ASB Securities has been fined $80,000 for a privacy breach which left hundreds of online accounts able to be viewed and traded by users without permission.
The New Zealand Markets Disciplinary Tribunal censured the online share trading platform after 576 of its trading accounts were made vulnerable to unauthorised use over a 14-year period.
ASB Securities is one of New Zealand's most popular online brokerage services for DIY retail investors, owned and operated by ASB Bank.
Of the affected accounts, 37 were viewed and six were traded. All six account holders confirmed they were aware of the trades taking place and were not concerned.
The tribunal said the widespread vulnerability was a "serious breach" despite the small number of actual occurrences, exposing the bank to a maximum penalty of $500,000.
"A significant number of client accounts were able to be accessed by unauthorised individuals and were vulnerable to activity that could have had a significant impact on clients in terms of financial loss and violations of client privacy and account security," it said.
The breach was reported in August 2018, when a customer inadvertently viewed her ex-husband's trading account despite no longer having access permission.
The weakness arose because ASB employees had to manually delink shared trading accounts when requested, but routinely failed to do so.
Across a three-year sample period, 21 employees, or most of ASB's client services team, failed to properly action requests to delink accounts.
The tribunal criticised ASB for failing to have effective processes and supervision to ensure staff were fully complying with these delinking requirements.
"ASB Securities did not have an audit or compliance testing process to assess whether staff were carrying out the manual delinking sequence required by ASB Securities' standard operating procedures," it said.
This breached the NZX rules which require brokers to "ensure the accuracy, integrity and bona fides of all trading" and to "maintain appropriate security procedures designed to prevent unauthorised entry into the trading system".
However, NZX and ASB agreed to an $80,000 fine - well below the $500,000 maximum - and a public censure, as the breaches were unintentional and there was no financial loss to clients, or financial gain for the bank.