The press coverage of fraudsters using files from a defunct Barclays subsidiary serves to highlight the counter-productive nature of the “know your customer” regulations which require banks, brokers and “financial advisors” to collect and keep information for supposed consumer protection and anti-money-laundering reasons. The churn rate among brokers and “financial advisors”, and the lack of any responsibility on liquidators to safeguard (or at least delete) the files on computers they may be selling, as opposed to getting the best price for the creditors, illustrate some of the consequences.
The Daily Mail article also reminded me of a conversation after an “awareness” event. I was asked to consider a similar exercise for silver surfers by an organisation whose high value clients were being targeted by fraudsters who had all the information necessary for successful impersonations. They did not know if the problem was shared or peculiar to them. It was too commercially sensitive to talk with their competitors and they could find no leak or breach. Was it someone in their supply chain? Was it a common problem: e.g. a fake “Cruises’Rus” website to harvest the details and preferences of high value silver surfers? They did not subsequently offer to help with funding, so I filed the conversation away.
Yesterday I was drafting a possible call for reform of the EU approach to Data Protection, Electronic Identities and Information Security. One of the high level recommendations was:
· “Regulation should focus less on what is stored (given the many requirements of consumer protection regulators and others to retain that which is not required for business purposes) and more on who has access, under what conditions, and how that right of access is checked and exercised.”
We should never forget that what is retained for regulatory, not business, reasons is a potential honey pot for fraudsters.