FMA fesses up to website breach and apologises

The Financial Markets Authority is the latest government arm to experience a breach of its website; but it has acknowledged the error and apologised.

Friday, November 8th 2019, 6:00AM 7 Comments

The regulator had to shut down its website last week after it made public emails from and to Gareth Dobson, a business insurance adviser, and mortgage broker firm Finsol.

They related to a former adviser, Daniel Carlyon.

The Financial Service Providers Register indicates that Carlyon previously worked for Finsol but has since deregistered. After Finsol, he worked at Aspire Advisors in Auckland.

Dobson told media that he had never given the FMA permission to make his emails public.

FMA chief executive Rob Everett said the issue was rectified immediately when the regulator became aware of it. The FMA has identified six cases where sensitive personal information provided to the regulator may have been accessed.

It contacted the people involved to advise them of the issue and any further steps they should take to protect their information.

A preliminary review has identified 27 instances where documents that supported complaints were accessed by internet searches. The documents were inadvertently uploaded to a portal on the FMA website. Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.

“We apologise to those people who supplied us with information and also to the wider public for this error. Their trust and confidence is critical to us,” Everett said.

“We have reviewed what files were uploaded in this way, what information they contained, and contacted those people whose sensitive personal information may have been accessed.

“We are working hard to ensure we get to the bottom of the issue.”

He said the issue related to documents that were provided to the FMA several years ago, and the FMA was still investigating the circumstances. An initial review indicated that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.

At no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website.

All but two of the documents were accessed following a change in automated search algorithms on September 30. The FMA believes this is related to ordinary enhancements to search engine algorithms, which took place around that time.

The FMA has worked closely with the relevant government agencies and departments, and has engaged KPMG to assist in its investigations into the cause and extent of the incident.

Everett said a full review of the issue would be conducted by an independent external party.

As a precautionary step, the FMA has removed the ability to upload complaints information via the website.

Financial Advice New Zealand chief executive Katrina Shanks said anywhere there was a breach was concerning but in the case of the Financial Markets Authority, the information that people handed over was given as part of mandatory disclosure.

“It’s not like it’s a choice whether to share information, it’s not. That’s the difference.”

She said the association would ask the FMA what happened and how it would stop a recurrence in future. “It’s a significant breach.”

She said any government department needed to have processes and systems in place to protect people’s privacy and the industry needed to be able to have faith in the system.

On its website, the FMA says: “The Financial Markets Authority is committed to ensuring your privacy is protected.

“Any personal information you provide to us will be held and used only in accordance with the Privacy Act 1993. We may disclose personal information to authorised third parties of information assurance services."

Tags: FANZ Financial Advice New Zealand FMA privacy

« Fund managers may have climate-change duty of careMann on a mission to diversify financial advice »

Special Offers

Comments from our readers

On 9 November 2019 at 8:14 am LNF said:
I am not sure of what is required and what is not
Party "A" send information to FMA about party "B" and for whatever reason the correspondence gets into the public domain.
FANZ says " the information that people handed over was given as part of mandatory disclosure.
“It’s not like it’s a choice whether to share information, it’s not. That’s the difference.”
Is this true. Can someone more informed advise where it is mandatory to snitch rather than simply say "none of my business"
It is very important because the practice of "dobbing in" is very dangerous as history has shown, and if it is mandatory very dangerous indeed
On 13 November 2019 at 6:04 am JPHale said:
@LNF, interesting view the word snitch suggests. Part of the conduct and culture review feedback has been there isn’t enough management of bad behaviours.

The snitch comment suggests complacency on bad behaviour is acceptable to you, and that’s part of the problem and why the regulator is focusing on insurers more heavily.

In this case, Gareth has identified systemic bad behaviour within the business he is in by an individual and has reported it. It’s a bit different to sour grapes because someone pinched a client.

This has since been vindicated by the individual concerned being deregistered from the FSPR and effectively push out of the industry. This is a good thing.

So no I disagree on ignoring the problem as it’s not my business, if it is put in front of me, I will do something about it.

However, we all make mistakes, and fixing them is part of the issue and approach, it’s not always off to the regulator.

When it is systemic or consistently poor behaviour, that’s when it needs to be escalated to the regulator. And even then they only respond when they have sufficient evidence to act.

What we also know is escalating within organisations is often a waste of time, as the organisation moves to protect itself, so poor behaviour in high producers is covered up and ‘managed’. Just not in ways the regulator and the public would expect.

Which is also why we need whistleblowing laws that protect people raising issues, something the FMA has failed significantly within this case.

If there is a pariah here, it is the FMA and not Gareth. And people ask why we need an ethics paper in financial services...
On 13 November 2019 at 7:18 pm LNF said:
@JPHale You miss the point of my comment
Financial Advice NZ states that "as part of mandatory disclosure" meaning "required by law or mandate; compulsory." then this means that if I see something, anything, and I do not "snitch" then I am liable to being censured even if I think it is not an issue but some other party does, and I am a party to the poor behaviour / conduct
If Shanks from FANZ is correct then this is very dangerous indeed
On 14 November 2019 at 2:58 pm Davet said:
Refer S45A Financial Advisers Act, part of the 2010 Amendment. Been around since then.
On 15 November 2019 at 8:49 am gavin austin adviser business compliance said:
Correct quote from the Act but reporting is not mandatory as the wording used is "may" not must. Shanks comments have beenquoted out of context. If the FMA asks the whistleblower for more detail as part of an investigation then the adviser must provide it. This is the mandatory part of the Act. Called a sec 25 if I recall correctly
On 15 November 2019 at 11:50 am Tash said:
Is a "snitch" exempt from civil action for damages?
On 16 November 2019 at 6:59 pm JPHale said:
@LNF I was specifically speaking to the word not the mandatory. So not misunderstanding, more a crack at the culture that the FMA and RBNZ is railing against presently. The industry has a sweep it under the rug approach, and this is a core issue the regulators are looking to address.

I.e. How many QFE’s have self reported breaches to the FMA as they should? Not many if any.

Mandatory, as Gavin has said its not, it's a maybe. However, under the HSWA it is a case of see and not report, you're complicit and on the hook too. I haven't specifically looked at this aspect in our new rules. About to go look.

And @Tash, maybe as per any other law if you are reporting it and you're found doing something wrong too, they’ll likely pick you up too. on the civil side the whistleblowing legislation may protect this aspect.

A bit of a rock and a hard place while throwing stones in the glass house...

Sign In to add your comment

www.GoodReturns.co.nz

© Copyright 1997-2024 Tarawera Publishing Ltd. All Rights Reserved