The UK's biggest bank was fined for the "careless" handling and loss of confidential details of tens of thousands of its customers.
In a series of security failings, the bank sent large amounts of "unencrypted" data via post or courier to third parties.
Three parts of the group were targetted in the fine. HSBC Life lost an unencrypted CD with the details of 180,000 policy holders, and was fined £1,610,000. HSBC Actuaries lost a disc with data on 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers, which lead to a £875,000 penalty. HSBC Insurance Brokers was hit with a fine of £700,000.
During its investigation, the FSA also found that confidential information about customers was often left on open shelves or in unlocked cabinets that could easily be lost or stolen.
Margaret Cole, director of enforcement at the FSA, said: “These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals."
"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details."
“Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat.
Cole also warned that banks could expect to see FSA issue more fines in cases where firms have been previously warned about lax information security practices.