July/August 2010


Fighting the fraudsters
The increasing burden of keeping personal data safe has major implications for firms, says Alexandra Kelly FCSI

Across the world, fraudsters are realising that people’s sensitive information is a potential treasure trove. As the risk has become more pressing, there has been a steady increase in awareness of data security and the risk of identity fraud.

Identity theft is one of the fastest-growing crimes in the developed world. Despite the growing recognition by many companies of the financial and reputational risks, many still underestimate the implications of data loss and employee fraud, both to their business and to the individual with whose personal information they are entrusted.

Unfortunately for those firms that are taking the issue seriously, the main risk of data breach remains that which is hardest to control: human error. The simple fact is that, whether through carelessness or criminal intent, the result is still data loss, and the implications are just as serious.

Lack of clarity
Until recently, the FSA’s Handbook had no clear rules on data security and this was a topic that rarely appeared on compliance officers’ priority lists. Then came a surprise move: the FSA fined a large UK bank £3m for failing to employ adequate controls to protect customers’ confidential details from being lost or stolen.

Suddenly, the financial world took notice and the subject of data security shot up the compliance agenda. In 2008, the FSA upped the ante by providing a set of strong guidelines regarding what constitutes good and bad practice when it comes to data security. This report, which received little attention when it was originally released, formed the basis of what constitutes good and bad practice and it is now sitting atop compliance desks across the UK.

Now firms of all shapes and sizes are taking notice, with the announcement that the Government has launched a consultation on proposals to impose fines of up to £500,000 for serious breaches of data protection. The consultation closed on 21 December 2009 and the Information Commissioner’s Office intends to publish the results by 11 January this year.

If, as appears likely, this proposal passes into law, this will have a major impact on the operations of firms that hold and/or process sensitive data, because for the first time there will be a significant financial penalty for any organisation guilty of inadequate controls to prevent data loss.

Difficult to control
It is, however, unfeasible to completely remove all risk of data loss from your organisation. Modern financial firms store and transmit an inordinate amount of sensitive data between large groups of people. When your business revolves around information flow, it becomes extremely difficult to control it effectively.

If a firm is targeted by a sophisticated and determined gang, it will be practically impossible to prevent a leak. In attempting to pursue unattainable targets of data security, compliance departments also risk imposing unworkable and excessive administrative and regulatory burdens. The aim is to be vigilant, but realistic.

What can firms do to mitigate risk? The FSA says you should have these precautions in place:  

  • Employees should not have access to data beyond that necessary for them to perform their job. Where possible, data should be segregated and information, such as passport numbers, bank details and social security numbers, should be blanked out.
  • You should look to monitor and control all flows of information in and out of the company.
  • All forms of removable media should be disabled, except where there is a genuine business need. There should be no physical means available for unauthorised staff to remove information undetected.
  • Where laptops or other portable devices are in use, these should be encrypted and wiped afterwards. Usage of such devices should be logged and monitored under the authority of an appropriate individual. Watertight policies governing the use of such devices should be in place.
  • Software that tracks all activities, as well as web surfing and email traffic, should be installed on every single terminal on your network, and staff should be aware of this.
  • Completely block access to all internet content that allows web-based communication. This includes all web-based email, messaging facilities on social networking sites, external instant messaging and ‘peer-to-peer’ file sharing software.
  • Conduct due diligence of data security standards of your third party suppliers before contracts are agreed. Review this periodically. If you choose to outsource your IT, conduct checks on their staff also. After all, they have access to absolutely everything on your network.
  • All visitors to your premises should be logged in and out, and be supervised while on site. Keep logs for a minimum of 12 months.

There should be procedures in place that result in the production of as little paper-based data as possible. Install confidential waste bins throughout the office and treat all paper-based waste as ‘confidential’ to eliminate confusion among employees about which type of bin to use. For example, waste bins should be locked and the contents disposed of securely using cross-cut shredders. Other ideas are highlighted in ‘Keep it secret, keep it safe’, below.

Caution and pragmatism
That data security has moved up the compliance agenda, for companies and authorities alike, is undoubtedly a positive development for public confidence in data controllers and handlers. However, an increase in awareness of this issue should not cause firms to be unrealistic in their efforts to monitor and control information flows. A rational and realistic approach needs to be taken by both compliance officers and authorities. The best approach is one of caution tempered with pragmatism.

If your business has a laissez-faire attitude towards data security, then expect the reputational and fiscal penalties associated. On the other hand, an unduly harsh approach will create problems with the running of your operations and create a disproportionate regulatory burden, which will travel down the supplier chain until the cost of anything becomes completely prohibitive.

You cannot anticipate everything and you cannot guard against all eventualities and remain in business. You need to choose where to draw the line.


Keep it secret, keep it safe

  • Appoint a senior manager with overall responsibility for data security.
  • Firms should seek external assistance if they do not have the necessary expertise to complete a data security risk assessment themselves.
  • Innovative training and awareness campaigns should be offered that focus on the financial crime risks arising from poor data security, as well as the legal and regulatory requirements to protect sensitive data.
  • Back-up data should be transferred by secure internet links, and due diligence should be undertaken on third-party firms that handle backed-up data.
  • Vet staff on a risk-based approach, taking into account data security and other fraud risk, and understand the level of vetting conducted by employment agencies for temporary and contract staff. Despite the temptation, never take on a new member of staff before checks have been completed.


