FSA focus on assessment and management of data security risks

The FSA has fined stock-broking firm Merchant Securities Group Limited (Merchant Securities) £77,000 in respect of weaknesses in its data security controls that left its customers exposed to the risks of loss or fraud.

Key points and business impacts

  • The FSA is focussing on how firms are identifying and managing their data security risks;

  • Poor data security controls may lead to regulatory fines even where there is no evidence of actual information compromise or consumer detriment;

  • The FSA considers the use of instant messaging and web-based email at work by employees with access to personal data carries significant risks; and

  • Firms should conduct regular risk assessments, and take steps to benchmark existing information security systems and controls against developing FSA "soft" guidance.

Herbert Smith's "Healthcheck" can help clients to ensure they are compliant.

Overview

By Final Notice dated 13 June 2008, the FSA imposed a financial penalty of £77,000 on Merchant Securities, a stock-broking firm with some 850 retail and institutional customers, for breaches of Principle 3 of the FSA's Principles for Business.

The decision is the latest in a series of financial penalties imposed against firms for failures to take reasonable care to ensure they had effective systems and controls to manage risks relating to information security and to counter the risks of being used to further financial crime.

The shortcomings in this case were not identified by the firm, but came to light in the course of a thematic visit by the FSA. Merchant Securities was one of 39 financial service providers visited in 2007 as part of the FSA's ongoing programme of work on identifying and mitigating risks to the FSA's statutory financial crime objective. The purpose of the visit was to review how the firm assessed and managed its data security risks and how it safeguarded customer data.

The systems and controls in place at Merchant Securities were found to be inadequate in the following respects:

  • Procedures in place to verify the identity of customers over the telephone relied on advisers recognising customers' voices, and informal discussions about personal matters, rather than on a formal security procedure – this left customers vulnerable to the risk of impersonation;

  • Client account numbers were included in routine written communications to customers – this carried the risk of correspondence being intercepted and customer details being misused;

  • Procedures for storage of back-up tapes containing unencrypted personal client information were inadequate and not secure – tapes were stored overnight in a bag at the home of a member of staff;

  • The use of instant messaging and web-based email by employees, including some employees with access to relevant customer data on their computers, was not adequately controlled or monitored.

Each of these practices placed customer data at risk of loss, theft or alteration.

Significantly, the FSA's investigation revealed no evidence that customer data had been compromised in this case. The fine demonstrates that the FSA "will not wait until information has been lost or stolen before taking action".

Focussing on the risks of Financial Crime

The Merchant Securities decision is a further reminder of the priority that the FSA is placing on scrutinising firms' information security systems and controls, and it also demonstrates that the FSA will take enforcement action in relation to issues identified in the course of its thematic work.

The FSA stressed that the gravity of Merchant Securities' failings was exacerbated by the fact that they were detected in October 2007, at a time of heightened public awareness of the need for information security, and well after the publication of the FSA's first enforcement actions in respect of systems and control issues in relation to the prevention of financial crime.

Since 2004, the FSA has focused its resources on raising awareness amongst financial service providers of the need to take positive action to reduce the risks of financial crime. Specifically, through a series of speeches and publications, the FSA has provided extensive soft guidance to firms highlighting the need for attitudes towards data security to change and for more to be done at every level to protect customers' personal details.

Enforcement action by the FSA in the last three years has seen substantial fines imposed on firms for failure to identify and mitigate risks of financial crime, including Norwich Union (£1.26 million); BNP Paribas (£350,000); Nationwide (£980,000) and Capita Financial Administrators (£300,000). Each of these fines related to weaknesses in the firms' information security and anti-fraud controls, and the cases illustrate the range of issues that can arise due to failures in information security.

The FSA's report on its thematic work

The FSA published the results of its thematic work on data security controls (of which its visit to Merchant Securities was a part) in April. The conclusion was that poor data security remains a serious and widespread risk. The FSA considers that most firms in the financial service sector still need to significantly improve their controls in order to prevent data loss or theft.

The report highlights examples of good practice across the industry and identifies the key areas where many firms need to take further measures, including the following:

  • Senior management at firms need to recognise the value of their customers' data to fraudsters, and that staff can pose a threat similar to that posed by computer hackers and burglars;

  • Firms should proactively check that third party suppliers vet their employees;

  • Firms should have adequate security arrangements to prevent unnecessary access to customer data;

  • Large and medium sized firms need to focus more on staff awareness and training, and on regular risk assessments, rather than relying too heavily on IT controls;

  • Small firms rely too heavily on compliance consultants who often do not understand the importance of data security within the firm.

This report is not formal FSA guidance. Nevertheless, the FSA clearly expects firms to make use of the information available, and suggests that "if firms fail to take account of [the] report and continue to demonstrate poor data security practice, we may refer them to Enforcement".

Comment

Although the amount of the fine in this case is comparatively small, that is essentially a reflection of the size, financial resources and other circumstances of the firm. (The firm also settled at an early stage for a 30% discount.) The size of the fine should not be seen as an indication that the FSA is in any way relaxing its stance on data security.

On the contrary, it is clear that the FSA considers that firms are still not taking the risk of identity theft, in particular, sufficiently seriously. Getting data security right remains one of its key priorities, and the FSA has said it will not hesitate to take action if future breaches are found.

The move towards a more principles-based regulatory approach places the onus firmly on firms to take appropriate action to respond to information and "soft" guidance provided by the FSA. The final notice in the Merchant Securities case expressly refers to the firm's failure to pay proper heed to the FSA's warning signals. The decision itself, and the FSA's report on its thematic work on data security controls, both constitute further "soft" guidance, and highlight the FSA's continuing concerns.

In the wake of this latest enforcement action and the report on the thematic work, it would be prudent for firms to consider reassessing their existing systems in the light of the issues highlighted in these documents, and to identify areas where customer data may be at risk.

Herbert Smith's "Healthcheck" product can assist clients to do so in a cost effective and managed way. For further information about this product, please contact Peter Burrell or Nichola Peters.


The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

Herbert Smith LLP, Gleiss Lutz and Stibbe are three independent firms which have a formal alliance.

© Herbert Smith LLP 2008
