bank BNP Paribas has been fined £350,000 by the UK's Financial Services Authority for systems
and control failures at its London-based private banking unit that allowed a
senior manager to steal £1.4 million from client accounts.
The employee, who worked at BNP Paribas
Private Bank, managed to transfer the cash haul out of client accounts in 13
separate fraudulent transactions between February 2002 and March 2005 using
forged signatures and instructions and by falsifying change of address documents.
During its investigation, the FSA found that a flaw in the bank's IT system
allowed the senior employee to bypass normal middle office processes, which
meant that basic authorisation and signatory checks were not carried out on
internal cash transfers between different customer accounts.
Furthermore, BNPP Private Bank did not have an effective review process for
transactions over £10,000 from clients' accounts. The regulator also found that
the bank's procedures were not clear about the role of senior management in
checking significant transfers prior to payment.
Margaret Cole, FSA director of enforcement, comments: “BNPP Private
Bank's failures exposed clients' accounts to the risk of fraud. This is
unacceptable particularly with the overall increase in awareness around fraud
and client money risks. Senior management must make sure their firms have
robust systems and controls to reduce the risk of them being used to commit
The bank also failed to improve its procedures for monitoring large
transactions or carry out remedial action on a timely basis, says the FSA,
despite being aware that some procedures required improvement as a result of an
examination of its anti-money laundering systems and controls in August 2002.
The FSA says this is the first time a private bank has been fined for
weaknesses in anti-fraud systems but warns that it is “raising its
game” against firms with lax controls.
“This is a warning to other firms that we are raising our game in this
area and expect them to follow suit. We will not hesitate to take action
against any firm found wanting,” says Cole. (source)
We are pleased to see the FSA finally finding its teeth and
beginning to use them against Banks that allow fraud.
However, we see that this was an internally perpetrated
fraud, rather than the more common ‘enabling of fraud’ by releasing, or allowing
to be released, PII (Personally Identifiable
Information) into the Internet zone, or even worse into the rubbish bins.
We hope that in the future the FSA will be taking similar
actions against Banks, Businesses and Public/Government Institutions for the
crime of ‘enabling fraud’ in the same way as the internal fraud cases.
Such crimes are covered by The Serious Crime Act, which states that a person
has been involved in serious crime in England and Wales if he—
- has committed a serious offence in a country outside England and Wales;
- has facilitated the commission by another person of a serious offence in a country outside England and Wales; or
- has conducted himself in a way that was likely to facilitate the commission by himself or another person of a serious offence in a country outside England and Wales (whether or not such an offence was committed).
A “serious offence in a country outside England and Wales” means an offence under the law of a
country outside England and Wales which, at the time when the court
is considering the application or matter in question, would be an offence under
the law of England and Wales if committed in or as regards England and Wales.
Therefore, if a Bank or Business is hacked, and that
business is found to have inadequate security, or if its actions were negligent
and allowed access (which includes dumping data in bins and laptop thefts), either
in the UK or overseas, and credit card details or PII
are stolen and subsequently used for fraud, then I contend that a crime has been
committed, both by the hacker and the business.
These laws are not just for the little people.
If we see the FSA forcing such institutions to starve
criminals of their source material, by investing in better security at the back
end, we can only see the fraud rates diminish, which in turn will lower the
argument for ID Cards of any kind.
Say NO to ID Cards, Say NO to the Database state.