The UK Financial Services Authority (FSA) ended 2007 with its biggest fine of the year: On December 17, Norwich Union Life was fined £1.26 million for failing to have adequate systems and controls in place to protect customers' confidential information and manage its financial crime risks. The failings resulted in a number of actual and attempted frauds against the firm's customers.

Norwich Union Life is one of the UK's largest life insurance businesses, with 6.8 million customers in the UK. The fine is the fourth the FSA has imposed in two years for failings relating to information security lapses and fraud (see in particular the April 2007 Update detailing the FSA's action against Nationwide Building Society). The significant size of the fine against Norwich Union Life reinforces the FSA's clear message that firms must ensure the security of their customers' information. The fine would have been £1.8 million, but early settlement of the action through the FSA's executive settlement procedure qualified the firm for a 30 percent discount.

The basis of the fine against Norwich Union Life was breach of Principle Three of the FSA's Principles for Businesses: "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk-management systems."

In this case, fraudsters had accessed the personal details of the firm's customers through its call center and attempted fraud against 632 policies. They managed to fraudulently surrender 74 policies, worth £3.3 million in total. The FSA found that Norwich Union Life's controls to protect customers from this type of fraud were inadequate. Other features of the case were that the firm did not take sufficient action in a timely manner to change its customer services policies and, remarkably, at the outset only took certain steps to inform and protect directors of the firm who had been subject to the fraud; equivalent action was not taken to inform and protect all policyholders.

This is an area that has received significant attention from the FSA in recent years and will continue to do so. It is clear that any failings by firms relating to information security lapses and fraud will be treated very seriously by the FSA. A report from the FSA on systems and controls used by a range of financial services firms to protect their customers' data is expected to be published this year.