Memorandum by the Financial Services Authority
INTRODUCTION
1. The FSA submits this memorandum in response
to the Committee's call for evidence on its inquiry into personal
Internet security. The memorandum:
sets out the legal basis and regulatory
objectives of the FSA and the extent and nature of our interest
in personal internet security;
describes work we have done in the
past in areas related to personal internet security, such as cybercrime
and information security; and
outlines the further work we are
planning in these areas.
BACKGROUND
The FSA is the single statutory regulator for
the great majority of financial services in the UK. Its powers
are conferred primarily by the Financial Services and Markets
Act 2000 (FSMA).
2. FSMA requires the FSA to pursue four
objectives:
maintaining market confidence in
the financial system;
promoting public understanding of
the financial system, including awareness of the benefits and
risks of different kinds of investment or other financial dealing;
securing the appropriate degree of
protection for consumers, while having regard to the general principle
that consumers should take responsibility for their decisions;
and
reducing the extent to which it is
possible for a regulated business to be used for a purpose connected
with financial crime, such as money laundering, fraud and market
abuse.
3. In carrying out these functions FSMA
requires the FSA to take into account a number of matters, which
we refer to as "the principles of good regulation".
These are:
the need to use its resources in
the most economic and efficient way;
recognising the responsibilities
of regulated firms' own management;
the principle that the burdens and
restrictions imposed by regulation should be proportionate to
the benefits;
the international character of financial
services and the desirability of maintaining the UK's competitive
position;
the desirability of facilitating
innovation;
the desirability of facilitating
competition; and
the need to minimise the adverse
effects of regulation on competition.
4. The FSA is a company limited by guarantee
and is financed wholly by levies on the regulated industry; it
receives no Government funds. The FSA's governing body is the
Board; all Board Members are appointed by the Treasury. The Board
sets overall FSA policy. Day-to-day operational decisions and
management of staff are the responsibility of the Chief Executive.
The FSA is accountable to Treasury Ministers and to Parliament.
The legislation requires us to report annually to Ministers on
our discharge of our regulatory responsibilities, and Ministers
are required to lay our Annual Report before Parliament. The Treasury
Committee of the House of Commons takes evidence from us regularly,
on our Annual Report and other matters.
5. In discharging all our responsibilities,
we work closely with Government and other authorities and agencies
that have related responsibilities. In the case of personal internet
security we are starting to work with the Information Commissioner's
Office and with the regulators of other sectors of industry such
as the Office of Gas and Electricity Markets (Ofgem) and the Office
of Communications (Ofcom). Our work with the Home Office in this
area is set out in paragraph 20.
FSA WORK ON AREAS RELATED TO PERSONAL INTERNET SECURITY SUCH AS CYBERCRIME
6. Personal Internet security is an important
issue for the financial services industry, as ever-increasing
numbers of firms seek to exploit the cost savings, customer convenience
and flexibility that the internet offers. Our interest in this
issue derives from all our regulatory objectives: the reduction
of financial crime, consumer protection, consumer awareness, and
market confidence.
7. Increasingly, both organised and opportunistic
criminals are stealing customer data. The theft may either be
from the customer's PC, using malicious software or "phishing"
attacks or from financial institutions or retailers who hold financial
data for payment purposes, using hacking techniques or insiders
to steal the data. Customer data can then be used to carry out
various forms of identity theft, ranging from relatively simple
fraudulent use of card details to much more sophisticated account
takeovers. Even small amounts of seemingly non-sensitive customer
data can be used to obtain false documentation. This can be used
by criminals to facilitate identity theft and ultimately obtain
credit and other products in the victim's name. The market in
which stolen personal data is traded by criminals, particularly
on the internet, has matured. It has features such as discounts
for large amounts of data and "feedback" scoring on
the quality of data sold, in much the same way as legitimate sellers
are rated on eBay or other legitimate internet sites.
8. Large-scale compromises of customer data
from both financial services firms and non-financial, retail-focused
businesses are of particular concern. In the past few years, organised
criminal gangs have both corrupted and coerced individuals in
financial services firms and infiltrated firms with their own
people in order to access the large amounts of sensitive data
they hold. Although we have no direct information on firms outside
those we regulate, it seems likely that this is also happening
in non-financial services firms.
9. In pursuing our statutory objectives
we seek to ensure that firms, both at the authorisation stage
and on a continuing basis, have the necessary systems and
controls in place to meet the requirements of the FSMA (the "threshold
conditions") and in our Handbook of Rules and Guidance. This
includes assessing whether their systems and controls are adequate
to prevent them being used for purposes connected with financial
crime, including fraud; it also includes the adequacy of their
information security measures. We are also concerned to ensure
that the persons running the firm are competent and committed
to conducting their business with integrity and in compliance
with our regulatory requirements.
10. We are a risk-based regulator, so we
seek to assess whether firms' systems and controls are appropriate
for the business they conduct, rather than assessing all firms
against a single model. In evaluating, and seeking to mitigate,
the risks in firms that provide online services, we are likely
to focus in particular on areas such as information security,
disaster recovery and anti-fraud measures. Where firms provide
cross-border services, we co-operate closely with overseas regulators
in our supervisory activities.
11. Where we identify weaknesses in firms'
systems and controls, we use a variety of methods to raise standards.
Most of this work is done in private, for example, through discussions
with firms' senior management on remedial action or more formal
"risk mitigation programmes". Our enforcement powers
enable us to conduct investigations, to take administrative and
civil action, and to commence criminal proceedings. For legal
and policy reasons, we usually comment in public on individuals
or firms only where, after due process, a sanction (criminal or
administrative) has been imposed. In terms of disciplinary sanctions,
we have statutory powers to censure firms and individuals publicly
or to impose financial penalties on firms and individuals. The
ultimate regulatory sanction available to us is to withdraw our
permission for firms to carry on some or all of their regulated
financial services activities, or to prohibit individuals from
working within the industry, either at all or in connection with
specified function(s) for a fixed or indefinite period.
12. We also conduct "thematic work"
on particular risks we have identified that affect groups of firms,
sectors or even the entire financial services industry. We normally
publish the aggregate results of this type of work. Our thematic
reports generally contain good practice observations and cite
areas where firms could improve their practices. This type of
work is often used for financial crime issues, given that financial
crime can affect all the firms we regulate. Thematic work also
allows us to identify problem areas or sub-sectors in the broad
range of firms we regulate.
13. In order to assess the risk of customer
(and other) data being compromised in financial services firms,
we conducted some thematic work in 2004 and published a report
"Countering Financial Crime Risks in Information Security".
We found a mixed picture of how financial services firms were
managing their information security at that time. Although some
major firms, particularly in the banking sector, had built their
defences in response to targeting by hackers and fraudsters, other
sectors and small and medium-sized firms were less well-prepared
and risked exploitation by criminals seeking a weak point in the
system. Although we found that known financial losses to firms
and customers were low, we encouraged firms to do more to address
the potential risks rather than responding to attacks once they
have occurred. We recognised the inherent difficulty which firms
face in keeping up with rapidly evolving technologies and increasingly
determined, dynamic and well-organised fraudsters. We also highlighted
that consumers must protect themselves by safeguarding their personal
details or following the security tips offered by the firms with
which they deal.
14. In 2005, we conducted some work on the
offshore operations of 15 large financial services firms, which
looked at several issues including information security. We observed
a high level of security in operation; indeed, some firms said
that the security measures in place in India were better controlled
than in the UK. Examples of security measures in place in some
offshore operations included:
Swipe entry to the premises and further
swipe card restricted access to specific client areas.
CCTV and/or security guards walking
the floors.
Staff prevented from taking personal
effects to their workstation.
Computers without hard drives, floppy
drives, USB ports, access to email/internet or printers. Where
printers were required, access was controlled and restricted to
relatively senior people.
In all companies reviewed, data was stored onshore
in the UK and transferred to India as necessary. Firms had also
implemented systems to monitor telephone conversations, protect
data and monitor staff. There was no evidence to suggest consumer
data were at greater risk in India than in the UK.
15. In addition, new methods being tested
in the UK by banks to improve internet banking security include
two-factor authentication, where users are required to enter two
means of identification: one is typically digits from a physical
token and the other is typically something memorised. Another
bank has recently started to offer free anti-virus software with
its online banking service.
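The two-factor arrangement described above, where one factor is digits from a physical token and the other is something memorised, is illustrated in the following added example, which is not part of the memorandum or of any bank's system. It assumes the token generates counter-based one-time codes per RFC 4226 (HOTP), that the memorised secret is stored only as a salted PBKDF2 hash, and that the server tolerates a small look-ahead window for token presses that never reached it; the account layout, the window size and all function names are assumptions made for illustration.

```python
"""Two-factor login check: a memorised secret plus a one-time code from a
physical token.  Added example, not the memorandum's or any firm's code.
The one-time code follows RFC 4226 HOTP (an assumption about the token);
the account layout, LOOK_AHEAD and the function names are illustrative."""
import hashlib
import hmac
import secrets
import struct

LOOK_AHEAD = 5  # unused token presses tolerated before resynchronisation (assumption)


def hotp(token_secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(token_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return f"{binary % 10 ** digits:0{digits}d}"


def hash_memorised(memorised: str, salt: bytes) -> bytes:
    """Store only a salted, iterated hash of the memorised factor, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", memorised.encode(), salt, 100_000)


def new_account(memorised: str, token_secret: bytes) -> dict:
    """Enrol a customer: hash the memorised secret and record the token's shared secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "memorised_hash": hash_memorised(memorised, salt),
        "token_secret": token_secret,  # in practice held in an HSM or encrypted store
        "counter": 0,                  # next counter value the server expects
    }


def verify_login(account: dict, memorised: str, code: str) -> bool:
    """Both factors must pass.  Both are always evaluated so the response time does not
    reveal which one failed, and the counter advances only on success, so a code that
    was captured in transit cannot be replayed."""
    first_ok = hmac.compare_digest(
        account["memorised_hash"], hash_memorised(memorised, account["salt"]))

    second_ok = False
    matched = None
    for candidate in range(account["counter"], account["counter"] + LOOK_AHEAD):
        if hmac.compare_digest(hotp(account["token_secret"], candidate), code):
            second_ok = True
            matched = candidate
            break

    if first_ok and second_ok:
        account["counter"] = matched + 1  # resynchronise past the code just used
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret and a made-up memorised phrase.
    acct = new_account("correct horse", b"12345678901234567890")
    print(verify_login(acct, "correct horse", hotp(acct["token_secret"], 0)))  # True
    print(verify_login(acct, "correct horse", hotp(acct["token_secret"], 0)))  # False: replay
```

The point for a supervisor reviewing such a control is less the arithmetic than the surrounding properties: the memorised secret never exists in the clear on the server, a stolen code is single-use because the counter moves forward, and a failure message does not tell a caller which factor was wrong.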
16. In a speech to the British Bankers Association's
Annual Financial Crime Conference on 5 December, Philip Robinson,
the FSA's Sector Leader for financial crime, discussed the issue
of information security and the FSA's work in ensuring that firms
have appropriate systems and controls in place[6].
CONSUMER INFORMATION
17. Consumers have an important role to
play in protecting their personal internet security. We have emphasised
to banks the need to engage consumers in their work to combat
the rise in online banking fraud. We carried out consumer research
in October 2005 to gauge confidence in internet banking. The research
found that consumer confidence in internet banking was fragile.
Half of active internet users said they were "extremely"
or "very" concerned about the potential fraud risk of
making an online transaction. Most consumers who conducted online
banking were taking steps to protect themselves against fraud
by installing security software on their PCs, but over a quarter
either did not know when they last updated their software or updated
it infrequently. Our research found that, if banks were to tackle
online banking fraud losses to them by shifting the liability
fully towards the consumer, more than three quarters of users
would abandon internet banking. 95 per cent of users surveyed
believed that at least some responsibility for security should
lie with the bank, while 45 per cent believed banks should take
sole responsibility.
18. Regulated firms already have the normal
commercial incentives to manage their fraud risks. Our approach
to combating fraud is therefore to add value to what firms are
doing by working in partnership with other stakeholders to ensure
that firms have access to the knowledge and tools they need. In
line with this approach, we work with trade associations, law
enforcement and Government (including Her Majesty's Revenue and
Customs, the police and the Serious Organised Crime Agency, whose
eCrime unit has particular expertise on high tech crime), other
regulators (including the Office of Fair Trading and The Pensions
Regulator, which will have anti-money laundering responsibilities
under the 3rd Money Laundering Directive) and firms to mitigate
information security risk.
19. The Banking Code Standards Board (BCSB)
is responsible for overseeing the way in which banks conduct their
business and the FSA ensures that banks put into place appropriate
systems and controls to prevent fraud.
20. Through our consumer website we alert
consumers to a variety of scams, including phishing and advance
fee fraud, and provide information on how consumers can protect
themselves from identity theft and what to do if they become victims.
In addition, we sit on the Home Office's ID Fraud Steering Committee
and its subgroup, the ID Fraud Consumer Awareness Group. We have
contributed to their "Identity Theft: Don't Become A
Victim" public awareness campaign. Financial services and
other firms have ordered about 11 million leaflets from this campaign
for distribution to customers. Initiatives such as the "Get
Safe Online" campaign run by the Government in collaboration
with the private sector also contribute to consumer education
in the area of personal internet security.
FUTURE FSA WORK ON CYBERCRIME AND INFORMATION SECURITY ISSUES
21. In view of the pace of technological
change and the dynamic character of organised fraud we keep information
security issues under close review. In the past year, the media
have reported several significant incidents of data loss and/or
lax information security. Although some of the cases reported
related directly to financial services firms, others appeared
to derive from companies in other sectors of industry which hold
consumers' financial information for payments purposes. In these
cases, the fact that bank account and credit card information
has been compromised, coupled with the manner in which the media
sometimes reports these incidents, can lead to the perception
that the compromise was the bank's fault. And, whatever the source
of the compromised data, the subsequent attacks on individuals'
bank or credit card accounts affect firms regulated by the FSA,
as well as their customers.
22. We are currently conducting a project
examining the methods used by financial services firms to authenticate
the identity of consumers during remote contact (for example,
via telephone or internet), and how this data is protected while
held by the firm and its agents. In line with the approach outlined
earlier, we plan to publish the results of this work by mid-March
2007.
23. We are still finalising our work programme
for the next financial year. In the area of personal data security
we are currently considering taking forward a number of strands
of work. The areas we are looking at are:
Offshoring: In evidence to the Treasury
Committee in October we undertook to look again at the financial
crime and information security risks associated with the offshoring
of significant functions in financial services firms, in the light
of that Committee's concerns over recent media reports.
The security of consumers' banking
data held outside the financial services industry: We intend to
meet the Information Commissioner, relevant regulators such as
Ofcom and Ofgem, and other bodies to discuss measures to improve
the security of banking information in sectors outside the FSA's
regulatory scope.
Low tech information security risk:
We will study the potential for low-tech breaches of information
security (for example, careless disposal of sensitive consumer
data; the removal of sensitive consumer data from the workplace;
staff awareness of information security issues etc), and the systems
and controls firms have in place to mitigate such risk.
Identity theft risk arising from
financial marketing practices: This project will consider issues
such as the appropriateness of marketing literature which contains
non-essential, and sometimes sensitive, consumer data, such as
unsolicited credit card cheques and partially completed credit
application forms, and also the inclusion of sensitive personal
information in other types of communication from firms, such as
pension statements.
8 December 2006
[6] Philip Robinson's keynote address to the British
Bankers Association's Annual Financial Crime Conference, delivered
on 5 December: http://www.fsa.gov.uk/pages/Library/Communication/Speeches/2006/1206_pr.shtml