global insurance management

Financial Crime (May '14)


May 02 2014

Reason for issue: Update and reminder.

Action required: Read this briefing and ensure the CPD record in your Training Log is updated.

The Financial Conduct Authority (FCA) defines Financial Crime as any kind of criminal conduct relating to money or to financial services or markets, including any offence involving:

  1. fraud or dishonesty; or
  2. misconduct in, or misuse of information relating to, a financial market; or
  3. handling the proceeds of crime; or
  4. the financing of terrorism.

In accordance with FCA Rules, we are required to have policies and procedures in place that show how our Directors, managers and staff understand what is required of them to prevent the firm being used for any aspect of financial crime.

The areas covered by our obligations to prevent Financial Crime are as follows:

  • Fraud;
  • Bribery and Corruption;
  • Money Laundering;
  • Data Security;
  • Financial Sanctions;
  • Market Abuse; and
  • Suspicious Transaction Reporting.

Please be aware that these briefings are designed to support the firm’s programme of maintaining competence and are not a substitute for more in-depth training.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Data Security

Data is a collection of facts, such as values or measurements.  It can be numbers, words, measurements, observations or even just descriptions of things. 

We know from previous training material that Data Protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.

Data Protection Act 1998 (DPA)

The seventh principle of the DPA states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

In particular, the ICO (Information Commissioner's Office) expects firms to:

  • design and organise security to fit the nature of the personal data held and the harm that may result from a security breach;
  • be clear about who in the organisation is responsible for ensuring information security;
  • make sure there is the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively.

What do we mean by Data Security?

In simple terms, data security is the practice of keeping data protected from corruption and unauthorised access.  Such personal or corporate data could be held in any format and must be kept secure because fraudsters can use it to commit crimes such as identity theft. 

The FCA states:

“Data security refers to the way that firms put in place systems and controls to prevent their consumers' personal details, such as address, date of birth, national insurance number, earnings, account details, etc, from being accessed by criminals. Information must be kept secure because consumers can be vulnerable and criminals can use it to commit offences such as identity theft.”

Firms have legal and regulatory responsibilities to safeguard their customers' data and the FCA requires firms to have adequate systems and controls in place to discharge these responsibilities.

There are a number of ways customer data can be compromised and there is a misconception that this is purely an IT issue.  Data security is part of the larger practice of Information Security.

So the security measures put in place should seek to ensure that:

  • only authorised people can access, alter, disclose or destroy personal data;
  • those people only act within the scope of their authority; and
  • if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.

Data Security Risks

There are a number of areas a firm should consider when assessing its ‘data security’ risks, including:

a) Governance

Generally small firms have one individual who has overall responsibility for data security within the firm.  However, every individual in the firm is responsible for ensuring that any customer data they have access to is kept secure at all times.

b) Training and Staff Awareness

It is vital that all staff understand the importance of protecting personal data; that they are familiar with our security policy; and that they put our security procedures into practice. We provide appropriate initial and refresher training covering:

  • our firm’s duties under the Data Protection Act and restrictions on the use of personal data;
  • the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
  • the proper procedures to use to identify callers;
  • the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and
  • any restrictions we place on the personal use of computers by staff (to avoid, for example, virus infection or spam).

c) Recruiting the Right Staff / Vetting Staff

When recruiting advisers, the majority of firms undertake a thorough vetting process but when recruiting junior or administration staff, the importance of vetting prospective employees is often ignored.

Staff placed in administration roles tend to have access to customer data on a larger scale and therefore pose a higher risk to the firm.  Therefore, we should consider undertaking credit checks and criminal record checks on potential employees who will have access to large amounts of customer data.  The vetting of temporary staff should also be considered.

d) Physical Security

Technical security measures to protect computerised information are of obvious importance.  However, many security incidents relate to the theft or loss of equipment, or to old computers or hard-copy records being abandoned. 

Physical security includes things like the quality of doors and locks, and whether premises are protected by alarms, security lighting or CCTV. 

However, it also includes how we

  • control access to our premises,
  • supervise visitors,
  • dispose of paper waste, and
  • keep portable equipment secure.

e) Disposal of Customer Data

Although we ensure that customer data is held securely whilst on our premises, we also need to take care that, when it is no longer required, it is disposed of in a secure manner, irrespective of whether it is held in paper or electronic format.  If disposed of carelessly, customer data, obsolete computers etc. could fall into the hands of criminals.

Our procedures on data security also take into account the secure disposal of confidential waste.

f) Third Party Suppliers

If we choose to use third party suppliers, e.g. for archiving or office cleaning, we will carry out the appropriate due diligence that includes checking their security arrangements and how they vet their staff. 

g) Compliance & Monitoring

A firm’s compliance monitoring of its data security should be risk-based and appropriate to its business.  We will ensure that assessments are undertaken on a regular basis and any issues highlighted and addressed.

Finally, here are some fallacies of data loss and identity fraud:

  1. ‘The customer data we hold is too limited or too piecemeal to be of value to fraudsters.’
     • This is misconceived: skilled fraudsters can supplement a small core of data by accessing several different public sources and use impersonation to encourage victims to reveal more.  Ultimately, they build up enough information to pose successfully as their victim.
  2. ‘Only individuals with a high net worth are attractive targets for identity fraudsters.’
     • In fact, people of all ages, in all occupations and in all income groups are vulnerable if their data is lost.
  3. ‘Only large firms with millions of customers are likely to be targeted.’
     • Wrong. Even a small firm’s customer database might be sold and re-sold for a substantial sum.
  4. ‘The threat to data security is external.’
     • This is not always the case. Insiders have more opportunity to steal customer data and may do so either to commit fraud themselves, or to pass it on to organised criminals.
  5. ‘No customer has ever notified us that their identity has been stolen, so our firm must be impervious to data breaches.’
     • The truth may be closer to the opposite: firms that successfully detect data loss do so because they have effective risk-management systems.  Firms with weak controls or monitoring are likely to be oblivious to any loss.  Furthermore, when fraud does occur, a victim rarely has the means to identify where their data was lost because data is held in so many places.

Penalties

It is vital that we maintain vigilance over all our data and not allow it to be abused or misused in any way because getting it wrong could be very costly to the business.

The FCA has significant powers to fine, or even ban, firms who fail to put in place appropriate systems and controls to prevent financial crime.  A number of firms have previously been fined, including Nationwide B/S, which was fined £98,000 for systems and controls failures identified when a laptop was stolen.

The Information Commissioner has powers to fine up to £500,000 for breaches of the Data Protection Act.
