The Financial Services Authority (FSA) has today fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year.
During its investigation, the FSA found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.
The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
Nationwide's failings occurred at a time of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.
Margaret Cole, director of enforcement, said:
"Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure.
"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security.
"The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security."
The FSA acknowledges that Nationwide has co-operated fully in the course of the investigation and has undertaken a number of actions to address this failure, including: taking a range of additional measures to increase security around accounts; informing customers of the loss of information; affirming its existing policy to reimburse any customer that has suffered financial loss as a result of this incident; and commissioning a comprehensive review of its information security procedures and controls.
By agreeing to settle at an early stage of the FSA's investigation, Nationwide qualified for a 30% discount under the FSA's executive settlement procedures – without the discount the fine would have been £1.4 million.
Background
- The full text of the Final Notice issued by the FSA, which includes the background to the case, the relevant statutory provisions, the regulatory requirements contravened and the factors taken into account when setting the level of the fine, may be found on the website.
- FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
- In November 2004 the FSA published a report entitled 'Countering Financial Crime Risks in Information Security'. Since then the FSA has issued a number of speeches and publications to raise awareness within the financial services sector of the need for firms to take action to combat the risks of financial crime.
- The FSA regulates the financial services industry and has four objectives under the Financial Services and Markets Act 2000: maintaining market confidence; promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; and fighting financial crime.
- The FSA aims to promote efficient, orderly and fair markets, help retail consumers achieve a fair deal and improve its business capability and effectiveness.