In December 2007, the FSA fined Norwich Union Life a record £1.26m for failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The decision is the most recent example of a high-profile company falling foul of data protection laws.

From April 2006, Norwich Union Life was the target of organised fraud. Telephone callers, using information obtained from public sources such as Companies House, contacted Norwich Union Life posing as genuine customers. They were able to amend address and bank account details, and falsified written surrender requests were submitted. In 74 cases, funds were paid out to fraudsters, to a total of approximately £3.3m.

One of the FSA’s chief concerns was the low priority given to financial crime risks. It noted that key steps could and should have been taken earlier, which would probably have prevented both the breaches of customer confidentiality and the financial losses from the fraud. The size of Norwich Union Life and its customer base made its failings all the more serious, as did the fact that Norwich Union Life had effectively allowed the losses to occur by not reacting to obvious and known risks.