Key points and business impacts
- Highest fine yet for breach of information security requirements
- Emphasis on internal policies to drive enforcement consequences
- Firms must ensure compliance strategies are properly embedded within their business models at all levels
- The FSA expects to see compliance policies:
  - Assessed against current and emerging risks
  - Amended to mitigate identified risks
  - Implemented effectively
By final notice dated 17 December 2007, the FSA has fined Norwich Union Life ("NUL") £1.26 million for systems and controls failures relating to information security, which placed its customers at risk of financial crime. The failures were exploited by criminals who impersonated customers using publicly available information to target over 632 NUL policies in 2006. Through contact with NUL's call centres, they obtained, and in some cases altered, confidential customer information, including customers' contact addresses and full bank account details. The control weaknesses in NUL's customer identification procedures allowed criminals to instruct NUL to surrender 74 policies to criminals' bank accounts, resulting in a loss to customers of £3.3m, subsequently reimbursed in full by NUL.

Despite heightened awareness of the risks of financial crime both within NUL and its parent group ("the Aviva Group") and from external sources, the FSA found that NUL failed to take appropriate and timely action to prevent the failings by:
- Failing to undertake an adequate assessment of the financial crime risks it faced;
- Failing to assess whether its existing controls were adequate to manage those risks; and
- Failing to implement adequate and effective procedures to address those risks.
NUL agreed to settle at an early stage and therefore qualified for a 30% (stage 1) discount, reducing the fine from £1.8 million to £1.26 million.
Breach of Principle 3 - Failure to maintain effective systems and controls
The FSA based its case entirely upon Principle 3, but what is novel in the context of principles-based enforcement is the emphasis it placed upon the detailed weaknesses within NUL's customer contact policies to support its case, and the elevation of those policies to the status of regulatory rules when considering the enforcement consequences. The FSA also relied on a detailed analysis of the failings within NUL's response to identified risks even whilst the frauds were ongoing, and stressed that controls need to be reviewed regularly to combat emerging risks and the innovation of organised crime.
Prior to the period between 1 March 2005 and 30 November 2006, when the Principle 3 breaches occurred, Aviva Group's financial crime strategy and objectives for 2005 highlighted the growing threat from organised crime, the risk of identity fraud and the associated risks to the group of fraudulent investment surrenders through identity theft. By October 2005, NUL was required by the Aviva Group's Fraud Standards to undertake fraud risk assessments; implement preventative controls into new and existing systems and processes; and establish a fraud response plan to detail how fraud would be reported and investigated within NUL.
When NUL undertook a review of its systems and controls against the Aviva Group standards in April 2006, it omitted to consider the standards in relation to its call centre caller identification procedures, assuming that such procedures were solely in place in order to comply with data protection laws instead of also forming the first defence against fraud committed against the company and its customers. This was attributed to NUL's failure at business unit level to develop an effective fraud response plan, which would have enabled it to respond in "an appropriate and timely manner to the potential and actual risks arising from the series of actual and attempted frauds which occurred in mid 2006."
As it was, the fraud only came to light because one of the policies targeted for fraudulent surrender in April 2006 was that of the former director of an Aviva company. Compliance undertook an investigation into the attempted surrender and, in May and July 2006, warned NUL that its controls were inadequate.
Following FSA enforcement action in March 2006 (against Capita Financial Administrators), Compliance identified similar weaknesses in NUL's caller identification procedures and change of address procedures and recommended several changes, but due to concerns over customer service and the difficulties in changing automated procedures, action was not taken until the autumn. The FSA deemed that decision to be a failure to take reasonable care to protect NUL customers. The failure was exacerbated by the fact that by the summer of 2006 NUL knew that the fraudsters' methodology was to use publicly available information, yet call centre identification procedures remained the same for a "significant period".
By the end of July 2006 more frauds had come to light: of the 74 frauds identified, 9 were against directors or former directors of NUL and the Aviva Group. Although NUL made a concerted effort to identify, inform and protect its and Aviva's current and former directors, it failed to take equivalent action with respect to the 65 policyholders who were not connected with the business. Effective action to protect the remaining customer base by preventing the disclosure of policy numbers and bank account details over the telephone was not taken until November 2006.
The FSA considered that had NUL responded to Compliance's concerns immediately, the majority of both information and financial losses would have been prevented.
Internal standards and principles-based regulation?
NUL's failure adequately to review its systems and controls in light of Aviva Group's specific reference to a fraud to which NUL was at high risk was considered "particularly serious" by the FSA. This action shows that the FSA will not hesitate to focus on firms' internal procedures to evidence regulatory failures. This is an innovative use by the FSA of firms' internal policies in the enforcement environment.
The FSA appears to be assigning yet more responsibility to firms not only to develop compliance strategies which are embedded within their business models to align risk to the FSA's regulatory objectives with other internal business risks (see in particular the FSA's "Dear CEO" letter of July 2007 to investment banks regarding the management of compliance risk) but also to expect regulatory consequences to flow from failings in or non-compliance with those strategies - regardless of whether they are mirrored by hard regulatory requirements. The language of the final notice is particularly instructive: the FSA makes reference to NUL being "obliged" or "required" to assess its anti-fraud standards against the Aviva Group standards – rather than against any external regulatory standard. The external enforcement of this internal requirement may give compliance teams pause when seeking to introduce "best practice" rather than "good practice" across their businesses.
This case should also highlight to firms that any Group policies must be properly implemented through detailed systems and controls embedded in the business and that the FSA will assign such failures the same status as breaches of specific regulatory requirements.
Information security: wider issues
The FSA's enforcement action against NUL is novel in that the FSA was able to rely heavily on the lack of embedding of internal group policies and the failure of management to implement Compliance suggestions and ensure there was a clear responsibility for NUL's response plan to any frauds. By considering the external awareness of information security risks as an aggravating factor the FSA also reminds firms yet again that they must familiarise themselves with informal "guidance" including FSA publications, enforcement actions and publications from government and other industry organisations.
In particular, firms should note that in its October 2007 Financial Crime Newsletter the FSA has specifically reminded firms that it is their responsibility to ensure that their appointed representatives take sufficient care to protect clients' confidential information:
"Firms should do more than expect appointed representatives to hold a Data Protection Act licence. They should satisfy themselves that their appointed representatives have adequate safeguards in place to protect client data for which they owe the client a duty of care. Firms must perform further checks to ensure appointed representatives are holding confidential information securely."
It would be prudent for firms to review their contractual arrangements with their appointed representatives in the light of this further piece of "soft guidance".