Phillip Robinson, Director of the FSA's Financial Crime and
Intelligence Division, said the industry must raise its
standards.
"It is worrying that despite increased public awareness of the
impact that identity theft can have on customers, many firms are
still not taking this risk seriously," he said. "Customers have a
right to be confident that firms are doing everything reasonably
possible to keep their personal and financial details safe."
"Some firms have made progress by adopting good practice while
others need to do more in this area to ensure that they are
treating their customers fairly. Firms getting data security right
is a key priority for the FSA and we expect the industry to raise
its standards," he said.
Robinson was speaking at the FSA's annual conference on
financial crime last Thursday. The regulator's report, based on a
survey of systems and controls at 39 banks, building societies,
insurers and financial advisers, was published the same day.
The report claims that many organisations underestimate the
seriousness of the threat and fail to recognise the value of their
customers' data to fraudsters. It also warned that many
organisations underestimate the threat posed by their own
staff.
The report states: "Firms’ vetting of staff is variable. In most
firms, more-stringent vetting is applied to staff in senior
positions – there is little consideration of the risk that junior
staff with access to large volumes of customer data may facilitate
financial crime. Consequently, very few firms conduct criminal
record checks on junior staff. In addition, few firms repeat
vetting to identify changes in an individual’s circumstances which
might make them more susceptible to financial crime."
The FSA is also worried that many firms are not proactively
checking that their third-party suppliers vet their employees or
have adequate security arrangements in place to prevent unnecessary
access to customer data. Organisations often use third parties to
provide IT maintenance or back-up services, but suppliers of other
services, such as cleaners and security staff, may pose just as
great a risk.
In the past, when a serious data loss has occurred, the FSA
found some firms were more concerned about avoiding adverse
publicity than telling their customers what had happened. But, the
report noted, many organisations are beginning to take a more
responsible approach and now write to customers to explain the
circumstances and give advice on how they can protect
themselves.
Examples of good data security practice in the report include
encrypting laptops, transferring data only through secure internet
links and masking financial details from staff who do not need to
know them to do their jobs.
In a foreword to the report, Information Commissioner Richard
Thomas said: "I am disappointed – but not altogether surprised –
that the FSA has found that financial services firms, in general,
could significantly improve their controls to prevent data loss or
theft."
"The financial services industry needs to pay close attention to
what its regulator is saying here," he said.
This story was written by the insurance and reinsurance legal experts at Pinsent Masons, the law firm behind OUT-LAW.COM.