Written evidence submitted by the Financial Conduct Authority (OSB0044)
- We welcome the opportunity to give evidence to the joint pre-legislative scrutiny Committee on the draft Online Safety Bill (‘the Bill’).
- Tackling scams and reducing online harm are key areas of focus for us. The threat from online fraud has risen markedly in recent years and shows no sign of slowing. From April 2020 – March 2021 we received almost 30,000 consumer enquiries about potential scams – 77% more than we received in the previous 12 months.
- Tackling online fraud, the biggest driver of financial harm, will enable us to take a solid step forward in protecting consumers.
- We therefore welcomed the Government’s confirmation that the draft Bill is intended to include measures to address certain types of user-generated fraud, such as fake investment opportunities promoted on social media.
- To help achieve the Government’s stated aim of ensuring the UK is the safest place in the world to be online, we hope the Bill can be amended further to:
designate content relating to fraud offences as priority illegal content
extend the duties in the Bill to cover fraudulent content contained within paid-for advertising
- We stand ready to work with Members of Parliament and this Committee, officials and partner regulators to deliver this. We welcome the extensive engagement we have already had on the draft Bill from colleagues in the Department for Digital, Culture, Media and Sport (DCMS) and Ofcom.
- We describe below our remit and work in relation to fraud and online harm and provide our views on the following two questions outlined in the Call for Evidence.
- The draft Bill specifically includes [child sexual exploitation and abuse] CSEA and terrorism content and activity as priority illegal content. Are there other types of illegal content that could or should be prioritised in the Bill?
- The draft Bill applies to providers of user-to-user services and search services. Will this achieve the Government's policy aims? Should other types of services be included in the scope of the Bill?
Our approach to fraud
- Our statutory objective of protecting and enhancing the integrity of the UK financial system expressly includes ensuring that the financial system is not used for purposes connected to financial crime. As the financial services and markets conduct regulator, as well as the money laundering supervisor for the financial sector, we also have a keen interest in reducing fraud.
- Tackling fraud is also vital to protecting consumers from harm. In the UK, a firm must be authorised and regulated by the FCA to carry out most financial services activities. Consumers who use an unauthorised firm cannot generally access the Financial Ombudsman Service or Financial Services Compensation Scheme, so they are unlikely to get their money back if things go wrong.
- Our work to tackle fraud takes a variety of forms but includes action to address:
fraudulent activity undertaken, or facilitated by, firms which we authorise or regulate
unauthorised persons deceiving consumers into believing they are authorised
unauthorised persons unlawfully engaging in regulated activities
- While we have broad jurisdiction and a variety or powers at our disposal, we are not able to address all fraud and our perimeter sets an important constraint on our ability to do so.
- Our approach recognises that not all frauds can be stopped before they happen, that we are not able to restore all victims to the position they were in beforehand and that most frauds and scams operate outside our formal regulatory jurisdiction. We recognise that reducing the incidence of fraud requires not only the pursuit of fraudsters and the imposition of penalties and sanctions, but also considerable efforts on prevention. We do this by requiring regulated firms to maintain high standards of conduct and diligence to ensure they do not facilitate fraud (either by permitting their systems to be used by fraudsters, by laundering proceeds of crime or otherwise) and by providing consumers with information about how to identify fraudsters through our successful Scamsmart campaigns (see below).
- We devote significant resources to the protection of consumers from scams and fraud. We focus, in particular, on that activity which takes place inside our perimeter (e.g. where unauthorised persons are making false claims to be authorised or are engaged in unlawful regulated activity or the unlawful promotion of financial services or products). This includes those who make unrealistic ‘too good to be true’ promises to consumers. We also maintain a robust approach to market abuse which the courts view as a species of fraud.
- We pursue regulated firms which commit serious misconduct, including fraud, and those which may facilitate financial crime, such as those with poor anti-money laundering systems and controls. We also pursue those who pretend to be regulated by the FCA (inducing victims on that basis), and those who carry on regulated activities without our permission. We have a broad range of powers which we use including financial penalties, the suspension and prohibition of firms and individuals, injunctions and civil and criminal powers.
- Given the incidence of fraud in the community goes far beyond the formal reach of our jurisdiction, we also work closely with other agencies. We are a member of the National Economic Crime Centre (NECC), which has a broad coordinating role across UK agencies. We have provided resources to the NECC through a secondment programme and work closely with fellow members, the National Crime Agency (NCA), Serious Fraud Office (SFO), City of London Police and HM Revenue and Customs (HMRC). The problem of fraud, especially volume fraud, is a complex one, spanning responsibilities across UK law enforcement, which is why we are a keen supporter of the NECC.
- We protect consumers through a broad range of consumer education initiatives designed to ensure consumers are less susceptible to scams. We do this by warning them about specific scams and unauthorised persons which we believe may be unlawfully engaged in regulated financial services activity in the UK. We also provide guidance to consumers on the general risks of falling victim to scams and frauds.
- We use our Warning List to publish details of unregulated entities which we believe are
engaging in regulated activity without authorisation
promoting financial services or products unlawfully
using the details of authorised firms to convince people that they work for a genuine, authorised firm (so called, clone activity).
- We do this to warn consumers and third parties, such as banks, financial advisers, and tech companies which may be facilitating these entities’ online activities, not to deal with them. Publishing warnings also allows us to mitigate the risk of consumer harm swiftly, in circumstances where our prospects for taking successful enforcement action may be limited. For example, where the entity is based overseas and has no assets in the UK, and we are unable to identify the people behind it. This year, we have posted 79% more warnings than last year.
- We also run ScamSmart. ScamSmart is a broad, multi-year campaign to raise awareness of scams and the techniques employed by scammers, and to educate consumers about how to avoid becoming a victim of investment and pension scams. It provides basic information and tips and is supported by professional research that identifies particularly vulnerable groups or behaviours that fraudsters tend to exploit. Our campaign uses television, radio, press, digital advertising and social media to promote our messages and ScamSmart has its own section on our website which includes our Warning List of firms which we advise consumers to avoid and the FCA register. We regularly update our ScamSmart webpages and deliver 3 multi-channel marketing campaigns a year for ScamSmart which includes; ScamSmart Investments, ScamSmart pensions and Loan Fee Fraud.
- Over 1 million people have visited our ScamSmart website since its launch in 2014, and more than 20,000 have seen our warnings about specific, unauthorised firms. So far this year (up to 31 July 2021), over 65,000 people visited the ScamSmart website.
Technology Service Providers and Online Harm
- As we set out in our recent written and oral evidence to the Treasury Select Committee’s Inquiry on Economic Crime, online platforms, such as search engines and social media platforms, are playing an increasingly significant role in putting consumers at risk of harm.
- They do this through exposing them to user-generated content and paid-for adverts that contain unlawful financial promotions or make false or misleading claims. These range from scams to false or misleading adverts (which can fall within or outside our jurisdiction).
- There are few practical barriers to scammers exploiting consumers online. Fraudsters have unprecedentedly cheap access to an online population of consumers who find it difficult to differentiate genuine offers from the fraudulent. Online platforms do not always check the details of the people placing the adverts, so scammers are able to place adverts anonymously on an industrial scale, without fear of being caught. There are ads online for firms that don’t exist, for firms that claim to be regulated but aren’t, for firms that claim to be based in the UK but aren’t, and for clones of legitimate authorised firms.
- In order to further seek to protect consumers searching online for investment opportunities, we have paid Google to promote our warnings. In 2020, we spent close to £500,000 on Google Adwords to warn consumers about high-risk investments. We also paid Google to promote adverts about specific unauthorised firms. This means Google received a fee from the scammer, and the regulator. We have also had to contact platforms to inform them of adverts that are not only unlawful but also breach their own rules and policies.
- We want to ensure that consumers are effectively protected from the risks presented by fraudulent and scam investment activity. Online platforms are, in many cases, the gateway for consumers to investment services and products which cause them harm.
- We liaise with online platforms to seek to mitigate the risk of consumers being exposed to harmful content on or through these platforms. However, negotiation and persuasion (as opposed to clear requirements imposed by legislation) are not always the fastest way to achieve meaningful change to protect consumers. We think that more substantial and permanent change is reliant on clear legal obligations on the part of platform operators to protect consumers.
- We therefore believe that it is vital that these platforms are subject to clear legal obligations in respect of these gateways. We consider that it is vital that platforms’ responsibilities extend to both user-generated content and paid-for advertising
- Given this, we believe the best way to protect consumers from illegal online scams is for content relating to fraud offences to be designated as priority illegal content under the draft Bill. We believe these provisions should include online advertising as well as user-generated content.
- Without legislation, we are obliged to rely on a combination of existing laws and individual negotiation with every online platform, to persuade them to provide gateway protection to consumers. This will produce a patchwork of inconsistent approaches, take us considerable time and create gaps that can be exploited by scam advertisers. Legislation can help avoid these gaps and ensures there is a level playing field for all online platforms and consistent, enforceable standards to protect consumers.
The draft Bill specifically includes CSEA and terrorism content and activity as priority illegal content. Are there other types of illegal content that could or should be prioritised in the Bill?
- The extent of the safety duties under the draft Bill vary according to whether the content has been designated as ‘illegal’ or ‘priority illegal content’. Overall, the duties in relation to ‘priority’ illegal content require significantly more proactive monitoring and preventative action by platforms than for ‘illegal content’ where, for example, the duty on search services is to remove illegal content only where the provider knows about it, having been alerted to its presence.
- We believe it is important that operators are subject to clear, proactive obligations to identify and disrupt unlawful content which is disseminated through their platforms. We do not consider that the provisions on ‘illegal content’ would achieve this. We have the following specific concerns
- Incentives on platforms: Insofar as the safety duties in respect of mere illegal content require platforms to mitigate and manage risks of harms to users, they may make little practical difference to the operations of platforms. The more significant platform operators already maintain detailed policies, terms and conditions which purport to restrict users’ rights to upload or post illegal material. What is needed for consumers to be meaningfully protected online are clear pro-active obligations on the part of platform operators to monitor for, and take down, illegal content (or, in the case of paid-for advertising, to prevent it reaching their platforms in the first instance).
- Lack of clarity for consumers: There is a risk that a reactive obligation alone is, for consumers, the worst of all worlds. It will at best be very difficult for consumers to know whether they can trust the investment promotions they are seeing, or not. At worst, they may be confused into believing that they are safer online than they are and therefore be less wary of scams, resulting in greater harm.
- We therefore strongly believe that content relating to fraud offences should be designated as ‘priority illegal content’. Without this, we do not think that the draft Bill will lead to a material change in platform behaviour, and therefore the volumes of scam material to which consumers are being exposed in and through online platforms.
- We also believe content relating to fraud offences clearly meets the criteria set out in the draft Bill for priority illegal content. We have set out further information on the offences that could be used to capture fraud, and the assessment of fraud in the Annex.
The draft Bill applies to providers of user-to-user services and search services. Will this achieve the Government's policy aims? Should other types of services be included in the scope of the Bill?
- We welcomed the Government’s confirmation that certain types of user-generated online fraud will be brought within scope of the Bill. However, we believe strongly that the draft Bill should be amended to cover paid-for advertising as well, since online advertising is a major source of scam investment promotions, leading to very significant consumer harms.
- For some time, we have expressed our concern about the prevalence of scams promoted through paid-for adverts, which allow criminals to reach wide audiences in a relatively low-cost way. Excluding paid-for advertising from the scope of the Bill will allow scammers to easily avoid easily avoid any new processes put in place by platforms relating to user-generated content by simply promoting their scams through paid-for adverts.
- We are concerned that the result will be a confusing landscape of patchwork regulation/protection for consumers. For example, as the Bill stands if a criminal were to post a scam in a local parents’ social media group, the online platform would be compelled to remove it if alerted. However, if the same criminal paid the platform to promote that scam to thousands of individuals, the platform would not be obliged to take action under the Bill.
- Consumer protections should depend on how the individual comes across a scam online. We believe that platforms should have an obligation to identify and remove fraudulent content on their services, regardless of its format.
- Research commissioned by the Advertising Standards Authority found that up to two-thirds of respondents (66%) were able to identify an advert as a brand advert, leaving a significant minority who were uncertain. The Money and Mental Health Policy Institute found that differentiating between adverts and other content can be even more difficult, with 82% of their Research Community respondents agreeing that it can be difficult to tell the difference when experiencing a mental health problem.
- We consider that the same systems and controls and Ofcom oversight should apply to both user-generated fraud and paid advertising, particularly as paid advertising is likely to be easier for the platforms to monitor (due to some level of engagement with the advertiser). We also think that it should be operationally easier for platforms to apply a single regime to both user-generated content and paid-for advertising.
- We do not consider that the inclusion of paid-for adverts would undermine the competitiveness of the UK technology sector as we do not consider a business model which acts as a gateway to large scale fraud against consumers constitutes a sustainable business model.
Complimentary regimes: Interaction between the financial promotion regime and the draft Bill
- Under UK law, a person is prohibited from communicating (or causing to be communicated) a financial promotion unless (i) the person is authorised by the FCA/PRA; (ii) the promotion has been approved by a person authorised by the FCA/PRA; or (iii) the promotion is communicated within an exemption in the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (the ‘Financial Promotions Order’). This is known as the ‘financial promotion restriction’ and is contained in section 21 of the Financial Services and Markets Act 2000.
- A general EU-derived exemption in the Financial Promotions Order broadly exempted electronic financial promotions from the scope of the prohibition where these were made from an establishment in an EEA state other than the UK. This exemption was a component of the UK’s implementation of the E-Commerce Directive (the ‘ECD’). Since 1 January 2021, following the end of the transition period, this exemption no longer forms part of UK law.
- The Financial Promotions Order still contains another exemption which has its roots in the ECD. This broadly exempts from the financial promotion restriction communications made by online intermediaries where the communication would fall within the scope of one of the three safe harbours in the ECD (‘mere conduits’, ‘caching’ and ‘hosting’). Our view, however, is that these safe harbours (and therefore the related exemption in the Financial Promotions Order) do not apply when the intermediary has a significant role in optimising the content or actively determining which recipients receive particular promotions – most obviously in the case of paid for advertising.
- As a result of this change, we are now looking at the operations of the major online platforms to determine whether they are now subject to the financial promotion restriction and, if so, whether they are compliant.
- We think that the financial promotion restriction would be one of the key offences that could be used to define priority illegal content for the purposes of the Bill. By doing this the draft Bill would complement and reinforce the requirements of the financial promotion regime. The draft Bill would provide for an overarching civil regime ‘upstream’ under which platforms had to undertake risk assessments and ensure adequate systems and controls aimed at delivering the outcomes set out in the draft Bill. The broader focus of the draft Bill would also provide protection in cases where a criminal case cannot be brought.
- The financial promotion regime would provide for criminal liability ‘downstream’ where an individual promotion was identified as having been communicated in breach of the financial promotion restriction. Evidence that we gather of potential breaches of the financial promotion restriction are likely to be relevant to Ofcom’s assessment of a firm’s compliance with the obligations of the Bill. This could be supported by information sharing and regulatory cooperation by the FCA and Ofcom. We have already had working level conversations on what cooperation would be required.
- Some of the scams we witness on online platforms have not only been designed to take advantage of service features like search engine optimisation, but also to evade the requirements of the financial promotion regime. The responsibilities to prevent, monitor and remove priority illegal content contained in the draft Bill are therefore vital if the UK is to keep pace with highly adaptive criminals seeking to defraud consumers.
Online Advertising Programme
- It has been suggested that paid for advertising would be addressed through the Government’s Online Advertising Programme. Online fraud is an urgent issue which is growing steadily. As mentioned, we have already posted 79% more warnings than last year. We cannot wait for the outcome of the untested Online Advertising Programme which could take years to provide protections for consumers. The timescales, parameters and outcomes of the programme have yet to be confirmed and there is no guarantee it will recommend, let alone operationalise, essential consumer protections. In contrast, both industry and regulators are preparing to adapt their operations in response to the Online Safety Bill now.
Definition of harm
- The definition of harm used in the draft Bill is one area where it will be important to ensure that the drafting of the Bill is effective in delivering the Government’s expressed intention to catch certain types of fraud.
- The draft Bill defines ‘harm’ as “physical or psychological harm” (cl. 137(1)). While content need not necessarily give rise to ‘harm’ in order to be within the scope of the duties, the definition of ‘harm’ is important for defining various elements of the Bill’s obligations. For example, the illegal content risk assessment duty requires an assessment of, amongst other things, the level of risk of ‘harm’ to individuals and the nature and severity of ‘harm’ that might be suffered by users.
- The safety duty is also framed in terms of taking proportionate steps to mitigate and effectively manage the risk of ‘harm’ to individuals. The level of risk and severity of harm is an important component in determining whether to specify an offence as giving rise to priority illegal content.
- We agree that as a matter of fact victims are likely to experience psychological or physical harm. However to avoid any uncertainty about the extent to which economic / fraud offences give rise to ‘harm’, we would welcome targeted amendments to the draft Bill to encompass financial or economic harm for the purposes of the above duties and assessments in relation to fraud.
Annex – Fraud offences
- Under the draft Bill illegal content is defined by reference to existing offences. We have set out here the list of offences we have previously provided to colleagues in DCMS and HM Treasury as being relevant to capturing fraud in the financial services space. We note, however, that the concept of a relevant offence under the Bill is currently wide enough to capture (subject to limited exceptions) any offence of which the victim or intended victim is an individual.
- A key question will be how a platform identifies content which would constitute a criminal offence. Certain offences (i.e. S.21 FSMA –‘breach of the financial promotion restriction’ or S.24 FSMA – ‘false claims to be authorised’) would seem in most cases to be relatively straightforward for platforms to identify and police.
- Other offences, for example ‘making a false or misleading statement’ are likely to be less easy to spot on their face.
FSMA and FS Act 2012
- There are 3 relevant criminal offences under FSMA and 2 criminal offences under the FS Act 2012:
- s.19 FSMA – breach of the general prohibition (s.23 outlines the breach)
- s.21 FSMA – breach of the finproms regime (s.25 outlines the breach)
- s.24 FSMA – false claims to be authorised
- s.89 FS Act 2012 – making a false or misleading statement
- s.90 FS Act 2012 – creating a false or misleading impression
- These are all criminal offences and we have criminal prosecution powers under s.401(1) FSMA to prosecute breaches. Under s.402 of FSMA, we can also prosecute breaches of the regulations relating to money laundering.
- We have also prosecuted/are prosecuting the following ‘fraud’ offences:
• General offence of fraud under s.1 of Fraud Act 2006, broken down into:
o fraud by false representation s.2 Fraud Act 2006;
o fraud by failing to disclose information s.3 Fraud Act 2006;
o fraud by abuse of a position s.4 Fraud Act 2006.
• Criminal Law Act 1977: conspiracy to defraud (section 5(2)).
• Theft Act 1968: false accounting (section 17);
• Theft Act 1968: false statements by company directors (section 19).
Annex – Criteria for designation of priority illegal content
- Under the draft Bill the Secretary of State must take the following criteria into account when deciding which content should be designated as priority illegal.
(i) the prevalence on regulated services or content that amounts to the offence;
(ii) the level of risk of harm being caused to individuals in the UK; and
(iii) the severity of that harm.
- We have set out below our assessment of content linked to fraud offences against these criteria.
The prevalence on regulated services or content that amounts to the offence;
- Fraud accounts for one-in-three crimes in the UK, costing up to £190 billion a year. European Commission research (2020) found that the level of exposure to scams and fraud in the UK was the third highest amongst EU countries with 67% of individuals having personally experienced at least one type of scam or fraud in the previous two years.
- The Telephone Crime Survey for England and Wales (TCSEW) indicated a 36% increase in fraud and computer misuse offences compared with the year ending March 2019 Crime Survey for England and Wales (CSEW).
- The data showed a 57% increase in “online shopping and auctions” fraud in the latest year (from 62,509 to 97,927 offences) and a 44% increase in “financial investment fraud” (from 14,024 to 20,260 offences).
- The chart below shows the growth in reports of financial scams received from consumers over recent years. From April 2020 – March 2021 we received almost 30,000 consumer enquiries about potential scams, with investment scams accounting for 56% of all these enquiries. This is 77% higher than scam enquiries we received in the previous 12 months.
- It has been estimated that 86% of fraud is committed online and this is a growing problem. There are few practical barriers to online scams. Fraudsters have unprecedentedly cheap access to an online population of consumers who find it difficult to differentiate genuine offers from the fraudulent.
- The chart below shows the method through which consumers encountered potential scams as reported to FCA’s ScamSmart support centre from April 2020 to March 2021.
- As can be seen, ‘online’ and ‘advert on social media’ are two of the most common ways which consumers come across potential scams and contribute significantly to total fraud.
The level of risk of harm being caused to individuals in the UK
- Individuals in the UK are at a high risk of harm from frauds and scams online. It can be extremely difficult for consumers to determine what is a genuine promotion for an investment (and what is not) with scams evolving constantly and becoming ever more sophisticated. There are promotions online for firms that do not exist, for firms that claim to be regulated but are not, for firms that claim to be based in the UK but are not, and for clones of legitimate authorised firms. Many sites emanate from overseas locations using fake UK addresses though often using what looks like a genuine UK telephone number. Also, because of the way search engines provide algorithmically personal search results, scammers target victims in the same way legitimate advertisers find customers.
- At the same time, consumers are not always best placed to identify and protect themselves from scams. Research from Which? found that individuals may have only partial awareness of the breadth, range and sophistication of types of scams that can be found on social media.
The severity of that harm.
- There are two main ways in which fraud and scams cause severe harm: the first is in respect of the financial loss to the individual, many of whom may have lost their entire life savings. Action Fraud data shows that between August 2020 and July 2021, there were a total of £658m reported losses due to investment and pensions scams. That equates to approximately £25,500 loss on average. Some individuals will have lost many times that. Victims of pension fraud reported in 2018 that they had lost an average of £82,000 each.
- Secondly, there is also the significant mental harm and distress which can be felt by victims of fraud, resulting in anxiety, depression and suicide. Research from the Money and Mental Health Policy Institute found that 40% of all online scam victims have felt stressed as a result of an online scam. Which? has reported that Action Fraud data identifies 300-350 fraud reports a week where victims show signs of severe emotional distress – equating to around 18,000 reports a year.
17 September 2021
 For user-to-user services, the duty in relation to ‘priority illegal content’ is to minimise the presence and dissemination of illegal content whereas for ‘illegal content’ it is merely to take steps to manage the risks of harm as identified in the most recent risk assessment. Similarly, for search services, the duty for ‘priority illegal content’ is to use proportionate systems and processes to minimise the risk of individuals encountering priority illegal content. However, the requisite duty for ‘illegal content’ is to remove it only where the provider knows about the illegal content, having been alerted to it.
 The news story was published on 13 April 2021 by The Daily Mail
 Home Office, Fraud Review – Headline Findings, February 2020.