• About the FSA
  • What we do
    • Fighting financial crime
      • Fraud
        • Key issues
          • Data security
            • Data security and consumer communications

Data security (also known as information security) refers to the way that firms put in place systems and controls to prevent their consumers' personal details, such as address, date of birth, national insurance number, earnings, account details, etc, from being accessed by criminals.

Firms have legal and regulatory responsibilities to safeguard their consumers' data.

This information is a valuable black market commodity and is being bought and sold by criminals – often through the internet – in order to commit identity theft and related crimes, such as account takeover and mortgage fraud. The Home Office estimates that identity fraud costs the UK economy £1.2 billion a year, which is equivalent to around £25 for every adult in Great Britain.

Reviewing regulated firms systems and controls

Our Financial Crime Operations team concluded a major piece of thematic work looking at firms' controls around personal consumer data, which we published in April 2008. We visited 39 firms, including retail and wholesale banks, investment firms, insurance companies, financial advisers and credit unions.

Overall, the worrying conclusion is that poor data security is a serious and widespread problem in the financial services industry.

Our report contains examples of good practice and areas for improvement, which we expect firms to use when assessing and improving their systems and controls. We've also produced a tailored factsheet to help small firms understand how they can improve.

Thematic work: Data Security in financial services [PDF] - April 2008

Factsheet: Your responsibilities for customer data security [PDF] -April 2008

Consumer communications and marketing materials

Continuing our focus on data security, we have been reviewing the way that firms disclose personal data in various pieces of communication with their consumers; for example, when sending out personal pension statements or on an invitation to take-up a new financial product. We have found some worrying examples where firms have used personal data unnecessarily or with greater frequency than needed.

Find out more about the examples of poor practice we have discovered, together with some steps that firms can take to enhance their data security procedures.

Data security and consumer communications: Examples of good and poor practice - December 2008

 

Back to top