The FSA found that CFA had inadequately considered the risks posed by fraud and had not maintained effective systems and controls to mitigate the risk of fraud. This is the first time the FSA has fined a firm for failures of anti-fraud systems and controls.

The failures in controls contributed to a small number of significant actual and attempted frauds against the firm's customers. These appear to have been facilitated by colluding CFA staff. The initial frauds were not discovered by CFA but instead were brought to the firm's attention by clients.

Philip Robinson, Financial Crime Sector leader, said:

"With fraud becoming an increasing menace, firms must fully understand the risks they face and have robust anti-fraud controls in place.

"The nature of CFA's business, because it holds information on client identity, makes it particularly vulnerable to fraud. Yet the firm failed to adequately consider this risk in the business.

"Our recent report on fraud governance found that parts of the financial services industry can do more to protect themselves and this case demonstrates that we take a firm's failures seriously."

CFA is a third party administrator that is responsible for carrying out client instructions to buy and sell investments.

In August 2004, CFA discovered that a client's name and address had been changed and the sale of units was being processed without instructions from the client. The firm then found that the data for five other clients had been subject to unauthorised changes. Fraudulent requests for payments totalling £1,134,938 had been made but were stopped from going ahead by CFA.

In September and December 2004, CFA discovered further actual and attempted frauds, including instructions for £417,321 being processed for 20 clients. Actual fraudulent payments totalling £328,241 were made.

The weaknesses in systems and controls contributed to the frauds. There were insufficient controls to ensure that changes to client data and instructions for payments were genuine or that payments were not made to accounts that were not controlled by clients. CFA did not ensure that procedures to mitigate fraud risk were adequately implemented and that fraud awareness training was appropriate.

Since the frauds were discovered, the Capita Group has put in place an effective remedial programme at CFA. It has taken a positive approach to improving systems and has implemented controls at CFA that are consistent with best practice in the industry. CFA also took prompt action to ensure that its clients did not suffer financial loss as a result of the frauds.

The matters set out in this notice refer to the actions of CFA and not the wider Capita Group.