EMBARRASSED bosses at a York-based insurance giant have told customers "we're sorry" after it was hit with a record fine for leaving them open to identity fraud.

Norwich Union Life was ordered to pay £1.26 million, and received stinging criticism from a financial watchdog, because slack security controls allowed fraudsters to pocket £3.3 million by pretending to be policy-holders.

They cashed in by using publicly-available information - such as names and dates of birth - to con call-centre workers into believing they were dealing with genuine customers, asking them to change address and bank account details, surrender policies and send the proceeds to their own accounts.

Between April and July last year, they used this information to request the surrender of 74 policies - including nine belonging to directors of Norwich Union's owner Aviva - and tried to profit from 558 more, obtaining confidential customer information virtually every time.

Their con was first spotted when fraudsters tried to benefit from an ex-Aviva director's policy, after which the company moved to protect directors.

But the FSA accused it of then taking "inadequate steps" to reduce the risk to the rest of its customers.

A Kent Police investigation has seen six men and two women charged with various offences relating to the fraud, while another man has been given a two-year suspended prison sentence and a 200-hour community order for possessing identity documents with intent and three offences under the Proceeds of Crime Act.

The penalty imposed on Norwich Union Life - which is one of York's biggest employers and has 6.8 million UK customers - by the Financial Services Authority (FSA) is its biggest-ever fine against one company for fraud, and would have been increased to £1.8 million if it had not been quickly settled.

The FSA said Norwich Union Life had "let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure", and did not react quickly enough when its own compliance department flagged up the dangers.

Norwich Union Life has blamed weaknesses in its internal control systems for the fraud, and has fully reimbursed customers affected, with anti-fraud safeguards being stepped up following an internal review into the lapse.

"We're incredibly sorry and clearly embarrassed about this as no breach of confidentiality is acceptable," said Cathryn Riley, the company's chief operating officer.

"Although no customers have suffered any financial loss, we obviously regret it and have apologised to those affected.

"We have changed a lot of things, particularly our practices and procedures, taken disciplinary action where appropriate, and carried out significant amounts of training to remind staff to make sure they follow procedures correctly. Wherever we have needed to take steps, they have been taken.

"We accept there were weaknesses and it was not good enough. We took swift action, but where we hold our hands up is that we were not quick enough to spot a wider trend, although the action we took prevented this being more widespread.

"It was unprecedented, and clearly in this day and age we cannot give guarantees that fraudsters will not act - no company can - but we are very confident that the steps we have taken will make it very difficult for them and prevented this fraud becoming more widespread.

"We hope this will not damage our reputation and we believe customers can have confidence in us, both now and in the future."

The news was followed by Aviva's share price dropping by 29.5p, to £6.44 a share, at close of trading yesterday.

* Have you been affected by the Norwich Union Life insurance scam? Phone Mark Stead at The Press on 01904 567131, or email mark.stead@ycp.co.uk.


The watchdog presents its verdict

THE FSA said: "The FSA found Norwich Union Life had failed to properly assess the risks posed to its business by financial crime, including fraudsters seeking to obtain customers' confidential information.

"As a result, its customers were more likely to fall victim to financial crimes such as identity theft.

"Norwich Union Life also failed to address the issues, highlighted by the frauds, in an appropriate and timely manner even after they were identified by its own compliance department.

"The failings happened at a time of increasing awareness across the UK about the importance of information security.

"Norwich Union Life co-operated fully with the FSA in the course of the investigation.

"It has taken a number of remedial actions, including co-operating with the police to identify and arrest the fraudsters and carrying out a review of its information security processes.

"Norwich Union has reinstated all surrendered policies in full."

The FSA's director of enforcement, Margaret Cole, said: "Norwich Union Life let down its customers by not taking reasonable steps to keep their personal and financial information safe and secure.

"It is vital that firms have robust systems and controls in place to make sure customers' details do not fall into the wrong hands.

"Firms must also frequently review their controls to tackle the growing threat of identity theft.

"This fine is also a clear message that the FSA takes information security seriously and requires that firms do so."


How call centres were targeted

* Starting in April 2006, telephone callers, using information gleaned from public sources such as Companies House, contacted Norwich Union Life call centres pretending to be genuine customers.

* By providing customers' full names, addresses, postcodes and dates of birth, they satisfied caller identification procedures and obtained access to customer information, including policy numbers and bank details.

* Using this, they were able, through a series of calls, to request amendments to Norwich Union Life records, including changing addresses and bank details. False written surrender requests were sent in and, in 74 cases, money was paid out to the fraudsters' accounts.

* The series of calls was made in quick succession - five calls in one day were made about one policy, and in another case three calls were made in 12 minutes.

* The FSA found that even if call handlers had been suspicious and reported it to Norwich Union Life's fraud team - whose response time was 24 hours - the team might not have responded in time. As call handlers did not record their suspicions on caller records, and handlers differed from call to call, when a fraudster rang back the next handler was unaware a series of calls was being made.

* The company's compliance department first became aware of the frauds in May 2006 and highlighted a number of weaknesses, including caller identification procedures. Their recommendation that callers should provide policy numbers was not accepted, because it would impact on customer service levels and lead to customer dissatisfaction.

* By July 2006, Norwich Union Life knew how the fraudsters worked, but the caller ID procedures were not changed. That month, the company realised targeted customers included existing and former Norwich Union Life and Aviva Group directors. The FSA said the company focused on the risks to these policyholders rather than all customers, who were not protected further until September.

* In November 2006, procedures were amended so policy numbers and bank account details could not be disclosed over the phone. Much of the stolen money has now been recovered.
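
The call patterns in the timeline above (three calls in 12 minutes, five calls in one day, address and bank details changed in succession) are visible only when calls are grouped by policy rather than by handler. The following is an added example, not code from Norwich Union Life or the FSA; the log format, policy and handler identifiers and request names are constructed, and the thresholds are assumptions taken from the two patterns the article reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call log: (timestamp, policy, handler, request).
CALLS = [
    ("2006-04-03 10:00", "P-1001", "h1", "balance_query"),
    ("2006-04-03 10:05", "P-1001", "h2", "change_address"),
    ("2006-04-03 10:11", "P-1001", "h3", "change_bank"),
    ("2006-04-03 09:00", "P-2002", "h1", "balance_query"),
    ("2006-04-20 15:30", "P-2002", "h4", "change_address"),
    ("2006-04-05 09:00", "P-3003", "h1", "balance_query"),
    ("2006-04-05 11:00", "P-3003", "h2", "balance_query"),
    ("2006-04-05 13:00", "P-3003", "h3", "change_address"),
    ("2006-04-05 15:00", "P-3003", "h4", "balance_query"),
    ("2006-04-05 17:00", "P-3003", "h5", "change_bank"),
]

# Assumed thresholds: N calls on one policy inside a time window.
RULES = [("burst", 3, timedelta(minutes=12)), ("daily", 5, timedelta(days=1))]

def flag_policies(calls, rules=RULES):
    """Return {policy: sorted reasons} for policies whose call series needs review."""
    by_policy = defaultdict(list)
    for ts, policy, handler, request in calls:
        by_policy[policy].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), handler, request))
    flagged = {}
    for policy, events in by_policy.items():
        events.sort()  # chronological order, regardless of which handler took the call
        reasons = set()
        for name, count, window in rules:
            # Sliding window: any `count` consecutive calls that fit inside `window`.
            for i in range(len(events) - count + 1):
                if events[i + count - 1][0] - events[i][0] <= window:
                    reasons.add(name)
                    break
        # Address and bank details both amended within one day of each other.
        addr = [t for t, _, r in events if r == "change_address"]
        bank = [t for t, _, r in events if r == "change_bank"]
        if any(abs(a - b) <= timedelta(days=1) for a in addr for b in bank):
            reasons.add("detail_changes")
        if reasons:
            flagged[policy] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    print(flag_policies(CALLS))
```

Because the check keys on the policy, it does not depend on any single handler noticing or recording a suspicion.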


Pledge to the customers

NORWICH Union Life's chief executive, Mark Hodges, said: "We are sorry that this situation arose and apologised to the affected customers when this happened."

He said all seven million of the company's customers were protected by its promise that they would be fully reimbursed, and receive help and support, if they were the innocent victims of fraud.