FSA Fines Nationwide

February 2007

Nationwide fined £980,000 for inadequate systems and controls relating to information security

This fine (reduced from £1.4 million for cooperation and early settlement) was widely reported in the press at the time it was announced on 14 February 2007. The FSA found that Nationwide had failed to respond quickly and appropriately following the theft of a company laptop: it was not until three weeks after the theft that the firm became aware that the laptop contained large quantities of confidential customer information of a kind that could have been used to further financial crime. The FSA considered that Nationwide failed adequately to consider its risks relating to information security and to take reasonable care to ensure that it had adequate procedures to manage those risks. Section 4 of the Final Notice cites a number of examples, including the procedures being in an unwieldy electronic format, not well structured, with inconsistencies and a lack of any prioritisation; reliance on self-certification; and inadequate controls to ensure that the procedures were understood and that staff adhered to them.

The fine is no doubt intended to signal to firms the seriousness with which the FSA take information security where failures can increase the risk of financial crime, and firms generally will want to ensure that their procedures are appropriate and, importantly, that they are observed and appropriately monitored.


Summary provided by Bovill Ltd, specialist Financial Services Regulatory Consultants - www.bovill.com