It’s hard to come up with a vivid enough metaphor for the self-interested bungling of the Norwich Union top brass over the defrauding of policyholders. But try imagining the Titanic run by Keystone Cops elbowing aside women and children to get to the lifeboats first.

Failing upon failing is revealed in the Financial Services Authority’s final report into the fraud. Incompetence and complacency were manifest, it hardly needs saying, but Norwich Union seems guilty of something else – downright bone-headed stupidity.

It’s impossible not to boggle at the obtuseness of the Norwich Union decision-making. In essence the company set up security procedures so useless that fraudsters were able to empty the accounts of policyholders using information entirely from the public domain.

A ten-year old could spot the glaring flaw in the system, but not apparently Norwich Union.

When fraudsters impersonating policyholders were unable to come up with a potential victim’s policy number, they were given a second chance, and were asked for the policyholder’s postcode instead. Yes, you didn’t read that wrong. Not password. Postcode.

It gets worse. Even after the frauds were discovered the company rejected procedural reforms that could have stopped them dead, thus allowing the plundering of customer policies to continue. Better security arrangements were rejected on the grounds they would worsen customer service or would require manual processes to supplement NU’s computers. In other words they might mean hiring extra people.

The fraudsters ran circles round NU’s sleepy internal fraud investigators and feeble security systems. Call centre employees’ suspicions were not registered on electronic records. The investigators took 24 hours just to respond to a suspicious event, while the fraudsters were carrying out their efficiently executed stings in as little as 12 minutes. Crucial caller identification procedures were checked by NU, not to ensure that they actually confounded potential criminals, but to ensure that they complied with the Data Protection Act.

When Aviva and NU belatedly woke up to the fact that their arrangements were the equivalent of leaving the Tower of London unlocked and giving the Beefeaters the day off, their response was to rush to protect the personal nest-eggs of their own senior managers. There was no attempt to alert the other six million policyholders who were also vulnerable to the same fraud.

NU says that it has learnt from the experience and has reviewed security internally and externally and takes it “extremely seriously”. And of course, the victims have been compensated.

Yet, questioned by The Times yesterday, senior NU management did not know how long the fatal procedural flaw had been in place, nor how it had originated, nor who was responsible for approving it.

With their heads buried that deep in the sand, they seem destined to repeat their mistakes. Not that it will matter much for their own career prospects. No one has been disciplined in any way over this disaster.

And the fine – equivalent to less than four hours’ profits for NU’s parent Aviva – is unlikely to act as much of a deterrent in future, either at NU or elsewhere in the financial services industry.

Until customer confidentiality and identity theft rises higher up the priority list in our financial institutions, these lapses are bound to recur. Boards will continue to regard the fines as regrettable, but not much different in kind to any other business expense.

Times Recommends

• Lies and cover-up at MG Rover exposed by report
• High oil prices push manufacturing costs up
• Primark founder steps down as chief executive