The numbers involved have come down from Monday's headlines. The money has been refunded. But that's not the end of the matter.
Speculation continues as to the cause of one of the largest single-incident banking frauds in the UK. Tesco Bank says it knows but is unable to release details whilst investigations are ongoing. So we, the public, are none the wiser at this stage.
What we do know though is:
- Banks are under regulatory obligations to both the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO) to ensure that their systems are secure, and that the information they process and store is secure. Both are therefore likely to be interested in the results of Tesco Bank's investigation (Tesco Bank has so far said that personal data was not compromised, which may influence the level of ICO involvement).
- Tesco Bank has moved quickly to refund customers, releasing a statement yesterday to confirm that the total cost is around £2.5m and that 9,000 customers (down from the 20,000 first reported) were affected. Whilst meeting its regulatory obligations, Tesco Bank will also have been mindful of the brand impact that incidents such as these can have.
- Concerns have been raised over the possible impact on customers' willingness to use internet/mobile banking. It seems unlikely that a single incident such as this will change customer behaviour; however, it is entirely possible that awareness of online security and reputation will become a growing factor in the choice not just of who we bank with, but of where we shop online more generally.
- Concerns have been voiced as to whether, given Tesco Bank's position as a new challenger bank, the incident may affect customers' willingness to switch away from the more established institutions.
There's also an interesting legal/compliance angle created by the number of interested parties. The Bank of England, the National Crime Agency, the FCA and the ICO are all potentially involved.
Fast forward the clock and, under the new Network and Information Security (NIS) Directive (adopted by the European Parliament in July), a further authority may be interested. This raises an interesting question of inter-regulator co-operation and co-ordination, and whether, in order to help organisations meet their regulatory obligations, some form of standardisation is possible across, for example, reporting procedures and the information to be reported.
One footnote: as with a lot of things based around Europe, there is a degree of uncertainty as to whether or not the NIS Directive will find its way into UK law. However, given the timetable the UK government is currently working to for triggering Article 50, it is likely that it will be adopted before we leave.