Phillip Robinson, Director of the FSA's Financial Crime and Intelligence Division, said the industry must raise its standards.
"It is worrying that despite increased public awareness of the impact that identity theft can have on customers, many firms are still not taking this risk seriously," he said. "Customers have a right to be confident that firms are doing everything reasonably possible to keep their personal and financial details safe."
"Some firms have made progress by adopting good practice while others need to do more in this area to ensure that they are treating their customers fairly. Firms getting data security right is a key priority for the FSA and we expect the industry to raise its standards," he said.
Robinson was speaking at the FSA's annual conference on financial crime last Thursday. The regulator's report, based on a survey of systems and controls at 39 banks, building societies, insurers and financial advisers, was published the same day.
The report claims that many organisations underestimate the seriousness of the threat and fail to recognise the value of their customers' data to fraudsters. It also warned that many organisations underestimate the threat that posed by their own staff.
The report states: "Firms’ vetting of staff is variable. In most firms, more-stringent vetting is applied to staff in senior positions – there is little consideration of the risk that junior staff with access to large volumes of customer data may facilitate financial crime. Consequently, very few firms conduct criminal record checks on junior staff. In addition, few firms repeat vetting to identify changes in an individual’s circumstances which might make them more susceptible to financial crime."
The FSA is also worried that many firms are not proactively checking that their third-party suppliers vet their employees or have adequate security arrangements in place to prevent unnecessary access to customer data. Organisations often use third parties to provide IT maintenance or back up services, but suppliers of other services, such as cleaners and security staff, may pose just as great a risk.
In the past, when a serious data loss has occurred, the FSA found some firms were more concerned about avoiding adverse publicity than telling their customers what had happened. But, the report noted, many organisations are beginning to take a more responsible approach and now write to customers to explain the circumstances and give advice on how they can protect themselves.
Examples of good data security practice in the report include encrypting laptops, transferring data only through secure internet links and masking financial details from staff who do not need to know them to do their jobs.
In a foreword to the report, Information Commissioner Richard Thomas said: "I am disappointed – but not altogether surprised – that the FSA has found that financial services firms, in general, could significantly improve their controls to prevent data loss or theft."
"The financial services industry needs to pay close attention to what its regulator is saying here," he said.
