• FSA Library
  • Communication documents
    • Press releases
      • 2008

FSA/PN/058/2008
17 June 2008 

The Financial Services Authority (FSA) has fined Merchant Securities Group Limited (Merchant Securities) for not adequately protecting its customers from the risk of identity fraud. This is the first time the FSA has fined a stockbroking firm for weak data security controls.

Merchant Securities had inadequate procedures for verifying the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used, with a customer's name, to access account information were included in routine letters.

Furthermore, back up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff. Merchant Securities did not address the risk involved in its staff being able to use instant messaging and web based email. There was no evidence, during the FSA's investigation, that customer details had been lost or stolen.

Margaret Cole, Director of Enforcement at the FSA, said:

"It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business.

"Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously."

Merchant Securities' failings came to light in September 2007, during a visit by the FSA, rather than through their own systems and controls. The visit was part of wider FSA thematic work to gather information on how firms identified and managed their data security risks.

Merchant Securities co-operated fully with the FSA and agreed to settle at an early stage of the FSA's investigation. It qualified for a 30% discount under the FSA's executive settlement procedure. Without the discount, the fine would have been £110,000.

Notes for editors

1. Merchant Securities is a London based stockbroking firm with about 850 retail and institutional customers.
2. In April 2008, the FSA published the findings of a major project reviewing how well financial services firms protect their customers' data. Since 2004, the FSA has issued a number of speeches and publications to raise awareness within the financial services sector of the need for firms to take action to combat the risks of financial crime.
3. The full text of the Final Notice issued by the FSA includes the background to the case, the relevant statutory provisions, regulatory requirements contravened, and the factors taken into account when setting the level of the fine.
4. In the last three years, the FSA has fined Norwich Union £1.26 million; BNPP Private Bank £350,000; Nationwide £980,000 and Capita Financial Administrators £300,000 for failings relating to information security lapses and fraud.
5. Consumers can find information on how to stay safe and protect themselves from being a victim of financial crime on www.moneymadeclear.fsa.gov.uk
6. The FSA regulates the financial services industry and has four objectives under the Financial Services and Markets Act 2000: maintaining market confidence; promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; and fighting financial crime.
7. The FSA aims to promote efficient, orderly and fair markets, help retail consumers achieve a fair deal and improve its business capability and effectiveness.