Friday, March 12, 2010

Human element is weakest link in bank security

By Haig Simonian

Published: March 11 2010 21:59

Not impregnable: HSBC has beefed up procedures


Quite how Hervé Falciani obtained details about more than 15 per cent of the customers of HSBC’s Geneva private bank may remain a secret of banking history, but the repercussions are already being felt.

Mr Falciani evaded the two basic principles of private banking security. For decades, Swiss private banks have worked on the principle of “cells”, restricting the amount of sensitive information available to any one individual. And, aware of the risks in their business, the banks instituted policies whereby only their most trusted employees had access to the most sensitive information.

Mr Falciani jumped both hurdles. As an employee of six years’ standing – he joined HSBC in 2000 and perpetrated his theft in 2006 – he was well-regarded enough to have sufficient access. Ironically, the project on which he was engaged – which presumably explains why the “cell” system did not work – was a scheme to “migrate” the bank’s account information to a more secure database.

HSBC itself had no knowledge of Mr Falciani’s extra-curricular activities until informed by the Swiss Federal Prosecutor’s office in December 2008, some two years after the theft.

Alexandre Zeller, chief executive of HSBC’s private bank (but working elsewhere at the time of the theft) told the Financial Times that the bank had been told in the summer of 2008 by Swiss investigators that they suspected data theft after a tip-off from a Lebanese bank.

On December 22 2008, Mr Falciani was arrested and interrogated. That night, he fled Switzerland with his family for France, and was immediately fired by the bank.

What happened next is unclear. Mr Falciani has claimed he offered the data to the French authorities out of outrage at the tax evasion he had detected while working at HSBC.

Once Mr Falciani was a fugitive, Swiss investigators contacted their French counterparts for help. This appears to have alerted the French authorities to Mr Falciani’s existence and the material at his disposal.

The case came against spiralling French efforts to track down tax evaders, and repeated claims by Paris to have access to unspecified lists of names. By last December, the issue had grown into a Franco-Swiss diplomatic row, with Bern suspecting the French government of possibly paying for stolen data.

Even now it remains unclear how the row was defused. Swiss politicians have said the French agreed to return the HSBC data and not use it for legal requests for help in tracking down tax dodgers. Bern has also implied that Paris agreed not to pass on information to other states.

HSBC – which had originally played down the theft, saying fewer than 10 clients were involved – has apologised to clients and stressed its efforts to bolster security. It said on Thursday it had spent more than SFr100m ($93.6m) on upgrades.

Mr Zeller declined to give details. Other banks talk of big investment in hardware – from computers without USB ports or disc drives to prevent information being copied – to specialised USB memory sticks.

Such steps will help to prevent abuse. But private bankers acknowledge the human element will remain the weakest link.

The willingness of foreign tax authorities to pay for stolen information may only increase the temptation for rogue employees.

Copyright The Financial Times Limited 2010.
