I think it’s a great pity – but clearly unavoidable – that the FSA has arrived at the view that it will have to fine individual board-level executives of retail banks if it is to get them to take adequate measures to protect customers’ information. I think this is excellent news – particularly the clear statement that ‘FSA wants to avoid executives palming off overall security responsibilities onto the IT department. Chief executives, compliance officers and board-level IT directors could all be held responsible.’
One would have thought that banks might have spotted that protecting customer information might be a fundamental part of customer care in this identity-theft age but, then again, I guess we might have expected banks to have spotted that it might not make sense to lend someone of limited income 130% of the already-inflated value of a house.
A number of UK banks have been – or are about to be – taken into public ownership. The UK government doesn’t exactly have a great track record (eg HMRC, MOD, etc) when it comes to protecting personal data, either. So we have to hope that the FSA will have the courage to fine the government-appointed directors of nationalised banks where they fail to ensure their organisation takes adequate steps to protect personal data – or the protection of personal data in the UK will just become even more difficult.