FSA threatens executives with fines
Senior management to be held accountable for security lapses at banks
The FSA aims to "pierce the corporate veil" at retail banks
Board-level executives found responsible for information security lapses in retail banks are to be personally fined as part of a new drive to “pierce the corporate veil”.
The Financial Services Authority (FSA) is concerned that corporate fines are not incentive enough for banks to take adequate measures to protect customers’ information and wants to drive best practice by ensuring executives personally oversee security programmes.
The move is a key part of ensuring security compliance, according to Bill Sillett, manager of the retail department at the FSA.
“Protecting personal data is essential to reduce the level of financial crime,” he said. “This is a big shift in how we operate. There will be more fines for senior individuals in the future.”
The FSA regulates banks’ compliance with the Data Protection Act and the Financial Services and Markets Act, both of which contain legal obligations for banks to safeguard customers’ financial information.
The regulator is concerned that banks place too much emphasis on IT security as part of a cost-benefit risk analysis.
“With some large firms even if we fine them £20m it won’t have much of an impact we hope targeting senior management will help solve that problem,” said Sillett.
The FSA has not yet levied any major fines on individuals, but will commit more resources to doing so in such cases in the future.
Sillett said the level of senior management to be targeted will depend on the case, but the FSA wants to avoid executives palming off overall security responsibilities onto the IT department.
Chief executives, compliance officers and board-level IT directors could all be held responsible.
The obligation of senior management for data protection issues is not a completely novel idea, according to Stewart Room, barrister with law firm Field Fisher Waterhouse.
“Directors and senior management are liable if a firm doesn’t comply with an enforcement notice from the Information Commissioner’s Office,” he said. “Regulators need to make sure they inflict real pain to ensure compliance.”