The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
Finance Sector - a Roundup of all the Current News Items, Newest First


Current News Updates

A Summary of Finance News and Topics on Compliance and Privacy

We gather together topics for the Finance sector

To avoid long load times, news is archived periodically. If you can't find what you are looking for on this page, please refer to our archives. Please use the search engine for ease of retrieval.

See also Finance Mentor for general finance news and views

MiFID – Outsourcing continues to be an issue

A recent survey by City law firm Field Fisher Waterhouse has indicated that a significant percentage of outsourcing agreements signed by MiFID-impacted firms still fail to comply with the basic requirements of the directive. Whereas other regulations such as Basel II and Sarbox impact outsourcing by extrapolation of their rulings, MiFID is different in that it specifically refers to outsourcing and makes demands on outsourcing contracts, requires actions of supervisors and differentiates according to where the outsourcing service is located.

The overall impact will be to require substantial re-writing of existing outsourcing contracts and potentially brings the outsourcing vendors into the supervision of national regulators. This was recognised by the UK's Financial Services Authority, which released specific guidance in May; see Chase Cooper News of 17th May.

Read the Chase Cooper article

MiFID: 50% say regulators slipping on guidance

With less than 100 days before the 1 November deadline many financial services firms are unhappy with the support they are receiving from their national regulators as they prepare for the Markets in Financial Instruments Directive, found a survey by SunGard and TradeTech. Half the 300 respondents stated that their national regulators were either “bad” (32%) or “very bad” (19%) in helping them to get ready for the directive.

In the UK, respondents were divided on whether the Financial Services Authority's minimal guidance, principles-based approach to MiFID was a good one – only 54% believed that this is “the best approach to prevent regulatory overload”, with the remaining respondents stating that this approach “makes it difficult to understand exactly what requirements the FSA desires, adding to the compliance task”.

The survey showed an overall increase in MiFID readiness – 53% of respondents now believe their preparations for the directive are “ahead” or “right-on-track”, compared with just 34% in September 2006. However, opinions are still divided on whether MiFID will have a positive impact. The majority (54%) of institutions surveyed state that they see MiFID as just “another piece of compliance”. In addition, only 42% of respondents believe that MiFID will be good for Europe's economy in the next 5 – 10 years, with over a third still undecided.

Read the Banking Technology article

Reg NMS and MiFid...Together Forever?

Is there a possibility that MiFid and Reg NMS could one day be accepted by regulators on both sides of the Atlantic as being equivalent?

While financial services firms in the U.S. have been gearing up this year for the full implementation of Reg NMS, companies in Europe have been preparing for MiFid. (Well, actually only 8 of the 27 EU member states have so far implemented the legislation into their domestic law.)

Now, the head of the Centre for European Policy Studies (CEPS) is urging the European Commission to look into the similarities and differences between MiFid and Reg NMS.

Karel Lannoo, chief executive of CEPS, says both pieces of legislation came into effect at around the same time, and both are aimed at "updating regulation to reflect technological changes and market developments."

Read the Wall Street Technology article

More investment managers using web for reports

Investment managers are increasingly delivering client reports online, according to research by Rhyme Systems, an asset management services company.

A survey of managers at a Rhyme Systems workshop shows there is a growing trend towards web delivery and a need for greater reporting flexibility to accommodate changing client needs.

The research also suggests all client reports might need to be bespoke but raises questions about how to charge the cost to the customer.  However, most firms surveyed do not measure the cost of producing individual client reports.

There is also a trend towards integrating client reports across a business rather than using a separate service.

Read the IFA Online article

Thales launches end-to-end security consultancy service for compliance with UK's Faster Payments Scheme

Financial institutions involved in ‘second wave’ of compliance will require specialist security consultancy and products to mitigate increased security risks

Thales has announced the launch of an end-to-end security solution for Faster Payments aimed at mid-tier banks and corporate treasury departments. Many of these organisations will be considering how to meet the Faster Payments regulation after the 13 member banks go live in the ‘first wave’ of compliance in November.

Thales' end-to-end security service, covering physical, technical, human and organisational security, will be essential if financial institutions and treasury departments are to mitigate the increased security risks associated with the Faster Payments scheme.

The Faster Payments process will initially enable funds of up to £10,000 for internet and phone banking to be transferred in a matter of seconds and for funds of up to £100,000 to be transferred before 06.00 am on the due day of standing orders. While the benefits for consumers are obvious, it will also allow fraudsters to move funds from account to account and convert these funds into cash or goods within a couple of hours. As a result, the security risk profile of transactions using the Faster Payments platform is significantly altered, making it a potentially higher value target. It is therefore likely that the Faster Payments environment will face increased scrutiny by organised crime, with future attacks exploiting a blend of external and internal vulnerabilities.

Read the article

MIFID-EU executive to step up non-compliance legal action

BRUSSELS, June 26 - The European Commission will step up legal action against 24 European Union countries for being late to introduce sweeping new share trading rules into national law.

"We will step up the 24 legal actions tomorrow," an EU source said on Tuesday.

Only three EU states -- Britain, Ireland and Romania -- introduced the bloc's Markets in Financial Instruments Directive (MiFID) into national law by the Jan. 31 deadline.

Read the Reuters article and the Reuters update

Technology stalls take-up of algorithms

Fund managers in Europe have been slow to embrace algorithmic trading compared with their US counterparts. Poor technology has been blamed and, while the markets in financial instruments directive may eventually encourage algorithmic trading, fund managers' time and resources are focused on other projects.

Algorithms make up 12% of trading volume at asset managers using the systems in Europe (see chart) and the share has nearly doubled in the past year. Some fund managers and technology providers say use of this advanced electronic trading tool will accelerate.

Michael Holman, head of global trading at Axa Rosenberg Investment Management, said: “The take-up in Europe has been fairly rapid in the past six to nine months. There's a lot of pressure on fund managers to change because of the increasing concentration on (execution) cost savings.” He expects algorithmic trading to reach 28% to 35% of total trading volumes in Europe.

Read more in Financial News Online

Financial services CIOs reveal investment priorities

One-fifth of this year's CIO50 list is represented by the financial services sector. With the industry still dominated by pressure to keep costs down and with little growth in tech budgets forecast for the next three years, Andy McCue talks to two financial services CIOs about current investment priorities and future trends...

Financial services has traditionally been, and still very much is, the industry that spends the most on technology, both pound for pound overall and in terms of the percentage of company revenues set aside for the IT budget.

The current figures are truly eye-watering. In UK retail banking alone - just one segment of the massive financial services vertical - IT spend is tipped to reach almost £10bn this year, according to analyst Gartner's latest forecasts. In securities that figure is £6.6bn while in insurance the total is £5bn.

But despite the huge headline figures the underlying trend is still one of caution when it comes to IT investment. Gartner is only predicting compound annual growth of around five per cent in financial services IT budgets through to 2010.

Read the article

Alternative trading systems in Europe face post-MiFID hurdles, says Celent

Alternative trading systems in Europe will struggle to increase trading volumes, despite catalysts such as MiFID, according to Celent, a Boston-based financial research and consulting firm. The most likely scenario, in the near term, is that equity execution options will increase, but little liquidity will be siphoned away from the traditional exchanges.

Celent estimates that in the UK, ATSs have attracted less than 0.5% of the equities market, and that in Germany this number is lower still, essentially close to 0%. In France, Italy, and Spain, with concentration rules severely limiting off-exchange trading, the volume of equities trading in ATSs is, not surprisingly, about 0%.

By 2011, Celent predicts that ATSs in Europe will have captured only 5% market share. Off-exchange equities account for a sizable 11% of total transactions in Europe. The on-exchange equities market is of course significantly larger at 54% of total European transactions.

Read the Tekrati article

MiFID – best execution still a concern – and the Boat sails on

Best execution requirements under the EU's Markets in Financial Instruments Directive (MiFID) remain the "biggest piece of work" in firms' MiFID projects according to the MiFID mid-tier special interest group, the Financial Services Discussion Club , at their monthly meeting in London on June 4th.

The conditions stipulated under best execution were seen as the main challenge for firms, as members detailed the issues in putting appropriate policies together. There was particular concern about synchronising best execution policies between buy-side and sell-side firms. Many buy-side firms were waiting on information from sell-side counterparts in order to put best execution policies together and were concerned at the diminishing time-frame available to them before November this year to complete this part of the project. Traders' increased responsibility to document that best execution policies have been followed was also seen as a taxing issue.

Read the Chase Cooper article

Think tank highlights five keys to MiFID compliance

Key hotspots have been identified that financial institutions must address if they are to comply with the forthcoming Markets in Financial Instruments Directive (MiFID).

The hotspots have been pinpointed by 15 leading technology providers who are members of the JWG-IT Technical Special Interest Group (TechSIG) financial industry think tank.

The TechSIG members have allocated resources to three work teams to drill down on what is required of complex infrastructures, applications and data architectures once the directive comes into force this November.

The directive seeks to create a standardised financial services industry operating framework across Europe.

Read the Computer Weekly article

MiFID: CESR's final Level 3 guidelines

The Committee of European Securities Regulators has published its final set of guidelines on Level 3 of the Markets in Financial Instruments Directive, clarifying some important issues of the legislation, due to take effect in November.

CESR's final MiFID Level 3 guidance and recommendations, published at the end of last month, cover inducements, best execution, passporting and transaction reporting, and focus on the operational aspects that arise as a consequence of the provisions of the Directive and its implementing measures, and on “identifying practical solutions to address the regulatory challenges to ensure certainty amongst market participants”.

The recommendations go a long way to removing some of the uncertainties that remain for firms implementing MiFID. Alan Jenkins, European head of MiFID at BearingPoint, welcomed the recommendations on transaction reporting, saying that they “could just about be characterised as a breakthrough” and were “remarkably liberal”. In other areas, he said that there was now “good clarity”, though it was not all that investment firms could have hoped for.

Read the article in Banking Technology

FSA withdraws IDD and Menu from MiFID plans

The FSA has withdrawn plans to include Initial Disclosure Documents and the ‘Menu’ on top of the information requirements for the Market in Financial Instruments Directive.

In January the FSA submitted a notice to the European Commission stating its intention to retain the rules concerning IDDs and the Menu which meant its regulations would go beyond the provisions of MiFID.

Following this decision the FSA commissioned research by CRA International to investigate the benefits of the Menu; however, the results found only limited evidence that the ‘Menu’ has reduced provider bias in advice sales.

Read the article in IFAOnline

MiFID - FSA confirms Industry Guidance on outsourcing

The Financial Services Authority (FSA) today (16 May 2007) confirmed that its supervision of outsourcing by firms will in future take account of industry guidance which has been issued by MiFID Connect.

This is the first guidance developed by industry which the FSA has recognised since publishing its Discussion Paper 'FSA confirmation of Industry Guidance' in November 2006, and the first formal Industry Guidance related to the Markets in Financial Instruments Directive. The guidance covers so-called 'common platform' FSA firms - those subject to MiFID and/or the Capital Requirements Directive. MiFID Connect is a joint project set up by 11 trade associations to support their members in implementing the Directive.

The Discussion Paper set out plans to encourage greater use of Industry Guidance as the FSA moves toward a more principles-based approach to regulation.

Read the article

UK Information Commissioner audits HBOS

The Information Commissioner's Office (ICO) is conducting an audit of Halifax Bank of Scotland (HBOS)'s data security procedures after it was revealed that the bank was putting customers' financial documents in ordinary bins.

The act, uncovered by the BBC's Watchdog programme, is in breach of an undertaking to the ICO signed by HBOS earlier this year after it was found throwing out documents containing customer details.

The ICO is conducting an audit of HBOS and its security procedures and will soon examine the evidence gathered by Watchdog. If a breach is found then it will serve an enforcement notice on the bank. A repeat offence in breach of the notice will be a criminal offence and will open HBOS to prosecution.

Read the article

Smart Card Alliance Leads Education Effort on Identity Management

With reports of security breaches increasingly in the news, commercial and government organisations recognising the critical need to strengthen IT security are often turning to cards, tokens and new software solutions. The Smart Card Alliance will lead the discussion on these and other trends in cybersecurity and identity management in its full-day educational session, May 16th from 8:30am to 4:30pm at the SecurTech 2007 conference on secure identification, part of CardTech/SecurTech (CTST) 2007.

"Trusted and secure digital identities are a top priority for government and commercial organisations, but how to get there isn't always clear," said Randy Vanderhoof, executive director of the Smart Card Alliance. "In this session, speakers from top solution provider and user organisations will explore how it is done and in use today, from available technology, to issuance and management of credentials, to real life implementations. It is a must-attend for IT professionals."

Read the article in SDA India

RBS to issue online banking customers with smartcard readers

Royal Bank of Scotland is the latest bank to issue card readers to its online banking customers to help prevent fraud.

Barclays announced a similar move last month. Royal Bank of Scotland has signed a contract with XIRING to supply the readers, and first customers are receiving their personal readers this week.

Read the Computer Weekly article

PayPal security measures help stamp out fraud

PayPal's 133 million online customers are the biggest ocean phishers have to plunder. CISO Michael Barrett wants to make it safe to be in the water; and he's not going at it alone. Backed by PayPal's sophisticated fraud models and help from ISPs and browser makers, Barrett is succeeding in protecting the most-spoofed brand on the Internet.

Can you quantify losses due to phishing for PayPal?
Michael Barrett: Forty-one basis points is the total fraud number [on PayPal's fraud model], and we don't break out where phishing is in that overall mix. I will say: it isn't very high on that list. That's one of the issues here; there is a perception there is a huge problem, whereas the financials don't indicate that. Part of the issue is there's been a certain amount of hype about the magnitude of the problem from a financial sense. I don't at all discount the perception impact, but I don't think the financial impact is what some elements are saying it is.

How does PayPal defend against phishing?
Barrett: One of the back-end defenses we have is a lot of fraud modeling. It's very advanced, and it's resulted in extremely low fraud rates compared to the rest of the financial services industry. We've gotten very good detecting fraud on the back end, so what's [the phishers'] response? They generate more mail on the front end.

Read the full interview at Search

Don't underestimate Mifid IT security, warn experts

Finance companies are leaving themselves open to potential lawsuits because they are underestimating the IT security requirements needed to implement the Markets in Financial Instruments Directive (Mifid), experts have warned.

Ambiguities in the directive mean that organisations are leaving decisions on IT security to business analysts, who are less aware of the need to maintain data integrity, said PJ Di Giammarino, chief executive at consultancy JWG-IT.

"The problem is that Mifid does not define accountability or measures for ensuring IT systems are secure," he said. "Maintaining the security of data is implicit in the directive, but it is not made explicit."

Although Mifid does not spell out what steps IT departments should take to secure data, organisations need to be able to show that they have systems in place to ensure that any sensitive data they are holding has not been compromised. Failure to do so could leave organisations exposed to lawsuits.

Read the Computer Weekly article

Only 13% of Financial Services Firms On Track with MiFID Preparations, Reveals SunGard-TradeTech Survey

SunGard, a leading provider of software and processing solutions for financial services, and TradeTech, a leading research firm, announced today (25 April 2007) that according to the firms' joint MiFID readiness survey, only 13% of financial services firms are confident that they are on track to meet new MiFID regulations. Over 60% of respondents indicated that their preparations for the directive still required some work, despite the rapidly approaching November deadline.

The survey results, taken from the third in a quarterly series of polls undertaken by SunGard and TradeTech, reinforce those of an earlier poll in which over 65% of respondents admitted that they were yet to even identify or plan operational budgets to meet the demands of the directive.

With only three European countries meeting the January 31st deadline for transposition of MiFID regulations to local law, 63% of those surveyed believed that, even if other EU countries failed to meet the November deadline, those countries that were on track should not delay their own implementations. This response comes despite respondents' concerns that MiFID-ready countries may be placed at a competitive disadvantage to those falling behind. Forty-six percent of those surveyed also stated that they remained concerned that their own national regulators would add further complexity to MiFID through the imposition of national laws and additional guidance.

Read the article

Banks prepare lawsuit over TJX data breach

In a move that was widely expected, three New England banking associations and some individual banks announced they will sue TJX Companies Inc. over the data breach that exposed at least 45.7 million credit and debit card holders to identity fraud.

Banks have suffered a heavy financial toll over the breach, having to shell out a significant sum of money to replace compromised cards and cover fraudulent charges traced back to the TJX incident.

The Massachusetts Bankers Association, Connecticut Bankers Association, Maine Association of Community Banks and some individual banks will file the lawsuit in U.S. District Court in Boston Wednesday. Nearly 300 banks are represented by the New England associations.

Dan Forte, president and chief executive of the Massachusetts Bankers Association, told the Associated Press (AP) that his organization will invite other state bank groups from around the country to join the lawsuit, which seeks class-action status.

Read the article on Search

Phishing fraudsters widen net

The number of banks targeted by phishing attacks sky-rocketed in March, according to new figures from the ‘war-room’ of RSA Security, the security division of EMC.

The security outfit's Monthly Online Fraud Report found that 202 banks were struck by cyber-criminals last month, a “dramatic increase” on the 153 attacks recorded in February.

Some ten per cent of brands attacked were located in the UK, placing the country second in the rankings behind the US, which hosted a whopping 73 per cent of attacks.

Read the CRN article

Cowen publishes the Markets in Financial Instruments and Miscellaneous Provisions Bill 2007 - Ireland

The Irish Minister for Finance, Mr Brian Cowen TD, today (20 April 2007) announced that the Irish Government had approved the publication of the Markets in Financial Instruments and Miscellaneous Provisions Bill 2007.

The EU Markets in Financial Instruments Directive (MiFID) was recently transposed into Irish law. The MiFID harmonises and modernises the EU-wide legislative framework for investment firms, promoting greater cross-border competition and the competitiveness of the EU financial sector overall.

The Bill being published today provides for some complementary measures to specify significant penalties following conviction on indictment for breaches of regulatory requirements under MiFID.

The Bill is also being availed of to make a range of largely technical amendments to various Acts including those concerning the National Treasury Management Agency, the Financial Regulator, the Financial Services Ombudsman, Ministerial pensions and credit unions.

Read the FinFacts Ireland article

Merchants Advancing Slowly on Data-Protection Efforts

Merchants are taking a harder look at complying with industry standards to safeguard credit card data, according to an RSA, the Security Division of EMC, study released April 16.

Of those surveyed, 68% have made moderate progress in complying with Payment Card Industry standards. Another 10% have made significant progress. About 47.5% of respondents said they are PCI compliant.

PCI standards were created by American Express, Discover Financial Services, JCB International Credit Card Co., MasterCard Worldwide, and Visa International in 2004 to protect customers’ credit card data through its lifecycle. The standard was most recently updated last September.

"The [PCI] guidance has very specific requirements," said Dave Howell, Solutions Manager at RSA, a security-technology vendor. "It’s very prescriptive, with more than 230 requirements."

Read the BankNet 360 article

Chi-X Successfully Begins Full Equity Trading, Clearing and Settlement

Pan-European ATS now fully trading AEX 25 and DAX 30 indices, with clearing services provided by Fortis; Credit Suisse's Advanced Execution Services begins providing externally routed order flow; BNP Paribas approved as “General Clearing Participant”

Instinet Chi-X® Limited, a pan-European equity alternative trading system (ATS), today (16 April 2007) announced that it is successfully trading, clearing and settling the component stocks of the AEX 25 (Dutch) and DAX 30 (German) indices with the help of Fortis’ European Multilateral Clearing Facility (EMCF) entity, a non-exclusive partner. With this phase of the Chi-X rollout in place, the integrated system is now the first to offer trading and clearing services that completely bypass Europe’s existing exchanges and central counterparty infrastructure.

Chi-X will begin trading the component stocks of the FTSE 100 index by the end of Q2. The other major European markets will be introduced ahead of MiFID later this year. Chi-X has been in live beta production since November 2006, during this time successfully executing trades from Instinet’s client order flow.

“Chi-X is a completely open and MiFID-compliant trading platform, allowing institutional and private client investors to access it through any broker that connects to Chi-X and becomes an accredited partner,” said Tony Mackay, Managing Director of Instinet Chi-X Limited. “We strive to provide market participants with an attractive alternative to trading on the incumbent exchanges, and it is also our intention to make offers of equity ownership to selected participants.”

Read the article

Many EU states face legal action over MiFID

The European Commission is preparing legal action against many European countries for failing to introduce sweeping new financial services rules into national law on time, an EU source said on Thursday.

Data provided by the EU executive showed that only three of the bloc's 27 members -- Britain, Ireland and Romania -- met the January 31 deadline for transposing the Markets in Financial Instruments Directive, or MiFID, into national law.

"It is expected that within the next few weeks infringement proceedings will be started against countries that have not transposed MiFID," the EU source said.

The European Commission declined comment.

The source said it was unclear when the cut-off point would be for determining which countries faced legal action as some states are due to transpose the rules this month or in May.

Read the Reuters Italia article

PCI Won't Save You

You'd think that the Payment Card Industry (PCI) standard for protecting consumer credit card information would be chock full of requirements for protecting against the loss of personally identifiable information. Or that security teams would be able to use the 12 requirements as a template for protecting against all kinds of sensitive data losses.

Unfortunately, it's not, and they can't.

Both PCI and the Sarbanes-Oxley Act focus more on the integrity of the data and the processing infrastructure. Neither one requires much in the way of data leakage detection. So to avoid being the next TJX on your block, here are a few steps to consider for protecting your business:

Read more at Dark Reading

Shops in rush to meet card security rules

Time is running out for organisations that handle credit card payments to make their systems compliant with a new security standard, experts have warned.

In less than three months, the Payment Card Industry, which represents credit card companies, will bring in the PCI Data Security Standard (DSS) to help safeguard customer data.

But there are fears that many smaller retailers, in particular, will not be ready for the 30 June deadline and could face fines.

The PCI DSS sets requirements for the monitoring and storage of credit card information to four levels of security, depending on the volume of credit card transactions being handled.

Firms with large numbers of transactions are required to monitor closely all access to stored credit card information, and they can be audited quarterly at a cost of up to £10,000 a time to ensure best practice is adhered to.

Read the Computer Weekly article

ABN pays out over hacked accounts

ABN Amro has compensated four customers who lost cash when hackers stole money from their accounts using a malware phishing technique.

The hackers overcame the bank’s two-factor authentication system by first sending the victims an e-mail containing an attachment.

The bank’s customers opened the attachment, which installed malware on their machines. This malware changed the customers' browser settings, so when they tried to visit the ABN Amro site they were instead directed to a spoof copy of the site.

Read the Computer Weekly article

Online fraudsters ‘sting' users for £875 - Get Safe Online

Internet users who have experienced online fraud lost an average of £875* each over the past twelve months, according to “Internet Safety: The State of the Nation,” research by the government and industry online safety campaign, Get Safe Online.

A survey of UK internet adult users – who number 29 million – found that 12% (almost 3.5 million people) had experienced online fraud in the last year. In that time, 6% of all internet users (1.7 million people) suffered fraud while shopping online, 5% (1.5 million) experienced another form of general online fraud and 4% (1.2 million) were subject to bank account or credit card fraud as a result of activity online (some users experienced more than one of these).

The rise in online fraud comes as UK internet activity has risen dramatically. The report found that 93% of internet users now use the web daily and that, on average, we each spend £1,044 per year buying goods and services on the web – equivalent to £30 billion for the UK online population as a whole.

Read the article

Russian Criminals Targeting U.S. 401ks and Online Traders

Cybercriminal rings in Russia and Eastern Europe have stolen tens of millions of dollars by breaking into and looting U.S. 401k and online stock trading accounts, FBI and SEC officials tell ABC News.

"You could wake up one morning and find all your money in your retirement account or in your trading account is gone," said John Reed Stark, Chief of Internet Enforcement at the Securities and Exchange Commission.

In addition to the Russian rings, authorities have also seen hackers in India, Hong Kong and Malaysia going after similar online accounts.

Read the Finance Mentor article

Lloyds TSB is to introduce an automated phone fraud alert service for all its debit card holders.

The system is already used on the bank's credit cards and now debit card holders will receive an automated call whenever the bank's systems believe a card could be threatened by a fraudulent transaction.

The automated calls will kick in when the card is being used for particular transactions when the customer is not present during the deal, such as web, phone or postal purchases.

The customer will have to give permission for the transaction to go ahead; if they don't, they will be put through to an operator who will be able to freeze the account and prevent the transaction completing.

Read the Computer Weekly article

Phishing scams more costly than bank robberies

Although bank robberies are a perennial threat to banks, their employees and their customers, the increasingly sophisticated and accessible high-tech fraud tactics used by cyber criminals are a greater - and growing - threat to a bank's bottom line.

In a bank robbery, especially in the unusual case where the whole bank is taken hostage, a situation The Mechanics Bank encountered when its Point Richmond branch was robbed in November, the bank's main concern is safety. The amount of money taken typically is fairly small and will not dent a bank's bottom line. Further, bank robbers are apprehended in almost 58 percent of cases, according to Federal Bureau of Investigation statistics. Only murder has a higher rate of clearance by arrest.

That's a stark contrast to checking account fraud, which cost financial institutions $2.4 billion over one 12-month period that ended in 2004, according to a study by research firm Gartner Group. A portion of those losses was caused by "phishing," a scam in which crooks use fraudulent e-mails and Web sites in an effort to entice consumers to give up personal and account information. Since 2004, phishing attacks have grown exponentially.

Not only are the losses greater, it's also harder to catch a cyber thief; investigators often find themselves chasing a ghost who may have put up a fake Web site for just a couple of days. When it comes to financial losses, bad loans, unscrupulous employees, check fraud and identity theft are far more worrisome for banks than robberies.

Read the article in

Card fraud losses continue to fall

  • Total card fraud losses fall from £439.4m in 2005 to £428.0m in 2006
  • Card fraud losses at UK retailers fall by 47%
  • Online banking fraud increases from £23.2m in 2005 to £33.5m in 2006
  • Cheque fraud losses fall from £40.3m in 2005 to £30.6m

2006 fraud figures released today (14 March 2007) by APACS, the UK payments association, show total card fraud losses fell by three per cent in the past year to £428m – a decrease of nearly £80m over the past two years. This fall has been driven by a 13 per cent decrease in UK domestic fraud and the combined reduction of more than £45m in mail non-receipt and lost and stolen fraud.

Credit and debit card fraud losses on UK-issued cards split by fraud type

Fraud Type                                      2006 (+/- change on 2005)
Counterfeit (skimmed/cloned) card fraud         £99.6m (+3%)
Fraud on stolen or lost cards                   £68.4m (-23%)
                                                £114.5m
Card-not-present fraud (phone/internet/mail)    £212.6m (+16%)
Mail non-receipt                                £15.4m (-62%)
Card ID theft                                   £31.9m (+5%)
Total                                           £428.0m (-3%)

Contained within this total:
UK retailer (face-to-face transactions)         £72.1m (-47%)
Cash machine fraud                              £61.9m (-6%)

Domestic/International split of total figure:
UK fraud                                        £309.8m (-13%)
Fraud abroad                                    £118.2m (+43%)

The introduction of chip and PIN has made it more difficult for fraudsters to commit card fraud in the UK, with losses at UK retailers falling by £146.7m over the past two years. However, criminals are still targeting our cards with the aim of copying the magnetic stripe data. They use this data to create counterfeit magnetic stripe cards that can potentially be used in countries that haven't upgraded to chip and PIN. This has caused the increase in fraud abroad losses over the last 12 months.

Read the article.

Bank of England issues new £20 note - APACS gives an overview of Britons' use of cash

To coincide with the Bank of England's launch today (13 March) of a new £20 note featuring economist Adam Smith, APACS - the UK payments association – gives an overview of how we use cash and how this has changed in recent years. APACS figures show that although plastic card payments are increasingly popular, Britons show no signs of abandoning cash any time soon.

Cash still accounts for more than six in ten (63 per cent) of all day-to-day payments by volume, and the £20 note is one of the most popular denominations of them all – accounting for 66 per cent of all notes dispensed by British cash machines in the last quarter of 2006.

Read the article

Reuters launches first market led solution to MiFID regulations

Reuters today (12 March 2007) announced a package of measures aimed at solving the most pressing data problems for clients who will soon have to comply with Europe's Markets in Financial Instruments Directive or MiFID.

From November 1st this year, MiFID will require investment firms to execute trades efficiently at the best price, publish that information and show that the best price was obtained for clients. In response Reuters is offering a suite of solutions, developed with clients, which will allow users to meet the key demands of MiFID.

Today's announcement means that these requirements can all be handled by Reuters and will be offered based on proven solutions in use by customers today.

Read the article

SEC suspends trading of 35 pump-and-dump spam companies

SEC rolls out Operation Spamalot, investigates 35 suspected firms

The Securities and Exchange Commission has taken the drastic step of suspending trading in shares of 35 companies whose stocks have frequently been touted in mass spam campaigns.

SEC officials said on Feb. 8 that the firms involved -- none of which are household names -- have been the subject of repeated spam efforts meant to drive up trading of their securities and, subsequently, the value of the companies themselves.

The trading bans will last for 10 days, after which shares in the involved companies will be unlocked -- unless the SEC's ongoing investigation proves any of the firms were involved in the e-mail schemes.

While the ban might seem unfair to the businesses involved, especially if their names and securities were merely selected by scammers looking for penny stocks to inflate in so-called pump-and-dump operations, SEC officials said that in each business's case, there were sufficient questions raised regarding the "adequacy and accuracy" of information being advertised about the companies.

Criminals have increasingly begun using spam to drive up interest in cheap stocks over the last several years. Before sending out mass messages about a specific firm, the individuals buy stock in the companies in the expectation that, with their e-mails, they can convince other people to purchase shares. When prices of the shares involved rise, the schemers sell off their own holdings, thus the pump-and-dump moniker.

Read the InfoWorld article

UK FSA fines Nationwide GBP980,000 over security failures

The UK Financial Services Authority has fined Nationwide Building Society GBP980,000 for failing to have effective systems and controls to manage its information security risks. According to the watchdog, these failings came to light when a laptop was stolen from a Nationwide employee's house in August 2006.

The Financial Services Authority (FSA) commented that, during its investigation, it found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. It added that it had taken swift enforcement action to send a clear message to all firms about the importance of information security.

According to the FSA, Nationwide worryingly did not realize that the laptop contained confidential customer information or start an investigation until three weeks after the theft. According to the BBC, the computer has still not been recovered.

Margaret Cole, FSA director of enforcement, said: "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure."

Read the article in Computer Business Review

Nationwide customers pay £1m fine

The customers, not the directors, of Britain's biggest building society will pay a £980,000 fine for lapses in data security.

Nationwide was fined on Wednesday after a laptop was stolen from an employee's home in August.

It took three weeks before the society realised the extent and sensitivity of the customer details on the computer.

But Nationwide has told the BBC that it "would not be fair" if the directors paid the fine.

As a building society, Nationwide is owned by its members - the 11m customers - so any penalty, in effect, comes from their money.

Many are not happy that they will have to pay the penalty for their data being compromised.

Jill called BBC Radio 4's Money Box programme to say: "Because it's a mutual society, any fine will have to be picked up by the members, because there are no shareholders.

"It's a double whammy. It's bad enough to think your details may have been spread across the globe unnecessarily. But to be told as a member of a mutual society you are going to be fined, that seems a little unfortunate."

Read the BBC article

PayPal CISO outlines antifraud strategy

PayPal has 133 million customers that use its Internet-based money-transfer service, which handled US$37 billion in transactions last year. Michael Barrett, who is CISO at the eBay subsidiary, recently spoke with Network World senior editor Ellen Messmer about new approaches PayPal is taking to combat online fraud.

Almost every day I get a fake PayPal e-mail that's obviously a phishing scam. How do you deal with this phishing fraud or even use e-mail to communicate with PayPal customers?

There's a lot of spoofing of and We get e-mail from customers asking questions about this and other topics and we respond within 15 minutes. We use our own Web-based e-mail to communicate. The problem with phishing and spoofing generally is there's no magic bullet. So it's classic defense in depth.

How much fraud hits PayPal each year?

As a class of operational loss, it's 0.41 percent. In the industry, that's known as 41 basis points, which is pretty low. When our customers are victimized, their user ID and password are compromised, we compensate them.

What are some of your defensive strategies?

If the consumer never actually saw the phish e-mail, it's hard for the criminal to victimize you. We're working with people who make e-mail clients and the ISPs, such as Yahoo, MSN and AOL, on a technical strategy that says if the e-mail is not signed by us, drop it. We're having good discussions, but we have nothing to announce now.

Read the Computerworld article


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.