Datonomy talks to Harry Taylor of Harry Taylor Consulting Ltd, an independent consulting actuary and management consultant with over 30 years' commercial experience of insurance, pensions, investment and banking, about the FSA and data security:
It is clear the FSA are taking a tougher line on regulatory breaches with higher and more punishing fines.
As long ago as March 2009 the Financial Times reported on comments by FSA Chief Executive Hector Sants responding to accusations that the FSA has not been sufficiently tough on insider trading and other financial crimes. Mr Sants said: “There is a view that people are not frightened of the FSA. I can assure you that this is a view I am determined to correct. People should be very frightened of the FSA.” His comments came after the FSA faced heavy criticism for its scrutiny of banks and other financial institutions during the boom. Under the principles-based approach that influenced regulation around the globe, the FSA set broad guidelines for financial standards, believing that they would cover more than a handbook of specific rules.
So how will this new tougher approach emerge in practice? Obviously, more intrusive scrutiny and challenge are certain for regulated firms. But what of the future approach to the ensuing FSA fines for regulatory breach?
It has been suggested that fines may include clawing back a proportion of any ‘extra profits’ arising in the firm which are attributable to the rules breach. So, for example, this could remove bumper profits gained by overly aggressive and inappropriate sales of a high-margin retail financial product.
The natural extension of this line of thinking is even more interesting to consider.
Let us suppose that future fines include a portion of any costs saved by a firm choosing not to put in place appropriate risk control mechanisms which subsequently are shown to contribute to a rules breach. After all, saving costs also has a direct impact on bottom line profit.
Bluntly, any firm which is saving money short term by not implementing a set of recommended data security improvement measures may just end up paying double when things go ‘pear-shaped’. That is a false economy, and a bit like gambling ‘double or quits’, which is always a risky strategy!