14 January, 2009


I always thought my correspondence with my bank was supposed to be private. Someone in St Kitts has just sent me the most extraordinary bit of correspondence. It showed that some of our banks are not very sophisticated or cautious how they deal with their customers’ confidential correspondence. My correspondent had sent the Caribbean Commercial Bank an enquiry about banking procedures in Anguilla. He had got an automatic response from the CCB computer. He was upset, and he told me why.

I decided to contact CCB myself. I went to their contact page. I filled out their enquiry form. I asked them to send me the requirements to open a bank account. Sure enough, I got an email similar to the one my correspondent had got. This is what it said:

From: <idmitch@anguillanet.com>

To: <twoodley@ccb.ai>

Cc: <masonc@masonc.com>; <idmitch@anguillanet.com>

Sent: Sunday, January 11, 2009 4:57 PM

Subject: Contact Us

Name: Don Mitchell

Email: idmitch@anguillanet.com

Phone Number: 497 2139

Comments: Please let me know the requirements for opening a bank account.

So, what’s special, you ask? Well, if you look carefully, you will see that, besides Trevor Woodley, the bank computer’s automatic response has been copied to Chris Mason. Now, I know Chris Mason. He is a perfectly respectable project manager. One of my last meetings with him was when he was managing Altamer Hotel’s new project to expand into the West End. Altamer wanted me to do part of an Environmental Impact Assessment for them. Their expansion project involved negotiations with cousins of mine. I considered that would raise a conflict of interest for me. Anyway, what expertise do I have to prepare any part of an EIA? I decided to tell them I was not available to do it.

But, what in the world does Chris Mason have to do with having copies of confidential banking correspondence sent to him by a bank? Why would a bank set up its enquiry page so that every piece of correspondence sent to it is automatically copied to someone who has nothing to do with the correspondence of the bank’s customers?

Is this in compliance with CCB’s confidentiality obligations?

Now, I do all my banking at the National Bank of Anguilla. Does NBA make the same mistake, I wondered?

So, I went to the NBA website. I found their contact page. I checked it thoroughly. I was relieved to find that it did not have a form that would automatically get sent to anyone outside the bank. It seems that with NBA you have to personally email or telephone an individual at the bank with your enquiry. What a relief!

I would urge the CCB Board to have their website tightened up. I do not think that customers, or potential customers, for that matter, should have their confidential queries sent to any person, no matter how respectable, outside of the bank.

Now, having made the enquiry, I’m wondering if the bank is going to efficiently respond to it.


  1. The Financial Services Commission
    says that my banking confidentiality is "ensured by legislation".

    But on the same web page they seem to think that Barclays Bank is still operating in Anguilla. Should I should trust them to know what's going on at CCB?

    In what legislation does it authorize my bank to copy my confidential messages to their website designer?

  2. The autoresonder (AR) that was sent to you would have no way of "knowing" about your personal relationshiop with Chris Mason (a Web designer on Anguilla). It would take Google-like programming to work to that level of sophistication.

    What likely happened is that the AR was set up to cc Chris Mason because he was the Web designer, or was at least involved in the programming of that AR. Now, why in the world a Web designer needs to see confidential information is beyond me. There are better ways to monitor if an AR is functioning properly without compromising your security.

    It's also unfathomable that the bank would not know about that. Didn't anyone at the bank wonder why Chris Mason is getting a copy of confidential information? Imagine the number of people who have filled in that form with truly confidential information?

    Stunning. I'm sure everyone is interested in seeing an explanation from the parties involved. Or if there is no good explanation, an apology and immediate correction.

    By the way, have you informed them, as they ask you to in the last paragraph of their privacy statement?


    The follow-up on this will be interesting.

  3. Have you heard yet from the bank?

  4. No, I have not heard from the bank. But, you will be pleased to learn that the bank has now cleaned up the list of persons to whom it sends copies of your enquiries.


  5. Good pick up Mitch.

    It truly is a shame that mediocrity is the norm in a lot of businesses today (not only on Anguilla). However this breach goes beyond mediocrity, it's illegal. Just "cleaning up the list" isn't enough. Someone needs to investigate how this happened and those involved, and guarantee it won't happen again.

    With all the problems with identity theft today this carelessness is unforgivable. I can't believe that the CCB has allowed this type of security lapse.

    "AR was set up to cc Chris Mason because he was the Web designer, or was at least involved in the programming of that AR." No, this wouldn't be the case.

    I wonder why this Chris Mason wouldn't have let the bank know he is getting this type of confidential information via email.

    I'd like to see someone from the bank and Chris Mason explain how this breach of confidentiality occurred and how long it's been going on.

  6. I'll bet $20 (EC!) that Chris did it on his own , and the bank did nothing.

  7. I think the CCB should immediately have the police do an investigation as to whether Chris Mason should have recieved any information on CCB customers. also did Chris Mason ever use any of this information for his own personal gain The police may want to sieze his computers to see what he did with any confidential information gleaned from the CCB.
    This is a very serious breach of confidentiallity within CCB.

  8. This is a disgrace by CCB to pass on any bank information to Chris Mason.
    Chris Mason could have a database of client wishing to do business on Anguilla, business plans, financing etc.
    The CCB needs to write to all clients who contacted them, since their details were sent to Chris Mason and see if he proffited from this confidential knowledge.
    As i said before this is an absolute disgrace and definitely needs looking in to.
    Well done Don for exposing this situation.

  9. Has anyone contacted Chris Mason for his reaction to this startling news? Would love to know his reply!

  10. Mason doesn't live in a bubble. Twenty people must have told him about this blog by now. If he had anything to say in his defense he could have done so before now.

  11. Be interesting to know if CCB or the police have questioned Mason about receiving confidential information on their clients and what he used it for. I hope the CCB have checked all their computers to make sure nothing else is going to Mason and to check what else may have gone to him. This needs a full investigation by a computer expert as well as the police.

  12. Confidentiality is a cornerstone of Anguilla's financial services sector. Has CCB violated the provisions of the Bank Secrecy Act? Does the fact that their Chairman of the Board is also our Chief Minister provide them with immunity from observing our laws?

  13. "if CCB or the police have questioned Mason about receiving confidential information on their clients and what he used it for."

    Really, what is the possibility of this happening? 0% I'd say. Like so many other things it will "go away". CCB doesn't want the hassle.

    If this got published in The Anguillian - then that's another story...

    btw isn't Chris Mason involved with the government through a tourist info web site run by net concepts?

  14. It should not be up to CCB to decide whether their employees or contractors have broken the law or that this matter should be investigated. If I'm caught committing a crime, are the police going to ask me if I want the matter investigated?

  15. Any business, bank, government entity etc should check that no private or confidential information is being chanelled to Mason. Be very wary.

  16. Personally, I have no idea why everyone is quarreling with Chris Mason. The focus is wrong. Mason engaged in no subterfuge. He appears to have done exactly what he was instructed to do. The evidence is that he hid nothing from the bank or its customers. It was always there out in the open on the screen in front of Trevor Woodley, every time someone sent an inquiry. If the bank wished to correct it, they had every opportunity.

    The real issue remains why would a bank instruct its outside web page designer to copy himself with confidential messages addressed to the bank. That is the only issue.

    And, if the bank did not give such instructions, why did they permit the situation to remain year after year, or however long this website has existed.

    Mason is not a bank or a banker. He cannot be expected to know anything about a bank's duty of confidentiality to its customers. By contrast, every banker learns that rule on the first day on the job.



Note: only a member of this blog may post a comment.