Chris Skinner's blog

Shaping the future of finance

FSA’s data hypocrisy

Chris Skinner Author Avatar
by

I had a fascinating conversation with a group of information security professionals yesterday. 

We
were talking around the issues of data leakage and covered a wide
variety of subjects from accidental leakage to deliberate theft, from
human frailties to ISO27001 standards, from the challenges of ensuring
users find it easy to get the information they need to the issue of
blocking unauthorised access and implementing layers of security, and
so on.   To be honest, we could have debated for days rather than an
hour and a half.

During the conversation, there was one moment that really surprised me.   

One
of the banks had been severely beaten up by the UK’s regulator, the
Financial Services Authority (FSA), over their lackadaisical approach
to data security.  As a result, this firm has really tightened up their
policies.  They don't allow any laptops or systems on or off the
premises without security checks, all PC's and laptops have their USB
ports blocked to stop any data leakage through memory sticks, and all
email is sent using secure servers and high levels of encryption.

The
email systems they use, in fact, are based upon PGPU, the PGP Universal
Gateway.  If you're not familiar with PGPU here's the write up from
their website:

"Unprotected
email poses a critical risk to an enterprise’s most sensitive data:
customer information, financial data, trade secrets, and other
proprietary information. Exposure of this information can result in
financial loss, legal ramifications, and brand damage.  PGP Universal
Gateway Email provides centrally managed, standards-based email
encryption to secure email communications with customers and partners.
By encrypting data at the gateway, PGP Universal Gateway Email ensures
data is protected from unauthorized access in transit over the public
Internet and at rest on a recipient’s mail server. With PGP Universal
Gateway Email, organizations can minimize the risk of a data breach and
comply with partner and regulatory mandates for information security
and privacy."

Excellent. 

After all, the biggest exposure for data loss is surely as you move files of information around between organisations?

Trouble
is that the FSA cannot receive PGPU emails because their systems aren't
up-to-date enough to allow such emails through their internal mail
servers. 

So the bank set up a bank-hosted secure server
which could hold their FSA directed emails.  The idea being that FSA
staff could access the bank’s server to download emails.  However, that
didn't work because the FSA's firewall blocked staff from accessing the
bank's secure server!

I thought this couldn't be true, but the story was backed up by other banks in the room who use PGPU encrypted email systems.

In
other words, the FSA beats up these banks about their tardy internal
data security standards, so the banks overhaul everything to conform
and kowtow, only to find they can't tell the FSA about what they've
done because the FSA is unable to communicate with their newly secure
bank servers.

Smacks a bit of regulatory hypocrisy if you ask
me.  Mind you, with so many data leaks from government departments, is
it that surprising?

Maybe the FSA should give themselves a fine.

RegulationCategories
Chris Skinner Author Avatar

Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News. To learn more click here...

Intelligent Money: Our Future Is Where We Do Not Think About Money, As Our Money Thinks For Us

What is the future?

Learn more

Learn more about Chris

About Chris Skinner

The Past, Present And Future Of Banking, Finance And Technology

Fintech expert Chris Skinner: countries need digital transformation to remain competitive

Join me on Linkedin

Follow Me on X!

Hire Chris Skinner for dinners, workshops and more

Learn directly from from one of the most influential people in technology, gain insights from the world's most innovative companies, and build a global network.

Chris’s latest book

Order now

Chris Skinner’s ‘Intelligent Money’ Book Launch Event

Lifetime Achievement Award

Kids creating the future bank | TEDxAthens

Alex at the Financial Services

Gaping Void's Hugh MacLeod worked with the Finanser