QUICK QUESTION - Bank Call Centres and Confidentiality

ninacolada

Hello Everyone,

I'm very new to MSE.com so I'm not sure if I'm putting this in the right place but I'm hoping someone can help me?

My question related to Confidentiality and Data Protection legislation in regards to Bank's Call Centres.

I'm with HSBC and when the call centre dealing with Credit Card accounts contacted me, they gave me the opportunity, and actually allowed me, to move funds from my current account to my credit card without asking me ANY security questions. I raised this with the call centre agent, but he assured me that they only ask security questions when the customer calls their offices; but not the other way round. I had to ask the hypothetical, what if I had left my phone on the bus and a complete stranger decided it would be a lark to answer my calls. HSBC just gave a complete stranger access to my bank accounts.

Also, upon receiving further calls from the call centre, I informed them of the earlier transgression and requested that they make a note on my record that I will not answer any calls from their call centre because the service provided is not secure. As the calls have not ceased, I can only assume they have chosen to ignore the record or they didn't update it at all.
Are either of these in violation of Data Protection Laws?
I hope someone can help me?
Thank you very much
Nina x

£$&*"($£&(

ninacolada wrote: »

Are either of these in violation of Data Protection Laws?

No they are not. Whether they meet any guidance on banking security is another matter. Of course if a bank phoned up and started to ask me to prove who I was by asking me security questions it might be deemed suspicious and has been the subject of complaints before. So perhaps banks can't win.

unholyangel

grahawk wrote: »

No they are not. Whether they meet any guidance on banking security is another matter. Of course if a bank phoned up and started to ask me to prove who I was by asking me security questions it might be deemed suspicious and has been the subject of complaints before. So perhaps banks can't win.

Really? Pretty sure the DPA means they are supposed to keep your information secure, only use it in the way you have been informed/would reasonably expect and cannot disclose such information to any third party unless they have the persons consent or have taken steps to ascertain that the person they are speaking with is the account holder themselves. Its called "fair processing".

Banks can win. They can ask the customer to call them back. That way the customer is sure of who they are talking to and the bank can ask the relevant questions to make sure they are speaking with the account holder or someone authorised to deal with the accounts on behalf of the account holder.

Financial information is more sensitive than your basic information for obvious reasons. I find it unbelievable that people go to all the trouble of shredding documents, not giving out personal details etc then you get muppet banks who leave customer details in rubbish bags out the back unshredded and leaving their customers open to identity theft/fraud. And before you say that doesnt happen, it does. Its been featured on watchdog 3 times so far and yet the banks don't learn from their mistakes!

eranou

ninacolada wrote: »

Hello Everyone,

I'm very new to MSE.com so I'm not sure if I'm putting this in the right place but I'm hoping someone can help me?

My question related to Confidentiality and Data Protection legislation in regards to Bank's Call Centres.

I'm with HSBC and when the call centre dealing with Credit Card accounts contacted me, they gave me the opportunity, and actually allowed me, to move funds from my current account to my credit card without asking me ANY security questions. I raised this with the call centre agent, but he assured me that they only ask security questions when the customer calls their offices; but not the other way round. I had to ask the hypothetical, what if I had left my phone on the bus and a complete stranger decided it would be a lark to answer my calls. HSBC just gave a complete stranger access to my bank accounts.

Also, upon receiving further calls from the call centre, I informed them of the earlier transgression and requested that they make a note on my record that I will not answer any calls from their call centre because the service provided is not secure. As the calls have not ceased, I can only assume they have chosen to ignore the record or they didn't update it at all.
Are either of these in violation of Data Protection Laws?
I hope someone can help me?
Thank you very much
Nina x

Did the bank just ring you out the blue and ask you to move funds or had they phoned you back after you called them?

Bradden

Slightly off topic but my bank uses call centres worldwide.. Durban was the last location of the person who answered the phone.

What laws are they goverened by? UK? If not how do I know how secure my data is.. I have never given permission for my data to be exported outside of the UK.

eranou

Bradden wrote: »

Slightly off topic but my bank uses call centres worldwide.. Durban was the last location of the person who answered the phone.

What laws are they goverened by? UK? If not how do I know how secure my data is.. I have never given permission for my data to be exported outside of the UK.

By using their services you have.

There is no law to say your info must be kept within the UK however there are rules that state that the company must have measures in place to ensure all personal data is secure wherever it is processed.

fluffnutter

Regardless of data protection laws, which incidentally I don't think have been breached here, why is your bank phoning you so much? Like you say 'the calls have not ceased'. You do realise these are just marketing calls? Why not ask them to stop ringing you up and flogging you stuff all the time, then you won't have to worry about security. Telling them that their call centre is not secure is not a very clear instruction. You need to ask them to set your preferences to 'No marketing by phone' - they have a legal obligation to allow you to do this.

MeanParent

grahawk wrote: »

No they are not. Whether they meet any guidance on banking security is another matter. Of course if a bank phoned up and started to ask me to prove who I was by asking me security questions it might be deemed suspicious and has been the subject of complaints before. So perhaps banks can't win.

Well, the are obliged to protect customer data and if they give anything out to anyone that has not passed security checks then they could well be in breach.

Also, the FSA would come down on them hard if their internal systems showed a weakness like this.

fluffnutter

MeanParent wrote: »

Well, the are obliged to protect customer data and if they give anything out to anyone that has not passed security checks then they could well be in breach.

Also, the FSA would come down on them hard if their internal systems showed a weakness like this.

No doubt they'll argue that the phone number alone gives them adequate confidence that they're speaking to the right person.

TBH, these are sales calls and the bank's so eager to flog you something that they're not that fussed about checking who they're flogging it to.

But... that aside, this is the main reason that banks, when phoning you, don't ask you to pass security checks.. it's because the following really annoys people (which is not the best start to a sales call!):

Bank: "Hello, may I speak to Ms Fluffnutter".
fluffnutter: "Yes, speaking".
Bank: "Prove it".

unholyangel

fluffnutter wrote: »

No doubt they'll argue that the phone number alone gives them adequate confidence that they're speaking to the right person.

TBH, these are sales calls and the bank's so eager to flog you something that they're not that fussed about checking who they're flogging it to.

But... that aside, this is the main reason that banks, when phoning you, don't ask you to pass security checks.. it's because the following really annoys people (which is not the best start to a sales call!):

Bank: "Hello, may I speak to Ms Fluffnutter".
fluffnutter: "Yes, speaking".
Bank: "Prove it".

They don't say "prove it". They say "my name is xxxxxx and i'm calling from xxxxxx, can i ask you a few security questions to make sure you're the account holder?"

If you say you dont want to give that information out since they've called you, they'll ask you to call them back.

Must say though, glad i'm not with your bank if they never ask security questions. Nor do i think "but they answered the phone so it must have been the account holder" would fly, anyone can answer a phone.

Financial information is regarded as sensitive confidential personal info. And as such the protections in place should be higher because it is at high risk of causing the person damage/distress if disclosed to someone else. In fact, guidance from the ICO even states:

Are staff aware of the dangers of someone trying to trick them into making disclosures of information or changing an address when they should not do this because the enquirer is not who they say they are? Do they know the proper procedures to use to identify callers?

It then goes on to state passwords etc as a way to identify the person as the account holder.

Ich_2

I refuse to answer any security questions until I have had my own answered so they can prove who they are!