Written evidence submitted by UK Finance
Introduction
- UK Finance is the collective voice for the banking and finance industry. Representing more than 250 firms, we act to enhance competitiveness, support customers, and facilitate innovation.
- We welcome the opportunity to provide evidence to the Treasury Committee’s inquiry into economic crime. As per our evidence to the Committee’s inquiry in the 2017 parliament,[1] our members remain of the view that, in many areas, the UK approach is world-leading. The aims of the Economic Crime Plan remain right, and, if delivered, the results would be transformative.
- It is important to set out what we believe delivering the Plan would achieve. The UK would have a system that better calibrated activity according to risk, rebalanced the approach toward high-value activity and provided a properly resourced public sector with the tools, intelligence and capabilities needed to deal with criminals and terrorists. There would be a focus on all sectors bringing risk into the system playing their part to tackle the problem of economic crime, be it money laundering or fraud. Less “dirty money” would flow through the UK, helping it remain one of the safest and most transparent places in the world to do business. There would be fewer victims of economic crime both domestically and internationally. The impact on their finances would help to disrupt organised crime gangs, preventing them carrying out activity that harms communities. In short, the impacts and benefits would be clear: cutting crime, catching criminals and protecting the public. We remain committed to these aims.
- We also believe that economic-crime reform, as well as the morally important thing to do, is essential from an economic and competitiveness viewpoint, particularly post-Brexit. Effective reform would allow businesses in the UK to engage in trade in new jurisdictions more securely. A stronger focus on inbound investment would mean we could be more confident that the money coming into the UK is clean.
- Equally, cutting the costs of compliance and reporting activity viewed by both the public and private sectors as not delivering meaningful intelligence or affecting criminals, and allowing more resource to be reinvested into higher-value activity, would deliver greater value to law enforcement. It would also improve financial-crime risk management for business and ultimately make this an area of competitive advantage for UK firms.
- Commitment from both the public and private sectors to the Economic Crime Plan and economic-crime reform remains strong. Despite the impact of covid-19 and at a time of significant pressure on public finances, there is still a strong promise from the top of the UK government to tackle economic crime, as seen by the recent allocation of £63 million in the spending review to this end.
- We welcome that investment as a sign that the government sees economic-crime reform as a priority and recognises the importance of public/private partnerships. Effective partnerships, such as the Joint Money Laundering Intelligence Taskforce (JMLIT) and joint work to tackle fraud related to covid-19, demonstrate the effectiveness of two-way intelligence sharing and targeted joint activity at tackling crime.
- However, despite delivering better results, these successes remain examples of activity that is additional to the requirements of the current legal and regulatory framework as opposed to a core part of the collective response. Until reform is delivered, they will remain discretionary, sitting outside the day-to-day approach and fettered by the need to focus resource on less-productive reporting and compliance.
- Despite the individual successes we have seen, reform and the pace of reform remain critical as we are still some way short of where we want and need to be compared to the growing threat. Serious and organised crime (SOC) will be undertaken for, or underpinned by, illicit finance. The latest available estimate of the social and economic cost of SOC to the UK is approximately £37 billion.[2] Even this is a significant underestimate of the true cost as it does not include threats such as money laundering, fraud against the individual or bribery and corruption.
- Including these threats would significantly add to the total, not least with victim-reported losses from fraud increasing by 38 per cent to £2.2 billion in the year ending March 2019.[3] In the same way, the National Crime Agency (NCA) believes it is likely there was an increase in the amount of money being laundered in 2019 because of a growth across a range of predicate crimes connected to SOC. We see no reason why all these threats will not continue to grow until there is effective reform. Until then well-known vulnerabilities in systems, structures and legislation will continue to be exploited by criminals to defraud victims and move illicit finance.
- Tackling these threats is not necessarily a question of resourcing, at least for the private sector. Our members invest over £5 billion a year in the UK on financial-crime compliance and over £1.5 billion on tackling fraud. However, the sector’s efforts are not maximised due to both a lack of funding for law enforcement and system inefficiencies that require legislative and regulatory change.
- That is why we accept the need for increased public-sector investment in tackling economic crime. To this end, the scope of the proposed economic-crime levy should also cover fraud and apply to telecommunications companies (telcos), internet-service providers (ISPs) and social media, all of which bring fraud risk into the system. In addition, there is a strong economic case for increased investment where it would strengthen financial-crime risk management across the public and private sectors, such as in Companies House reform. Without the right capabilities in the public sector, the significant resource invested by the financial-services sector will deliver suboptimal results.
- However, more than resource is needed, and we must accept that the UK cannot “arrest its way out of this problem.” Prevention must be key, at the infrastructure and systems levels as well as by individual agencies and firms. There needs to be a stronger focus on designing out and preventing crime by creating a stronger ecosystem. This is where reform of Companies House as ambitious as has been announced is critical. Equally, there is a need to close vulnerabilities exploited by fraudsters in the wider ecosystem of telcos, ISPs and social media.
- Again, the NCA states that, “Cyber crime is a major enabler of fraud: data obtained via data breaches, phishing and malware is used directly to commit fraud or is sold online to other fraudsters. It is estimated that the internet plays a role in at least 54% of fraud.”[4] It notes that criminals use online services, including social media, to establish contact with potential victims and recruits. This includes recruiting money mules among otherwise-legitimate account holders to move proceeds of fraud or other criminal activity.
- To close these gaps, the government needs to involve other sectors in helping prevent and detect economic crime as policy making is currently too often focused on what the financial-services sector can do as opposed to tackling root causes. We will not tackle the threat without closing these vulnerabilities and having a focus on prevention built in to our approach from the start.
- There also needs to be a focus on infrastructure as fundamental elements, such as reform of suspicious-activity reports (SARs) and the replacement of Action Fraud, are still overly developed in silos. This is changing, but there is still progress to be made. In addition, we need to develop our understanding of how this can align with the redevelopment of the new Faster Payments System, allowing a more sophisticated picture of threat and enabling more opportunities for intervention to prevent money laundering and fraud.
- We need to look collectively at how other government activity such as digital Identification, underpinned by private-sector access to public-sector data, can support a more effective approach to know-your-customer checks, making it harder for criminals to gain access to the financial-services sector in the first place. Public/private partnerships during covid-19 have demonstrated the scope for greater collaboration, including through sharing public-sector data to tackle new opportunities for fraud against both consumers and the public sector itself. Similar partnerships using data from HM Revenue and Customs (HMRC) and the Department for Work and Pensions (DWP) could help tackle tax evasion and benefit fraud.
- We are also to continue to work with the government to address well-known aspects of legislation and regulation that do not reflect how economic crime happens, particularly with regard to information and intelligence sharing. One example is the extent and scope of the money-laundering regulations, which do not deal with how fraud—and thus money-laundering—risk is introduced by non-regulated sectors. In the same way, information-sharing powers for the private sector on fraud and money laundering differ and are often inadequate. We welcome the Home Office’s work with the public and private sectors to examine the case for new powers on information and intelligence sharing.
- All parts of the legal and regulatory regime need to work effectively to help tackle economic crime. Presently, they do not, and the current system diverts too much resource toward low-value compliance activity that does little to detect criminals or protect customers. The “all-crimes” approach of the SARs regime drives manual, low-intelligence-value reporting that ties up resource and has a significant opportunity cost for the public and private sectors. While the legislation and regulation are powerful, they do not have a safety value and so drive activity that the public sector does not want and the private sector cannot stop. Examples of this include the requirement for SARs connected to the Immigration Act and to seek consent to proceed with Defence Against Money Laundering (DAML) SARs under £3k, where the evidence shows these would be below the threshold for law-enforcement intervention.
- The situation is even worse for e-money providers that are not within the scope of the £250 DAML exemption in the Proceeds of Crime Act 2002 and so collectively have to report tens of thousands of DAML SARs and delay transactions until consent is granted, at significant cost to them, the NCA and legitimate customers. We are not aware of a single instance of consent being refused. We believe it would be better simply to change the law to allow these to be reported as intelligence SARs.
- This again relates to having a shared view of what we want to achieve and prioritising resourcing accordingly. At the moment, the system does not deliver this, so there is an inefficient use of resources across the public and private sectors. We believe the Economic Crime Plan will take us forward in helping achieve our aims.
- We recognise progress has been delayed, not least due to the impact of covid-19, but we welcome the steps taken so far, from the tactical (e.g. increasing resources for the NCA’s financial-intelligence unit and partnership work on stopping fraud related to covid-19) to the strategic (e.g. looking at legislative changes and reform of Companies House).
- We continue to support the Plan and the aims of the government, and the banking and finance sector remains committed to going beyond its legal and regulatory obligations to help protect customers and make the UK the safest and most transparent place in the world to do financial business. However, if the Financial Crime Enforcement Network (FinCEN) leaks demonstrate anything, it is that the delivery of the Plan and economic-crime reform is even more important now than when the Plan was published.
1. The work of OPBAS and the professional-body AML supervisors
- Our members recognise that effective regulation and supervision are essential to preventing money laundering and fraud. We believe the Financial Conduct Authority (FCA) is an effective regulator and has helped to drive a strong focus on and culture of tackling economic crime within the financial-services sector, with increasingly robust controls and systems in place.
- However, the perception of less-stringent supervision by other regulators has seen banks increasingly expected to act as a de facto regulator for other sectors. For example, the financial-services sector is required to carry out disproportionate levels of anti-money-laundering (AML) and counter-terrorist-financing (CTF) checks on other sectors, such as solicitors (which are already regulated for AML and CTF).
- That is why the creation of the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) was strongly welcomed by our members. However, to be properly effective, OPBAS needs to be adequately resourced and empowered to drive standards. There is still more to do, but the signs are encouraging and include the development of improved frameworks for professional-body supervisors, helping them to share financial-crime information more easily with the public authorities.
- Even if OPBAS is successful, it will not address well known and significant vulnerabilities in the fight against economic crime as there are many examples where a public-sector body acts as supervisor but has failed to take sufficient regulatory and policy action to close vulnerabilities in the system. For example, our members would like reassurances that HMRC, which is outside OPBAS’s remit, will continue to improve standards among those it regulates as there are long-standing and well-known weaknesses around money-service businesses (MSBs), identified as higher risk by the national risk assessment. In addition, this means that one regulator (e.g. the FCA) can act against a bank that has an MSB as its customer even if the failings are within the MSB, which is regulated by another regulator, HMRC.
- The above is one example of public-sector oversight of risk that ends up being transferred to the financial-services sector to manage. Another is the public/private threat assessments led by the National Economic Crime Centre (NECC), which highlight the vulnerabilities around company formation that are being exploited by criminals because of negligent trust or companies service providers (TCSPs). Here, the financial-services sector is expected to carry out checks on companies that go far beyond those conducted by the government through Companies House because of concerns over TCSPs.
- Despite OPBAS’s effectiveness, the current approach is inefficient in managing risk, particularly given limitations on sharing information and intelligence. These vulnerabilities, hardwired into the current approach, increase the chances of criminal exploitation. They also increase costs for both firms and their clients by requiring duplication of activity and checks across the financial-services sector to compensate for a lack of capacity and capability in the public sector’s supervision of other regulated sectors.
- There is also a tension between manging financial-crime risk and access to finance, where there is a push from the government and regulators but little help. As the Treasury Committee recognised in its 2015 inquiry into the treatment of financial-services consumers, there are different views across the public sector about the right balance between keeping risk out of the financial system and identifying, managing and dealing with it.[5] This is an issue that the banking and finance sector faces every day when dealing with the threat of economic crime.
- Many issues about exiting accounts or a reluctance to take on higher-risk accounts arise where the current approach does not allow risks to be sufficiently mitigated or not in a way that means the account remains profitable for the bank to operate. These limitations are exacerbated where banks are expected to compensate for a lack of public-sector action by acting as pseudo-regulators for other sectors. In addition, if other supervisory bodies are recognised as consistently ineffective, banks often need to step in as the cost of failure will otherwise be too high. A simple cost/benefit analysis often drives decision making toward reducing risk exposure. Our members would like to see greater legal and regulatory clarity about the right balance as opposed to being asked to manage competing policy demands.
- Similarly, we would like the public sector to ensure there is a sufficient focus on the same activities being subject to the same regulation where they generate the same risks, irrespective of the nature of the firm or sector in question. We are keen to eliminate vulnerabilities left in the ecosystem by an overly strong focus on the type of sector or firm as the sole (or even principal) basis of determining the need for intervention.
- We want to ensure there are mechanisms to allow the same level of information on risk and threat that is shared with our larger members by law enforcement and regulators to be shared with other members, particularly challenger banks and fintechs. As firms with better sight of potential threats adjust their operations accordingly, it is important that other vulnerabilities are not unwittingly left in the system.
- JMLIT is a good example of a mechanism that allows those involved to develop their understanding of the risk. And while dissemination of relevant information and threats to those outside JMLIT is good, there is a need to continually ensure it is of sufficient breadth and depth.
- We would also like to see a more even distribution of supervision. The current arrangement of regulators is unevenly spread, beyond OPBAS’s scope to solve, as it relates to a more general debate about public-sector supervision and policy making.
- Supervision and regulation are often viewed too narrowly. Some regulators, such as Ofcom, do not currently have a role in tackling economic crime even though they oversee sectors with a significant fraud and money-laundering risk. The lack of effective supervision on the non-regulated sector is a gap increasingly exploited by criminals to commit fraud and recruit money mules. If the government fails to include economic crime in the scope of the new regulatory framework for online harms, it cannot have an effective anti-fraud strategy as there will be no supervision of some sectors that are directly increasing the risk of fraud.
- One regulator operating within its powers, the Payment Systems Regulator (PSR), is seeking to address the results of these gaps. The PSR is right to expect the financial-services sector to do more to tackle fraud, but we have ended up with an expectation that it will reimburse victims even in cases where regulators and consumer groups accept that the bank or building society could not have prevented the fraud taking place.
- The lack of overarching supervision of economic crime means the PSR increasingly expects the financial-services sector to carry strict liability on all scams and to underwrite online purchases where the customer was scammed. The most effective public-policy solution would be to require these sectors to stop their systems being exploited by criminals, but the relevant regulators have no power to do so.
- We urge the government to think more holistically about desired outcomes and how to rebalance the current system more effectively toward that end. Effectiveness should not be set or assessed by regulators by reference to compliance criteria alone. It should be determined by the value that the controls, compliance and reporting provide to law enforcement in helping to detect and disrupt economic crime. Equally, economic crime should not be the sole responsibility of regulated sectors’ supervisors.
2. The impact of the FinCEN papers
- It is important to be clear that where wrongdoing has taken place, the matter should be fully investigated. However, it should be noted that many of the cases reported in the FinCEN leaks are historic and have already been investigated by the relevant authorities. In addition, the published documents do not make clear whether the reporting banks had been asked by law enforcement to keep accounts open for monitoring, while US legislation means that firms cannot discuss their suspicious-activity reports (SARs).
- Sadly, much of the reporting failed to acknowledge that mere suspicion is not the same as even a reasonable belief of criminality, let alone proof. In both the US and the UK, suspicion is a deliberately low threshold for reporting and reflects the fact that firms and individuals submitting reports will not have access to all the available information or, indeed, the powers or means to be able to investigate whether a crime has been committed. In addition, the UK takes an “all-crimes” approach to SARs reporting, with no de minimis threshold for value or harm.
- Each year, UK banks and building societies identify 20 million alerts for potentially suspicious activity, investigate them and submit over 400,000 SARs. According to Europol, fewer than 10 per cent typically require any form of further enquiry or action by law enforcement. By comparison, there were over 8.9 billion transactions in the UK, with over £85.3 trillion transferred, in 2019. That is why we have to be careful to avoid any suggestion, as in some of the media reporting, that filing a SAR should almost automatically lead to a client being exited. Any such approach would result in widespread exiting and de-risking of customers given the volume of SARs the financial-services sector files.
- Equally, much of the reporting again sadly failed to acknowledge that the financial-services sector was complying with its duties in filing these reports and that there would be other professional enablers involved in both establishing or supporting these entities and transactions, many of whom would have a far closer relationship with their customers and the business activity than the banks involved.
- If anything, the FinCen leaks simply demonstrate the need for economic-crime reform: closing vulnerabilities, allowing the private sector to share intelligence and focus on building up a better level of intelligence for law enforcement, and resourcing the public sector to act.
- The FinCEN leaks showed how criminals can exploit system vulnerabilities in Companies House and company formation to create structures to disguise and hide the origins of funds they place into the financial system. We think this again highlights the need for reform to close system vulnerabilities. We have already called for changes to both Scottish limited partnerships and Companies House to close identified vulnerabilities in these registers. We therefore welcome, as set out below, the government’s commitment to close vulnerabilities in the current Companies House regime but consider that this work needs to be taken forward as part of a properly holistic approach.
- The FinCen reporting, while in the public interest, did run against the fact that confidentiality is critical to the operation of the SARs regime. Breaches of SARs confidentiality can lead to serious adverse consequences in terms of both undermining the effectiveness of the regime and causing harm to innocent customers and banking employees. As noted by the Financial Action Task Force (FATF), the intergovernmental body that sets international AML standards, the disclosure of a SAR could tip off the persons involved in the transaction being reported and compromise live investigations. Disclosure can also provide insight into how a bank identifies suspect conduct, which can then be used by criminals to circumvent detection.
- However, the FinCen reporting did reinforce the need for SARs reform in the UK. The current regime is one example of where significant public- and private-sector resource is invested for relatively poor outcomes in terms of detection and disruption of economic crime. The criminals behind money laundering use sophisticated techniques to target vulnerabilities and silos in the regime, and too often we find ourselves trying to work around its limitations.
- Operational transformation is needed to facilitate reporting and data exploitation as well as deliver much greater feedback to reporting firms, including trend analysis and typologies. Legislative reform is also required to bring greater targeting and flexibility to a reporting framework that duplicates other mandatory reporting without supporting law-enforcement priorities. Examples include Immigration Act SARs, suspicious transaction and order reports under the market-abuse regime and SARs relating to fraud already reported to law enforcement.
- Equally, improved SARs reporting will be of limited benefit if not part of wider reforms. Improving information and intelligence sharing is critical as no one sector or institution has all the information it needs to prevent and detect economic crime. Criminals exploit these information asymmetries to launder money, evade sanctions and commit fraud.
- SARs reporting is not the only way to share information about potential economic crime, but current laws hamper the ability of firms to share information voluntarily with other gatekeepers. This restricts private-sector cooperation with other firms as well as other regulated sectors, global affiliates and different jurisdictions. The resulting blind spots and sectoral silos provide further opportunities for criminals to avoid scrutiny.
- These barriers directly affect the efficiency of SARs reporting by hindering the investigation of alerts and effectively preventing firms from comparing shared concerns when deciding whether there were grounds for suspicion. Barriers to information sharing also reduce the effectiveness of the overall SARs regime by preventing firms from collaborating to identify linkages and develop a richer picture of potential criminal networks. This leaves law enforcement to piece the puzzle together from fragmented SARs from the different perspectives of individual firms, meaning it is slower to react to emerging trends and less able to direct firms to monitor for identified threats.
- It should also be noted that the combination of the threshold for suspicion and barriers to information sharing makes it more difficult for firms to identify and test for potential false-positive indications of suspicious activity. This is relevant to banking access and financial inclusion given the low reporting threshold and risk-based requirements for AML and CTF. The FCA’s 2018 analysis of firms’ data on financial crime noted that they refused to serve a total of 1.15 million prospective customers during 2017 for financial-crime-related reasons. In the same period, firms ended their business relationships with 375,000 existing customers for the same reasons.[6]
- The government has made a start in addressing these barriers by issuing a public statement in support of economic-crime information sharing within global banking groups. New legislation supporting pre- and post-suspicion sharing is now required to enable financial-services firms to share information more easily with each other and with other regulated sectors to better prevent and detect economic crime.
3. Corporate liability for economic crime
- We and our members welcomed the announcement that the Law Commission will undertake a deeper assessment of the issues set out in the Ministry of Justice’s call for evidence on corporate liability for economic crime.[7]
- In its response to the call for evidence, the industry was not opposed to the principle of a failure-to-prevent offence provided it was designed carefully to align with or replace—as opposed to overlay—existing regulatory requirements across AML, bribery and corruption and tax evasion.
- We noted the call for evidence acknowledged the risk that a new basis for corporate criminal liability for economic crime would conflict with the existing regulatory framework for financial services. This includes an existing basis for corporate liability for breaches of AML requirements, including consent, connivance or neglect by senior officers of a regulated firm. Equally, the government’s response noted that the identification doctrine has not prevented substantial corporate sanctions under the financial-services regulatory regime. These were both issues the industry previously identified.
- The industry also noted that the senior managers regime (SMR) had been a powerful tool in the financial-services sector and recommended that the government consider rolling out an equivalent in other sectors instead or ahead of a general failure-to-prevent offence.
- Since our original response, the financial-services sector has seen increased exploitation of telcos, ISPs and social media to enable fraud and recruit money mules. While these companies have a duty of care to their customers, they do not have a duty to prevent their systems being exploited to enable fraud. There would be benefits in considering how a failure-to-prevent offence would bite on these sectors.
- None of this is to say that any such offence is without its challenges or risks, particularly of unintended consequences. It is important that the Law Commission address the risk of duplication and friction between criminal law and regulatory approaches to avoid undermining financial inclusion, the SMR and UK competitiveness. This is a complex issue and will need careful consideration and engagement with the industry.
- We look forward to supporting the Law Commission’s examination of financial-services regulation, including lessons learned from the SMR and the extensive reforms of the economic-crime regime since the closure of the call for evidence.
4. The work of Companies House
- The industry believes it is vital that the government close vulnerabilities in Companies House and improve transparency of ownership. Doing so successfully would be a strong step change in preventing economic crime. We therefore welcome the government’s commitment to closing vulnerabilities in the current Companies House regime. We are working closely with its expert group to develop its proposals for further consultation, and we encourage the government to bring forward legislation as soon as possible. However it is important that the actual reforms at least match the ambition of the announcements made, otherwise the same vulnerabilities and inefficiencies will continue to reduce the overall effectiveness of the collective response to tackling economic crime.
- It is more effective for the public sector to verify data, cross-check against other public-sector data sets and share information actively with law enforcement. The private sector should not be used as an intermediary to pass information between public agencies or have to mark the homework of Companies House. Successful reform would strengthen the ecosystem and free up resource across multiple institutions that could be refocused on higher-value intelligence-led work.
- The proposals set out in the government’s response to its consultation on corporate-transparency and register reform will be a significant improvement on the status quo and have rightly been recognised as part of international best practice.[8] However, international standards are an inadequate benchmark, and these proposals need to be developed with the more ambitious aim of supporting a secure and effective ecosystem. While we welcome the reforms, we hope they will go further still, particularly in looking at how they can be linked to the Cabinet Office’s and Department for Digital, Culture, Media and Sport’s proposals on digital identity.[9] As outlined above, we believe the use of digital ID, linked to the ability to check against public-sector data, could be transformative in terms of creating a stronger approach to know-your-customer checks.
- We also believe the government should provide Companies House with sufficient resources and legal powers to (a) validate and verify the person-of-significant-control information being submitted, including before incorporating a company, and (b) build a capability to identify and report suspicious activity. The proposed reforms and allocated funding go some way to achieving these goals, but there needs to be a more explicit aim of closing vulnerabilities and supporting a more effective ecosystem. This approach would reduce duplication and support public/private partnership, enabling Companies House to take a more thorough approach to rooting out inaccurate submissions and assisting the Insolvency Service and law enforcement in investigations of financial crime.
- We believe the government should review Companies House’s statutory duty to ensure it can provide at least the same standard of data validation as is required to be undertaken by private-sector company-formation agents and again link these to use of digital ID. Verification of the identity of directors and beneficial owners on its own does not prevent abuse of the register through the fraudulent presentation of unauthorised and sometimes unwitting individuals, nor does it mitigate risks such as nominee directors and nominee shareholders. To improve the quality of registry information on directors and beneficial ownership, Companies House should put in place procedures to check whether there is evidence that the individuals presented actually hold these roles. Building on this and allowing the regulated sector to cross-check and receive data from Companies House would create an ecosystem more robust against abuse.
- In the meantime, we welcome new commitments by a number of UK overseas territories to make their registers of beneficial ownership publicly available as they are currently only available to UK law enforcement. We also believe economic-crime reform needs to ensure a level playing field for AML supervision of TCSPs, intensifying the slow progress to date noted in OPBAS’s report on progress and themes from 2019.[10] FATF’s evaluation of the UK noted under-reporting by a number of non-financial-services sectors, including company-formation agents and other professions providing trust and company services.[11] This should be progressed as part of the economic-crime reform programme to identify opportunities to integrate and enhance the overall UK regulatory framework, steps which would help legitimate companies and prevent abuse.
5. Consumers and economic crime
Fraud
- We welcome the Committee’s focus on consumers and economic crime. Statistics we publish on behalf of the industry demonstrate the scale of fraud.[12] Total losses due to unauthorised fraud across payment cards, remote banking and cheques in the first half of 2020 were £374.3 million, a decrease of eight per cent compared to the first half of 2019. In the same period, a total of £207.8 million was lost to authorised-push-payment (APP) fraud. This occurs when customers are tricked into authorising a payment to an account, they believe belongs to a legitimate payee but is in fact an account controlled by a criminal.
- We and our members have established strategic partnerships with both law enforcement and other sectors to help reduce fraud vulnerabilities and so protect consumers. However, the system is fragmented, and more needs to be done to build on the economic-crime reform programme to develop a more holistic and strategic approach with all sectors that bring fraud risk into the system to create a more hostile environment for criminals.
- The financial-services sector takes the responsibility to protect consumers very seriously. It invests over £1.5 billion per year in tackling fraud, including in advanced security systems such as real-time transaction analysis to identify suspicious transactions. The sector also sponsors a specialist police unit, the Dedicated Card and Payment Crime Unit, which tackles the organised criminal groups responsible for financial fraud and scams. In the first half of 2020, the unit prevented an estimated £12.5 million of fraud, secured 30 convictions and disrupted seven organised crime groups.[13]
- The APP contingent reimbursement code launched in May 2019 represents a milestone in establishing stronger customer-protection standards and has led to more victims being reimbursed, particularly for higher-value and more sophisticated scams. In situations where both a customer and their payment-service provider (PSP) meet the standards required under the code, a customer of a signatory firm who falls victim to an APP scam will be reimbursed. This was developed on a voluntary basis by a steering group comprising representatives from consumer organisations and PSPs. Nine PSPs, representing 19 consumer brands and over 85 per cent of APPs, have signed up to the code so far. There was also a substantial increase in the funds returned to victims of APP fraud in the first half of 2020, with financial-services providers able to return £73.1 million, an 86 per cent increase over the same period in 2019.
- Fraud-prevention measures are an important element of the financial-services sector’s efforts to protect consumers. During the first half of 2020, the industry prevented £853 million of attempted unauthorised fraud, with almost £7 in every £10 of attempted fraud being blocked. A key fraud-prevention initiative is the banking protocol. This was established in 2016 and is now operational in every police-force area across the UK. This ground-breaking rapid-response scheme, which allows branch staff to alert police and trading standards to suspected frauds that are taking place, has prevented £128.1 million of fraud and led to 808 arrests.
Education and awareness
- The financial-services sector’s Take Five to Stop Fraud campaign helps consumers stay safe from fraud and spot the signs of a scam.[14] 29 major banks and building societies have signed up to the Take Five charter, which sets out how signatories will use the campaign’s messages and logo throughout their customer communications, bringing the industry together to give people simple and consistent fraud-awareness advice.
- The Don’t Be Fooled campaign, in collaboration with Cifas, aims to inform students and young people about the risks of giving out their bank details and deter them from becoming money mules.[15]
- We continue to issue consumer-protection advice about scams related to covid-19. This includes highlighting the top-10 covid-19 scams of which the public should be aware, details of holiday and impersonation scams and information about how to stay safe online while shopping in the lead-up to Black Friday and Christmas.
- We have launched a dedicated toolkit to help businesses avoid becoming victims of fraud. We also collaborated with our members and the public and third sectors to increase awareness of romance scams through a campaign throughout October. Additionally, we have produced and shared covid-19-specific monthly social-media calendars.
Emerging fraud trends
- Statistics we publish on behalf of the industry suggest criminals have quickly adapted their methods to exploit covid-19 since the pandemic began. They also suggest there has been a growth in both purchase and investment scams via various online platforms. Criminals are exploiting economic uncertainty by advertising fake investment opportunities on social-media sites and encouraging victims to “take advantage of the economic downturn.” The intelligence gathered from our members has also shown criminals are using covid-19 as the hook for purchase scams, with advertisements for face masks, sanitisers and hand gels and self-testing kits.
- Public organisations such as the World Health Organization and government departments have been impersonated to target the public with phishing emails and smishing text messages offering covid-19 financial-support services including grants, council-tax reductions and assistance when applying for universal credit.
- As lockdown eased, criminals began to exploit the summer-holiday season with fake online advertisements for home and caravan rentals. Meanwhile, more traditional fraud involving contactless cards and the use of lost and stolen cards has declined.
Fraud-mitigation measures
- We and our members have established strategic partnerships with other sectors to introduce a range of initiatives to help reduce fraud vulnerabilities and protect consumers. These include working with Ofcom to crack down on number spoofing through the development of a do-not-originate list. Ofcom has said this work has led to significant successes in preventing criminals from spoofing the phone numbers of trusted organisations. For example, when HMRC added numbers to this list, it reduced “to zero” the number of inbound telephone-spoofing scams.
- We are involved in an ongoing industry initiative with the Mobile Ecosystem Forum and Mobile UK, supported by the National Cyber Security Centre (NCSC), to help identify and block fraudulent SMS texts and safeguard messages sent from legitimate businesses and organisations. Suspected fraudulent text messages can also be reported by forwarding them to the mobile network operators’ 7726 reporting service for mitigation and disruption. We are also working with Pay.UK to implement the mule-insights tactical solution, a technology that helps to track suspicious payments and identify money-mule accounts.
Covid-19 fraud-mitigation measures
- We have collaborated with the government and our members to help develop a shared understanding of emerging covid-19-related fraud threats. This includes engagement with the NCSC to ensure member banks and consumers send any suspicious emails they receive to the suspicious-email reporting service at report@phishing.gov.uk. These are then analysed and investigated accordingly.
- Fraud threat intelligence and mitigation actions were captured in a threat log that we developed and fed into the OTELLO Covid-19 Fusion Cell led by the NECC. This is a public/private data-sharing mechanism established in April 2020 as an immediate response to help stop and prevent fraud (and money laundering) and to test collaborative ways of working. OTELLO has participants in the financial-services, insurance and telecommunications industries and the public sector.
- We set up the fraud collaboration working group on behalf of the British Business Bank for the government’s Bounce Back Loan Scheme. The working group convenes on a weekly basis to discuss and assess the BBLS fraud landscape, consider fraud trends and appropriate mitigation and develop and share good practice.
- Our fraud panel convened on a weekly basis during the initial lockdown period to assess and monitor how the fraud landscape was being affected by covid-19. This provided the opportunity for our members to share information and identify new fraud trends and threats. A threat log was developed, and each fraud threat was assessed to determine the need for mitigation.
- We have also taken steps to help address fraud threats in connection with the government’s stimulus schemes in the effort to protect consumers and businesses. Through collaboration with the Ministry of Housing, Communities and Local Government, a dedicated contact was made available at each local authority in England to provide our members with a focal point to discuss any fraud-related concerns with grant payments. Our engagement with DWP has helped identify and mitigate fraud losses from the Coronavirus Job Retention Scheme, and with more people having to apply for universal credit, measures have been implemented to prevent criminals exploiting and abusing the system and the public purse.
Development of consumer protection
- Vulnerabilities in other sectors (e.g. telcos, ISPs and social media) are a key driver of fraud losses. These include exploitation of social media, online marketplaces and auction websites to carry out purchase scams. Technology has made it easier to change the identity information of telephone calls (number spoofing), which makes it difficult to trace or prevent scam calls. This leads to consumers believing they are engaging with a legitimate caller, resulting in their being social-engineered into divulging information that is used to commit fraud. These vulnerabilities are outside the financial-services sector’s control. Including economic crime in the scope of the online-harms regulatory framework would ensure all sectors have a responsibility to remove fraud vulnerability in their systems. It is for the government to lead on the development of a more holistic approach.
- Despite its success, the APP code has not worked as intended and is not delivering consistent outcomes for customers. We do not consider that the introduction of scheme rules would solve this problem. These work well for closed systems where all parties are involved, but this is not the case with APP scams. In many cases, APP scams are enabled by vulnerabilities in other sectors, such as scam adverts on social media or telephone calls spoofing legitimate business numbers. We believe the most appropriate way forward is for the government to legislate to introduce a new statutory contingent code that seeks to set out in law the standards and duties needed to protect consumers and new rules to govern liability. It also needs to find a sustainable funding solution for cases in which neither the customer nor the PSP is at fault.
- Suspended funds could be used to help fund victim reimbursement. These are funds that are not subject to law-enforcement restraint but have been frozen by firms due to concerns or where a customer being exited has been asked to evidence their entitlement to the funds but has not done so. The potential scale of suspended funds is considerable: we estimate approximately £220 million, growing by at least £20-25 million per year.
December 2020
14
[1] https://old.parliament.uk/business/committees/committees-a-z/commons-select/treasury-committee/inquiries1/parliament-2017/economic-crime-17-19/.
[2] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/782656/understanding-organised-crime-mar16-horr103-2nd.pdf.
[3] https://www.nationalcrimeagency.gov.uk/who-we-are/publications/437-national-strategic-assessment-of-serious-and-organised-crime-2020/file.
[4] Ibid.
[5]
[6] https://www.fca.org.uk/publication/research/financial-crime-analysis-firms-data.pdf.
[7] https://www.gov.uk/government/consultations/corporate-liability-for-economic-crime-call-for-evidence.
[8] https://www.gov.uk/government/consultations/corporate-transparency-and-register-reform.
[9] https://www.gov.uk/government/consultations/digital-identity/outcome/digital-identity-call-for-evidence-response.
[10] https://www.fca.org.uk/publication/opbas/supervisory-report-progress-themes-2019.pdf.
[11] http://www.fatf-gafi.org/countries/u-z/unitedkingdom/documents/mutualevaluationofunitedkingdomofgreatbritainandnorthernireland.html.
[12] https://www.ukfinance.org.uk/policy-and-guidance/reports-publications/2020-half-year-fraud-report.
[13] https://www.ukfinance.org.uk/news-and-insight/blogs/dcpcu-prevents-12-point-five-million-fraud-half-year-2020.
[14] https://takefive-stopfraud.org.uk/.
[15] https://moneymules.co.uk/.