Digital, Culture, Media, and Sport Sub-Committee on Disinformation

Oral evidence, HC 74

Monday 4 November 2019

Ordered by the House of Commons to be published on 4 November 2019.

Members present: Damian Collins (Chair); Clive Efford; Ian C. Lucas; Jo Stevens; Giles Watling.

Questions 201-321

Witnesses

I: Eva Gustavsson, Director, EMEA Government Relations, PayPal, and Richard Nash, Vice President and Head of Global Government Relations, PayPal.

 

 

Examination of witnesses

Witnesses: Eva Gustavsson and Richard Nash.

 

Q201       Chair: Good afternoon. I welcome the witnesses to this session of the Digital, Culture, Media and Sport Select Committee. Today’s session forms part of the work of our Sub-Committee on disinformation and fake news, which was set up to look at the issues arising from the Committee’s inquiry into those subjects.

We are grateful that PayPal has been able to attend the session today. We were very keen to invite you to come and give evidence because the whole question around online payments, particularly in the political context, is something we looked at in our previous work. It was a theme of our recent session with the Electoral Commission, and at the previous International Grand Committee meeting in Ottawa, which we took part in, we discussed some of these issues with the chair of the Federal Election Commission in America. There are a number of issues that arose from those meetings that we want to discuss today. I am sure you will be aware of them.

When people make donations to a political campaign using an online payments system, and PayPal in particular, what sort of information does PayPal record about these donations? Is that all made available to the political party? If so, how?

Richard Nash: Thank you very much, Mr Chair, for the invitation to be here today. My name is Richard Nash. I am the vice-president of global government relations at PayPal, based in the US now. Government relations means that my team works on both current and potentially future global public policy issues with Governments and legislators, and then, in collaboration with our compliance and regulatory affairs teams, with regulators and central banks.

Eva Gustavsson: Thank you for having us. My name is Eva Gustavsson. I am a director of government relations for PayPal, based in the UK. I look after the UK, Ireland and parts of Europe for the stakeholders that Richard mentioned.

With regard to the question of what information political parties receive when using digital online payments providers like PayPal, I imagine it will vary depending on payment provider, but for PayPal specifically the political party will receive information: the name of the donor, the email address of that donor, the sum donated, the currency, the date, and the country of provenance. In addition—this is probably relevant for the Committee; I was expecting the question—they can enable their accounts to receive the address of that donor as well.

I think it is probably useful for the Committee to be also aware that PayPal has two types of accounts. One is for consumers and the other is for what we typically call merchants. We do not have a particular product for political parties, but there are definitely ways in which political parties can enable PayPal to receive the information that they need, such as the address.

Q202       Chair: So the address is not necessarily given automatically unless it is set up to make sure that is included.

Eva Gustavsson: That’s right. Part of that is also to do with the legal agreement implicit in making the donation. So unless the framework is set up for the political party to receive the address specifically, the person who is making the donation has not legally agreed for their address to be shared—if that makes sense.

Q203       Chair: So a political party could set the system up whereby you would have to give the address in order to make a donation. Would that be correct? So if a donor decided that they did not want to share their address, they would not be able to make a donation. Is it possible to configure it in that way?

Eva Gustavsson: Sure. In fact, that raises a good point. There are also a couple of things that political parties can do just in smart website design. You can set up your web pages so that, as a political party, you receive all the information you would like to have up front before you even get to a payments page.

Q204       Chair: I appreciate that. On most political sites, particularly in America, there is a landing page that asks you to sign up and give your address so it can identify where you are. I appreciate these functions are there, but I suppose what we are interested in is the core functionality of the way PayPal works.

Richard Nash: Maybe just to clarify, we do not have a particular product or service for political parties or organisations—we are not targeting that sector—but political parties have been using our services for many years globally, and we have always understood, based on their successful use of the service, that the information they can pull from the service is sufficient to meet their regulatory obligations.

Q205       Chair: But it would only be sufficient if they knew the address of the donor, because that is the only way of checking whether they are on the electoral roll. If they are not on the electoral roll, the donation is not permissible. It seems to me that if a political party like the Brexit party is being investigated because the Electoral Commission feels that some of this information is not being provided, it could be that the reason it was not provided is that it was not set up to allow that information to be gathered.

Richard Nash: Well, if they have not configured it in such a fashion, that possibly could be the case. The reason we would not by default be sharing—or causing the system to share—that information is actually because of good practices and legal obligations around privacy. By design, you would not push all the information out if it was not necessary. Understanding that the user of the service could configure their website to capture the information elsewhere, actually, it would be good practice not necessarily to over-push information to the business concerned.

Q206       Chair: But even if you have gathered the information elsewhere, you do not necessarily know whether it really was that person who made the donation or whether it was someone just using their name.

Richard Nash: Well, I would have thought you would make sure that the information you are getting from the payment service—whether it is PayPal or another payment service—would correspond to what you know about the account holder and you could match that. If there is a doubt, I assume you shouldn’t be—

Q207       Chair: Yes, but let’s say I have given my data to the Conservative party, so the Conservative party knows I am a party member and it knows where I am on the electoral roll. The party has that information because I have given it to it. Someone could make a donation on PayPal using my name. It might not be me, but they could look at that and say, “Oh, well that looks like it corroborates with a person who we know is on the electoral roll.” If you do not have all the information that comes when the payment is made, how do you know it is that person?

Richard Nash: Understood, but I would say that, as a regulated payment service provider, we obviously are in the business of making sure that we are dealing with the safety and security and the integrity of the payment system. In the example that you gave, I would think it is unlikely that that sort of payment could get through our anti-money laundering, anti-fraud and risk management systems, if somebody is trying to make a payment on your behalf but they aren’t actually you.

Q208       Chair: The point I am making is that I think a lot of people would say it should be impossible to make a donation on PayPal to a political party unless you give your address, and there should be a default setting for any political campaign that you cannot use PayPal unless you require people to give their address when they make a donation. There should not be an option of saying, “You don’t have to turn that setting on if you can promise us you’re getting that data elsewhere.” If safety was the first priority, you would say, “You shouldn’t be able to make a political donation unless you’re giving your address.”

Eva Gustavsson: I go back to the point that data privacy principles require that we do not automatically push too much information. That is appropriate usage of data; you are not meant to share more information than is requested or required.

Q209       Chair: But if I make a donation of £500 or more to a political party, I have to give them my address when I make the donation, and that information is published. It has to say who I am and where I live—or the address I have given—when that donation is made. That is if I make the donation to a party; if I make it to a candidate personally and it is over £50, that same declaration has to be made, but there is not an automatic default that that information has to be provided if you make the donation through PayPal. I could give £500 to a political party through PayPal and not hand over my address. That could be a way of getting around the rules.

Richard Nash: Again, as a regulated payment provider, we are supposed to manage the integrity of our system. It is still, obviously, the obligation of the political party concerned to make sure that any payments that it is receiving are permissible, isn’t it?

Q210       Chair: But would you have an objection if the Electoral Commission said, “We have changed the law to say that the default setting for any online payment should be that certain pieces of information have been given,” so that if you were making a donation above a certain level, you could not make that donation through an online payments system unless you were disclosing your address when you made the donation? You would not have a problem with that?

Richard Nash: That is a matter for Parliament and the Electoral Commission. If it were so decided, we, like any other payments provider, would have to comply. But I reiterate that, today, our understanding is that a political party using PayPal can meet its obligations. I think we are comfortable that the service that we are providing today can live up to the expectations of our users. But if improvements to the overall process, procedure and law are considered by Parliament and the Electoral Commission to be appropriate, we would have to follow that.

Q211       Chair: Obviously there are obligations for the political parties in demonstrating to the Electoral Commission where their funds come from, but there is also a question about some of the new tools that people are using and will increasingly use in the future. Should they be configured for political parties so that they cannot be used unless the basic requirements of disclosure are being met?

Eva Gustavsson: Again, as a regulated payment services provider, we have a licence to conduct business. There are responsibilities that come with that licence, and we work very hard to meet those compliance obligations. Equally, for a political party to become registered and earn the right to be on the ballot and, indeed, take donations, there are responsibilities that come with that, including ensuring that you have the appropriate systems and processes in place to be able to report as necessary with regard to accepting those donations, as set out by the Electoral Commission.

I think it is important to be clear about the fact that it is, surely, a choice for political parties to, first, register as political parties and, secondly, accept online donations. I think that is very important to be aware of.

Q212       Chair: I appreciate that. Ultimately, the political party is in a position where, if it accepts the donations but cannot prove where they have come from, it could be in breach of the law, and it is the Electoral Commission’s job to determine whether that is the case. But it is also a fair question to say this: should it be possible to use these systems to make payments to political parties or registered political groups without the user having to disclose the sort of information that we know is required?

Eva Gustavsson: Sure, agreed. Something useful for us to share is that we have been in discussions with the Electoral Commission about this and a broader explanation or education piece around how PayPal can be used and payment systems, etc. That will feed into their statutory report, which I know is due in a few months.

Through our work and discussions with the Electoral Commission, it emerged, in this space, that it could be useful for political parties to have, collated in one place, information on how to enable PayPal, what services PayPal use that are useful for them and how to enable PayPal so that they can meet their own reporting requirements and so forth. So we have worked to prepare the collation of that information in one place and have really aggressively finished that quickly, particularly in the light of the election that has just been announced. That is now an external site available for political parties and with specific guidance in terms of how to set up their accounts to receive the information that they need. It also links to the guidance that the Electoral Commission suggested to us would be most useful for those parties.

Q213       Chair: Sure. I understand that. So the accounts can be configured so that people have to disclose their address when they make a donation, and the information is out there, so any political party should know that it can do that and how to do it. When the Electoral Commission gave evidence to us, they said that some parties were operating to a higher standard of compliance than others, and I imagine that was one of the things that they were talking about.

When someone sets up a PayPal account, what information do they have to provide to make it active?

Eva Gustavsson: There are two kinds of accounts. There are consumer accounts and there are what we call merchant accounts, which would be the accounts that political parties make use of. I imagine you are talking about consumer accounts, in terms of donations.

Chair: Yes.

Eva Gustavsson: Specifically, people are required to give demographic information and identification information, which we then use and verify against appropriate external sources.

Q214       Chair: Would that be name, address and age?

Eva Gustavsson: For example, yes. We then verify that against external sources and, as PayPal is a global payments provider—we process 27 million transactions every day—we get loads of data that we use to inform very sophisticated risk-monitoring engines, which we consider very important to our business model and which work very hard to ensure that we are compliant with all the anti-money laundering requirements, counter-terrorist financing requirements and fraud detection that we need to fulfil. There is a significant amount of upfront checking before an account is allowed to be opened.

Q215       Chair: The checking is external. For the sake of the record and so that we are clear, someone would give their name, address and age. What other information would they give when they set up the account?

Richard Nash: They would also attach a funding instrument.

Eva Gustavsson: That is right.

Richard Nash: Either a bank account or a credit card—something to be able to use through the digital wallet that PayPal provides.

Q216       Chair: Okay. Do they have to provide any personal ID?

Eva Gustavsson: Absolutely.

Q217       Chair: What sort? A driver’s licence or a passport picture?

Eva Gustavsson: That is right: a Government-issued ID.

Q218       Chair: A photo ID?

Eva Gustavsson: Indeed. It needs to be attached to a bank account which is verified. The account can only be opened in the country in which that person is registered.

Chair: Okay. So when somebody

Eva Gustavsson: I am sorry to interrupt. I have found my notes, so I can be very specific with you in terms of your questions and what you are looking for. We look at full name, address, telephone number and email. Those are the pieces of information that the individual will provide upfront. We can then know and see a lot of background information, and in our risk engine, we run fraud checks against that—for example, what IP address it is coming from, what machine identification it is coming from, and other technical details to verify that they are who we think they are and who they say they are. That person is then assigned what we call a “risk score”, which gets updated regularly.

Q219       Chair: That data would tell you whether they are in the country that they claim to be in, but how would it help to identify an individual?

Eva Gustavsson: We verify the information against the sources that we have to detect that. We get the picture identification and check that.

Q220       Chair: You can check someone’s name and address on the electoral roll, and that would also give you an idea of whether they are over 18. If someone provides a phone number and email address, which are not hard to come by, that does not necessarily tell you that they are who they say they are; it just tells you that they have an email address and phone number. If someone submits Government-issued photographic ID, is it a question of someone looking at it and saying, “Yes, that is a driver’s licence; that is a passport”? As you said, there is an attached payment method, so that there is an account paying money in. The IP addresses will tell you where someone is, but not necessarily who they are. Other than that, in terms of external sources to verify, is anything else done? Other than checking the actual register, most of this seems fairly self-reporting on the customer’s part.

Eva Gustavsson: I feel like Richard has something to add—I can hear it—but to answer your question specifically, I would say two things. First, to take money out of the account, it would need to be attached to a verified bank account. Secondly, I do not want to oversimplify our very sophisticated risk engine, which is able to identify most fraud and looks at a number of background factors on how the information was inputted, where it comes from, whether it looks like someone is using a proxy, whether the machine ID is from the country that we think it is, whether it is in the area that it says it is in, and whether it has been used with other suspicious activity before. We look to identify whether that account is, in other ways, connected with other suspicious activity that we have seen. It is a very sophisticated analytical engine that identifies whether the accounts seem credible or not. That is in addition to the other work that we do upfront, which you are addressing: looking at picture identification, verifying the identity through more traditional ways, and the fact that the account is attached to a verified bank account.

Q221       Chair: Can a verified bank account be connected to more than one PayPal account?

Richard Nash: Instinctively, I think the answer is no, I don’t think it can be. I would have to check that and get back to you, but I am pretty sure the answer is no.

Q222       Chair: Your systems would need to check that when the account is set up. If you can—if there is no bar to it—obviously that means a single individual could make donations from multiple accounts.

Richard Nash: Yes, understood. That is a sensible anti-fraud measure, by the way—more horizontally, and not just in relation to this. I am pretty sure that is the case, yes.

Q223       Chair: Okay. If there is someone on your team here who can discover the answer during the session, I am happy for us to come back to that point later on, because it is quite an important one. If this does happen, and it is possible to have more than one account—of course, a named individual can have more than one bank account anyway. Even if you can have only one PayPal account per bank account, someone could have several bank accounts and different credit cards, and they could set them up using different accounts in that way. Is there any way to link people’s accounts to the individual and the address where they are registered when people are setting up accounts?

Richard Nash: That would be one of the measures in our anti-fraud engine that we would look at. We call them linked accounts. Understanding somebody’s pattern of activity is very much part of our anti-fraud engine.

Q224       Chair: Anti-fraud could be about identifying suspicious activity, but not necessarily about stopping people setting up the accounts.

Richard Nash: Yes, because there may be legitimate reasons that they would have different accounts for different purposes.

Q225       Chair: Yes, so there is not necessarily a bar that stops someone setting up multiple accounts. You think that different bank accounts are linked to different payment mechanisms, but they could all be traced back to the same individual. From what you are saying, it sounds like there would be nothing to stop someone doing that. There would be an intervention if it looked like someone was engaged in fraudulent activity through a linked account, but that would be based on their behaviour after the account had been set up.

Richard Nash: This would be a classic measure that any of our regulators, internationally and in Europe, would look at in terms of the suitability of our anti-money laundering programmes.

Q226       Chair: We want to get into the political dimensions. What happens if an individual makes a series of small donations to a political campaign that are below the threshold whereby you have to declare your name and address, but, actually, they have all come from the same source? Could a political party get the information it needs to know whether it is receiving multiple donations from the same source?

Eva Gustavsson: Sure. A political party would absolutely be able to see that very easily through its account dashboard. That is just the basic service. In addition to that, at no extra cost, there are plenty of other tools around being able to manage your own accounts, reporting customisable reports, and the ability to search vast amounts of information—if you have a number of donations, you can search them for specific key words or a particular donor, absolutely. You can export those into any tools that you might want to use, such as Excel. The political party can then use that to check and identify whether there are any donations that it finds disconcerting or impermissible, in which case it is tremendously easy to return the donations.

Q227       Chair: Does the PayPal dashboard, in the basic settings, show you—you said earlier that it says, “name”, “email”, “sum” and “country of donation”. It does not show you the ultimate source of the funds, which would give you information about which bank account it had come from; it shows only the PayPal account of the person, if they are paying through PayPal.

Eva Gustavsson: Indeed.

Q228       Chair: So from that basic information, there is no way of knowing whether donations are connected to the same individual or not.

Eva Gustavsson: Other than our risk analytics engine preventing that from happening.

Q229       Chair: Yes, but again, from what you said, someone could set the accounts up to make those payments and then close them down again. The risk analytics does not stop you setting up accounts that connect back to a common source, and the party has no way of knowing whether the payments it is receiving are ultimately coming from the same source. All it sees is the basic PayPal account information, or potentially the address as well, if it has been configured for that. It has no way of knowing whether the same bank account is making multiple donations that would put the donor above the threshold.

Eva Gustavsson: I want to come back to that point that you made a couple of questions ago about whether an individual is allowed to open multiple PayPal accounts for one bank account. My hesitation in answering you 100% on that is that I just wonder whether there is any way in which someone—such as someone who runs a small business—could set up a legal entity account and whether that can be connected to a personal account or not. Indeed, it is not PayPal’s intention, and we do not permit, for users to have more than one PayPal account, generally speaking. However, I wanted to be cautious in responding to you initially, because this is a very serious forum. We are happy to write to you formally afterwards to confirm that.

However, it is very much our intention to catch exactly the kind of behaviour that you rightly highlight as concerning, to ensure that that type of behaviour does not take place on PayPal. It is tremendously important to us that all activity that takes place on PayPal is, first, within the bounds of the law, and secondly, within the bounds of our user agreement—our accepted use policy—which prohibits an intention to commit any kind of fraud or to spread any kind of disinformation or be disingenuous in any way.

Q230       Chair: There are two issues here. There is the issue about whether impermissible donations from overseas are being made. The only way to know that is by having the address of the person making the donation, which can be checked against the electoral register. The second issue would be whether someone is giving a large donation to a political party but is processing it as a series of micro-donations that are all below the threshold and untraceable.

From what you are saying, although maybe not from the same bank account, it sounds like an individual could set up multiple PayPal accounts if they are connected to different payment systems. That could be someone who has a company or personal account, or maybe another connected account. Many businesspeople we have seen in front of the Committee have multiple businesses and probably multiple different bank accounts. From a common source, money could be channelled through different routes.

The way in which that may be traced by an investigator, such as the Electoral Commission or someone else, would be if the source of funds to those PayPal accounts could be accessed. Is that information that you hand over? If you had a request from the Electoral Commission saying, “We’ve got concerns about these payments that were made. Could you tell us which payment systems or bank accounts those funds came from?”, would you be able to hand that information over?

Eva Gustavsson: For my part, there are two answers—there were two questions and I have two key points. One is that we invest hundreds of millions in risk analytics and processes, and we have thousands of colleagues who are dedicated to and focused on ensuring that the type of inappropriate behaviour that you characterise does not take place on PayPal. That is tremendously important to us. The second point—

Q231       Chair: Okay, but from what you and your colleague said, that is an after-the-fact investigation. If someone is doing it, will your systems detect it?

Eva Gustavsson: It is real time. The second point, in answer to your question on whether we would hand over that information to the Electoral Commission, is that there are two ways of answering that. One is that, as we know from the Electoral Commission, if it is to open an inquiry, it is able to request information from us, which we would, of course, happily share, as we do in working very carefully with local authorities in all markets in which we operate.

Secondly, going back to Richard’s much earlier point, given that we are a regulated payment system, there are frameworks through which we can share suspicious transactions, or even elements of suspicion. We are required to do so by regulation, and we do so very fulsomely, because it is tremendously important to the trust and security of PayPal overall. We would send any suspicious transactions to the relevant financial intelligence unit, and financial intelligence units across the world have framework agreements regarding sharing information to identify patterns and all kinds of criminal activity.

Q232       Chair: I understand that, but can the Electoral Commission make a request for all the information you hold about an account holder, including their address—whether or not that was part of the agreement when the donation was made—and the source of funds? Are you able to hand that information over if it is requested?

Eva Gustavsson: My understanding is that if the Electoral Commission opens an inquiry and requests that information from PayPal, yes.

Q233       Chair: Okay, but it has to be part of a formal inquiry?

Richard Nash: Yes, in accordance with the legally applicable framework for that.

Q234       Ian C. Lucas: Imagine for a moment that I am resident outside the UK and want to make a donation to a UK political party through PayPal. If I seek to make a donation, as far as PayPal is concerned is there a system in place to flag that I am making a donation to a UK political party?

Richard Nash: To flag to?

Ian C. Lucas: To flag to you that there is a donation happening from outside the UK to a UK political party.

Eva Gustavsson: Yes, indeed. For every single payment that is made, we will share what country that payment is coming from.

Q235       Ian C. Lucas: But will that indicate any warning to you that there is possible illegal activity going on here?

Richard Nash: Not necessarily. If that relates to a pattern of risk that we pick up and our systems look at, based on

Q236       Ian C. Lucas: Can I just stop you there? In this day and age, it is quite straightforward for PayPal to flag, as an issue for PayPal, an overseas payment to a UK political party. That is quite a straightforward process that you could flag within your system.

Richard Nash: The user—the political party receiving—would get that information

Q237       Ian C. Lucas: I am asking about you, not the user, because I want to look at your responsibilities. You have talked about the different indicators that you have within your system—I am sure there are lots of them. Is it an indicator that a foreign donation to a UK political party is being made?

Eva Gustavsson: It is reported with every transaction.

Q238       Ian C. Lucas: But is it reported as something that requires further investigation?

Richard Nash: I am a British citizen living outside the UK, and up until about three years ago I was still on the electoral roll in the UK, so I could have legitimately made a donation in the last three years.

Q239       Ian C. Lucas: Absolutely, and you could check, as PayPal, that that person was legitimately making a donation. I am not saying that it shouldn’t be allowed; I am saying that there should be a flag. Is there a flag now that this is something that needs further investigation?

Richard Nash: I don’t think that is our responsibility.

Q240       Ian C. Lucas: Absolutely—that’s the point. It is interesting that in February 2018, I had a very similar conversation with Facebook in Washington DC, and they said that none of this was their responsibility.

Richard Nash: Well, I think our responsibility is to run a highly regulated payment system and protect its safety and integrity.

Q241       Ian C. Lucas: Yes, but—I make the point that I made to Facebook—your responsibility is to comply with the law.

Richard Nash: Yes.

Q242       Ian C. Lucas: I think this is not something that you are deliberately doing—this is my personal opinion. I think it has not occurred to you previously that this is an issue for PayPal. When you put together all your systems—my wife is a big fan of yours, by the way—when did you first think about electoral fraud? You are the government affairs people. When did you first discuss electoral fraud within PayPal? Was it recently?

Richard Nash: Again, I think that our responsibility is the payment—

Ian C. Lucas: Can you just answer the question?

Richard Nash: To us, it wouldn’t be subject to a specific conversation; it is about the risk management of our overall system and our compliance with the rules applicable to us as a regulated payment service.

Ian C. Lucas: You are here giving evidence to the House of Commons DCMS Select Committee because this has been a risk for you. As I say, I don’t think you have intended to do anything wrong at any stage; I think this just hasn’t been addressed within your systems. I will come back to the original question: when did you first look into the issue of electoral fraud as opposed to the myriad other frauds that exist? Can you answer that? It is a quite straightforward question.

Richard Nash: I will happily answer it. We are looking at the horizontal thing, not necessarily electoral fraud—

Q243       Ian C. Lucas: Can you give me a date? Was it 2018, 2017, 2016?

Richard Nash: I hesitate to answer your question directly—

Q244       Ian C. Lucas: Why?

Richard Nash: Because it is not part of our responsibility today. Our responsibility is to look at compliance with our regulation, which is in the financial services areas.

Q245       Ian C. Lucas: It isn’t just within the financial services area. Electoral fraud is important. You accept that compliance with the law is important. What we are talking about here is compliance with the law, because it is illegal to make donations from overseas. I could set up a political party tomorrow in the UK and I would have to comply with the law by recording issues properly, but from what you are saying it seems that I could receive payments through PayPal. Although I might be breaking the law with my political party, you do not seem to think you have any responsibility in this area. You seem to think it is all the responsibility of the political party. Is that correct?

Richard Nash: I believe that when the Electoral Commission gave evidence, it suggested that that was the case.

Q246       Ian C. Lucas: I think it did, but I think it was wrong. I think you guys should be responsible, too, in the same way that I think Facebook should be responsible for activity, as I flagged up with them. If you look at fraud more broadly than electoral fraud, you have obligations to ensure that you are not used for fraud, don’t you?

Eva Gustavsson indicated assent.

Ian C. Lucas: That’s absolutely right, and you accept that.

Eva Gustavsson: And we work very hard to ensure that fraud does not take place. Indeed, I mentioned earlier our acceptable use policy, which goes on top of the legal and regulatory requirement and has even stricter requirements.

Q247       Ian C. Lucas: So why shouldn’t you have obligations in respect of electoral fraud?

Eva Gustavsson: Again, I am a little worried about the insinuation that PayPal is enabling anything of that nature.

Q248       Ian C. Lucas: Hold on. I didn’t suggest that. In fact, I think I’m being quite charitable to you, which is not in my nature normally. I just think you guys had not thought about this until you were put in this position by other people. One of the reasons we are doing the Committee is that we are flagging up issues that we haven’t thought about previously.

Eva Gustavsson: I would say that a very good outcome of our participation in this inquiry and our engagement with the Electoral Commission has been the collation of the information for UK political parties, which, as we referenced earlier, is available. It has its own dedicated site now. I think that that is a very good outcome of this inquiry and this work.

Richard Nash: I am very sympathetic to your line of questioning.

Ian C. Lucas: Thank you.

Richard Nash: I would just say that we are confident that we are meeting and going well beyond our obligations today, according to the law and the regulations that we are subject to. If there is a conversation to be had with the various stakeholders about whether there should be changes in future, you will find us a very willing participant in those conversations. I would hope that other players in the financial services industry would say likewise to you. Ultimately, that would then be a matter for Parliament to consider as to whether liability or responsibility should be apportioned differently.

Q249       Ian C. Lucas: You have had recent contact with the Electoral Commission, which has been positive, but my sense is that the position has changed. Would it be fair to say that you have been paying more attention to this issue in the past two years?

Richard Nash: I would simply say that our work on anti-fraud and anti-money laundering continues with the same dedication that has always been there. I think this Committee is taking quite a leading role globally in this issue.

Q250       Ian C. Lucas: Stop flattering us. I think we know that. What I am trying to get at is the fact that in the past we have had a lot of elections and referendums and all the rest of it, and these issues were not dealt with, or not focused on, in the way they are being addressed today. Within PayPal, would you agree with that? I mean, you’re here, and you weren’t here three years ago, were you?

Richard Nash: I don’t believe we were invited three years ago, but I take your point. The more discussions that can take place to highlight the gaps that you are referring to in the system overall, and to understand how best and most appropriately to plug those gaps—I think that is a very welcome discussion. Thank you.

Q251       Chair: To pick up on something that Mr Lucas said, the reason he drew the analogy with Facebook is the well-known case of people using rouble credit cards to buy political ads to run during the American presidential election. As far as the law is concerned, an offence was committed, but it was committed by the person in St Petersburg who was buying the ads. Facebook had no obligation to declare that this was happening. The issue that Ian was getting at, and which I think many Members are sympathetic to, is that that is not good enough, because the platform is the only person who can see the transaction being made, and it is illegal.

The concern here is that PayPal can be used by someone to commit an electoral offence, and maybe there should be rules in place to say that political donations have separate laws and regulations to other financial transactions and should be marked differently, and if someone is seeking to make a political donation from overseas a verification should be built into the system before they can make that donation. Why should it be that PayPal can facilitate that transaction, which could be being made in breach of the law, but it is the job of the political parties and the Electoral Commission to determine that? Why can’t the system be set up to say that the default setting is that you cannot make these donations at all?

Eva Gustavsson: First, the responsibility is, again, not with the Electoral Commission; it is with the political party. Secondly, I want to emphasise again that PayPal will not release the funds into the political party’s account if they were deemed to be suspicious based on any sort of detections that we have around anti-money laundering, counter-terrorism financing, fraud, et cetera. I understand that you are asking whether, if it is in breach of electoral law but otherwise looks fine, it would be possible to freeze that.

Q252       Chair: If you have this schedule of things that you check for suspicious activity, that might, in the case of political donations, be someone who has made a donation but who has not disclosed their address to a political party. That would be suspicious because there would be a likelihood that that person seeking to make a donation may not be on the electoral register. In some ways, it would be safer and better if within the system, as Ian said, a flag is raised that prevents that transaction from being made until that person has verified that they are a permissible donor.

Richard Nash: I hear you. All I would say is that today we understand the roles and responsibilities that we have. We conform to those. As I mentioned, we do not have a separate service specifically for a political party. We are not aiming to be a solutions provider to them. We are trying to deliver payments.

Q253       Chair: In your own words, you summed it up when you said, “We’re not responsible. It’s not our responsibility.”

Richard Nash: That is what the law says today.

Q254       Chair: And that is how you have defined your own responsibilities. You have obligations as a financial services provider.

Richard Nash: Quite.

Q255       Chair: But you do not believe that it is your responsibility to raise a flag if you can see donations being made from overseas and it is not clear whether the donor themselves is on the electoral register, and whether they are a permissible donor. It is not your responsibility.

Richard Nash: I think that is what the law says today, sir.

Q256       Ian C. Lucas: I don’t see what is so difficult for you. Just treat electoral fraud in the same way that you treat financial fraud. If you just say yes and put the flag in, we would go away happy.

Chair: I don’t see why it requires legislation. You could just do it.

Eva Gustavsson: Agreed—that requires legislation. Okay. The other point I would make—

Q257       Ian C. Lucas: I don’t think it requires legislation for you to put a flag in about a donation from overseas.

Eva Gustavsson: Again, every single transaction is reported with the country of provenance.

Q258       Ian C. Lucas: But it doesn’t tell me that there is anything wrong, does it? It is just another donation.

Eva Gustavsson: Whether it is compliant with electoral law or not, our systems will not capture—

Q259       Ian C. Lucas: I have made the point that you can introduce a flag within your systems, if you wish, to say that this is a donation to a political party, which have specific rules relating to them about donations from abroad. Let’s look at it—that is what I am asking. I cannot see why that is so difficult for you.

Eva Gustavsson: The other point to be aware of is that political parties will use their accounts for a variety of things, including the selling of tickets, merchandise and so on. I would keep that in mind in terms of being aware of it in this discussion about flagging. There is a lot of activity that happens on the account that is not donations.

Q260       Clive Efford: What is the process when you flag up something that you consider to possibly be a fraudulent payment? Does that transaction actually get completed or do you stop it?

Eva Gustavsson: It stops.

Q261       Clive Efford: In terms of political donations, you could stop and check them, and ask the recipient to check whether they should be receiving that payment. That would be possible, would it not?

Richard Nash: No. We would not want to ask—at that stage of our processes, currently, we would not go to the intended recipient and ask them whether they should be receiving it. If there were genuine fraud taking place in our system, they would be in on it, so we would not want to give that information away. For us, it is dependent on whether there is a reason for us to be suspicious of the transaction or the intended transaction. It is not even that we have necessarily found something definitive, but if we have a reason to suspect that there is something suspicious involved, the transaction does not take place. We then flag that and file a suspicious activity report to the financial intelligence unit, based on our regulatory obligations.

Q262       Clive Efford: But we have rules in this country about who can make donations to political parties. It is quite clear that overseas payments could, potentially, be in breach of those rules. You have the systems in place by which you could prevent those transactions from taking place while they are verified. You could do that, could you not?

Eva Gustavsson: The transactions are prevented while we verify them for anti-money laundering and fraud risks.

Q263       Clive Efford: Why can you not do that for a political donation?

Eva Gustavsson: With regard to the political donations, as I mentioned earlier, it is tremendously easy for political parties to take the information that they have available to themselves, however they may have captured that, to check the permissibility of the donation. If it is not suitable, it is very easy to return that payment—it takes seconds.

Q264       Clive Efford: What we are trying to create here is a system that can prevent donations that are outside of the rules of the electoral regulations in this country from being made. It seems to me that you have the systems in place and you could offer that service to political parties. It does not seem that you are willing to do so.

Eva Gustavsson: Like I said, we have a product that is available for what we call merchants. There are many political parties in this country that choose to use PayPal for their needs. There are a number of other providers that they can also choose from. We provide tools that they can enable to help them to meet their own requirements, but there is no specific product that does what you are talking about today. Political parties have a choice of which payment services provider they use, if any.

Q265       Clive Efford: So even if an organisation asked you to set that up, you could not do it.

Richard Nash: To set up a system where—

Clive Efford: Where the sender must be in country before they can make a donation to a political party. If they wanted you to set that up, could you do it?

Eva Gustavsson: Again, it comes back to the point that we do not know whether the payments being made are donations or payments for other services or products. We would not see that.

Q266       Giles Watling: This is a fascinating exchange, and I would like to announce that, like Mr Lucas’s wife, I am a great fan of PayPal and how it makes life simpler for buying online and there is a certain reassurance. I get all of that. As you might be aware, the Committee has done a lot about the harvesting and storing of data. We have now been talking about multiple payments, possibly fraudulent payments, and so on. Clearly, there is a powerful tool that you could be using, which we have not mentioned, which is the storing of IP addresses. Do you do that at the time of transaction? Do you store IP addresses? Do you know the IP addresses of the people who have been making donations or payments, so that you can always go back down the trail if asked?

Richard Nash: IP addresses are one of a number of data points that we use in our risk management systems, yes.

Q267       Giles Watling: So if the Electoral Commission, for instance, wanted to come to you, you would be happy to supply that information.

Richard Nash: If we were able to do so according to the legal procedures in place, yes.

Q268       Giles Watling: You must be under ever increasing and sophisticated attack. Like Mr Lucas was saying earlier, when we were talking to companies such as Twitter and Facebook, we would get the feedback, “We just provide the platform. What people do on it is entirely up to them.” Clearly, in the case of Twitter and Facebook, we have had hate crime and stuff like that happening. It occurs to me that tech companies, be they financial tech companies or social media tech companies, must take more responsibility. Would you agree with that?

Richard Nash: I would again emphasise the point that we are already a regulated financial payments services provider. We already have those obligations. To get a licence in our space, you need to demonstrate that you have the capabilities to comply with the law, and in our case, we look at what we do over and beyond the law. We look at managing risk and making sure that we prevent fraudulent transactions.

Q269       Giles Watling: Is there a way that you would like to deal more proactively with engagement with organisations such as the Electoral Commission, so that you can be ahead of the game and advise, help and assist?

Richard Nash: Looking at our relations with authorities that could request data from us, the way that it works today, as I mentioned, is that we have the financial intelligence unit reporting system for suspicious activity reports. That is part of our regulatory obligations.

Over and beyond that, we will regularly work with law enforcement to make sure they understand who the contact point is, if they will ever need such information from us, and what kind of data we may legitimately be storing about users and transactions, so that, again, if they can request data from us in accordance with the legal procedures they are subject to, they can do so expeditiously and in a much more satisfactory way. We pride ourselves on that kind of work—on our commitment to engagement with authorities so that they can pursue their investigations efficiently and speedily.

Q270       Giles Watling: I get that, but with all due respect, that is sort of reactive. What would you like to do to be more proactive?

Eva Gustavsson: We have developed good relationships with law enforcement authorities so that the feedback channel is two ways. We do the required reporting and so on, but they also now know that they can come to PayPal to get the information they may need to inform their own investigations, all within the appropriate legal frameworks. Regarding our engagement in those channels, we received feedback that the quality of the data we share is good and our engagement is constructive and of an appropriate level. It is both ways.

Richard Nash: On the proactive side, we could not proactively contact the Electoral Commission to supply them with information.

Q271       Giles Watling: Perhaps you could supply them with guidelines on something that they need to be looking at—things that occur to you, that come through your algorithms.

Richard Nash: We discussed possible follow-ups to this discussion, and we would be delighted to participate in sustaining a framework of the responsible stakeholders and better educating all of us as to what we can all be doing, and potentially helping the Electoral Commission improve or submit ideas for improving some of the processes.

Q272       Giles Watling: Good, thank you.

I would like to move on to a rather more personal thing. Over these past few days, my wife has been selling her car on eBay. Interestingly, she has had several people come up who wanted to make payments straight away through PayPal and then send a courier to pick up the car. Upon investigation on Google, there is a scam going on: people come and pick up the car, and then claim it is damaged or whatever and get the money back through PayPal. Is this something you know about? This is a personal thing, but I would just like to know your reaction to that.

Richard Nash: Those kinds of typical fraud scams have, unfortunately, been around for a long time. In this case, we work with eBay—PayPal used to be owned by eBay. The advice that eBay gives to its customers is that if something is for sale on eBay, make sure the transaction stays in that platform until completion. There is a lot of user education out there about this.

From our perspective, we try to ascertain whether fraudsters are using accounts and whether we have managed to kick them off our services but they have then tried to come back with the same details—and we link those accounts. A lot of work goes on there but, unfortunately, there are always fraudsters out there who are looking to take advantage of services that, rightly, engineer great trust among users. That is a never-ending anti-fraud thing that we have to deal with.

Q273       Giles Watling: Have you noticed any trends in the use of your services regarding money laundering and economic crimes?

Eva Gustavsson: The rise of bots is significant and makes up a large chunk of the fraud that we see on PayPal. We work very hard to defend against that. We have many bot attacks every day. Typically, we see them coming in two forms. One is account takeovers, where they take a legitimate account such as yours and try to access funds through that manner. The other is that they will try to create an account by using stolen credentials.

Coming back to how important the safety and security of PayPal is and how important trust is to us, you can imagine that we invest significantly in being able to identify that type of activity. There are things you can use to find those, which we do. There are hundreds of data points, such as the speed at which the information is being inputted on the machine, the machine identification number and whether it looks as though a proxy is being used: is someone on one end trying to appear as if they are in the location of the stolen identification credentials that they are using? We try to and do employ all those things significantly to defend against bot attacks.

Q274       Giles Watling: I imagine you have algorithms that would flag that up, so you can then take action.

Eva Gustavsson: Yes.

Q275       Giles Watling: Do you think you are winning this battle?

Richard Nash: Unfortunately, there are always folks who are seeking to have such schemes and commit fraud. That is regrettable. Our success has been establishing trust, privacy, security and safety. That is almost part of our brand promise; they are the things that we live by and why we are a hugely successful company globally. We are proud of our work in this space but we always know that there is something that will continue to surprise us tomorrow. The work is never ending. The table stakes for us is to be so committed to this space, and is one of the reasons we have been so successful, but we would never rest on our laurels with what we have achieved.

Q276       Jo Stevens: The Mirror carried out an investigation in May this year, showing that it was possible to join the Brexit party under the alias of Russian President Vladimir Putin, using his Kremlin address, and donate £25 to the Brexit party via PayPal. In June, the Financial Times reported that one contribution of £1,000 was returned by the Brexit party because it could not identify whether the donor was a permissible source.

We have touched on the Electoral Commission’s role with you during this session. Earlier, you talked about the information and data that you push to people who use your platform—name, email, currency, amount and date. Can you tell me whether the Brexit party set up its data framework that you described so that donors’ addresses were provided?

Eva Gustavsson: I understand—you have very clearly articulated—why that would be of interest to this Committee, but I hope you also understand that we cannot divulge the details of any particular account, Brexit party or otherwise.

Q277       Jo Stevens: Why not?

Eva Gustavsson: It is the legal and regulatory requirements that are incumbent on us. Not least of all, of course, we have GDPR; but our responsibilities as a regulated payment services provider—we couldn’t share the detail of any account publicly.

Q278       Jo Stevens: That’s really disappointing, because you have just spent a long time telling us how it is not your responsibility to effectively comply with electoral law, but you are choosing which laws you are going to comply with, and won’t give us the information.

Eva Gustavsson: We certainly look to comply with all laws and regulations, local and otherwise, in all the markets in which we participate. That is not negotiable from our part. It is a basic principle of GDPR, which has also been implemented in this country, as we know. We can’t share that information.

Q279       Jo Stevens: Earlier, Mr Nash, you said that good practice on user privacy involved you pushing—I think you described it—the email address to people who use your platform. Why not the postal address?

Richard Nash: To clarify what I said earlier, it was that we wouldn’t unnecessarily push details if the account holder—the business organisation—hadn’t set up to receive that information from the system, because they may be capturing it elsewhere.

Q280       Jo Stevens: So you don’t as a default position include a postal address in that data framework.

Richard Nash: I don’t believe that is the case.

Eva Gustavsson: The merchant, or in this case the political party, needs to set up their account to receive the information that they would like to receive. In the case of a political party it would seem likely to me that they would also want a postal address. If they plan on getting that information through PayPal, as Richard mentioned, there are other ways in which they could also be receiving that information: website design, setting that page up front initially, for example, to capture all the information they would like to have, and then move on to the payments page.

Q281       Jo Stevens: Is there nothing in your obligations as a regulated industry—financial services—to include a postal address in your default data framework?

Eva Gustavsson: We capture the information. PayPal has it. The question is, has the account holder—or in this case merchant or political party—set up their account to receive that information?

Jo Stevens: I understand that, but—

Eva Gustavsson: PayPal holds that information—absolutely.

Q282       Jo Stevens: Okay. Is an organisation able to set maximum and minimum restrictions on how much a sender can pay in one transaction, through your platform?

Eva Gustavsson: We certainly have thresholds that are compliant with the maximum send and receive limits that are sent through what is called the fourth anti-money laundering directive.

Q283       Jo Stevens: That wasn’t my question, though. I am asking whether an organisation like a political party can set maximum and minimum restrictions on how much can be paid through your platform.

Eva Gustavsson: They can certainly also do smart things through website design. They could have a dropdown menu for how much people would like to donate.

Q284       Jo Stevens: My question is: through your platform can they set a maximum and a minimum?

Richard Nash: I actually don’t know the answer to that. I would have to come back to you on that.

Eva Gustavsson: I think it needs to be done through the website design, is my answer to you.

Q285       Jo Stevens: Have you ever set these sorts of restrictions in the past, around any of your customers?

Eva Gustavsson: I’m sorry—what type of restrictions?

Jo Stevens: Maximum and minimum restrictions on payments.

Eva Gustavsson: Yes. They are in line with the fourth anti-money laundering directive, so with those restrictions we have enhanced verification requirements, we have annual limits that require further verification. That is just in line with our legal and regulatory compliance obligations.

Q286       Jo Stevens: So you have all the existing tools and framework there ready to be able to put similar things in place for political parties using your platform for donations, if you wanted to, don’t you?

Eva Gustavsson: It comes back to our earlier point: there is no product made specifically available for political parties.

Q287       Jo Stevens: I understand that. It is a simple question. You have everything there ready to put in place, should you wish. It would not be difficult. You would not have to create new things; you could just do it with the stuff you use already.

Eva Gustavsson: If that were deemed appropriate, we could look into that. Again, Richard has been very clear that we are very happy to participate in wider discussions around what would be useful for political parties and in discussions across industry in terms of what would be useful there. We are happy to engage in those conversations.

Q288       Jo Stevens: On that basis, the Electoral Commission said that there is a “high and on-going risk” of your platform being used to facilitate impermissible donations to UK political parties to be used in UK elections and UK referendums. What is your response to that? So far, it seems to me it has been “Nothing to do with us, guv.”

Eva Gustavsson: Again, it is very important, and I feel we have been very clear about it. We take very seriously all our regulatory and legal requirements; we really do. We want to participate in this discussion fulsomely with you. We try very hard to ensure that all payments that take place on PayPal are safe and secure—not fraudulent—and in line with our acceptable use policy. That is tremendously important to us. If there is a need and an appetite for a particular product or design features for political parties in this country, we are very happy to participate in discussions around what that might look like. That is something we are very open to.

Q289       Chair: If I connect my Facebook and PayPal accounts, what data am I sharing with Facebook about my PayPal activity?

Richard Nash: There will be some necessary sharing of data in order to ensure that transactions on a Facebook platform, or whoever else where we are facilitating a payment, could take place. I think we would also share information that makes sure that anti-fraud measures can be maintained. Beyond that, if there is anything that the user or person making a transaction would proactively consent to be sharing with Facebook, I think we would facilitate that, but we are not in the business of sharing extensive information.

Q290       Chair: In your terms of service it obviously says with users’ consent, but that is usually the tick box that you have to tick in order to sign up for the service. Can you personalise the terms of service with Facebook if you are linking your PayPal account to Facebook? Or do you just accept it or not?

Richard Nash: I think it would be based on whatever the service on Facebook is. For example, if you are playing games or something like this, I am sure there is a terms of service box that would—

Q291       Chair: Yes, you see them. If you want to link the accounts, you tick the box. That is your consent. Looking at what it says in the terms of service—we have looked at this with other companies as well—it looks as though, if you connect, Facebook would know what you spend your money on. They would get data about what you buy using PayPal.

Richard Nash: I do not believe we would be sharing that information unless explicitly asked to—

Q292       Chair: You would be asked to do it when you tick the consent box to link your two accounts. So it seems to me that part of the data you would share would be your personal data: personal data about the transactions you make. We have had this with video games companies where Facebook can see what in-game purchases you make and so on. From looking at your terms of service, it looks like Facebook would get data back about how frequently you use PayPal and probably what sorts of things you use it for.

Richard Nash: Again, I would have to go back and clarify that and give you a fuller answer.

Q293       Chair: The reason I am interested in that is that part of that will be, if you are making a donation to a political party, the chances are that that data is being shared with Facebook. So the chances are that Facebook could facilitate someone targeting ads at an individual who has made donations to a political campaign before.

Richard Nash: Forgive me; I don’t know the answer to that question, but I would be happy to look into it and come to you.

Q294       Chair: I appreciate that the terms of service is quite long and complicated, but it looks like you could do that. If that is the case, it is quite possible that you are sharing more data with Facebook about people’s political donations than you are sharing with the authorities.

Richard Nash: Again, sir, I will have to come back to you with a fuller answer. I don’t know the answer to that now.

Q295       Chair: It amazes me that a Facebook login has become a key part of so many online businesses, yet people are so reluctant to talk about the data sharing that goes on between PayPal and Facebook. If there is nothing to be concerned about, it should be easy to discuss.

Eva Gustavsson: We are happy to write to the Committee with further detail following this hearing. We simply do not have it to hand.

Q296       Chair: The terms of service applies to any service; there are other social media accounts that people have. However, looking at your terms of service, I am interested to know whether data is shared with Facebook about people who make political donations using PayPal. Also, the PayPal service is marketed to Facebook users as making it faster if they link their accounts and use PayPal to make purchases within Facebook from pages and other things. Does that mean that there is less oversight of the transactions being made? Is less data being made available to the receiver about the person making the payment if it is made through Facebook, rather than externally?

Richard Nash: We have a lot of agreements with Facebook and many others to power payments on their platform. Each of the services that are involved in that provision of service are subject to a specific agreement. Again, we will have to come back to you with details on your particular example, and we are happy to do so.

Q297       Chair: I wonder whether, if I make a donation to a political campaign through Facebook using PayPal, all the political party would know about me is which Facebook account the payment was made from and nothing else?

Richard Nash: I think, in that case, Facebook would be the merchant of record. Facebook would be able to gather information, and maybe in that case would pass that on to the political party, if that is your question.

Q298       Chair: If you make donations in that way, is even less information disclosed about the donor? Is it just taken as an assumption that, because they have a Facebook account, they must be a real person, and therefore all that is needed to ID them is their Facebook information?

Eva Gustavsson: I understand the question. We will definitely come back to you on that.

Q299       Chair: Given that Facebook deletes 500 million fake accounts per quarter, if the verification is based on the fact that someone has a Facebook account and therefore must be real, and that the location they have marked on their Facebook account says where they are, that would be concerning, because that could be a kind of backdoor way to making donations with an even lower level of compliance.

Richard Nash: I understand and, as Eva said, we will clarify that. Any transactions that we facilitate are subject to our risk management and anti-fraud engines and so on. It is not that, just because it is somewhere else, we would wash our hands of what we do in processing a transaction, which we are so successful at.

Chair: I would be interested to know whether the data that PayPal shares with Facebook as part of its data reciprocation for linked accounts makes it possible for people to run ads on Facebook targeting people who have donated to political campaigns on PayPal.

Richard Nash: Okay.

Chair: I know that, in your terms of service, separate from the section on social media accounts and data sharing and the sharing of personal data, it also says that, with someone’s consent, you will share personal data with other companies for marketing purposes. Again, that consent will be buried in the tick box that people sign off. If personal data is being shared not only for anti-fraud reasons but for marketing and business reasons, it would be interesting to know what sort of data is being shared.

Q300       Ian C. Lucas: I wonder if I could repeat the question about when you first considered the electoral fraud issue as a risk management issue within PayPal. If you cannot give me an answer now, can you please write to the Committee to indicate when you first considered it as a risk issue for PayPal?

Richard Nash: Again, I understand the question. At the risk of repeating my answer from earlier, because we do not have a product for political parties, I am not sure that we would consider electoral fraud risk as separate from our overall anti-fraud

Q301       Ian C. Lucas: But there are different regulations and laws in place for political parties, and if I was working for PayPal in risk management, then I would feel it was my responsibility to indicate that within the organisation—that you needed to flag additional responsibilities that existed.

Richard Nash: Sir, with respect, I think we take all of our responsibilities incredibly seriously. As I think I clarified earlier, to us, when we look at the law today, our responsibility is to run a regulated payment service and everything that is inherent in that. Today, that responsibility will be with the political parties, overseen by the Electoral Commission.

Q302       Ian C. Lucas: So you do not consider that this is a matter for Facepal—for PayPal? “Facepal”—sorry about that.

Richard Nash: Today, again, I would say we consider that our systems need to be up to scratch and we take that over and beyond, to deal with anti-fraud and risk management in general.

Q303       Jo Stevens: The Electoral Commission has said that your platform represents “a high and ongoing risk”. So, are you telling us that you do not consider that your platform represents any sort of risk to the breaking of electoral law in the UK? If you do not think that, tell us please, but I am really having a problem trying to understand why you cannot answer this question.

Richard Nash: To us, it is about managing the payments system. My understanding is that the example that you are giving is one where it is an extension of the legitimate use of our system, and everything would potentially look fine to us, but the risk would come if the political party using it was not conforming to its obligations.

Q304       Jo Stevens: So you do not think there is any sort of reputational risk for PayPal? I used to run a business; I used to do risk management. You do not just think in narrow silo lines about risk management; you think about what can occur across a whole range of issues to affect your reputation as an organisation or a company. You do not think this causes the potential of a problem for you, reputationally?

Richard Nash: We would take any of that unbelievably seriously. Again, I would just point to the fact that political organisations have used our services successfully, in full compliance, it seems, for many years. And so, yes, we do look at any new flags and things that we could do better within the frameworks that we operate. But I think

Q305       Jo Stevens: But you are not doing anything. You have just told us you are not doing anything. You do not flag things.

Eva Gustavsson: We do, and we have been in discussions with the Electoral Commission, as we have shared with you, and we have produced further material for political parties to reference, so that they can indeed meet their own requirements and address some of the gaps that the Electoral Commission highlighted in its report. I think that is a very useful outcome of our engagement with them, as well.

Jo Stevens: Okay.

Q306       Chair: You said earlier on you cannot give information about individual investigations or inquiries, but could you just confirm for us whether or not there are active investigations about political donations made through PayPal, where there is believed to have been either a breach of the law or there is no way of verifying whether they were permissible or not?

Eva Gustavsson: Again, back to the point: if we have any element of suspicion of fraud on our platform—on PayPal; now I am doing it—then we would absolutely report that to the relevant financial intelligence unit or work with law enforcement, as appropriate. That happens—

Q307       Chair: I appreciate that, but that is not the question I asked, though. The question I asked was whether there are current investigations into impermissible donations that were made via PayPal.

Eva Gustavsson: And again, we would not be able to share the detail—

Q308       Chair: No, I am just asking whether it is currently being investigated.

Eva Gustavsson: And again, we would not be able to reveal that, either. Again, these are regulatory—

Q309       Chair: I’m sorry—there is absolutely no reason why you cannot tell the Committee that. I appreciate that you cannot say which party it is, which donor or which individual person. I am not asking you to disclose people’s personal data. I am simply asking whether there are current investigations into donations made through PayPal that may have been impermissible.

Eva Gustavsson: This, again, is part of ongoing risk and fraud work that we do at all times, and which we share with the appropriate authorities as required by law—

Q310       Chair: I am sorry. This is a parliamentary Committee. I think we are an appropriate authority to know, on the eve of a general election, whether this is something that is currently being investigated. That is a perfectly legitimate question for us to ask you.

Eva Gustavsson: I am afraid that you would have to ask the relevant financial intelligence unit. In the UK, that would be the National Crime Agency. They would be the appropriate authorities. That is simply due to laws and regulations—

Q311       Chair: Sorry, is the National Crime Agency investigating this? Is this part of a National Crime Agency investigation?

Richard Nash: We would not have information on that.

Q312       Chair: If so, why mention them, if they are not relevant? If it has been referred to the NCA, we would have to ask the NCA about it, because that could be relevant to an investigation they are undertaking; if it has not been referred to the NCA, there is no reason we would ask them.

Eva Gustavsson: Again, we would refer that to the relevant financial intelligence unit, which would then refer it to the NCA.

Q313       Chair: Have you made such a referral?

Richard Nash: We cannot comment on referrals we have made, but—

Q314       Chair: I am not asking for the details of any referrals; I am asking whether such a referral has been made. Is that why you cannot talk about it?

Richard Nash: In terms of your question, are there investigations currently under way, I am not aware of any, sir.

Q315       Ian C. Lucas: You are not aware of any? It looks as though Ms Gustavsson is. Can you confirm whether there is an investigation that has been referred to the NCA?

Eva Gustavsson: I would not be in a position to do so.

Q316       Ian C. Lucas: Is that no?

Eva Gustavsson: First, I do not know and, secondly, I do not believe that if that was under way we would be allowed to share that with this Committee, in this forum.

Q317       Chair: There is no bar on someone saying that there is an NCA investigation. There is an NCA investigation into a matter that the Committee considered about political donations made by Arron Banks to Leave.EU. That was referred to the NCA, and it was a public matter that it was referred to the NCA. Disclosing evidence that they are considering could prejudice an investigation, but not the fact that there is such an investigation. We are asking a question that is fundamental, and which we have been talking about for the past hour and a half—are there active investigations looking at donations that may have been made through PayPal that could have been impermissible? Are you saying that, to your knowledge, you do not know of any?

Eva Gustavsson: To my knowledge, I do not know of any, yes.

Q318       Chair: So as far as you’re concerned, you don’t believe that there are any.

Eva Gustavsson: I have no knowledge of whether there are or there are not. Furthermore, and I will say it again—

Q319       Chair: In that case, would you be able to write to the Committee to confirm whether PayPal is aware of such an investigation and whether that investigation has been referred to a law enforcement agency?

Eva Gustavsson: I believe that the regulatory and legal frameworks that govern our conduct as a regulated payment services provider mean that we cannot. I think that is the point that Richard and I are trying to make here.

Q320       Chair: Okay. I would be grateful if you could write back to us to confirm that, too, and to spell out what rules and regulations would preclude you from saying that, whether or not there is an active investigation and whether that investigation has been referred to a law enforcement agency.

Eva Gustavsson: Yes.

Q321       Chair: I cannot believe that you cannot disclose that. I could well believe that you cannot say what the nature of it is, but I cannot believe that you cannot say that that has happened. Again, we have been talking about an issue that is of concern on the eve of an election, which is whether it is easy to use these payment systems to make impermissible donations. If there is an active investigation, that would suggest that there is a level of concern about that that has now escalated over the past year or so.

On the question of responsibility, in other areas of the law, if I drove someone to a bank knowing that they were going to rob it and then they did, I could be considered to be a party to a crime. Here, we have a situation, rather like with Facebook and the Russian ads, where the offence is accepting receipt of the donation, and there is no jeopardy for the mechanism through which the donation was made. I think there is a question of whether that is a good enough bar, or whether there should be, because of the sensitive nature of politics, higher rules put in place to make it harder for people to do things that are illegal.

Richard Nash: I understand the point and I understand the questions. I certainly understand your frustrations if there are gaps in the overall system. As I have said, if there are to be discussions involving the different stakeholders, we will be a willing participant in those.

Ian C. Lucas: If I was in government affairs, I would be advising my boss that it would be good practice to have a flagging system for overseas donations. That may not be a strict legal requirement, but I think it would be wise.

Chair: And that concludes this Committee’s questions and indeed its oral evidence sessions in this Parliament. Thank you very much.