Merchant Securities Group Ltd has become the first stockbroking firm to be fined by the Financial Services Authority for weak data security controls and failing to protect its customers' details.
In imposing a fine of £77,000 on the company, the FSA issued a public notice outlining a number of areas where it said Merchant Securities had failed to apply good security processes. These included failing to verify the identity of customers who telephoned to make a trade, putting confidential information in letters sent to customers, and allowing unencrypted customer information to be stored overnight in a bag at the home of a Merchant employee.
The use of instant messaging and webmail was also poorly controlled, according to the FSA.
The fine followed an inspection visit the FSA carried out on 7 September last year, where the FSA inspectors identified the security weaknesses. The report noted that no security breach had taken place at Merchant Securities. The original fine of £110,000 was reduced by 30% because the company co-operated with the FSA.
The case marks a further tightening of the FSA's rules and shows the body is prepared to back up its warnings about security with punishment. Just last month, the FSA warned members that poor data security was a "widespread and serious problem" and that it would consider stronger enforcement action for those companies that ignored the warnings.
Merchant Securities is quite a small broking company, serving around 850 private clients. The FSA report says it relied too heavily on staff knowing their customers voices when they called, rather than having more formal identification procedures, thereby exposing customers to the risk of impersonation by fraudsters.
"Advisors relied on recognising customers' voices to identify their clients and by talking with them informally about personal matters such as holidays or hobbies," the report says. "However, each advisor had approximately 150 customers, of whom only 20% had frequent contact with the Firm."
The inspection also uncovered poor control over the use of instant messaging and webmail. It said: "Monitoring for use of instant messaging and web-based email was ad-hoc and focused on productivity rather than information security. Web-based email presents a particular risk because its content cannot be monitored or retrieved by firms."
In a statement, the company said: "MSGL (Merchants Securities Group Ltd) has listened to the FSA's concerns and has undertaken a thorough review of all its systems and controls for the protection of customer data to ensure that they are now robust. Changes implemented since October 2007 mean that MSGL is confident that the shortcomings in its systems and controls identified by the FSA have been fully resolved."
Patrick Claridge, who took over as acting chief executive from Tony Parizi last week said the company was a "traditional private client business servicing a client base of long-standing clients and we value the personal relationships that we have with them. We have taken steps to improve our systems and security for our clients' benefit and will continue to do all we can to protect their interests in the future."
Since November 2004, when the FSA published a report entitled "Countering Financial Crime Risks in Information Security", the authority has tried to raise awareness through a number of speeches and publications to raise awareness. These warning have been backed up with penalties, notable against Nationwide Building Society in February 2007, and Norwich Union last December.