Weak security controls to blame as finance firm is hit by FSA fine
Merchant Securities, a specialist in corporate finance and private equity, was fined £77,000 by financial watchdog, the FSA. It is the first time the FSA has fined a stockbroking company for having weak data security controls.
In a visit to the company's premises, the FSA found that Merchant Securities had "inadequate procedures for verifying the identities of customers" who called the company. The company relied on recognising customers' voices and talking to them about their holidays and hobbies, the FSA found.
Unencrypted back-up tapes of customer information were stored at the home of a member of staff, the watchdog reported.
Furthermore, Merchant Securities did not address the risks of staff being able to use instant messaging software and web-based email.
Margaret Cole, director of enforcement at the FSA said: "It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details.
"We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously".
The FSA said the company's failures came to light because of its visit, and that the company's own controls had failed to pick up its shortcomings.
Merchant Securities said it had listened to the FSA's concerns and has undertaken what it called a "thorough" review of its systems and controls. It said it was confident the shortcomings had been resolved.
The company's acting chief executive Patrick Claridge said: "We have taken steps to improve our systems and security for our clients' benefit and will continue to do all we can to protect their interests in future".
There was no evidence that customers' details had been lost or stolen, the FSA said.
The last few months have been challenging for Merchant Securities. Claridge was only appointed last week following the resignation of his predecessor. The company has also replaced its chief financial officer and compliance officer.
In a trading update last month, the company warned that collapsed private equity deals would leave it facing a £600,000 loss after tax in the year ending 31 March.
The FSA said the fine would have been £110,000, but that it had reduced the figure by 30% because Merchant Securities had agreed to settle at an early stage of its investigation.
The watchdog is taking an increasingly tough stance on lax security controls in the financial sector.
Six months ago, the FSA fined insurance giant Norwich Union £1.26m for not having effective controls in place to protect its customers' information.
And the Nationwide Building Society landed a fine of just under £1m in February 2007 for failing to manage its information security risks.
The FSA has reviewed the systems and controls at a total of 39 financial sector firms.
Philip Robinson, director of its financial crime and intelligence division told the watchdog's annual conference in April: "It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously."
Just last month, auditors reported that French bank Societe Generale, which had been hit by a multi-billion euro trading fraud in January, had widespread weaknesses in its IT security systems.
In that case, poorly designed applications were largely to blame and the bank's systems had failed to keep pace with the complexity of the financial environment, Price Waterhouse Coopers said.