(Provisional Translation)

June 11, 2004
Financial Services Agency
The Government of Japan

Administrative Actions on Citibank, N.A. Japan Branch

  1. According to the report submitted by Citibank, N.A. Japan Branch [hereinafter referred to as the "Japan Branch"] in response to the Reporting Order issued by the Financial Services Agency [hereinafter referred to as the "FSA"] under Article 24 (1) and Article 48 of the Banking Law, it is confirmed that serious problems exist, as described below, in the management of outsourced operations and in the internal controls of the Japan Branch with regard to its handling of customer information.
[1] According to the reports from the Japan Branch, on February 21, 2004 backup data containing 123,690 consolidated customer statement files, each recording the transactions in a customer's accounts, was lost while being transported by the Data Center under the control of Citibank, N.A. Singapore Branch. The customer statements contained one month of transaction records on deposits [including current deposits, Japanese Yen and foreign currency savings deposits and certificates of deposit], loans [including overdrafts secured by deposits, unsecured card loans and housing loans] and mutual funds [including domestic and foreign-based mutual funds], together with customer information including names, addresses and account numbers. The findings on the incident are as follows;
 
1] The company in Singapore to which the Data Center had outsourced the storage and transport of backup data did not follow the prescribed procedures for data transport. Before loading, it did not have a third party inspect the shipment, and it did not secure the box containing the backup data in the truck's loading space with netting. It also did not properly lock the rear doors of the truck, and the truck's alarm devices did not function. The company transported the data under these conditions on a daily basis. It is therefore fair to say that the loss of the backup data containing 123,690 statement files was more or less inevitable.
2] It is confirmed that no measures to protect customer information, including measures to prevent leakage, had been agreed between the Japan Branch and the Singapore Branch, which controls the Data Center in Singapore, and that neither branch was aware of the problems described in 1] above even after internal audits had been conducted on this security and delivery service company. The storage and transport services had been outsourced since October 1997 without the operational responsibilities for controlling and managing customer information and its backup data being clearly defined between the Japan Branch and the Singapore Branch.
3] Moreover, no department [business unit] in the Japan Branch oversees the operations outsourced to the Data Center in Singapore. The incident occurred under circumstances in which the Japan Branch had neither a routine management system for customer information nor crisis procedures for handling customer information. For this reason it took a long time to identify which data had actually been lost in transit and to investigate what impact could arise if the lost data were passed to a third party. Because the initial response was delayed, six days passed after the incident before the Japan Branch received the first contact from the Singapore Branch and learned that the incident had occurred in Singapore.
4] When the Japan Branch, having received the first incident report from Singapore, informed the FSA of the situation, its explanation of the facts of the incident [including the cause of the incident, the content of the lost data and whether any harm to the affected customers could be expected] was unclear, and its plan and actions for responding to the affected customers were also unclear at that stage. Because of this lack of clarity, the Japan Branch received a reporting order from the FSA based on Article 24 (1) and Article 48 of the Banking Law. The Japan Branch did not promptly notify the affected customers of the incident or make an official announcement until it received concrete instructions from the FSA. As a result, almost one month passed between the date the backup data was lost in Singapore and the notification to customers and the announcement to the public.
5] As background to the Japan Branch's delayed actions, it is found that management had only a superficial understanding of the situation when the serious incident of the loss of customer information occurred. It is also confirmed that delayed and/or improper management decisions at the Japan Branch, the Singapore Branch or the head office in New York affect the overall operations, management and customer response of the Japan Branch, because none of the three has properly established a management system for outsourced operations.
[2] In addition, the report submitted by the Japan Branch in response to the FSA's reporting order was considered inadequate, and the final report, based on discussions with the FSA, was submitted almost one month after the deadline.
[3] Based on findings [1] and [2] above, which show that the lack of a proper management system resulted in serious delays in responding to the incident, that no department was responsible for managing customer information, and that the Japan Branch's response to the incident was not appropriate, it is difficult to expect that voluntary actions by the Japan Branch alone would bring about the necessary improvements.
  2. In light of the findings above, the FSA today took the following administrative action [Business Improvement Order] against the Japan Branch based on Article 47 (2) - (3) and Article 26 (1) of the Banking Law.

    Business Improvement Order based on Article 47 (2) - (3) and Article 26 (1) of the Banking Law
[1] To thoroughly review and rebuild the Japan Branch's current management, outsourced [and re-outsourced] operations and internal controls in order to establish proper management of the handling of its customer information and to prevent its leakage, with due emphasis on the following points [including the enhancement of human resources and organizational aspects];
 
1] To clarify management's commitment to customer information controls
2] To establish the management, operations and internal controls that enable the Japan Branch to control and supervise the handling of customer information, with clearly defined responsibilities within the Japan Branch
3] To enhance internal controls that enable the Japan Branch to respond promptly and properly to leakages of customer information [including enhancing internal controls to expedite necessary notification to customers]
4] To ensure that the control measures for customer information are properly understood and followed by management and employees
5] To enhance the internal audit function for customer information controls in the Japan Branch and to follow up on internal audit findings
6] To clarify who, among management and employees, should be held responsible for the cause of the incident
[2] The Japan Branch must submit the Business Improvement Plan to the FSA by July 12, 2004 and implement it promptly.
[3] The Japan Branch must report the progress in the implementation of the plan to the FSA on a quarterly basis until its completion.
