Three HSBC companies have been fined a total of £3m by the Financial Services Authority (FSA) for failing to protect customer information, which led to two incidents of data going missing.
HSBC Life UK was fined £1,610,000; HSBC Actuaries and Consultants was fined £875,000; and HSBC Insurance Brokers was fined £700,000. All these companies are part of HSBC's Insurance business.
The FSA found that "large amounts" of unencrypted customer details had been sent via post or courier to third parties.
"Despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks," said the FSA. The failings were discovered over a year ago and the bank said it had since fixed the problems.
In April 2007, HSBC Actuaries lost in the post an unencrypted floppy disc containing the personal information of 1,917 pension scheme members.
HSBC Group Insurance's compliance team warned all three companies in July about the failing, but in February 2008 HSBC Life lost in the post an unencrypted CD containing the details of 180,000 policy holders.
Margaret Cole, director of enforcement at the FSA, said the breaches were very disappointing. "All three firms failed their customers by being careless with personal details, which could have ended up in the hands of criminals."
Clive Bannister, group managing director at HSBC Insurance, said, "Keeping our customers' data confidential and secure is vitally important to everyone at HSBC. We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.
"While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy."