The UK’s Financial Services Authority has fined three HSBC subsidiaries more than £3 million ($5.46 million) for failing to protect consumer privacy.

The FSA said Wednesday that the firms did not having adequate systems and controls in place to protect their customers’ confidential details, and that these failings contributed to customer data being lost in the mail on two occasions. As a result, HSBC Life UK Ltd. was fined £1.6 million, HSBC Actuaries and Consultants Limited was fined £875,000 and HSBC Insurance Brokers Ltd. was fined £700,000.

During its investigation the FSA found that “large amounts of unencrypted customer details” had been sent in the mail, or by courier, to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft, it alleged. In April 2007, and again in February 2008, the firms lost unencrypted disks containing clients’ private information.

“These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details,” said Margaret Cole, director of enforcement at the FSA.

The firms have since taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted, the FSA said. All three firms agreed to settle at the early stage of the FSA’s investigation and qualified for a 30% discount on their fines.

IE