ECC0066

Written evidence submitted by Lloyds Banking Group

 

Executive Summary

Lloyds Banking Group welcomes the opportunity to respond to the Treasury Committee’s inquiry into economic crime.

This submission should be read in conjunction with the written evidence of UK Finance. The UK Finance submission covers in considerable detail the first part of the inquiry’s remit relating to the UK’s anti-money laundering and sanctions regimes. Our evidence focusses more on the second objective relating to consumers and economic crime and, in particular, the operation of the Contingent Reimbursement Model.

As a leading financial institution, we recognise our duty to protect customers from all types of financial crime. We have invested heavily in our defences and worked with the industry to introduce new ways of combatting economic crime.

Lloyds Banking Group has invested heavily in fraud prevention including spending more than £100 million pounds in the last three years to further enhance our fraud controls. This has included using the latest technology to detect fraud, working with other financial services firms to share intelligence on trends and investing in consumer education campaigns to enable our customers to best protect themselves. In relation to financial crime we have also co-sponsored the National Economic Crime Centre (NECC) “fusion cell” on COVID related fraud together with the Director General of the NECC which provides a mechanism for the rapid sharing of intelligence and data.

A key strategic priority for Lloyds Banking Group is the prevention and detection of authorised push payment (APP) fraud and our approach has the following four key pillars:

We played a leading role in the development of the Contingent Reimbursement Model (CRM) and were one of the founder signatories to this Code when it launched. However, we feel that the focus of the CRM is almost entirely on reimbursement, at the expense of prevention. The Code was intended to set out standards for firms and consumers to prevent APP fraud from occurring. We are concerned however to see anecdotal evidence of an unintended consequence of the CRM being introduced. That is, particularly in relation to payment scams, consumers taking less care than they have before in the knowledge that they will be refunded if anything goes wrong.

This has resulted in an increase in APP fraud and has contributed to it being one of the fastest growing types of fraud in the UK. It has allowed many criminals to retain the proceeds of their crimes. We believe that more focus needs to be given to addressing these unintended consequences including prevention and, in particular, steps which can be taken outside of the banking industry.

Many fraud attempts are successful because of weaknesses in other sectors, for example purchase scams facilitated via social media services and impersonation scams which often start with a spoof text or telephone call. However, the cost of fraud generally falls onto banks and the “No Blame” fraud refund mechanism is financed exclusively by banks which have recently signed up to the new voluntary Code. We believe more action needs to be taken by technology and telecommunication companies and that if they were required to part fund No Blame refunds it could provide a greater incentive to act.

In particular, we believe that there remain a number of key recommendations that, if adopted, would have a significant impact on tackling APP fraud and financial crime more generally:

  1. Stronger collaboration, and a targeted response to economic crime across Governement, law enforcement and financial services.
  2. Greater awareness of scam prevention amongst the general public and a collective effort to raise the standard of care by consumers before money is sent.
  3. A longer-term approach to tackling APP fraud, including compelling other firms and industries to take more robust action.
  4. Incentivising other firms to take more action in identifying ‘money mules’ in real time.
  5. Allowing frozen funds to be better used, such as funding fraud prevention initiatives.
  6. More punitive sanctions for APP fraud and financial crime, to act as a more effective deterrent to fraudulent activity.

If the Committee would like to discuss anything contained in this response, or any issues we have not covered, we would be more than happy to have a follow up discussion.


Key recommendations

 

1) A collaborative and targeted response to economic crime is required to better co-ordinate across Government, law enforcement and financial services.

It is crucial that various stakeholders (including financial services, government and law enforcement) work effectively together to detect and prevent financial crime.  Over recent years, a lot of work has been done to ensure robust supervision and control of economic criminal activity and significant resources are currently being deployed towards financial crime compliance and protecting customers from fraud and financial crime. However, the pace of economic crime reform has been slow and the delivery of a sustainable resourcing model is overdue. We believe the focus should be on information sharing and reducing the effort spent on low value activity.

A more effective approach could help develop a better understanding of the threat posed by economic crimes while achieving better sharing and use of information to fight economic crime between the public and private sectors. The ever-changing nature of economic crime means it can only be tackled by joining the capabilities, resources and experience of both the public and private sectors, including financial services, telecommunication and social media companies.

Lloyds Banking Group is very supportive of the Economic Crime Plan published in 2019 setting out how both sectors will work together to tackle economic crime. The work of the Joint Money Laundering Intelligence Taskforce, which has so far supported over 800 law enforcement investigations, directly contributed to over 235 arrests as well as the seizure or restraint of over £38 million in illicit funds, demonstrates what a successful public-private partnership can achieve.

Nonetheless, the threat to the UK remains high and is constantly evolving. The industry needs to both embed the reforms that have already been delivered and go further still.

 

A collaborative and targeted response to economic crime is required to better co-ordinate across Government, law enforcement and financial services.

We welcome the initiatives aimed at creating the new National Economic Crime Centre (NECC) and significantly reforming the Suspicious Activity Reporting (SARs) Regime. We hope these could create the incentive to allow for a more cohesive and unilateral approach with stronger supervision when tackling economic crime.

Lloyds Banking Group co-sponsored the NECC fusion cell on COVID related fraud with the Director General of the NECC, and took the lead in developing an information sharing structure to detect this type of fraud against consumers, banks and government. The purpose of the Fusion Cell is to bring together public sector law enforcement and intelligence capabilities with private sector banking knowledge and information. Its aim is to provide a mechanism for the rapid sharing of intelligence and data on industry-wide threats.

At Lloyds Banking Group, we are committed to supporting law enforcement through the submission of “suspicious activity reports (SARs)”. The provision of these also enables us to meet our obligations under legislation. However, we believe that many SARs submitted are of relatively low value to law enforcement and that resources used to prepare these could be better applied to providing targeted and actionable intelligence.

The National Crime Agency (NCA) now receives over half a million SARs a year.  According to a 2017 report by Europol which analysed European SARs from 2006-2014 (From suspicion to action - Converting financial intelligence into greater operational impact”, Europol), 65% of SARs submitted in Europe were filed in the UK and Netherlands.  The report stated that the Netherlands regime was one of unusual transaction reporting with little analysis performed by reporters, so is not comparable to the UK system.  If Netherlands is excluded from the analysis, then the 2nd highest total of SARs across Europe was Italy, with 13% of the UK total.

The above analysis shows that the UK has a materially different threshold for reporting than any other European country, all of which are attempting to comply with the same EU Directive.  Added to this, the report also disclosed that “only around 10% of these reports are further investigated – a figure that is largely unchanged since 2006. Even where further investigated, the likelihood of successful asset recovery is low, and barely 1% of criminal proceeds are confiscated by relevant authorities at EU Level”.

This has been discussed at a governmental level as part of a package of economic crime reforms though the pace has been slow.

 

As a result of the significant industry investment to date in fraud prevention, approximately two-thirds of attempted fraud is successfully intercepted. However, more could be done to raise standards across the ecosystem.

Fraud is now one of the most common crimes in the UK, with around one in sixteen people falling victim a year. We take the safety of our customers seriously and we are fully committed to protect them against any potential harm they may face from economic or financial crime. To attain this objective, Lloyds Banking Group has invested heavily in fraud prevention including spending more than £100 million pounds in the last three years to further enhance our fraud controls.

Despite this, there are areas of concern that we wish to bring to the Committee’s attention:

  1. We are concerned that fraud attempts often start in other sectors – e.g. data breaches, use of social media platforms, weaknesses in telco infrastructure which enables call and SMS spoofing and the hacking or interception of emails.
  2. The cost of fraud often falls onto bankse.g. No Blame” fraud refunds continue to be funded by banks which have signed up to the voluntary Code, even though responsibility for these frauds often lies elsewhere.
  3. The rate of prosecution for many fraud types is too low in order to dissuade this activity, there is need for a more credible deterrent against fraud and financial crime.

We believe more could be done to raise standards in other sectors and we welcome the opportunity to engage in further conversations with Government, law enforcement and other industry members to discuss more effective ways to ensure better fraud prevention mechanisms. We believe that if there was a requirement for these firms to contribute to the syndicated “No Blame” fund (which is currently financed exclusively by the banks and a building society which have stepped forward to sign up to the voluntary CRM code) then it could provide a greater incentive for them to act to stop fraud happening in the first place.

 

2) Authorised Push Payment (APP) fraud has now become one of the fastest growing fraud types. A long-term approach to dealing with APP fraud needs to be developed.

APP fraud, where the customer has personally authorised a fraudulent payment, having been tricked into doing so by a fraudster (e.g. impersonation scams, investment scams and purchase scams), has become one of the fastest growing types of fraud.

There are currently no legal requirements for victims of APP fraud to be reimbursed by their bank due to the fact that the fraudulent payment has been authorised correctly by the customer. This differs from unauthorised payment fraud.

Since May 2019, Lloyds Banking Group has joined a number of major and mid-sized banks in becoming a signatory to a new voluntary code - the Contingent Reimbursement Model (CRM). We played a leading role in developing this Code and were one of the founder signatories when it launched. The CRM sets out standards on firms and consumers to prevent APP fraud from occurring and sets consistent standards on how claims for refunds from victims should be considered. The CRM Code is overseen by the Lending Standards Board (LSB), with their costs being met by firms which sign up to the Code.

Since the Code has been in existence, we have returned nearly £60m to victims of fraud who would otherwise have no recourse to reimbursement. Of this c.£60m, over £20m has been recovered from the accounts to which the funds were sent (i.e. recovered from criminals) with the remainder effectively refunded as a gesture of good will. Since the CRM Code came into effect, the rate of recovery of funds from the beneficiary bank account has increased which we believe this can be attributed to signatories working together in a more efficient way under a common framework.

Externally, the focus of the Code tends to be on cases where victims have not been reimbursed or where decisions made by signatories are apparently inconsistent. However, we believe that more scrutiny needs to be given to the fact that many providers have chosen not to sign up to the Code at all and therefore do not always provide these enhanced protections to their customers and benefits across the wider ecosystem. The LSB are currently reviewing the voluntary Code and we responded to their public consultation during the third quarter of 2020.

We are also supportive of a version of the CRM being made mandatory (potentially via new legislation), as this will help create a level of consistency in the protection customers receive from APP fraud.

 

We are committed to fairly considering claims for refunds from our customers who have fallen victim to APP frauds under the provisions of the CRM Code.

We are aware that providing a refund under CRM may not allow us to recover the amount lost to the fraudster. The first expressed purpose of the voluntary Code is to “reduce the occurrence of APP scams”. Where opportunities have been missed by banks which could have prevented the fraud, we believe it is entirely appropriate that the bank then provides redress to the customer to offset the financial impact of the scam.

Some fraud claims made under the Code relate to life changing sums of money being lost and we fully support the principles of the Code relating to reimbursement for scams of this kind. Often, however, claims are for small amounts. These do not have the same detrimental customer impact but require the same time and resource to investigate and resolve. When the Code came into effect in May 2019, the very first claim received by Lloyds Banking Group was from a customer who was attempting to purchase a live spider (which was then not delivered) for £40 from an online marketplace. This case is representative of many which are raised by our customers and since the Code has been in place one in five of claims made have been for less than £100. Typically, these relate to low value purchase scams where consumers find items for sale (usually on online market places, including those provided by social media companies), which do not exist. Eight separate claims have also been received for 1 pence. We have even had claims for services which are illegal in the UK (including prostitution).

UK Regulators have recently focussed on reimbursement rates under the Code. However, we believe that the focus given to reimbursement, including on cases where a bank took all reasonable steps to stop the fraud, will result in more money being paid away to criminals in the long run.

In a recent public consultation, we recommended to the Lending Standards Board that changes should be made to the scope of the Code to target life changing crimes rather than low value cases. This would help ensure the focus of such protections are targeted at customers where the fraud has had a more significant impact on their financial wellbeing or livelihood.

3) While Confirmation of Payee (CoP) will play an important role in reducing instances of fraud, more needs to be done to create incentives across the industry, including around identifying ‘money mules’ in real time.

In 2020, we were the first bank to switch on the Confirmation of Payee (CoP) service, which enables consumers to check that the sort code and account number they are trying to pay matches the name of their payee. In the immediate aftermath of CoP being implemented, we saw a fall in the number of scam victims. However, this trend was quickly reversed and we have since seen an increase in the incidence of the exact types of scam which CoP was designed to prevent as fraudsters adapt their approach to manage victims around the tool.

Typical methods employed by fraudsters include using recipient accounts at financial firms which do not offer the service or convincing their victim to ignore the “no match” message (e.g. by claiming that the account receiving the funds is “secure” and so does not feed into the CoP service). It is entirely possible that the rate of these frauds could have been much higher had CoP not been in place.

The voluntary CRM Code is clear that the responsibility of preventing APP fraud is a shared one and applies to consumers and banks. The Code itself includes clear standards for consumers in needing to have a genuine basis for believing that payments are genuine and for heeding any warnings presented. We do not believe that the objectives of the Code are well served by this standard representing a very low bar. In the long run, there is a risk of the incidence of scams only increasing if the standard of care expected of customers is gradually eroded.

For example, we believe it is reasonable for customers making high value investments to check that they are investing in a genuine investment product. We also believe it is reasonable for consumers receiving an unexpected telephone call to take steps to verify the caller does represent the organisation they are calling from. Over time, if customers are offered protection even in cases where basic due diligence has not been undertaken then the incidence of scams will only increase.

Despite this, we have observed a trend that when cases are reviewed externally (for example by journalists, consumer groups or the Financial Ombudsman Service) the standard of care of consumers which is deemed reasonable is extremely low.

For example, in one case reviewed by the FOS our customer received a message on her phone appearing to come from her cousin. It said that if she were to click on a link and pay £700 then she would receive a £30,000 grant from the Bill and Melinda Gates Foundation. She had never applied for such a grant and had no personal connection to any activities which a charitable foundation might support but paid the £700 fee anyway, thinking that the grant could be used to pay off a personal loan. This was then followed up by further payments of £300, £1,500 and £100. The FOS have said that the customer did have a reasonable basis for believing that this situation was genuine on the grounds that the original message appeared to come from her cousin.

In another case, our customer was looking to invest in Bitcoin. While online he came across a website which, in his words, “looked legit” and filled out a form asking the firm to contact him. After sending £200 he was then told that a further investment of £11,600 would grow into £250,000 within a month. A later payment to the same scammers was made for £29,000. Again, the FOS have asked us to refund all three payments.

While we have sympathy for any victim, we believe that preventing APP fraud is a shared endeavour and that consumers also need to take responsibility for undertaking checks before sending money.

Our experience of CoP, has shown that a key step in reducing the likelihood of fraud and financial crime, is customers heeding warnings provided by their bank.

More could be done at industry level to prevent many of these scams happening in the first place. The majority of impersonation scams start with a call or text message where the fraudster spoofs the number or Sender ID to match that of the organisation they are impersonating. For fraudsters, this is a relatively easy thing to do. ‘Spoof SMS messages can be sent by anyone using easily available online services for less than 50p a time.

In addition to this, many investment scams start with a customer searching online for investment opportunities. Links to fraudulent schemes are available via online search engines which can then result in entire pension pots and life savings being lost.

For APP fraud to be successful, criminals need an account to receive the funds. This can be made possible via a “mule account” with the account holder being called a “money mule”. The majority of mules are not complicit in the underlying crime but allow their account to be used, often for a fee and often having been recruited via social media.

The accounts in question have almost always been opened with genuine identification documents and will have been operated normally (sometimes for many years) before receiving the fraudulent credits. In fewer than 1 in 200 cases do we find that the mule account has been opened with fake ID. Since we cannot know the future intent of every applicant for a new bank account, there is therefore typically little we can do at the point of account opening to prevent this issue.

In December 2017, Lloyds Banking Group established a dedicated mule hunting team which involved basing fraud analysts and fraud investigators in the same team and giving them tools and resources to identify money mules among our customers.

In the last 12 months this team has frozen more than 40,000 accounts, secured £38m in customer funds and returned £3.4m to victims of APP frauds. At the time, we believe that this approach was unique in the industry and we have since met with other banks to share lessons and techniques. We have met the cost of running this team even though the vast majority of the benefits go to fraud victims at other banks. In 2019 we also started using machine learning technology to detect unusual payments being sent to our customers’ accounts and have since used this to protect over £800k in fraud against customers of other banks.

We believe that more should be done to create incentives across the industry for financial firms to identify money mules so as to prevent the proceeds of frauds getting into the hands of criminals.

 

4) Better use could be made of frozen funds, such as funding projects related to fraud prevention

As a result of our fraud detection processes, we have tens of millions of frozen funds that have been recovered, much of which is several years old. Ideally, these funds would be returned to the underlying victim and we work with other banks to maximise the amount of money which we return in this way. However, this is not always possible for the following reasons:

Under the current rules, this money must remain frozen on our internal accounts. Since the customer account has been restricted, the funds in question do not fall into the scope of Dormant Assets Regime. The funds remain the legal property of the account holder, notwithstanding our belief around the criminal nature of the underlying activity and therefore if this money were ever paid away then banks would retain a liability to that individual.

We believe more could be done with these funds and we would welcome legislation akin to the Dormant Bank and Building Society Accounts Act to enable us to put such funds to better use. In 2020 we have led a project which aims to find a safe way to release funds, at our own risk, on a small scale to fund certain projects relating to fraud prevention and we have welcomed the support that we have been given by City of London Police, the Home Office and the Financial Conduct Authority. Our hope is that it can be a useful experiment for wider adoption of the same approach across the industry and on a much bigger scale.

 

5) More punitive sanctions for APP fraud and financial crime are required, to act as a more effective deterrent to fraudulent activity

The financial services industry (via UK Finance) funds the Dedicated Cheque and Payment Crime Unit (DCPCU) which achieves excellent results in disrupting organised crime groups involved in banking fraud.

However, it could be argued that the punishment for APP fraudsters is not high enough at the moment to discourage them from committing other crimes in the future. The most punitive sanction they are likely to receive is a marker on their credit file (by way of the CIFAS register) which will most likely limit their access to banking, credit, phone and other contracts for up to six years.

We believe we could see a significant reduction in the levels of attempted fraud in the UK if the level of law enforcement activity were to increase.  This requires fraud to become a strategic policing priority in the UK, as recommended by the HMICFRS April 2019 report “Fraud: Time to Choose.”

 

To ensure the integrity of our financial system, protect our vulnerable people and communities, and attract business to the UK, we must do all in our power to combat economic crime.

The government has made significant progress in recognising and prioritising the threat from economic crime and increasing our capability to respond to the threat.

We believe the measures to prevent economic crime implemented so far lay the basis for an efficient crime prevention framework. We are willing to participate in further discussions that will look at establishing a more efficient and joined-up approach to establish a cohesive oversight across the industry.

 

December 2020

8