This is the first time the FSA has fined a stockbroking firm for weak data security controls.
The regulator says Merchant Securities had inadequate procedures for verifying the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers’ voices and talking with them informally about personal matters such as holidays or hobbies.
Personal account numbers, which could be used with a customer’s name to access account information, were included in routine letters, and backup tapes containing unencrypted customer information were stored overnight at a staff member’s house.
The FSA says, however, that there was no evidence during its investigation that customer details had been lost or stolen.
FSA director of enforcement Margaret Cole says: “It is unacceptable that despite increased awareness of data security issues, a firm should be so careless about its systems for protecting customers’ personal details. People have a right to expect their details to be kept secure and firms should be committed to treating their customers fairly in all aspects of their business.
“Reducing financial crime in the UK is a priority for the FSA and our recent data security report showed that many firms still need to do more to get it right. We will not wait until information has been lost or stolen before taking action against a firm. The level of the fine for a firm of this size should serve as a warning to others to take data security seriously.”