Select Committee on Science and Technology Minutes of Evidence

Memorandum by the Financial Services Authority


  1.  The FSA submits this memorandum in response to the Committee's call for evidence on its inquiry into personal Internet security. The memorandum:

    —  sets out the legal basis and regulatory objectives of the FSA and the extent and nature of our interest in personal internet security;

    —  describes work we have done in the past in areas related to personal internet security, such as cybercrime and information security; and

    —  outlines the further work we are planning in these areas.


  The FSA is the single statutory regulator for the great majority of financial services in the UK. Its powers are conferred primarily by the Financial Services and Markets Act 2000 (FSMA).

  2.  FSMA requires the FSA to pursue four objectives:

    —  maintaining market confidence in the financial system;

    —  promoting public understanding of the financial system, including awareness of the benefits and risks of different kinds of investment or other financial dealing;

    —  securing the appropriate degree of protection for consumers, while having regard to the general principle that consumers should take responsibility for their decisions; and

    —  reducing the extent to which it is possible for a regulated business to be used for a purpose connected with financial crime, such as money laundering, fraud and market abuse.

  3.  In carrying out these functions FSMA requires the FSA to take into account a number of matters, which we refer to as "the principles of good regulation". These are:

    —  the need to use its resources in the most economic and efficient way;

    —  recognising the responsibilities of regulated firms' own management;

    —  the principle that the burdens and restrictions imposed by regulation should be proportionate to the benefits;

    —  the international character of financial services and the desirability of maintaining the UK's competitive position;

    —  the desirability of facilitating innovation;

    —  the desirability of facilitating competition; and

    —  the need to minimise the adverse effects of regulation on competition.

  4.  The FSA is a company limited by guarantee and is financed wholly by levies on the regulated industry; it receives no Government funds. The FSA's governing body is the Board; all Board Members are appointed by the Treasury. The Board sets overall FSA policy. Day-to-day operational decisions and management of staff are the responsibility of the Chief Executive. The FSA is accountable to Treasury Ministers and to Parliament. The legislation requires us to report annually to Ministers on our discharge of our regulatory responsibilities, and Ministers are required to lay our Annual Report before Parliament. The Treasury Committee of the House of Commons takes evidence from us regularly, on our Annual Report and other matters.

  5.  In discharging all our responsibilities, we work closely with Government and other authorities and agencies that have related responsibilities. In the case of personal internet security we are starting to work with the Information Commissioner's Office and with the regulators of other sectors of industry such as the Office of Gas and Electricity Markets (Ofgem) and the Office of Communications (Ofcom). Our work with the Home Office in this area is set out in paragraph 20.


  6.  Personal Internet security is an important issue for the financial services industry, as ever-increasing numbers of firms seek to exploit the cost savings, customer convenience and flexibility that the internet offers. Our interest in this issue derives from all our regulatory objectives: the reduction of financial crime, consumer protection, consumer awareness, and market confidence.

  7.  Increasingly, both organised and opportunistic criminals are stealing customer data. The theft may be either from the customer's PC, using malicious software or "phishing" attacks, or from financial institutions or retailers who hold financial data for payment purposes, using hacking techniques or insiders to steal the data. Customer data can then be used to carry out various forms of identity theft, ranging from relatively simple fraudulent use of card details to much more sophisticated account takeovers. Even small amounts of seemingly non-sensitive customer data can be used to obtain false documentation. This can be used by criminals to facilitate identity theft and ultimately obtain credit and other products in the victim's name. The market in which stolen personal data is traded by criminals, particularly on the internet, has matured. It has features such as discounts for large amounts of data and "feedback" scoring on the quality of data sold, in much the same way as legitimate sellers are rated on eBay or other legitimate internet sites.

  8.  Large-scale compromises of customer data from both financial services firms and non-financial, retail-focused businesses are of particular concern. In the past few years, organised criminal gangs have both corrupted and coerced individuals in financial services firms and infiltrated firms with their own people in order to access the large amounts of sensitive data they hold. Although we have no direct information on firms outside those we regulate, it seems likely that this is also happening in non-financial services firms.

  9.  In pursuing our statutory objectives we seek to ensure that firms—both at the authorisation stage and on a continuing basis—have the necessary systems and controls in place to meet the requirements of the FSMA (the "threshold conditions") and in our Handbook of Rules and Guidance. This includes assessing whether their systems and controls are adequate to prevent them being used for purposes connected with financial crime, including fraud; it also includes the adequacy of their information security measures. We are also concerned to ensure that the persons running the firm are competent and committed to conducting their business with integrity and in compliance with our regulatory requirements.

  10.  We are a risk-based regulator, so we seek to assess whether firms' systems and controls are appropriate for the business they conduct, rather than assessing all firms against a single model. In evaluating, and seeking to mitigate, the risks in firms that provide online services, we are likely to focus in particular on areas such as information security, disaster recovery and anti-fraud measures. Where firms provide cross-border services, we co-operate closely with overseas regulators in our supervisory activities.

  11.  Where we identify weaknesses in firms' systems and controls, we use a variety of methods to raise standards. Most of this work is done in private, for example, through discussions with firms' senior management on remedial action or more formal "risk mitigation programmes". Our enforcement powers enable us to conduct investigations, to take administrative and civil action, and to commence criminal proceedings. For legal and policy reasons, we usually comment in public on individuals or firms only where, after due process, a sanction (criminal or administrative) has been imposed. In terms of disciplinary sanctions, we have statutory powers to censure firms and individuals publicly or to impose financial penalties on firms and individuals. The ultimate regulatory sanction available to us is to withdraw our permission for firms to carry on some or all of their regulated financial services activities, or to prohibit individuals from working within the industry, either at all or in connection with specified function(s) for a fixed or indefinite period.

  12.  We also conduct "thematic work" on particular risks we have identified that affect groups of firms, sectors or even the entire financial services industry. We normally publish the aggregate results of this type of work. Our thematic reports generally contain good practice observations and cite areas where firms could improve their practices. This type of work is often used for financial crime issues, given that financial crime can affect all the firms we regulate. Thematic work also allows us to identify problem areas or sub-sectors in the broad range of firms we regulate.

  13.  In order to assess the risk of customer (and other) data being compromised in financial services firms, we conducted some thematic work in 2004 and published a report "Countering Financial Crime Risks in Information Security". We found a mixed picture of how financial services firms were managing their information security at that time. Although some major firms, particularly in the banking sector, had built their defences in response to targeting by hackers and fraudsters, other sectors and small and medium-sized firms were less well-prepared and risked exploitation by criminals seeking a weak point in the system. Although we found that known financial losses to firms and customers were low, we encouraged firms to do more to address the potential risks rather than responding to attacks once they have occurred. We recognised the inherent difficulty which firms face in keeping up with rapidly evolving technologies and increasingly determined, dynamic and well-organised fraudsters. We also highlighted that consumers must protect themselves by safeguarding their personal details or following the security tips offered by the firms with which they deal.

  14.  In 2005, we conducted some work on the offshore operations of 15 large financial services firms, which looked at several issues including information security. We observed a high level of security in operation; indeed, some firms said that the security measures in place in India were better controlled than in the UK. Examples of security measures in place in some offshore operations included:

    —  Swipe entry to the premises and further swipe card restricted access to specific client areas.

    —  CCTV and/or security guards walking the floors.

    —  Staff prevented from taking personal effects to their workstation.

    —  Computers without hard drives, floppy drives, USB ports, access to email/internet or printers. Where printers were required, access was controlled and restricted to relatively senior people.

  In all companies reviewed, data was stored onshore in the UK and transferred to India as necessary. Firms had also implemented systems to monitor telephone conversations, protect data and monitor staff. There was no evidence to suggest consumer data were at greater risk in India than in the UK.

  15.  In addition, new methods being tested in the UK by banks to improve internet banking security include two-factor authentication, where users are required to enter two means of identification: one is typically digits from a physical token and the other is typically something memorised. Another bank has recently started to offer free anti-virus software with its online banking service.
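  The two-factor scheme described in paragraph 15 is easy to state and easy to get wrong on the server side. The following is an added illustration, not code from the FSA or from any bank mentioned in the memorandum. It assumes the physical token is an event-based one-time-password device of the RFC 4226 (HOTP, HMAC-SHA1, six digits) kind and that the memorised factor is a short PIN; the token seed is the RFC 4226 test-vector key and the PIN is made up for the demo, so neither is a real credential. The points it makes explicit are the ones a reviewer would ask about: both factors are checked before any answer is given, a submitted code can never be replayed, a small look-ahead window tolerates button presses the customer never submitted, comparisons are constant-time, and repeated failures lock the account.

```python
"""Added example: server-side verification of a token code plus a memorised PIN.

Assumptions (not from the FSA memorandum): the token is an RFC 4226 HOTP
device and the memorised secret is a PIN. Seed and PIN below are constructed
demo values.
"""
import hashlib
import hmac
import struct

DEMO_TOKEN_SEED = b"12345678901234567890"   # RFC 4226 test-vector key (demo data)
DEMO_PIN = "4821"                            # assumed memorised secret for the demo account


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 one-time code for a given counter value."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenAccount:
    """Server-side state for one customer: PIN verifier plus token counter."""

    LOOK_AHEAD = 5      # accept codes for the next few counter values
    MAX_FAILURES = 5    # lock the account after this many bad attempts in a row

    def __init__(self, seed: bytes, pin: str) -> None:
        self.seed = seed
        # A real deployment would use a slow, salted password hash for the PIN;
        # plain SHA-256 is used only to keep this example dependency-free.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.next_counter = 0   # lowest token counter the server will still accept
        self.failures = 0
        self.locked = False

    def verify(self, pin: str, token: str) -> bool:
        """Accept the login only if BOTH factors check out.

        Both checks always run and only the combined result is returned, so an
        attacker cannot confirm the PIN and the token code separately.
        """
        if self.locked:
            return False

        pin_ok = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self.pin_hash)

        matched = None
        for counter in range(self.next_counter, self.next_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.seed, counter), token):
                matched = counter
                break
        token_ok = matched is not None

        if pin_ok and token_ok:
            self.next_counter = matched + 1   # the submitted code can never be reused
            self.failures = 0
            return True

        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def run_demo() -> list:
    """Walk through the cases that matter in practice; returns the outcomes."""
    acct = TokenAccount(DEMO_TOKEN_SEED, DEMO_PIN)
    return [
        acct.verify("4821", hotp(DEMO_TOKEN_SEED, 0)),   # first code, right PIN       -> True
        acct.verify("4821", hotp(DEMO_TOKEN_SEED, 0)),   # replay of a used code       -> False
        acct.verify("4821", hotp(DEMO_TOKEN_SEED, 2)),   # one press skipped, in window -> True
        acct.verify("0000", hotp(DEMO_TOKEN_SEED, 3)),   # right code, wrong PIN       -> False
        acct.verify("4821", hotp(DEMO_TOKEN_SEED, 9)),   # code beyond the window      -> False
    ]


if __name__ == "__main__":
    print(hotp(DEMO_TOKEN_SEED, 0))   # 755224, the RFC 4226 test vector for counter 0
    print(run_demo())
```

  One caveat worth stating alongside any such deployment: a one-time code defeats the replay of stolen credentials, but not a phishing site that relays the customer's live code to the real bank within the validity window. That attack is addressed by binding the second factor to the transaction or the origin, not by the token alone.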

  16.  In a speech to the British Bankers Association's Annual Financial Crime Conference on 5 December, Philip Robinson, the FSA's Sector Leader for financial crime, discussed the issue of information security and the FSA's work in ensuring that firms have appropriate systems and controls in place[6].


  17.  Consumers have an important role to play in protecting their personal internet security. We have emphasised to banks the need to engage consumers in their work to combat the rise in online banking fraud. We carried out consumer research in October 2005 to gauge confidence in internet banking. The research found that consumer confidence in internet banking was fragile. Half of active internet users said they were "extremely" or "very" concerned about the potential fraud risk of making an online transaction. Most consumers who conducted online banking were taking steps to protect themselves against fraud by installing security software on their PCs, but over a quarter either did not know when they last updated their software or updated it infrequently. Our research found that, if banks were to tackle online banking fraud losses to them by shifting the liability fully towards the consumer, more than three quarters of users would abandon internet banking. 95 per cent of users surveyed believed that at least some responsibility for security should lie with the bank, while 45 per cent believed banks should take sole responsibility.

  18.  Regulated firms already have the normal commercial incentives to manage their fraud risks. Our approach to combating fraud is therefore to add value to what firms are doing by working in partnership with other stakeholders to ensure that firms have access to the knowledge and tools they need. In line with this approach, we work with trade associations, law enforcement and Government (including Her Majesty's Revenue and Customs, the police and the Serious Organised Crime Agency, whose eCrime unit has particular expertise on high tech crime), other regulators (including the Office of Fair Trading and The Pensions Regulator, which will have anti-money laundering responsibilities under the 3rd Money Laundering Directive) and firms to mitigate information security risk.

  19.  The Banking Code Standards Board (BCSB) is responsible for overseeing the way in which banks conduct their business and the FSA ensures that banks put into place appropriate systems and controls to prevent fraud.

  20.  Through our consumer website we alert consumers to a variety of scams, including phishing and advance fee fraud, and provide information on how consumers can protect themselves from identity theft and what to do if they become victims. In addition, we sit on the Home Office's ID Fraud Steering Committee and its subgroup, the ID Fraud Consumer Awareness Group. We have contributed to their "Identity Theft—Don't Become A Victim" public awareness campaign. Financial services and other firms have ordered about 11 million leaflets from this campaign for distribution to customers. Initiatives such as the "Get Safe Online" campaign run by the Government in collaboration with the private sector also contribute to consumer education in the area of personal internet security.


  21.  In view of the pace of technological change and the dynamic character of organised fraud we keep information security issues under close review. In the past year, the media have reported several significant incidents of data loss and/or lax information security. Although some of the cases reported related directly to financial services firms, others appeared to derive from companies in other sectors of industry which hold consumers' financial information for payments purposes. In these cases, the fact that bank account and credit card information has been compromised, coupled with the manner in which the media sometimes reports these incidents, can lead to the perception that the compromise was the bank's fault. And, whatever the source of the compromised data, the subsequent attacks on individuals' bank or credit card accounts affect firms regulated by the FSA, as well as their customers.

  22.  We are currently conducting a project examining the methods used by financial services firms to authenticate the identity of consumers during remote contact (for example, via telephone or internet), and how this data is protected while held by the firm and its agents. In line with the approach outlined earlier, we plan to publish the results of this work by mid-March 2007.

  23.  We are still finalising our work programme for the next financial year. In the area of personal data security we are currently considering taking forward a number of strands of work. The areas we are looking at are:

    —  Offshoring: In evidence to the Treasury Committee in October we undertook to look again at the financial crime and information security risks associated with the offshoring of significant functions in financial services firms, in the light of that Committee's concerns over recent media reports.

    —  The security of consumers' banking data held outside the financial services industry: We intend to meet the Information Commissioner, relevant regulators such as Ofcom and Ofgem, and other bodies to discuss measures to improve the security of banking information in sectors outside the FSA's regulatory scope.

    —  Low tech information security risk: We will study the potential for low-tech breaches of information security (for example, careless disposal of sensitive consumer data; the removal of sensitive consumer data from the workplace; staff awareness of information security issues etc), and the systems and controls firms have in place to mitigate such risk.

    —  Identity theft risk arising from financial marketing practices: This project will consider issues such as the appropriateness of marketing literature which contains non-essential, and sometimes sensitive, consumer data, such as unsolicited credit card cheques and partially completed credit application forms, and also the inclusion of sensitive personal information in other types of communications from firms, such as pension statements.

8 December 2006

6   Philip Robinson's keynote address to the British Bankers Association's Annual Financial Crime Conference, delivered on 5 December:


© Parliamentary copyright 2007