FSA fines stockbroker over weak data security

A stockbroker has been fined £77,000 by the Financial Services Authority (FSA) for failing to protect its customers from identity fraud despite the firm not having had a data breach.

The FSA visited Merchant Securities Group (MSGL) in September 2007, to look through the stockbroker's systems and controls. The firm did not have a breach of any sort, but was looked at as part of an FSA drive to gather information about how firms manage their data security.

During the visit, the FSA found that Merchant did not have proper procedures for identifying customers over the telephone, but relied on recognising customers' voices or knowing details about their personal life. In addition, account numbers were sent out in letters containing customers' names.

Back-up tapes of customer data were also stored overnight, unencrypted, in the home of a staff member, and staff were openly allowed to use webmail and instant messaging despite concerns about data risks.

Margaret Cole, director of enforcement at the FSA, said: "It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers' personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business."

She added: "Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously."

The original fine against Merchant Securities was £110,000, but it was reduced by 30 per cent as part of a settlement deal that saw Merchant co-operate with the FSA from an early stage.

In a statement, Merchant Securities stressed that there was no loss of customer data at any point. "The FSA found no evidence of any theft or compromise of customer information," the statement said. "MSGL has listened to the FSA's concerns and has undertaken a thorough review of all its systems and controls for the protection of customer data to ensure that they are now robust. Changes implemented since October 2007 mean that MSGL is confident that the shortcomings in its systems and controls identified by the FSA have been fully resolved."

Patrick Claridge, acting chief executive of Merchant Securities, said: "We have taken steps to improve our systems and security for our clients' benefit and will continue to do all we can to protect their interests in the future."

The FSA has previously fined Norwich Union some £1.26 million after a data breach.