HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
During its investigation into the firms' data security systems and controls, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.
Despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks. In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers. In July 2007, all three firms were warned by HSBC Group Insurance's compliance team about the need for robust data security controls. However, in February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers' identities and commit financial crime.
Margaret Cole, director of enforcement at the FSA, said: "These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details.
"Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat.
"In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."
The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.
HSBC Insurance Brokers, HSBC Actuaries and HSBC Life co-operated fully with the FSA in the course of its investigation. All three firms agreed to settle at the early stage of the FSA's investigation and qualified for a 30% discount. Without the discount, the fines would have been £1m for HSBC Insurance Brokers, £1.25m for HSBC Actuaries and £2.3m for HSBC Life.
Commenting on the fines imposed today by the FSA on three HSBC firms, Clive Bannister, Group Managing Director of HSBC Insurance said: “Keeping our customers’ data confidential and secure is vitally important to everyone at HSBC. We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.
“While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy."
Mr Bannister said the FSA had taken into account that HSBC had taken significant proactive action to address the problems that were identified. Some of these measures included:
- immediate, proactive programmes established to contact all customers potentially affected by the breaches
- more data protection awareness training for staff with 33,500 UK staff completing training
- stronger processes to ensure all confidential data that is electronically transmitted or stored and transported on CDs and laptops is encrypted
- restricting the ability to download data to portable devices
- a major business wide data protection awareness campaign