Security of customers' data
Financial services firms have always had an important duty to safeguard the personal data of their customers.
We are increasingly focusing on whether firms are honouring that trust by having effective systems and controls to prevent that data being lost or stolen. Personal data is being bought and sold by criminals who use it to steal identities and commit other crime. So it is important that firms frequently review their controls to stay alert to new threats.
During 2007 our Financial Crime and Intelligence Division did a thematic review of data-security controls, visiting 39 firms, including 20 small firms. We found that poor data security is a serious, widespread problem across the entire industry.
The shortcomings fall under three broad categories: firms not appreciating the gravity of this risk; lacking the expertise to make a reasonable assessment of risk factors and devise ways of mitigating them; and failing to devote adequate resources to the problem.
We have today published our detailed findings. We also published a specially designed factsheet for small firms. The factsheet, "Your responsibilities for customer data security", contains practical tips and examples of good practice, which we hope will help firms to make improvements in this area.
