This report from the FSA clearly highlights structural weakness in the vetting process and therefore exposing the UK financial system to the risk of financial crime. The FSA has found that Financial services firms, in general, could significantly improve their controls to prevent data loss or theft.
Vetting of staff was found to be variable, more stringent vetting being applied to staff in senior positions with little consideration of the risk that junior staff with access to large volumes of customer data may facilitate financial crime. Consequently, very few firms conduct criminal record checks on junior staff and very few repeat the vetting process to identify changes in an individuals circumstances which make them more susceptible to financial crime.
They identified that one of the most important controls that firms can put in place to prevent data theft and other financial crime is a good standard of staff vetting, highlighting cases of staff stealing customer data to use fraudently or sell on. They were also disappointed that many firms were not adopting an appropriate risk-based approach to preventing financial crime as required by their handbook.
Examples of bad practice include allowing new recruits access to data before vetting has been completed, temporary staff receiving less-rigorous vetting than permanently employed colleagues carrying out similar roles. The FSA felt that there was a failure to consider whether staff in higher-risk positions are becoming vulnerable to committing fraud or being co-erced by criminals.
Where they saw good practice there was a risk based approach to staff vetting taking into account data security and other fraud risk, enhanced vetting for staff in roles with access to large amounts of customer data. A good understanding of the level of vetting conducted by employment agencies during the recruitment of temporary and contract staff. Firms that had formal procedures to assess regularly whether staff in higher risk positions are becoming vulnerable to committing fraud or being co-erced by criminals were highlighted as examples of good practice.
The report is full of gems on security policies and IT controls with many examples of where these policies had adversely affected firms and examples of where they had seen both good and bad practices.
All in all a great publication from the FSA. Use the following address to access the full report: http://www.fsa.gov.uk/pubs/other/data_security.pdf