FSA fines Norwich Union for security lapses relating to customer information

18 March 2008

Siobhan McManus

The Financial Services Authority (“FSA”) has fined Norwich Union £1.26m for failing to protect its customers against fraud. The fine is the biggest of its kind.

The FSA said that weaknesses in Norwich Union Life’s systems and controls allowed fraudsters to use publicly available information including names and dates of birth to impersonate customers and obtain sensitive customer details from its call centres. In some cases, fraudsters were able to ask for confidential customer records such as addresses and bank account details to be altered. The fraudsters then used the information to request the surrender of 74 customer policies totalling £3.3 million in 2006.

During its investigation, the FSA found that Norwich Union Life had failed properly to assess the risks posed to its business by financial crime and had not properly assessed whether it had adequate security measures in place to combat the increased risk of such crime to customer information. As a result, its customers were more likely to fall victim to financial crimes such as identity theft.

Margaret Cole, director of enforcement at the FSA, said: “Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information secure.

“It is vital that firms have robust systems and controls in place to make sure that customers’ details do not fall into the wrong hands. Firms must also frequently review their controls to tackle the growing threat of identity theft.

“The fine is a clear message that the FSA takes information security seriously and requires that firms do so too.”

The FSA also criticised Norwich Union for failing to act quickly enough to change its systems when the frauds came to light. It revealed that the fine would have been £1.8m, but Norwich Union agreed to settle at an early stage of the FSA investigation, therefore qualifying for a 30% discount. Norwich Union also co-operated fully with the police to identify the fraudsters.

The fine is the biggest of its kind to be imposed by the FSA, which in the last two years has fined Nationwide £980,000, BNP Paribas £350,000 and Capita Financial Administrators £300,000 in relation to security lapses and fraud.