A major loophole in the UK’s criminal records checking system means that IT staff, including those working in critical functions within financial services firms are not permitted to be vetted for fraud, says Simon Culhane, Chartered FCSI and CEO of the Chartered Institute for Securities & Investment (CISI).
In the latest edition of the 40,000 strong CISI’s member magazine, Securities & Investment Review, Mr Culhane explains: “The FCA requires that anyone seeking to be an “authorised person” needs to be checked against the Disclosure and Barring Service (DBS). However, there is no such requirement for any check for those working in IT. In fact it is worse: it is expressly prohibited to subject current or future IT staff to verification from the DBS as the vast majority do not hold a role that meets the strict criteria that allows them to be checked.
“It does lead to a strange anomaly. If you become a football steward, then you can be checked, but not if you work in critical IT roles in major banks and finance houses controlling millions of data points, and are responsible for the money transmission of billions of pounds.”
The CISI says the core problem is the focus of the DBS is on safeguarding people, not financial crime, so attention is focused on convictions for sexual and harming offences, not for fraud. The Government also wants to rehabilitate offenders more quickly, so in May 2013 it announced that further “filtering” of disclosable offences would occur, which reduces what will be divulged when an employee is checked. Some of this was very sensible, such as removing notification of police cautions; however it does mean that the background checks are now less thorough.
In July, the FCA and the PRA issued a consultation paper (CP 13/14) which announced changes to the current Approved Persons regime, proposing to bring a Senior Management Responsibility (SMR) function and a much wider “Certified” person’s requirement. However, whilst there is a requirement for a Senior Manager to have responsibility for IT overall, and for that Manager to be checked, it doesn’t apply to the programmers, developers, controllers and helpdesk staff.
The Government also published a list of offences which would never be filtered, which again demonstrates that beating financial crime is not a priority, as not one of the 1,028 listed offences related to financial crime or fraud (apart from not paying customs duty).
Alan Yarrow, Chartered FCSI (Hon), Chairman CISI said: ”Cybercrime costs the economy over a billion pounds a week, with seven people being defrauded each minute. The finance sector is particularly vulnerable to cyber-attacks as it possesses the personal data of almost every adult in the country.”
Mr Culhane said: “The Government needs to shut the back door and give employers the basic tools to carry out first level due diligence on those who hold power over a critical part of the cyber network.”
The CISI will be asking the Home Secretary to close the loophole.
The CISI’s latest survey on cybercrime, which drew 908 respondents, asked “How well protected is the financial services industry against the threat of cybercrime?” Only one in five respondents felt there is a high level of protection (with 3% saying “very” and 17% saying “significantly”).