August 31, 2008

Friendly societies in transition

Two recent announcements reminded me that mutual friendly societies are facing similar issues to other mutuals: firstly it was announced that the Friendly Societies of Australia had joined Abacus – Australian Mutuals and secondly Manchester Unity Health Benefits Fund announced that it had entered an agreement to demutualise and merge with private health insurer, HCF of Australia Ltd.

If approved, HCF will pay $256 million and Manchester Unity's 80,000 members will receive between $200 and $3000 each depending on their type of policy and length of membership.

Friendly societies were established by community and national groups in Australia in the 1830s for social reasons and to provide aid to their members in need.

Friendly societies now offer a wide range of services ranging from education savings, funeral benefits, health insurance, mortgages, pharmacy, retirement villages and aged care to superannuation.

The services offered dictate the regulation a society is subject to: in 1999, the regulation of friendly society incorporation was transferred to the Corporations Act. Regulation of societies offering financial and insurance services through benefit funds was transferred from state-based jurisdictions to the Australian Prudential Regulation Authority (APRA). Those friendly societies now operate under the Life Insurance Act 1995 (Life Act).

Societies operating health benefit funds are regulated by the Private Health Insurance Administration Council (PHIAC) which operates under the Private Health Insurance Act 2007. When health fund business is operated directly through a friendly society, in addition to other benefit fund business, these entities are referred to as jointly regulated friendly societies under the Life Act (APRA) and the Private Health Insurance Act (PHIAC). APRA consults with PHIAC in relation to jointly regulated friendly societies.

Not all friendly societies are mutuals. The largest have demutualised.

NIB was the first health fund to list on the ASX in 2007.

Posted 31st August 2008 by David Jacobson in Mutuals

August 28, 2008

Can you rely on third parties to protect your customers’ privacy?

The story from the UK about the sale on eBay of a computer that contained information on several million bank customers (BBC News) raises issues about the security procedures of external service providers.

Apparently the computer was used by a data processing and archiving company which did credit card work for financial institutions.

The information is said to include account details and in some cases customers’ signatures, mobile phone numbers and mothers’ maiden names for 3 organisations.

Posted 28th August 2008 by David Jacobson in Risk management

August 26, 2008

Going back to basics with mortgages: why did the sub-prime crisis occur?

In Putting the ‘mort’ back in mortgage – a pocket guide to the global credit crisis (pdf) ASIC deputy chair Jeremy Cooper looks at what went wrong with US mortgages and the collapses of the British bank Northern Rock and the American investment bank Bear Stearns.

Posted 26th August 2008 by David Jacobson in Risk management

Privacy and data breach notification

The recent ALRC Privacy Law report noted that given the increasing fear of identity theft and fraud, most customers and users of government services believe they have a right to be informed when the security and privacy of their personal information have been compromised.

Consequently, the ALRC recommends the introduction of a mandatory data breach notification scheme.

The ALRC has recommended that an agency or organisation only be obliged to notify affected individuals and the Privacy Commissioner when a data breach has occurred that may give rise to serious harm to any affected individual.

The government has indicated it will deal with this issue in the second stage of its response in the next 12 to 18 months.

In the meantime, the Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).

Step 3: Consider notification

Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals.

The Guide incorporates illustrative examples which will assist in deciding questions such as whether notification is an appropriate response.

Posted 26th August 2008 by David Jacobson in Risk management

August 24, 2008

Risk management lessons from ANZ securities lending review

The ANZ Bank’s report of a Review Committee (pdf) which examined the Bank’s involvement in Securities Lending and its relationship with Broker clients including the Opes Prime group has some important risk management lessons:

  • Your staff need to fully understand the products they deal in.
  • You need to understand and manage all the risks in your business. In particular you need to identify unacceptable reputational and financial risks.
  • Lack of a proper control environment: the Equity Finance business lacked an appropriate control framework, in particular with respect to credit limits and conditions relating to the quality and quantity of securities accepted by the Equity Finance business and the loan-to-value ratios applied to those securities.
  • Poor accountability and ‘management by committee’: there was a lack of individual accountability within the line and risk management responsible for the Equity Finance business, with responsibility for many decisions resting with committees. This was compounded by deficiencies in the structure and management of the relevant committees.
  • Failure to identify and act on warning signs: various concerns relating to the processes, personnel and systems utilised in the Equity Finance and Securities Lending businesses and the risks associated with these businesses were identified by various staff and in the course of internal audit reviews. However, they were not addressed in a timely or effective manner. There was a history of procrastinating on decisions to either invest in systems to remedy issues or to exit the business.
  • Failure to report relevant issues to the Chief Executive Officer and Board: the gravity of the issues relating to the Equity Finance business should have been, but were not, properly brought to the attention of the Chief Executive Officer and Board.
  • Breaches of ANZ employee conduct policies.

The weaknesses in the management and oversight of the Equity Finance business within ANZ’s Securities Lending unit meant that ANZ did not adequately identify and manage the range of risks which arose from the operation of a business of this nature.

ANZ recognises that the legacy of its involvement in Equity Finance may well be with the Bank for many years through legal cases that it will continue to defend and also the impact of these issues on its reputation.

Posted 24th August 2008 by David Jacobson in Risk management

August 22, 2008

What risk management procedures do your third party providers have?

Imagine the response if your customers received someone else’s account details in a letter addressed to them.

That is what happened to customers of Goldfish, a credit card subsidiary of Barclays (Telegraph UK).

According to ComputerWeekly, a processing error at the printer the company uses to process statements meant the statements were printed incorrectly. The front page was correct, but subsequent pages contained the account information of other people.

What procedures do your contractors have to avoid these types of errors? How do you monitor them? (Some of my clients have "dummy members" so they see every mail out). How often do you audit their procedures?

And if something goes wrong do you have a rapid response plan?

Posted 22nd August 2008 by David Jacobson in Risk management

August 21, 2008

Good banking practice

There are many day to day banking activities which aren’t governed by prescriptive legal requirements but by the terms of the financial institution-customer contract, by customary banking practice and what a competent financial institution would do.

In BFSO Bulletin 58 the Ombudsman discusses the results of bank surveys which he has used to reach conclusions about industry practice and the requisite standard of care and skill of a diligent and prudent financial services provider.

He looks at 3 particular everyday scenarios:

  • Mandate for Change of Signing Authority on Accounts: "it would be good industry practice to require both account holders to request or consent to the addition of a third party signatory irrespective of whether the account mandate was for both to sign or either to sign."…"Similarly…it would appear appropriate that both account holders should request or consent to one of the account holders being removed from the account signing authority, or to a transaction which would in effect close the account or remove the whole of the funds in a deposit account from the control of one of the account holders."
  • Withdrawal Instructions Presented by a Third Party: "the major banks follow different procedures in circumstances where a passbook and withdrawal voucher are presented to a teller to make a withdrawal by a person who is not the account holder. All are examples of good practice: One bank requires prior arrangements to have been made by the customer with his or her manager, in which the customer authorises the third party to present the withdrawal request. Another bank requires the third party presenting the withdrawal request to produce a signed authority from the account holder, together with proof of identity in accordance with that authority. Another bank again will not process the withdrawal request unless it can contact the account holder to verify his or her instructions."
  • Guarantor and Third Party Income in Credit Assessments: "there may be circumstances in which it would be industry practice to take into account a guarantor’s income. However, where a guarantor is not directly and regularly involved in the financial affairs of the debtor, a financial services provider should take extra care before approving an application for finance based on the income of a third party or guarantor.
    We will consider what information was provided to the guarantor regarding the financial position of the debtor and the financial services provider’s reliance upon the guarantor’s income as well to approve the loan. If a guarantor was not in a position to know the financial position of the debtor in its totality, and was not fully informed of the financial services provider’s credit assessment, we may consider that it was imprudent to include the guarantor’s income in the assessment of serviceability. In that event, we may conclude that the financial services provider had engaged in maladministration in granting the credit facility."

Do you know what your organisation’s procedures are in these circumstances? Are they documented? Is there discretion between branches? Who monitors day to day practice?

The key issues will always be:

  • did you comply with the terms of your contract with your member?
  • who did you owe a duty to and were you negligent or did you breach that duty?
  • have you breached any law?
  • have you breached your Code of Practice?
  • have you acted fairly and reasonably?

Posted 21st August 2008 by David Jacobson in Risk management

August 20, 2008

Consumer credit hardship relief

Under section 66 of the Consumer Credit Code "a debtor who is unable reasonably, because of illness, unemployment or other reasonable cause, to meet the debtor’s obligations under a credit contract and who reasonably expects to be able to discharge the debtor’s obligations if the terms of the contract were changed in a manner set out in subsection (2) may apply to the credit provider for such a change."

Under subsection (2), a debtor can request to extend the term of the loan (and reduce the repayments) without any change to the interest rates or for payments to be postponed or a combination of both.

The Code and Regulations set a hardship threshold above which section 66 does not apply. From 9 September 2008 the threshold is $368,390. Section 66 relief and the debtor’s right to apply for a stay of enforcement proceedings therefore apply to loans up to that amount.

Lenders must take hardship requests seriously: under section 68, if the credit provider does not change the credit contract in accordance with the application, the debtor may apply to the Court to change the terms of the credit contract.

Under section 88 if the debtor, mortgagor or guarantor is unable to negotiate a postponement, the debtor, mortgagor or guarantor may apply to the Court for a postponement. The Court may, if it thinks it appropriate in the circumstances, stay any enforcement proceedings under the credit contract or mortgage until the application has been determined.

Further, unreasonable conduct by the lender could lead to a declaration of unjust conduct.

Posted 20th August 2008 by David Jacobson in Legal

August 19, 2008

Unfair fees

Consumer organisations are mounting campaigns for regulation of penalty fees charged by banks, credit unions and building societies ranging from cheque and direct debit dishonour fees, account overdrawn fees and credit card late payment fees to entry and exit fees. (Choice: unfair bank penalty fees).

Campaign supporters refer to a similar campaign in the UK (BBC News) and a decision in a test case in the UK which gave the Office of Fair Trading the right to assess personal current account unarranged overdraft and returned item charges for fairness. The test case decision (Office of Fair Trading v Abbey National PLC and 7 others) has been appealed for a further hearing later this year (Money UK).

Earlier this year the Government released the Australian Securities and Investments Commission’s review of mortgage entry and exit fees (pdf).

The review examined Australian mortgage fee data for 298 home loan products (standard, basic and introductory rate), from a cross section of large banks, 2 other banks, credit unions and building societies, and non-Authorised Deposit-taking Institutions (non-ADIs, also known as non-banks).

Findings included that a majority of home loans include an additional fee for early termination. However, there is significant variation in the method of calculation of these fees and, consequently, their size. On average, non-ADI lenders charge the highest early termination fees, followed by large banks. Within each lender type, there is a loan offered with a nil early termination fee.

Section 72(1)(c) of the Consumer Credit Code allows a Court to review an unconscionable early termination fee under a consumer credit contract.

In 2004 the Consumer Law Centre Victoria published a 90 page report, Unfair Fees: A report into penalty fees (pdf) charged by Australian banks (the Unfair Fees Report).

Credit unions should review the method of calculation of their charges to ensure that they reflect the actual cost and that they are not penalties, that they have the right to impose the charges under their contracts and that they are fair.

Posted 19th August 2008 by David Jacobson in Legal

August 12, 2008

Privacy and credit reporting

The Government has announced that changes to credit reporting laws will be included in its first stage of responses to the ALRC Privacy Report.

It says that dealing with them at an early stage is consistent with COAG’s current agenda on consumer credit reform.

The ALRC recommends that the existing credit reporting provisions of the Privacy Act be repealed. Instead, credit reporting should be regulated under the general provisions of the Act and new credit reporting regulations, incorporating significant recommended changes to the current rules.

In response to the credit industry’s request for access to more information about borrowers, the ALRC recommends that there should be some expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies.

The ALRC says the four additional items should be:

  • the type of each current credit account opened (eg, mortgage, credit card, personal loan);
  • the date on which each current credit account was opened;
  • the credit limit of each current account; and
  • the date on which each credit account was closed.

Legislation is expected within 12 to 18 months.

Posted 12th August 2008 by David Jacobson in Legal