HSBC firms fined over £3 million for information security lapses

27 Jul 09

The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen.

SMT Online has discovered that HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) the lesser sum of £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

During its investigation into the firms' data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft.

Adequate procedures found to be missing

Despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.

In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post - a disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and National Insurance numbers.

In July 2007, all three firms were warned by HSBC Group Insurance's compliance team about the need for robust data security controls. However, in February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers' identities and commit financial crime.

Careless with personal details

Margaret Cole, the director of enforcement at the FSA, told SMT Online: "These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It's also extremely worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."

Cole went on to say: "Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat. In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."

Remedial action now being taken

The HSBC firms have taken a number of remedial actions to address the concerns raised, including contacting the customers involved, improving their staff training and requiring that all electronic data in transit is encrypted.

HSBC Insurance Brokers, HSBC Actuaries and HSBC Life co-operated fully with the FSA in the course of its investigation. All three firms agreed to settle at an early stage of the FSA's investigation and qualified for a 30% discount. Without the discount, the fines would have been £1 million for HSBC Insurance Brokers, £1.25 million for HSBC Actuaries and £2.3 million for HSBC Life.

HSBC Life has over 740,000 active individual and corporate customers. HSBC Insurance Brokers has approximately 65,000 corporate customers, while HSBC Actuaries has approximately 1,000 corporate customers and 500,000 active pension scheme members.

The final notices for HSBC Life, HSBC Insurance Brokers and HSBC Actuaries can be found on the FSA web site.

Ongoing anti-fraud work at the FSA

In April 2008, the FSA published the findings of a major project reviewing how well financial services firms protect their customers' data. Since 2004, the FSA has issued a number of speeches and publications to raise awareness within the financial services sector of the need for firms to take action to combat the risks of financial crime.

In the last four years, the FSA has fined Capita Financial Administrators £300,000, Nationwide £980,000, BNP Paribas Private Bank £350,000, the Norwich Union £1,260,000 and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

Four objectives for the Regulator

The FSA regulates the financial services industry and has four objectives under the Financial Services and Markets Act 2000: maintaining market confidence, promoting public understanding of the financial system, securing the appropriate degree of protection for consumers and fighting financial crime.

At all times, the FSA aims to promote efficient, orderly and fair markets, help retail consumers achieve a fair deal and improve its business capability and effectiveness.

Abacus e-Media
St. Andrews Court
St. Michaels Road
Portsmouth
PO1 2JH