Financial Conduct Authority

Do more to protect customers' personal details, warns FSA

The Financial Services Authority (FSA) is urging firms to change their attitude to data security and do more to help prevent their customers falling victim to identity fraud and other types of financial crime.

The warning follows an FSA review of systems and controls for data security at 39 firms including banks, building societies, insurance companies and financial advisers.

There were examples of good practice across the industry; however, many firms still underestimate the risk of data loss and fraud to their businesses, and especially to their customers. This includes senior management at firms not recognising the value of their customers' data to fraudsters, or that staff could pose a similar threat to data security as that posed by computer hackers and burglars. Also, on occasions of significant data loss, firms seem more concerned about adverse media coverage than about being open and transparent with their customers. Following the review, one firm has been referred to enforcement.

Speaking at the FSA's annual conference on financial crime today (Thursday 24 April), Philip Robinson, Director of its Financial Crime and Intelligence Division, said:

"It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously. Customers have a right to be confident that firms are doing everything reasonably possible to keep their personal and financial details safe.

"Some firms have made progress by adopting good practice while others need to do more in this area to ensure that they are treating their customers fairly. Firms getting data security right is a key priority for the FSA and we expect the industry to raise its standards.

"This report provides a wealth of information including examples of good practice that could help firms benchmark their own systems and controls and make necessary improvements. We will follow up on this work with firms and will not hesitate to take action if future breaches are found."

The findings showed that:

  • Many firms are not proactively checking that third party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data;
  • Many large and medium sized firms devote adequate resources to data security risk but place too much emphasis on IT controls and not enough on staff awareness and training or regular risk assessments;
  • Many small firms were wholly reliant on compliance consultants, who did not understand the importance of data security within the firm.

Examples of good practice found at the firms visited included:

  • Encrypting laptops and transferring data via secure internet links to third parties;
  • Masking financial details where they are not necessary for staff to do their jobs;
  • Appointing a senior manager with overall responsibility for data security.

The FSA is addressing data security risks with firms through ongoing supervision and is increasing its visits to small firms to review their systems and controls. It is also publishing a factsheet to help senior management at small firms understand their data security responsibilities.

Notes for editors

  1. The full report – Data Security in Financial Services: firms' controls to prevent data loss by their employees and third-party suppliers – is published today.
  2. The FSA’s Financial Crime Conference is an annual one-day event which brings together industry practitioners to discuss the key challenges and priorities for tackling financial crime.
  3. In February 2007, the FSA fined Nationwide £980,000 for information security lapses and in December 2007, Norwich Union was fined £1.26 million for exposing its customers to the risk of fraud.
  4. Consumers can find information on how to stay safe and protect themselves from being a victim of financial crime on www.moneymadeclear.fsa.gov.uk. If any consumer thinks that they have been a victim of financial crime they should go to the Home Office website www.identity-theft.org.uk which has information on what to do and where to get further help.
  5. The Data Protection Act 1998 (DPA) gives legal rights to individuals in respect of personal data processed about them by others. It requires data controllers to take appropriate security measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data.
  6. The FSA regulates the financial services industry and has four objectives under the Financial Services and Markets Act 2000: maintaining market confidence; promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; and fighting financial crime.
  7. The FSA aims to promote efficient, orderly and fair markets, help retail consumers achieve a fair deal and improve its business capability and effectiveness.
