The FSA’s financial crime and intelligence sector has carried out a review of the data security systems and controls in place at 39 UK companies operating across all of the different financial services sectors. The review found that many firms still underestimate the risk of data loss and fraud to their business and their customers.

Reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime is one of the FSA’s statutory objectives. In view of this, neither the review itself nor the FSA’s criticism of current practice should come as a surprise. The FSA obliges firms to ensure data security through its Principles for Business, which state: “a firm must conduct its business with due skill, care and diligence” (Principle 2) and “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems” (Principle 3). In addition, the Systems and Controls section of the FSA handbook (SYSC) requires firms to establish and maintain systems and controls to avoid the risk that the firm might be used to further financial crime (SYSC 3.2.6A). Further, firms that are data controllers and are processing individuals’ personal data must comply with the Data Protection Act 1998, including the 8 data protection principles. The seventh principle requires firms to take appropriate security measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data. When firms pass personal data to third party suppliers they must still comply with this principle.

It would appear from the report “Data Security in Financial Services” that firms are not doing enough to meet their statutory and regulatory obligations.

Firms are not identifying all aspects of data security risk for three main reasons: 1) they do not appreciate the gravity of the risk, 2) they do not have the expertise to assess risk factors and implement mitigation techniques and 3) they fail to devote or co-ordinate adequate resources to the matter. The FSA feels firms focus far too much on technical security measures rather than on broader, organisational security issues such as office procedures, monitoring and due diligence. Firms’ risk assessment of their exposure to data loss is weak; vetting of staff is largely focused on more senior staff, with little appreciation that junior staff may also facilitate financial crime; and the implementation of policies is patchy, overly focused on training that is rarely relevant and with little testing of staff comprehension. The FSA found insufficient procedures were in place to ensure that only those people who required information could access it. Firms were also found to be more concerned about negative media coverage in the event of a significant data loss than about being open and transparent with customers about what had happened and how they were rectifying the problem.

It was also noted that very few firms check how their third party suppliers vet employees or what their security arrangements are.

It is clear the FSA expects firms to understand their legal and regulatory obligations, to assess the risks they face, to develop appropriate policies, to co-ordinate their implementation across all relevant sectors of the firm and to enforce and test compliance with policies and procedures. As a starting point, firms should consider the 16 pages of the report containing examples of both good and bad practice, to benchmark their own practices and to install more effective controls. The report is not, however, intended to constitute formal guidance.

The FSA takes the issue of data security seriously and has warned that it may take enforcement action, for example where firms fail to encrypt customer data that is taken offsite. In 2007 it dealt with 56 cases of lost or stolen customer data from financial services firms and has issued several substantial fines, including the fine imposed in February 2007 on Nationwide (£980,000) and that imposed in December 2007 on Norwich Union (£1.26 million). In addition, the FSA will be issuing guidance to supervisors to ensure data security is reviewed as part of normal supervision.

The full report is available here. For small firms, the FSA will be publishing specific data security fact sheets and a monthly regulation round-up e-mail. A short report relating to smaller firms will be available from the FSA website soon. The British Insurance Brokers Association will also be publishing a guide for members on protecting their business from financial crime.