounts, more than 8,000 Tesco Bank personal current account holders were affected by the cyber attacks, receiving text messages, which were likely to cause ‘distress’.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
The FCA's final notice reveals Tesco Bank cooperated throughout the investigations.
Following the attack Tesco Bank implemented a comprehensive redress programme, employing ‘significant resources to improving the deficiencies that left the bank vulnerable to attack.’
The regulator also noted the bank has made significant improvements to its financial crime systems and controls, and enhanced the skills of those who operate them.
The bank would have faced a much larger penalty of £33.5m had it not cooperated and agreed to settle at an early stage of the regulator's investigation.
Mr Steward stressed the importance of maintaining security standards.
He said: "Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.
"The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack."
Helen Howcroft, managing director of Equanimity IFA, said: "Clients are already sceptical about registering for online financial services, such as investments, and becoming more so, if anything.
"If the industry cannot get a grip on this issue we risk people shying away from all types of saving and investing."