Vocalink’s £11.9m Fine: Getting Remediation Governance Right
In a landmark enforcement move, the Bank of England fined Mastercard’s Vocalink £11.9 million for failures in risk management and remediation oversight. Vocalink operates the UK’s core retail payments systems, including Bacs, Faster Payments, and the ATM Link network.
This is the first time the Bank has imposed a financial penalty on a financial market infrastructure (FMI) provider, sending a strong signal about the expectations for operational resilience and governance in critical services.
What Happened?
Key Takeaways for Remediation, Assurance and Governance
1. Remediation Programmes Must Be Risk-Led
First, even well-structured programmes need formal integration with risk management. Vocalink had milestones, a steering committee, and board oversight, but scope changes were often handled informally by the first line without engaging Risk or Audit.
Lesson: Build remediation into your enterprise risk framework. Ensure any scope changes and decisions go through formal governance with clear documentation.
2. Assurance and Validation Must Be Timely and Transparent
Second, assurance is only valuable if it is delivered and escalated in time to influence decisions. Vocalink engaged consultants and internal audit, but key findings were not surfaced when they mattered most.
Lesson: Treat assurance as a live governance input. Ensure all findings, positive or negative, are escalated promptly to the Board and risk committees.
3. The Three Lines of Defence Must Operate Fully
Third, having the three lines in name is not enough. At Vocalink, second-line Risk wasn't always consulted on key scope changes, and Internal Audit did not formally assess compliance before sign-off.
Lesson: Engage all three lines from the start. Embed them in project governance, not just in post-delivery checks.
4. Boards Must Receive All Relevant Information
Finally, Boards can only make sound decisions if they see the full picture. Vocalink’s Board confirmed compliance without knowing about critical assurance reports that were only escalated months later.
Lesson: Establish clear escalation protocols that guarantee all material assurance output, especially negative findings, is shared with the Board before key decisions are taken.
Checklist for Boards and Executives
Before signing off on major remediation programmes, Boards and executives should ask themselves:
Why It Matters Beyond FMIs
While this fine targets a payments infrastructure provider, the lessons apply to all firms running critical services or complex change programmes.
Any Board approving a regulatory commitment or major remediation must demand robust risk governance, integrated assurance, and a clear line of sight to unfiltered findings. Weaknesses in escalation, assurance, or the three lines of defence can undermine even the best intentions and expose firms to regulatory, financial, and reputational risks.
Final Thoughts
The Bank of England’s action against Vocalink shows that systemically important firms must prove not only that remediation work is completed, but that it is rigorous, validated, and transparently governed at every level.
Boards and executive teams should ensure remediation is treated as a core risk programme, with robust assurance, clear escalation routes, and genuine challenge from all three lines. In today’s regulatory environment, anything less creates unacceptable risk to firms, customers, and the wider financial system.