Looking through the FOI requests submitted to the FCA in August 2015, there was an interesting question about IT:
“Please provide me with a list of fines (issued by the FCA to banks and other financial institutions over the past 7 years) relating to a failure in systems and controls of IT systems. Please list the data by institution showing the amount, date, and a one line description of the justification for the fine.”
In their response the FCA quite clearly states that “to compile the list of relevant cases we have selected the FCA final notices relating to breaches of the FCA’s Principles for Business (in particular, Principle 3 – Management and control) and out of these selected cases relating to IT failures, including data security breaches.” They also say that “We have interpreted ‘other financial institutions’ to mean all other authorised firms”.
As an aside, there are much more relevant SYSC and COBS rules that could be applied. However, since IT underpins pretty much the entire market, from IFAs through investment managers and insurance companies all the way up to banks, and there are plenty of very specific rules that cannot be satisfied if a firm's IT goes awry, I was looking forward to a long list of misdemeanours and fines.
This is it: 5 cases in 6 years.

| Date | Firm(s) | FCA description | Fine |
|---|---|---|---|
| 19/11/2014 | Royal Bank of Scotland Plc, National Westminster Bank Plc, Ulster Bank Ltd (Nov 2014) | The Authority imposes a financial penalty for breaches of PRIN 3. IT failings. | £42,000,000 |
| 19/08/2010 | Zurich Insurance Plc, UK branch | Fined for breach of Principle 3 and SYSC rules in relation to data security of customers' information in the context of outsourcing arrangements. | £2,750,000 |
| 17/07/2009 | HSBC Life (UK) Limited | Fined for breach of Principle 3 in relation to systems and controls failures in respect of customer data security. | £1,610,000 |
| 17/07/2009 | HSBC Insurance Brokers Limited | Fined for breach of Principle 3 in relation to systems and controls failures in respect of customer data security. | £700,000 |
| 17/07/2009 | HSBC Actuaries and Consultants Limited | Fined for breach of Principle 3 in relation to systems and controls failures in respect of customer data security. | £875,000 |