Powerchex Limited, the leading pre-employment screening firm for financial institutions, has backed the Financial Services Authority (FSA) in their stance on the data security measures finance firms should be employing to protect customer data.
In a paper released in April 2008, the FSA highlighted a number of examples of bad practice by financial services firms. Among its findings, the FSA discovered that a high level of vetting is generally applied to senior staff, but junior staff and those working in areas that would allow them to view sensitive data are not being vetted appropriately. Most notably, very few firms were found to be conducting criminal record checks on junior staff.
“We strongly advise our clients to determine the level of vetting required using a risk-based approach rather than a rank-based approach. Someone who works in a call centre is likely to have access to large volumes of customer data. So are they less of a risk than a senior manager? Not in our view, so why should they be vetted to a lower level?” says Alexandra Kelly, Director of Powerchex.
The FSA also found that some financial firms were subjecting temporary workers to less rigorous vetting than permanently employed colleagues carrying out similar roles. Kelly believes that firms are starting to realise the biggest threat is from within.
“Temporary workers pose the same, if not a bigger risk to the company than permanent employees. Data Security is not just an IT issue. Firms should appoint a senior manager who heads a committee that has representation from all areas of the business, including Human Resources. And firms should also be asking their suppliers the same questions they ask themselves in regards to how sensitive data is kept safe.”
The FSA backed up their report by handing out a hefty fine to Merchant Securities Group Limited (Merchant Securities) in June 2008 for weak data security. Margaret Cole, Director of Enforcement at the FSA, said, "Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously."
As the need for financial institutions to hold and transfer sensitive data increases, so does the risk they face. In the future, financial firms are likely to employ increasingly stringent data protection measures, and their employees and suppliers can expect to be checked more thoroughly and more often.