HSBC fined £3 million for losing customer details
Banking giant HSBC has been fined more than £3 million for failing to protect its customers from fraud - and for losing the details of nearly 200,000 people in the post.
Three HSBC firms - HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers - were fined for sending large amounts of unencrypted customer details through the post or by courier to third parties. In addition, confidential information about customers was left on open shelves or in unlocked cabinets - putting it at risk of being lost or stolen.
On two occasions customer data was lost in the post. In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, which contained the personal information of just under 2,000 pension scheme members, including addresses, dates of birth and national insurance numbers.
In July 2007, following the incident, all three firms were warned by HSBC Group Insurance’s compliance team about the need for robust data security controls.
However, in February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post.
The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime, says the Financial Services Authority (FSA). As a result, it has fined the banking giant's firms a collective £3.2 million for security failings.
Margaret Cole, director of enforcement at the FSA, says: “These breaches are very disappointing. All three [HSBC] firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.”
She adds: “It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect customers’ details.”
HSBC Life UK was fined £1.61 million, HSBC Actuaries and Consultants was hit with an £875,000 fine and HSBC Insurance Brokers had to pay £700,000.
However, as all three firms co-operated fully with the FSA during its investigation and agreed to settle at an early stage, they qualified for a 30% discount on the fines.
The firms say they have now taken a number of steps to address the issues, including contacting the customers concerned, improving staff training and requiring that all electronic data in transit is encrypted.
Clive Bannister, group managing director of HSBC Insurance, says: "While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We believe our customers can have confidence that we are doing everything we can to protect their privacy."
Over the past four years, the FSA has fined five firms for data security lapses and fraud, including Nationwide (£980,000), Norwich Union (£1.2 million) and BNP Paribas Private Bank (£350,000).
National insurance (NI) is a scheme originally established in 1944 to provide protection against sickness and unemployment as well as helping fund the National Health Service (NHS) and state benefits. NI contributions are compulsory and based on a person’s earnings above a certain threshold. There are several classes of NI, but which one an individual pays depends on whether they are employed, self-employed, unemployed or an employer. Payment of Class 1 contributions by employees gives them entitlement to the basic state pension, the additional state pension, jobseeker’s allowance, employment and support allowance, maternity allowance and bereavement benefits. From April 2016, to qualify for the full state pension, individuals will need 35 years of NI contributions.
The Financial Services Authority is an independent non-governmental body, given a wide range of rule-making, investigatory and enforcement powers in order to meet its four statutory objectives: market confidence (maintaining confidence in the UK financial system), financial stability, consumer protection and the reduction of financial crime. The FSA receives no government funding and is funded entirely by the firms it regulates, but is accountable to the Treasury and, ultimately, parliament.