Failure to counter financial crime: Norwich Union Life
In December 2007, the Financial Services Authority (FSA) imposed a fine of £1.26m on Norwich Union Life (part of the Aviva Group), one of the largest life insurance businesses in the UK with around seven million customers. The fine related to failures to take reasonable care to establish and maintain effective systems and controls for countering the risks of financial crime. The fine is the latest confirmation of the emphasis being placed on protecting clients and customers from the threat of financial crime.
From April 2006 to approximately December 2006, Norwich Union Life’s call centres were targeted 632 times by criminals attempting to commit fraud using information available in the public domain. During this period, organised fraudsters were able to pose as genuine customers to obtain and alter confidential customer information. By changing addresses and bank account details the impostors were able, on 74 occasions, to surrender policies worth in total around £3.3m. This was subsequent to both government and FSA campaigns highlighting the risk of financial crime.
The FSA found that these frauds were facilitated by Norwich Union Life’s failure to maintain adequate caller identification procedures. Callers did not have to provide a valid policy number to access their details: a caller could gain access to a record by giving the customer’s surname, first and middle names, date of birth, first line of address and postcode, none of which is secret and all of which could be found in the public domain. Internal compliance had identified these procedures as weak, but they had not been changed for fear of causing customer dissatisfaction. The risk of fraudulent investment surrenders through identity theft was known to the business and had been highlighted at group level as early as 2004.
The FSA was also critical of Norwich Union Life’s response to the frauds. The flawed procedures continued for a significant period of time after July 2006, when the business had first become aware of the fraudsters’ method. In September 2006, the procedures were amended to prevent changes of address being made unless the caller could provide a valid policy number. As the call centre continued to give out policy numbers to customers they had identified using the old procedures, a fraudster could obtain a valid policy number to quote on a subsequent call.
Further, while suspicious calls could be reported to the compliance fraud team, they would normally take up to 24 hours to investigate and respond. In the meantime, no indication of suspicions would exist on the customer record and it was not standard procedure to check customer records before dealing with them. As the frauds were committed generally by a series of calls in a short time frame, Norwich Union Life’s procedures were found to be insufficient to protect customers.
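The two control gaps described in the three paragraphs above lend themselves to a small worked model. The Python below is an added illustration, not Norwich Union Life’s system or anything taken from the FSA notice. It does two things: it checks a rule set for the bootstrap problem (a caller verified only on public-domain data being read a policy number that unlocks a higher tier of access), and it runs a velocity rule over a constructed call log so that a hold is written to the customer record on the second sensitive action and is checked before any later call on that record is dealt with. The tiers, action names, timestamps and the 48-hour window are assumptions; only the September address-change rule and the November no-disclosure rule are taken from the text.

```python
"""Constructed model of call-centre caller verification and call velocity."""
from collections import defaultdict
from datetime import datetime, timedelta

# Verification tiers (assumption). PUBLIC: caller matched names, date of
# birth, first line of address and postcode only. POLICY: caller also quoted
# a valid policy number.
PUBLIC, POLICY = "public", "policy"
RANK = {PUBLIC: 0, POLICY: 1}

# Actions whose output is itself a verification factor for a higher tier.
CREDENTIAL_DISCLOSURES = {"disclose_policy_number": POLICY}

# Rule sets: tier -> permitted actions. SEPT_2006 reflects the interim fix
# (address changes need a policy number) while policy numbers are still read
# out to PUBLIC-tier callers; NOV_2006 stops phone disclosure of policy
# numbers and bank details. Actions not mentioned in the text are assumptions.
SEPT_2006 = {
    PUBLIC: {"view_policy", "disclose_policy_number", "disclose_bank_details",
             "change_bank", "surrender"},
    POLICY: {"view_policy", "disclose_policy_number", "disclose_bank_details",
             "change_address", "change_bank", "surrender"},
}
NOV_2006 = {
    PUBLIC: {"view_policy"},
    POLICY: {"view_policy", "change_address", "change_bank", "surrender"},
}


def credential_leaks(rules):
    """Return (tier, action) pairs where a tier may read out a credential that
    unlocks a higher tier, i.e. where the rule set can be bootstrapped."""
    return sorted((tier, act) for tier, acts in rules.items() for act in acts
                  if act in CREDENTIAL_DISCLOSURES
                  and RANK[CREDENTIAL_DISCLOSURES[act]] > RANK[tier])


SENSITIVE = {"change_address", "change_bank", "surrender"}
WINDOW = timedelta(hours=48)  # assumption


def service_calls(calls, rules, window=WINDOW, max_sensitive=1):
    """Process calls in time order. Each call is (timestamp, policy_id, tier,
    action). Returns (policy_id, action, outcome) with outcome 'done',
    'refused' or 'held'. A hold is placed the moment more than max_sensitive
    sensitive actions fall inside the window, and is checked before any
    later call on that record is serviced."""
    history = defaultdict(list)  # policy_id -> timestamps of sensitive actions
    held = set()
    out = []
    for ts, pid, tier, action in sorted(calls):
        if pid in held:
            out.append((pid, action, "held"))
            continue
        if action not in rules[tier]:
            out.append((pid, action, "refused"))
            continue
        if action in SENSITIVE:
            recent = [t for t in history[pid] if ts - t <= window]
            if len(recent) >= max_sensitive:
                held.add(pid)
                out.append((pid, action, "held"))
                continue
            history[pid].append(ts)
        out.append((pid, action, "done"))
    return out


# Constructed call log following the pattern described in the text: identify
# on public data, harvest the policy number, then re-route and surrender.
T0 = datetime(2006, 8, 1, 9, 0)
FRAUD_PATTERN = [
    (T0, "P-1", PUBLIC, "view_policy"),
    (T0 + timedelta(minutes=5), "P-1", PUBLIC, "disclose_policy_number"),
    (T0 + timedelta(hours=1), "P-1", POLICY, "change_address"),
    (T0 + timedelta(hours=3), "P-1", POLICY, "change_bank"),
    (T0 + timedelta(days=1), "P-1", POLICY, "surrender"),
]
LEGITIMATE = [(T0, "P-2", POLICY, "change_address")]

if __name__ == "__main__":
    print("Sept 2006 bootstrap leaks:", credential_leaks(SEPT_2006))
    print("Nov 2006 bootstrap leaks:", credential_leaks(NOV_2006))
    for pid, action, outcome in service_calls(FRAUD_PATTERN, SEPT_2006):
        print(pid, action, outcome)
```

Under the September rules the policy number is still handed out at the public tier, so `credential_leaks` reports the bootstrap; under the November rules it is clean. In either case the velocity hold stops the sequence at the bank-detail change, before the surrender, and the hold is visible to every later call on the record rather than sitting in a queue for 24 hours. A single address change by a genuine customer is serviced without a hold.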
Of the 74 successful frauds, nine were perpetrated upon customers who were or had been Aviva directors. At the end of July 2006, Norwich Union Life took action to identify all Aviva directors who held policies and whose details might be in the public domain. They instituted effective controls to protect these individuals. The business did not take similar protective action to non-connected customers.
In November 2006, Norwich Union Life’s procedures were amended to prevent bank account details and policy numbers being given out over the phone. Information was also provided to relevant administration teams to assist in identifying frauds. Incidents of fraud then fell to previous levels.
It appeared to the FSA that caller identification procedures had originally been designed for compliance with the Data Protection Act 1998 and not for the purpose of safeguarding client information. The FSA considered that not only did Norwich Union Life’s lax controls encourage attempted and actual fraud, but they also disclosed information that exposed customers to the ‘additional, ongoing and actual risk of identity theft’.
Together these failures were found to constitute a breach of Principle 3 of the FSA’s Principles for Business: the requirement that a business take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
The FSA made clear that the occurrence of fraud was an aggravating factor when determining the level of fine, but that their main concern was the deficiencies in procedures and the time the business unit took to adequately remedy these deficiencies.
In mitigation, the FSA considered that Norwich Union Life had reinstated all fraudulently surrendered policies, co-operated with all other agencies, including the police, conducted an internal review and improved its anti-fraud procedures. The FSA imposed a fine of £1.26m after a 30% discount as part of the FSA’s executive settlement procedure. Without the discount the FSA would have imposed a fine of £1.8m. The fine is still one of the largest the FSA has ever imposed.
The FSA is far from the only body to add the deterrents of financial sanction and public criticism to those whose weak systems and controls make them vulnerable to the risk of financial crime. The Carphone Warehouse and its sister company TalkTalk currently face the prospect of prosecution prompted by concerns raised by the Information Commissioner’s Office. Such actions – with some assistance from spectacular public-sector mishaps with personal data (including the loss of 25 million people’s personal data by HM Revenue & Customs) – are helping to make how a business protects customer data and deals with the risk of crime a factor that increasingly influences consumer choices.
By Robert Turner, partner, Simmons & Simmons. E-mail: email@example.com. Tel: 020 7825 4937.