The protection of customer data is a key area of focus for the Financial Services Authority (FSA). In this briefing we consider the lessons that firms can learn from recent regulatory actions against firms for data security breaches and some practical ways that firms can improve systems and controls in the light of the FSA’s recent report on data security (Data security in financial services: firms’ controls to prevent data loss by their employees and third party suppliers).

The importance of data security

Data security is a major priority for the Financial Services Authority (FSA). This reflects the increasingly sophisticated methods being employed by fraudsters in obtaining and using customer data to commit financial crimes. Over the past few years, a number of firms that lost customer data have found themselves exposed to regulatory action, monetary loss due to the commission of identity frauds and significant reputational damage.

Recent regulatory actions

In March 2006 the FSA fined Capita Financial Administrators £300,000 for poor anti-fraud controls over client identities and accounts. Capita was a third party administrator for collective investment schemes and was responsible for maintaining client records and carrying out client instructions on the purchase and repurchase of investments. Capita discovered a number of actual and attempted frauds against clients that had been carried out by a small number of its staff. The FSA found that Capita did not undertake an adequate assessment of its fraud risk, especially the risk of internal fraud, and did not take adequate steps to ensure that it had effective controls to reduce the risk of fraud.

In February 2007 Nationwide Building Society was fined £980,000 by the FSA for failing to have effective systems and controls for the use and storage of customer information on portable storage devices. The failings came to light following the theft of a laptop from a Nationwide employee’s home in 2006. The FSA also found that Nationwide did not have adequate procedures to respond to a data security incident once it had occurred. Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.

In December 2007 Norwich Union Life was fined £1.26m by the FSA for not having effective systems and controls in place to protect customers’ confidential information and manage its financial crime risks. Fraudsters were able to use publicly available information (such as names, addresses and dates of birth) to impersonate customers on the telephone and pass the firm’s caller identification procedures. Once these procedures had been passed, the fraudsters could obtain further confidential information (such as policy numbers). The fraudsters were also, in some cases, successful in amending records of customer details such as addresses and bank account details. The fraudsters then instructed Norwich Union Life to surrender the proceeds of customers’ policies into fraudulent accounts. A total of £3.3m was extracted from 74 surrendered policies. Norwich Union Life also failed to address the issues in an appropriate and timely manner even after they were identified by its compliance department.

In February 2008 the Information Commissioner’s Office (ICO) found that Skipton Financial Services breached the Data Protection Act 1998 after an unencrypted laptop containing personal information on 14,000 customers was stolen from one of its contractors. The ICO decided that Skipton had a responsibility to introduce adequate security procedures and safeguards (eg password protection and encryption) to protect personal information stored on laptops.

Regulation by the FSA and the ICO

Financial services firms that handle customer data face regulatory supervision in this area from the FSA and the ICO. The FSA will take enforcement action against firms for breaches of its Principles for Business, in particular Principle 2 that a firm must conduct its business with due skill, care and diligence and Principle 3 that a firm must take reasonable care to establish and maintain effective systems and controls. Meanwhile, the ICO is responsible for monitoring firms’ compliance with the Data Protection Act 1998, which includes requirements for firms to introduce appropriate organisational measures against unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data. To date, the ICO has lacked the FSA’s enforcement powers. It has historically been limited to regulating behaviour by issuing enforcement notices with no authority to sanction for breaches of the Data Protection Act, no matter how serious. However, the Criminal Justice and Immigration Act 2008 will provide the ICO with greater powers to impose financial penalties on firms for breaches of the Data Protection Act that are likely to cause substantial damage or distress.

In practice, the FSA and ICO already co-operate closely in determining the appropriate standards that firms have to meet. It is likely that this co-operation will extend to the realm of enforcement once the ICO’s powers are strengthened under the new legislation, thereby avoiding the prospect of firms being penalised twice, although there is still scope for firms to face significant regulatory overlap in this area.

FSA report on data security in financial services

In April 2008, the FSA’s financial crime and intelligence division produced a report describing how financial services firms in the UK are failing to address the risk that their data may be lost or stolen and may as a result be used to commit financial crimes. The report sets out the findings of a review of industry practice and standards in managing the risk of data loss or theft by employees and third party suppliers.

It concludes that poor data security is a serious, widespread and high-impact risk to the FSA’s objective of reducing financial crime. ‘Some progress has been made… However there exists a very wide variation between the good practice demonstrated by firms committed to ensuring data security and the weaknesses seen in firms that are not taking adequate steps to treat fairly the customers whose data they hold’ and goes on to state that, ‘Overall, data security in financial services firms needs to be improved significantly.’

The report sets out examples of good and bad practice in relation to data security and, although it does not constitute formal guidance, the FSA expects firms to use its findings ‘to translate them into a more effective assessment of this risk and to install more effective controls as a result’. Particular issues highlighted in the report include the following.

Governance

  • Good practice: includes appointing a senior manager with overall responsibility for data security, specifically mandated to manage data security assessment and communication between the key stakeholders within the firm; having a committee with representation from relevant business areas to assess, monitor and control data security risk, reporting to the board; having written data security policies and procedures that are proportionate, accurate and relevant to day-to-day work; having clear reporting mechanisms for staff to report data security concerns and data loss; and having detailed plans for reacting to a data loss, including when and how to communicate with affected customers.
  • Bad practice: includes treating data security as an IT issue and failing to involve other key staff from across the business in the risk assessment process; not having written policies and procedures on data security; failing to notify customers affected by data loss in case the details are picked up by the media; and having a ‘blame culture’ that discourages staff from reporting data losses.

Training and awareness

  • Good practice: includes running innovative training and awareness campaigns on financial crime risks arising from poor data security; having simple and easily digestible guidance for staff on good data security practice; and testing staff understanding of data security policies on induction and annually afterwards.
  • Bad practice: includes not having training to communicate policies and procedures; and relying on staff to sign an annual declaration stating that they have read policy documents without any further testing.

Staff recruitment and vetting

  • Good practice: includes enhanced staff vetting for roles with access to customer data (including checking credit and criminal records); and understanding the level of vetting conducted by employment agencies during recruitment of temporary and contract staff.
  • Bad practice: includes allowing new recruits to access customer data before vetting has been completed; and conducting less rigorous vetting for temporary staff than for permanently employed colleagues carrying out similar roles.

Controls

  • Good practice: includes having specific IT access profiles for each role in the firm; masking sensitive data that is not required by employees; ensuring that passwords are robust; proactively monitoring staff access to customer data and using software to spot suspicious activity by staff; encrypting backed-up data that is held off-site, including while in transit; transferring backed-up data by secure internet links; blocking access to all internet content that allows web-based communication; carrying out regular sweeps for key-logging devices in parts of the firm where employees have access to large amounts of, or sensitive, customer data; and encrypting portable devices (eg laptops) and media (eg CDs) containing customer data and holding regular audits of their contents.
  • Bad practice: includes giving staff access to customer data that they do not require; password sharing; failing to monitor staff with access to large amounts of customer data; failing to make regular use of management information about access to customer data; not having clear and consistent procedures for backing up data; holding back-up tapes insecurely; allowing access to web-based communication internet sites; having unencrypted customer data on laptops or portable media; and failing to review regularly the threats posed by evolving personal technology such as mobile phones.

Physical security

  • Good practice: includes restricting access to areas where large amounts of customer data are available; strategic use of robust intruder deterrents; using robust procedures for logging visitors and adequately supervising them while on-site; and locking filing cabinets and enforcing a clear-desk policy.
  • Bad practice: includes allowing staff and other persons with no genuine business need to access areas where customer data is held; and failing to lock away customer records/files when the office is left unattended.

Disposal of customer data

  • Good practice: includes limiting production of paper-based customer data and treating all paper as ‘confidential waste’; using a third party supplier (preferably one with British Security Industry Association (BSIA) accreditation that provides a certificate of secure destruction) to shred or incinerate paper-based data; providing guidance for travelling or home-based staff on the secure disposal of customer data; and properly wiping or destroying computer hard drives and portable media as soon as they become obsolete.
  • Bad practice: includes poor staff awareness of disposal procedures and failing to ensure that customer data is securely disposed of; and stockpiling obsolete computers and other portable media for too long and in insecure environments.

Managing third party suppliers

  • Good practice: includes conducting due diligence of third party suppliers’ data security standards before agreeing contracts and holding regular reviews thereafter; allowing third party IT suppliers access to customer databases only for specific tasks on a caseby- case basis; imposing procedures on third party suppliers for reporting data security breaches within an agreed time frame; and using secure internet links to transfer data to third parties.
  • Bad practice: includes allowing third party suppliers access to customer data without performing due diligence of data security arrangements; and sending unencrypted customer data to third parties and using unregistered post.

Internal audit and compliance monitoring

  • Good practice: includes compliance and internal audits, conducting specific reviews of data security that cover all relevant areas of the business including IT, security, HR, training and awareness, governance and third party suppliers; and enlisting external assistance if firms do not have the necessary in-house expertise.
  • Bad practice: includes focusing only on compliance with data protection legislation and failing to consider adherence to data security policies and procedures.

Liaising with the FSA

Given the tone and content of the FSA’s report, as well as the enforcement action that the FSA has recently taken, firms need to ensure that they have clear and consistent procedures to protect the customer data that they handle. However, there is always a risk that customer data will be lost or stolen, no matter how robust procedures are. If an incident occurs, a firm should consider its reporting requirements to the FSA and take advice if necessary. While the FSA recognises that firms cannot completely eliminate the risk of having data lost or stolen, when it is notified of an incident it will consider the strength of the firm’s systems and controls and its response to the incident.

In these circumstances, it is vital for a firm to demonstrate to the FSA that, notwithstanding the incident, the issue of data security is taken seriously at all levels within the organisation. It is not sufficient to point to clear and comprehensive written policies; there should also be evidence of regular checks having been carried out, showing that staff are complying with those policies. Furthermore, firms can not pass the blame for losing data to third party contractors. The FSA expects firms to vet their contractors’ procedures and to transfer data to them securely. Moreover, at the start of any new arrangement with a third party, the firm should consider whether its standard transfer policies are suitable.

A firm’s reaction to an incident should include both incident-specific responses (eg informing customers who may be affected, limiting the risks of financial crime by introducing new protections on accounts and monitoring the fallout from the incident on a continuing basis) and systemic responses (eg conducting audits to identify the root cause of the incident, instructing external consultants to assist with audits if necessary, being receptive to any input from the FSA over the scope of audits and strengthening policies and procedures where appropriate). Data security policies and procedures are unlikely to be prescriptive for every situation and it is often only after an incident has occurred that a firm is alerted to a potential weakness in them. However, once alerted, the firm will need to take steps quickly to address any issue that arises.