Tuesday, February 27, 2007

Information Security

Regulators are getting concerned with financial firms' customer data protection. For instance, last year HKMA highlighted some weaknesses of some banks' control measures in this area.

FSA recently fined Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information security risks. Nationwide is the UK's largest building society and holds confidential information for over 11 million customers.

The failings came to light following the theft of a laptop (containing confidential customer information) from a Nationwide employee's home last year. Although Nationwide reported the case to the police, the Information Commissioner and FSA, it was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.

During its investigation, FSA found that the building society did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. Unfortunately, Nationwide's failings occurred at a time of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.

To mitigate the seriousness of its failings, Nationwide has:
  • implemented additional measures to increase security around Nationwide accounts including increased anti-fraud measures and monitoring of suspected fraudulent activity;
  • disabled the remote access facility, preventing access from the stolen laptop to the live Nationwide system;
  • written to all customers explaining the loss of information and measures customers can take to minimize the risk of identity theft;
  • confirmed that it will reimburse any customer who has suffered financial loss as a result of the theft;
  • commissioned an independent and comprehensive review of its information security procedures and controls.

Loss of laptops has also happened in HK banking, but it seemed that HKMA took a more lenient regulatory approach.

Thursday, February 22, 2007

Family Business of Insider Trading

Now that "hedge fund" has become a household term, many amateur investors are tempted to set up their own private hedge funds to engage in speculative or even illegal trading activities. They may wrongly believe that the regulators would not care if their funds are not raising money from the public.

SEC recently charged seven individuals with involvement in an insider trading scheme that netted over US$3.7m in profits made or losses avoided over four years. The defendants include a father and his three sons, a family-run hedge fund, and other relatives and friends. This was a "family business" of financial crime!

The father Zvi Rosenthal, formerly a VP at Taro Pharmaceuticals Industries, tipped his sons with confidential information concerning at least 13 separate Taro announcements, including earnings results and drug approvals by the Food & Drug Administration. The family pooled their money into a hedge fund in order to conceal their insider trading of Taro stocks & options.

In addition, one of the sons tipped his supervisor at his law firm, a friend who worked at an accounting firm, and his father-in-law. Two of the defendants are also charged with using confidential information (about two possible mergers of other entities) obtained from their respective employers PwC and E&Y.

What a professional team of insider trading!

Thursday, February 15, 2007

Parking of Licenses

Since the exam regime was introduced in the HK securities industry, maintenance of a license with SFC (or registration with HKMA) by individuals has become necessary even if they are unemployed. If you have quit the industry for more than 3 years, you are required to take the licensing exam again. SFC and HKMA are sensitive to those "dormant" licensees or registrants.

NASD recently fined 4 Boston-based Fidelity broker-dealers for improperly maintaining NASD registrations and other failures. One of them is Fidelity Distributors Corp (FDC), the principal underwriter of the Fidelity family of mutual funds. FDC permitted certain employees hired by the investment adviser FMR Co. to "park" NASD licenses they held prior to joining Fidelity, even though they did not perform any functions for the broker-dealer.

NASD further found that the 4 Fidelity broker-dealers improperly maintained registrations for 1,100 individuals who did not perform jobs for which an NASD licence is required or permitted. They effectively gave those individuals the ability to re-join a brokerage firm at a later time without the re-testing required of those who are unregistered for two or more years. In addition, they failed to assign registered supervisors to 1,000 registered individuals and ensure that the individuals complied with NASD rules.

Other failures included:
  • Some FMR Co. investment advisor traders whose licenses were parked at FDC received excessive gifts and entertainment from employees of brokerage firms who sought business from FMR Co. FDC failed to monitor such conflicts of interest.
  • The Fidelity broker-dealers failed to retain emails of all registered individuals as required by NASD rules.

I am sure that parking of licenses is also a problem in HK.

Tuesday, February 13, 2007

AML & High Risk Accounts

NASD recently fined Banc of America Investment Services, Inc. (BAI) US$3m in connection with the firm's failure to comply with anti-money laundering (AML) rules.

NASD found that BAI failed to obtain required additional customer information for high risk accounts. The 34 accounts at issue involved trust and private investment corporations domiciled in Isle of Man and apparently affiliated with one family. The offshore entities located in Isle of Man collectively held from US$79m to US$93m in assets and engaged in multi-million-dollar wire transfers across international boundaries.

At the time the accounts were opened in Aug 2003, BAI had established AML procedures designed to address certain customer account risks by requiring additional information from the account holders, specifically the names of beneficial owners, before conducting substantial transactions.

Nevertheless, from Aug 2003 to Oct 2004, BAI did not require the names of beneficial owners and never restricted the account activities. BAI allowed the accounts to engage in large wire transactions despite the advice from a senior lawyer of BAI, a determination by the BAI risk committee and repeated requests by its clearing firm that the beneficial ownership information must be obtained.

BAI's compliance program for reporting suspicious transactions was also inadequate. While BAI relied on its parent bank to determine whether a suspicious activity report (SAR) should be filed, BAI did not ensure that there was adequate communication between BAI and its parent.

This case should be shared among those private bankers in HK.

Thursday, February 08, 2007

Misuse of Reinsurance Contracts

SEC recently settled securities fraud charges (US$50m penalty involved) against MBIA Inc., one of the US's largest insurers of municipal bonds, for a sham reinsurance transaction to mask a huge loss in its financial statements.

In 1998, the Allegheny Health, Education & Research Foundation (AHERF) defaulted on bonds guaranteed by MBIA, which was then forced to make good on its guarantee. MBIA addressed analyst concerns by representing that it had obtained reinsurance to cover its expected losses.

In fact, MBIA had agreed through concessions on other "high premium, low risk" reinsurance agreements to compensate the reinsurers for the losses they were certain to incur on the AHERF contracts. The improper use of reinsurance contracts enabled MBIA to convert its first-ever quarterly loss into a profit and reverse the decline in its stock price.

In another similar case, SEC also settled securities fraud charges against RenaissanceRe Holdings Ltd. (RenRe), a property catastrophe reinsurance company, for creating a sham reinsurance transaction that had no economic substance and no purpose other than to smooth and defer over US$26m of earnings from 2001 to 2002 and 2003. In effect, the transaction enabled RenRe to create a "cookie jar" into which it put excess revenue in one good year, to be pulled out in a future year to increase income.

These cases sound like another Enron story!

Tuesday, February 06, 2007

Contract Certainty

FSA recently announced that the UK insurance industry has met the challenge laid down to achieve a solution to "contract certainty".

According to the industry working groups, contract certainty is achieved by the complete and final agreement of all terms (including signed lines) between the insured and insurers before inception, and in addition:

  • the full wording must be agreed before any insurer formally commits the contract; and
  • an appropriate evidence of cover is to be issued within 30 days of inception.

In Dec 2004, John Tiner (FSA's chief executive) challenged the insurance industry to end the "deal now, detail later" practice in the UK, giving it 2 years to find an industry solution or face regulatory intervention. Lack of contract certainty creates risks for policyholders, insurers and brokers:

  • Policyholders do not know exactly what protection they have bought.
  • Insurers have an incomplete knowledge of the risk they have underwritten.
  • For brokers there are large and unquantifiable legal risks.
  • Delays create treacle in the back office and ever longer, more arduous reconciliations.

FSA has monitored the progress by working with the industry groups and the industry reported that most of the insurance contracts are now achieving contract certainty.

Contracts for financial products are becoming less comprehensible today due to the use of technical jargon and legal words. On the other hand, use of plain language and simplified versions may reduce accuracy and certainty. It is a big challenge to produce a user-friendly but informative contract.

Thursday, February 01, 2007

A Banned IFA

Last week FSA placed a ban on an independent financial adviser (IFA), Mr Piggott, prohibiting him from carrying out any regulated activities in the financial services industry. This was a very interesting case because a series of acts of misconduct and many victimized consumers were involved.

The ban follows a decision made by the Financial Services and Markets Tribunal on 2 Jan 2007. The Tribunal's unanimous decision was that Mr Piggott was not a fit and proper person. Mr Piggott's name will appear on the list of prohibited individuals which is publicly available on the FSA's website.

As a summary of a number of events, the Tribunal concluded that:
  1. In his dealings with customers and in the courts Mr Piggott knowingly relied on forged documents. He also recommended lying to an insurance company.
  2. He repeatedly failed to implement accurately the instructions he received from clients. Customers and others encountered difficulty in contacting him in order to progress their business or deal with queries.
  3. He sought to intimidate others with threats of litigation, with verbal abuse, and even with threats of physical violence.
  4. He gave false and incomplete information to prospective employers and to FSA, including an inaccurate CV, a bogus reference, and inaccurate details on applications.
  5. He persistently failed to co-operate and be open with FSA.
  6. He left behind a trail of unpaid debts. Many who dealt with him suffered loss and have not been compensated.

We may probably treat this guy as a devil IFA!