
Nationwide Building Society

FRN 106078 · 14 February 2007
01 · Enforcement details

What the FCA found.

On 14 February 2007 the FSA imposed a financial penalty of £980,000 (the penalty) on Nationwide Building Society (Nationwide) in respect of a breach of Principle 3 of the FSA's Principles for Business which occurred between 1 December 2004 and 1 December 2006 (the relevant period). Nationwide agreed to settle at an early stage of the FSA's investigation and qualified for a 30% (stage 1) discount under the FSA's executive settlement procedures. Were it not for this discount, the FSA would have imposed a financial penalty of £1.4 million on Nationwide.

In the relevant period, Nationwide breached Principle 3 by failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. Nationwide did not take reasonable care to ensure that it had effective systems and controls to manage the risks relating to information security, specifically the risk that customer information might be lost or stolen. In particular:

a) Nationwide failed adequately to assess the risks in relation to the security of its customer information.
b) Nationwide had procedures in relation to information security which failed adequately and effectively to manage the risks it faced.
c) Nationwide failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood by staff.
d) Nationwide failed to implement adequate controls to mitigate information security risks, to ensure that employees adhered to its procedures and to ensure that it provided an appropriate level of information security.
e) Nationwide failed to have appropriate procedures in place to deal with an incident involving the loss of customer information and, as a result, Nationwide did not respond appropriately and in a timely manner to establish the risks to Nationwide customers of financial crime arising from the theft of a Nationwide laptop computer.

The FSA considered these failings to be particularly serious because:

a) Nationwide is the UK's largest building society and holds confidential financial information for over 11 million customers. Nationwide's customers were entitled to rely upon Nationwide to take reasonable steps to ensure the security of information entrusted to it. Nationwide's failure to have comprehensive information security procedures and controls exposed its customers to the risk of financial crime.
b) The failures occurred following a period of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA information campaign about the importance of information security within the financial services sector.
c) The systems and controls were such that, when the laptop was stolen, Nationwide was not aware that it contained confidential customer information. For a period of three weeks after the theft of the laptop Nationwide failed to take any steps to investigate whether it contained such information.
d) The cumulative impact of the failings represented a significant risk to the FSA objective of reducing the extent to which it is possible for regulated firms to be used for a purpose connected with financial crime.

The FSA took into account the following steps taken by Nationwide which served to mitigate the seriousness of its failings:

a) Nationwide implemented a range of additional measures to increase security around its accounts including increased anti-fraud measures and monitoring of suspected fraudulent activity.
b) On notification of the theft of the laptop Nationwide disabled the remote access facility, preventing access from the stolen laptop to live Nationwide systems.
c) Nationwide wrote to all of its customers explaining the loss of the information and measures customers can take to minimise the risk of identity theft.
d) Nationwide confirmed, in accordance with its existing policy, that it would reimburse any customer who can establish that they suffered financial loss as a result of the theft of the information on the laptop.
e) Nationwide commissioned a comprehensive review of its information security procedures and controls overseen by an independent third party.

02 · Firm details

Firm on the FCA register.

Firm name
Nationwide Building Society
Firm reference number
106078