The Financial Conduct Authority (FCA) said the attack was the subject of a “very specific warning that Tesco Bank did not properly address until after the attack started”.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: “This was too little, too late. Customers should not have been exposed to the risk at all.”
Tesco Bank said the fraud did not involve the theft or loss of any customers’ data, but led to 34 transactions in which funds were debited from customers’ accounts, and disrupted normal service for other customers.
The FCA said cyber attackers exploited deficiencies in the design of Tesco Bank’s debit card and its financial crime controls to carry out the attack, which netted the cyber attackers £2.26m in 48 hours.
Steward added: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”
The regulator said the fine would have been £33.5m had Tesco not cooperated fully and agreed to an early settlement.
Gerry Mallon, Tesco Bank chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”