Data Security in the Financial Services Industry

Introduction

The Financial Services Authority (FSA) published its report entitled "Data Security in Financial Services" (the report) in late April 2008. The report describes what financial services firms are doing to protect their customers' data and to protect against the risk that it might be lost or stolen and used to commit fraud or other financial crime. It also sets out examples of good and bad practice.

The Financial Services Authority Report

Data security is particularly relevant at the moment following the recent high profile data breaches by both public and private sector organisations. Both the FSA and the Information Commissioner, who is charged with the enforcement of the Data Protection Act 1998 (DPA), share the joint goal of ensuring that customers' data is adequately protected within their respective remits.

The report does not constitute formal guidance, but the FSA says that it expects financial services firms to use the findings, to translate them into a more effective assessment of the risk and to install more effective standards as a result. The FSA is driven to protect the reputation of the entire financial services industry and to ensure that consumers have confidence in the financial system.

In order to compile the report, the FSA sought the views of stakeholders and visited 39 FSA regulated firms including retail and wholesale banks, investment firms, insurance companies, financial advisers and credit unions. The firms ranged from small concerns up to national and even international chains.

A timely reminder

In relation to the outsourcing of contracts, the report offers a useful reminder that even where a firm may have entered into a contract which it regards as low risk or low value, such as contracts with office cleaners, document couriers or catering staff, those services can have a big impact in terms of the potential for data security breaches.

In addition, it is not enough to have robust contractual provisions entitling the firm to audit its service providers or to obtain references in relation to the service provider's employees, if the firm does not have methods in place to police the contract in practice and does not actually make use of those provisions set out in the contract.

Conclusions set out in the report

The report concludes that poor data security is a serious, widespread and high-impact risk to the FSA's objective to reduce financial crime. Although firms are starting to consider data security more carefully in the light of the recent data security breaches, overall, data security in financial services firms needs to improve significantly.

A user guide to the report

The report is extremely comprehensive and also fairly lengthy (at 100 pages in total). It may therefore seem daunting, albeit necessary, for firms' compliance officers to tackle yet another piece of guidance and take its recommendations on board. The findings of the report are divided into distinct categories. The report is also interspersed with practical examples of both good and bad practice in each of the categories. There are consolidated examples of good and poor practice to be found in the penultimate chapter of the report for those who like their data in tabular form.

The report can be sobering reading at times. For example, the report sets out the following example of an "alarming basic lapse in physical security":

"A medium sized investment firm, where the cleaners and main building receptionist had not been vetted but had full access to the firm's offices. We were told that the receptionist had no business need to access the offices but sometimes came in to use the microwave. The same firm did not operate a clear-desk policy."

What is frightening is that most organisations can probably relate to the scenario above. Often, businesses will have a policy or procedure in place, but either staff are not aware of it or there are instances where that policy is ignored and informal practices are condoned. The report emphasises the need for senior management to review and strengthen current procedures. Restricting the number of staff that have access to areas where customer information is present is key to making sure that customer data is protected.

Some issues to think about...

Rule 3.2.6R in the FSA's Senior Management Arrangements, Systems and Controls sourcebook must be taken into account since it obliges businesses to 'take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime'. This is the minimum standard required to meet the requirements of the regulatory system.

Encryption of laptops

The report supports the Information Commissioner's position that it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted. The FSA goes a step further in the report and states that it may take enforcement action against firms that fail to encrypt customer data offsite.

Staff Vetting

The report recommends that financial services firms have a good standard of staff vetting in place to prevent data theft and other financial crime. Where firms use employment agencies, they must agree the vetting standards with the agency and make regular checks to ensure those checks are taking place. The report advises having appropriate recruitment and vetting policies in place but also ensuring that there is ongoing monitoring of changes in employees' circumstances. There may be some roles (such as IT staff who have access to large amounts of customer data) where more in-depth monitoring is required. Firms are reminded that they must take a risk-based approach to preventing financial crime, as required by the FSA Handbook.

Third party suppliers

The report acknowledges that, for reasons of efficiency, nearly all firms outsource certain aspects of their business. This ranges from office cleaners to printers, mailing companies and marketing companies. These companies are likely to have either direct or indirect access to customer data. Where firms use third party suppliers, they are advised to ensure that those suppliers have appropriate data security standards.

The report concludes that most firms are over-reliant on third parties to comply with contractual obligations. Often, the firms surveyed did not monitor which individuals at a third-party supplier had access to their customer data. The report makes it clear that even where a firm has concluded a thorough risk assessment of its own data security and standards, this will not ensure adequate data security if the third party supplier does not have equivalent standards. The financial services firm should conduct its due diligence of the supplier's data security arrangements before the contract is entered into.

Call Centres

It is worth noting that the report mentions the use of call centres in a number of places. This is because the use of call centres by financial services firms or by their third party suppliers poses particular concerns for data security. Staff typically have access to large volumes of customer data, yet their training and vetting were found by the FSA in its study to be lacking. The report concludes that call centre staff are "more vulnerable to approach from fraudsters seeking to buy or extort customer data". This will be particularly true of a call centre which operates on a 24/7 basis, where round the clock supervision is difficult.

Disposal of customer data

The FSA reports that the disposal of confidential paper is generally very good, with most firms either shredding sensitive documents on site or via a suitably accredited supplier. There are, however, some useful reminders in the report. Firms should enquire about the security standards used by their waste disposal company and should also visit the disposal site to examine security. There is an industry standard for secure disposal firms (British Security Industry Association) which would give firms greater confidence that any confidential paper will be disposed of correctly. Overall, the message is that it is not sufficient to leave the disposal of waste paper to a third party supplier. Firms should audit adherence to waste disposal procedures and ensure that customer data is disposed of correctly.

Conclusion

Most financial services firms will hold a lot of very sensitive personal and financial data about their customers, and that data can be used by criminals for fraudulent transactions on a customer's account or false credit applications. The report reminds businesses of the serious (and possibly long-term) implications of data losses for their customers.

The FSA fined Nationwide £980,000 for information security lapses in 2007, and this recent report is just the latest in its campaign to highlight the importance of data security. The FSA will continue to deal with losses of customer data extremely seriously going forward. Equally, the Information Commissioner is seeking new powers to impose sanctions on businesses in general which do not comply with the principles of data security set out in the DPA. Businesses would therefore be well advised to take account of their responsibility to safeguard customer data and to implement the good practice recommendations which are set out in the report.

The Information Commissioner, Richard Thomas, gives the foreword to the report and endorses its aims and objectives. His salutary message for financial services firms summarises perfectly why firms should make the protection of customer data a priority: "Getting data protection wrong can bring commercial, reputational, regulatory and legal penalties. Getting it right brings rewards in terms of customer trust and confidence."

This briefing note is a brief overview of the FSA's report on data security in the financial services industry and is not intended to be a comprehensive guide. Ashfords is regulated by the Solicitors Regulatory Authority. The information in this article is intended to be general information about English law only and not comprehensive. It is not to be relied upon as legal advice nor as an alternative to taking professional advice relating to specific circumstances.
ALL CONTENT COPYRIGHT ASHFORDS 2007, ALL RIGHTS RESERVED