The FSA has fined Capita Financial Administrators Limited (CFA), a third party administrator of collective investment schemes, £300,000 for poor anti-fraud controls over client identities and accounts.
The FSA found that CFA had inadequately considered the risks posed by fraud and had not maintained effective systems and controls to mitigate the risk of fraud. This is the first time the FSA has fined a firm for failures of anti-fraud systems and controls.
The failures in controls contributed to a small number of significant actual and attempted frauds against the firm's customers. These appear to have been facilitated by colluding CFA staff. The initial frauds were not discovered by CFA but instead were brought to the firm's attention by clients.
Philip Robinson, Financial Crime Sector leader said:
"With fraud becoming an increasing menace, firms must fully understand the risks they face and have robust anti-fraud controls in place.
"The nature of CFA's business, because it holds information on client identity, makes it particularly vulnerable to fraud. Yet the firm failed to adequately consider this risk in the business.
"Our recent report on fraud governance found that parts of the financial services industry can do more to protect themselves and this case demonstrates that we take a firm's failures seriously."
CFA is a third party administrator that is responsible for carrying out client instructions to buy and sell investments. In August 2004, CFA discovered that a client's name and address had been changed and the sale of units was being processed without instructions from the client. The firm then found that the data for five other clients had been subject to unauthorised changes. Fraudulent requests for payments totalling £1,134,938 had been made but were stopped from going ahead by CFA.
In September and December 2004, CFA discovered further actual and attempted frauds, including instructions for £417,321 being processed for 20 clients. Actual fraudulent payments totalling £328,241 were made.
The weaknesses in systems and controls contributed to the frauds. There were insufficient controls to ensure that changes to client data and instructions for payments were genuine or that payments were not made to accounts that were not controlled by clients. CFA did not ensure that procedures to mitigate fraud risk were adequately implemented and that fraud awareness training was appropriate.
Since the frauds were discovered, the Capita Group has put in place an effective remedial programme at CFA. It has taken a positive approach to improving systems and has implemented controls at CFA that are consistent with best practice in the industry. CFA also took prompt action to ensure that its clients did not suffer financial loss as a result of the frauds.
The matters set out in this notice refer to the actions of CFA and not the wider Capita Group.
Background
- The full text of the final notice includes background to the case, the relevant statutory provisions and the regulatory requirements contravened.
- CFA's penalty is in respect of breaches of Principle 2 and Principle 3 of the FSA's Principles for Businesses and breaches of Senior Management Arrangements, Systems and Controls SYSc 3.2.6R
- On 27 February 2006, the FSA published its report on fraud governance in financial services firms (see press release 014/2006)
- On 26 October 2004 Philip Robinson's speech set out the FSA's approach to fighting fraud in partnership.
- The FSA regulates the financial services industry and has four objectives under the Financial Services and Markets Act 2000: maintaining market confidence; promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; and fighting financial crime.
- The FSA aims to promote efficient, orderly and fair markets, help retail consumers achieve a fair deal and improve its business capability and effectiveness.