The Financial Services Authority report in full
The Charges
- Norwich Union Life failed to take reasonable care to both assess where its financial crime risks lay and establish adequate procedures and controls to manage those risks and respond to the frauds in an appropriate and timely manner once they had become apparent.
How many policyholders were affected
- Over 632 policies were targeted by the fraudsters.
- There were 74 fraudulent surrenders amounting to approximately £3.3 million in total.
Norwich Union Life's pre-fraud security procedures
- Norwich Union Life's caller identification procedures required callers to provide the following five pieces of information: surname, first and any middle names, first line of the address, date of birth and policy number.
- If the caller did not pass the five initial checks, the caller identification procedures allowed call centre staff to select alternative questions from a secondary list of six questions: post code; policy type; policy term; bank details; mortgage provider or premium amount and method of payment. The post code was the first question in the secondary list.
- Accordingly, callers could pass the caller identification procedures in the Relevant Period without quoting a valid policy number by correctly providing the following information: surname, first and any middle names, date of birth, first line of the address and postcode. All of this information can be acquired from publicly available sources.
- Once the caller identification procedures were satisfied, Norwich Union Life procedures allowed callers to request and obtain further information, including the policy number, the value of the policy or their bank account details recorded by Norwich Union Life. Callers could also request changes to the details held by Norwich Union Life including for example the customer's address and the recorded bank account details.
- Until November 2006, no additional checks were carried out by Norwich Union Life before it amended its record of a customer's address. Following notification of a change of address, Norwich Union Life procedure was to write to the new address to confirm that it had amended its records. However, it did not send a similar letter to the previous address.
What the fraudsters did
- The fraudsters used publicly available information such as names, addresses and dates of birth to impersonate Norwich Union Life customers and, in a series of telephone calls to Norwich Union Life's call centres, sought confidential customer information and in some cases succeeded in amending customer records such as address and bank account details.
- The fraudsters subsequently instructed Norwich Union Life to surrender the proceeds of customers' policies to bank accounts controlled by the fraudsters.
How the fraudsters got around the system
- The frauds were committed through a series of calls, often carried out in quick succession. For example, in the case of one policy, five calls were received by Norwich Union Life in one day.
In another case three calls were received in 12 minutes. Even if call handlers had been suspicious and reported these matters to Norwich Union Life’s fraud team, the fraud team, whose normal response time was 24 hours, might not have responded in time.
Further, as the call handlers did not record the suspicion report on the customer records and as call handlers differed from call to call, when a fraudster rang back the next call handler was unaware that a series of calls was being made.
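The gap described above, as an added example that is not taken from the FSA report or from Norwich Union Life's systems: a per-policy check that writes every call to a shared record at call time and shows bursts and follow-up changes to the next handler. The call log is constructed, and the thresholds, policy references and action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (the report itself cites three calls in 12 minutes).
WINDOW = timedelta(minutes=15)      # burst window
BURST = 3                           # calls inside WINDOW that count as a burst
HOLD = timedelta(days=1)            # assumed; covers the fraud team's 24-hour response time
SENSITIVE = {"change_address", "change_bank", "surrender"}

# Constructed call log: (timestamp, policy reference, call handler, action).
CALLS = [
    ("2006-06-01 10:00", "POL-A", "h1", "enquiry"),
    ("2006-06-01 10:05", "POL-A", "h2", "change_address"),
    ("2006-06-01 10:11", "POL-A", "h3", "change_bank"),
    ("2006-06-01 15:30", "POL-A", "h4", "surrender"),
    ("2006-06-01 09:00", "POL-B", "h1", "enquiry"),
    ("2006-06-20 14:00", "POL-B", "h2", "enquiry"),
]

def review_calls(calls):
    """Replay calls in time order against a record shared by all handlers."""
    history = defaultdict(list)     # policy -> [(time, action)], written at call time
    decisions = []
    for ts, policy, _handler, action in sorted(calls):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        past = history[policy]
        flags = []
        # Burst: this call plus earlier calls on the same policy inside WINDOW.
        if 1 + sum(now - t <= WINDOW for t, _ in past) >= BURST:
            flags.append("burst")
        # A sensitive request that follows another sensitive request within HOLD.
        if action in SENSITIVE and any(
                a in SENSITIVE and now - t <= HOLD for t, a in past):
            flags.append("recent_change")
        past.append((now, action))
        decisions.append((ts, policy, action, flags))
    return decisions

def held_requests(calls):
    """Sensitive requests a handler should refuse pending fraud-team review."""
    return [(ts, policy, action)
            for ts, policy, action, flags in review_calls(calls)
            if flags and action in SENSITIVE]

if __name__ == "__main__":
    for row in held_requests(CALLS):
        print(row)
```

Because the flag is computed from the record itself, a different handler on the next call sees it without waiting for the fraud team.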
When Norwich Union Life first became aware of the fraud
- Norwich Union Life first became aware that these frauds were taking place in April 2006 when fraudsters attempted to surrender the policy of a former director of an Aviva company.
- In May 2006, Compliance investigated this attempted fraud and highlighted a number of weaknesses in Norwich Union Life’s procedures, including weaknesses in the caller identification procedures. Compliance made a recommendation that callers be required to provide their policy number in order to pass the caller identification procedures.
This recommendation was not accepted by Norwich Union Life at the time on the grounds that it would impact on its levels of customer service and lead to customer dissatisfaction.
- Compliance also recommended that following any change of address, Norwich Union Life should write to both the old and new addresses to confirm that it had amended its records. This recommendation was considered and investigated but was not acted on at the time because it would have required the introduction of a manual process to an otherwise automated procedure. A decision to implement such changes was made in October 2006.
When did Norwich Union Life first take action
- On discovering the frauds in July 2006, Norwich Union Life took specific action to identify, inform and protect all current and former directors of Norwich Union Life and the wider Aviva Group (Aviva Directors) who were policyholders. It did not take equivalent action at that time to inform and protect the policyholders who were not connected with the business. Of the 74 policies that were surrendered, nine belonged to Aviva Directors.
- Norwich Union Life took action to protect all of its customers in September 2006 when call centre procedures were amended so that no change of address instruction could be made over the phone unless the caller could provide a valid policy number.
- This action was made ineffective by the fact that callers could pass the caller identification procedures in one call, request and be provided with their policy number over the telephone, and then call back with the policy number to request a change of address.
- Procedures were further amended in November 2006 so that neither policy numbers (callers were notified by post only) nor full bank account details could be disclosed over the phone.
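The effect of each procedure change, as an added example (a constructed model, not code from the FSA report or from Norwich Union Life): it counts how many calls a caller holding a given set of facts needs before an address change is accepted. Field names are assumptions, as is the rule that one secondary answer stands in for one missed primary check, which is the case the report describes.

```python
# Five primary checks and six secondary questions (field names are assumed).
PRIMARY = {"surname", "forenames", "address_line1", "dob", "policy_number"}
SECONDARY = {"postcode", "policy_type", "policy_term", "bank_details",
             "mortgage_provider", "premium_and_payment_method"}
# Facts the report says can be acquired from publicly available sources.
PUBLIC = {"surname", "forenames", "address_line1", "dob", "postcode"}

# version -> (policy number read out by phone?, address change needs policy number?)
RULES = {
    "before Sep 2006": (True, False),
    "Sep 2006": (True, True),
    "Nov 2006": (False, True),
}

def identified(known):
    """All five primary checks, or four plus one secondary answer (assumed rule)."""
    missing = PRIMARY - known
    return not missing or (len(missing) == 1 and bool(SECONDARY & known))

def calls_to_change_address(version, known):
    """Calls needed before an address change is accepted, or None if refused."""
    discloses_number, needs_number = RULES[version]
    known = set(known)
    for call in (1, 2):
        if not identified(known):
            return None
        if not needs_number or "policy_number" in known:
            return call
        if not discloses_number:
            return None
        known.add("policy_number")  # read out on this call, quoted on the next
    return None

if __name__ == "__main__":
    for version in RULES:
        print(version,
              "| public facts only:", calls_to_change_address(version, PUBLIC),
              "| policyholder:", calls_to_change_address(version, PUBLIC | PRIMARY))
```

The September rule only adds one call for a caller with public facts; the control takes effect in November, when the policy number stops being read out, while a caller who already holds the policy number is unaffected.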
What Norwich Union Life could have done to prevent the fraud
- In circumstances where call handlers became suspicious of a caller, Norwich Union Life's procedure required the call handler to refer his suspicion by email to Norwich Union Life's fraud team, which was part of Compliance. The fraud team would normally act on the reported suspicion within 24 hours and, where appropriate, put a flag on the customer’s record to indicate that an investigation was underway. In the meantime, neither the call handler’s suspicions nor the fact that it had been reported to the fraud team was recorded on the customer's electronic record.
- Further, call handlers were not always aware if there had been any recent amendments to a customer’s electronic records or if a number of calls had recently been received. Call handlers would only be aware of any recent activity if they checked any notes made by previous call handlers on the customer's electronic records.
Before August 2006, it was not standard practice to check the records before speaking to the caller. In August 2006 Norwich Union Life issued guidance to call handlers encouraging them to review the previous call history.
- Following the introduction of the Group Fraud Standards in October 2005, Norwich Union Life was obliged to assess its anti-fraud systems and controls against the Group Fraud Standards. Norwich Union Life carried out a review of its anti-fraud systems and controls in April 2006 to assess whether those procedures complied with the principles in the Group Fraud Standards.
However, its assessment of fraud controls did not include a review of the adequacy or effectiveness of the caller identification procedures as Norwich Union Life considered that the purpose of the DPA checks was to ensure that the business complied with the Data Protection Act 1998 rather than to act as part of Norwich Union Life’s anti-fraud systems and controls.
- Following the publication of an FSA Enforcement action in March 2006 concerning another regulated firm, Compliance assessed Norwich Union Life's financial crime controls and identified similar weaknesses both in Norwich Union Life's caller identification procedures and in its change of address procedures.
Despite identifying the weaknesses, Norwich Union Life failed to act at the time to correct them. Remedial action in respect of these weaknesses was not taken until September and November 2006.
© Copyright 2008 Times Newspapers Ltd.