Thursday, 23 July 2009

"Double-jeopardy" threat for banks

A regulatory partner at a London law firm has labeled the £3.2million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner, Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch,” said Davies.

Given the pubic backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.
"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."