HSBC fined £3million over information security flops

The Financial Services Authority (FSA) has fined three arms of the HSBC brand £3million for information security failings.

The three HSBC firms were fined for not having adequate systems and controls in place that would ensure the protection of customers' confidential details from loss and theft.

On two occasions customer data was lost in the post, and the FSA said HSBC's failings had contributed to those losses.

HSBC Life UK Limited, HSBC Actuaries and Consultants Limited and HSBC Insurance Brokers Limited have been fined £1,610,000, £875,000 and £700,000 respectively.

During its investigations into the firms' data security systems and controls, the FSA found that HSBC had sent large amounts of unencrypted customer details to third parties via post or courier. Details were also left on open shelves or in unlocked cabinets, and staff were not given full training on the identification and management of risks such as identity theft.

"These breaches are very disappointing," commented Margaret Cole, director of enforcement at the FSA. "All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details.

"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat."

All three firms have qualified for a 30 per cent early settlement agreement discount, which brought the fines down from £1million for HSBC Insurance Brokers, £1.25million for HSBC Actuaries, and £2.3million for HSBC Life.

HSBC released a statement saying the company is doing all it can to prevent a recurrence of this issue. Clive Bannister, group managing director of HSBC Insurance, said: "Keeping our customers' data confidential and secure is vitally important to everyone at HSBC. We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.

"While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy."

Jonathan Davies, regulatory partner at law firm Reynolds Porter Chamberlain LLP (RPC), added that actuaries which are FSA authorised could be fined for failures that do not relate to their FSA-regulated business: "When the FSA fined HSBC Actuaries and Consultants £875,000 it was for business practices that are not FSA regulated. This should act as a stark reminder to any FSA authorised actuaries that the FSA can look at their systems and controls covering all their activities, not just those which are FSA regulated activities."

- Pensions Age July 2009
