Memorandum submitted by CIFAS the UK's
Fraud Prevention Service
1. CIFASThe UK's Fraud Prevention
Service welcomes the opportunity to submit evidence to the Home
Affairs Committee's inquiry entitled "A Surveillance Society?".
CIFAS is an independent not-for-profit membership association,
set up as a company limited by guarantee, that allows the exchange
of information on applications, accounts and insurance claims
that have either been made fraudulently or are being used fraudulently.
2. This evidence explores the current benefits
and safeguards involved in data sharing within the private sector,
as undertaken by those organisations who are already Members of
CIFAS, and also proposals for data sharing with the public sector.
It also sets out our suggestions for criteria that will be key
to the effective sharing of data between the public and private
3. Fraud knows no boundaries. Professional
criminals do not care from whom they take moneythey attack
wherever and whenever an opportunity arises. Fraud losses suffered
by the private sector can mean that prices increase and tax revenues
fall. Equally, losses suffered by the public sector can reduce
the ability to provide public services. Sharing data about fraud
is a very good wayand often the only practical wayto
prevent such losses and help identify those responsiblenamely
criminals who will continue to use the same false identities and
illegal methods as long as they are effective. Sharing details
about these will reduce the opportunity for criminals to profit.
4. Pilot data matching exercises between
the public and private sectors undertaken by CIFAS have proved
that many of those who commit fraud against the private sector
also commit fraud against the public sector.
Sharing data on fraudsters will lead to earlier detection and
prevention of fraudulent activity.
5. The types of fraud that can be prevented
through data sharing within both the public and private sectors
are not limited to identity theft, the focus of much of the current
media coverage on fraud. Also covered are application frauds and
insurance claim frauds, which involve a real person who misrepresents
his or her entitlement or status, and which can have as large
an overall cost to the UK economy as frauds involving identity.
6. Across the private sector, the sharing
of data is a long-established and effective method of preventing
and detecting fraud proactively. The 260 CIFAS Member organisations
share data on identified frauds in the fight to prevent further
fraud and, by doing so, avoided losses during 2006 totalling £790
million. This figure represents an increase year on year of 16%.
7. CIFAS welcomed the overall conclusions
of the Government's Fraud Review, and would support the establishment
of a National Fraud Reporting Centre.
8. Since the inception of CIFAS in 1988,
Members have always followed strict rules regarding the sharing
of data. The CIFAS operating model has been developed in consultation
with the Information Commissioner.
9. CIFAS recognises that there must be clear
standards relating to the nature of the information that is shared.
There must be a defined burden of proof for determining fraud
and a high level of accuracy must be upheld. There must also be
strong safeguards to maintain the security and proportionality
of data that is shared. Such measures will be key to ensuring
the consent and support of both the general public and the Information
Commissioner's Office. However, it is important that the detail
of these measures should not be put into the public domain, as
to do so could give criminals the knowledge required to circumvent
10. All data shared through CIFAS has to
be backed by sufficient evidence to support a formal report to
the police or other relevant law enforcement agency, although
sharing data through CIFAS is not a replacement for a report to
the police. Before sharing details of a fraud or attempted fraud,
the CIFAS Member will have identified a criminal offence, having
either suffered, or potentially suffered, a loss and will have
sufficient grounds to press criminal charges.
11. The information that is shared through
CIFAS is limited to that which will be of relevance to the prevention
and detection of further frauds. Only factually correct and accurate
information may be shared and will not include any expressions
of opinions by the CIFAS Member. Details of racial or ethnic origin
are not shared, and neither are details of political or religious
12. It is important that individuals are
clearly made aware of the uses to which their data could be put.
In order to comply with the fair processing principle of the Data
Protection Act 1998, current CIFAS Members include a "fair
processing notice" in all customer contracts. This clearly
defines the nature and purpose of the information sharing that
occurs between CIFAS Members. Similar notification would be essential
for any future public-private data sharing, regardless of the
13. Similarly, individuals must be told
how to access, and if necessary correct, any information held
about them. As the extent of data sharing grows, this becomes
increasingly important. The use of inaccurate data is self-defeating,
risks the loss of public confidence and would breach data protection
law. Published complaints procedures and clear methods for individuals
to access any data held about them are key to this.
14. CIFAS Members successfully resolve the
majority of complaints they receive about the use of CIFAS data
directly with the individual concerned. Only in a handful of cases
has CIFAS found that the Member did not act according to the rules.
15. CIFAS is run on not-for-profit principles
and any financial surplus is always ploughed back into the services
delivered to Member organisations. The current CIFAS Members are
banks and building societies and other suppliers of secured/unsecured
credit to consumers and businesses, along with share dealing,
leasing and hire, communications and insurance companies. Membership
is not open to intermediaries, such as brokers, independent
financial advisers, loss adjusters, or to debt collection agencies,
tracing agents and private investigators. Public authorities and
utilities are able to join, subject to having appropriate legal
powers to share data for the purposes of fraud prevention and
16. The prevention and detection of fraud
needs to be proactive to be most effective. Limiting the sharing
of data to cases where a suspicion of fraud already exists would
curtail potential benefits. That is not to say that a "blacklist"
of people involved in fraud should be created; rather that it
should be normal procedure for any request or application for
a public sector benefit/service to be checked against those who
have committed fraud previously. This is what has been happening
in the private sector for many years to great positive effect.
17. Every two years the Audit Commission
runs the National Fraud Initiative (NFI), a data matching exercise
that detects frauds and overpayments. Using data from a number
of different public bodies, the 2004/05 exercise detected £111
million worth of fraud and overpaymentsbut only after the
event, when the money had been lost. The proactive sharing of
data, as opposed to the retrospective matching of data, would
enable such frauds against the public sector to be prevented before
money is lost.
18. A proactive method of fraud prevention
provided by CIFAS is the Protective Registration Service. This
service, frequently recommended by the police, allows those who
are at risk from identity fraud to put a protective warning against
their address. The risk could arise from the theft of personal
identification documents (eg during a burglary) or following a
breach of security (eg the loss of a computer containing payroll
data). The protective warning alerts CIFAS Members to take extra
care when receiving new applications from that address, which
could involve requesting further proof of identity.
19. CIFAS information is processed by a
number of participating fraud prevention agencies that also provide
CIFAS Members with fraud prevention services. When a Member identifies
a fraud, a warning is placed against the addresses linked to the
application/proposal/claim or account/policy/service. The warning
shows the name used on the application/proposal/claim or account/policy/service
but this does not necessarily mean that the person named is involved
in the fraud, as fraudsters tend to use a variety of names, some
false and some genuine.
20. The CIFAS warning will appear on the
fraud prevention agency record of any person who has a link with
the address, and any CIFAS Member subsequently checking that address
will see the warning. Matching data for fraud prevention purposes
using just the address, rather than a name at an address, is a
proportionate response to the threat posed by fraud, particularly
fraud involving identity. The added value of this matching has
been proven consistently.
21. The process that results from sharing
information about a previously identified fraud must be fair and
consistent, yet also robust enough to ensure its effectiveness.
Any CIFAS Member that sees a CIFAS warning is required to take
extra precautions to ensure that the application or account that
prompted the search is genuine. No CIFAS Member organisation that
receives a CIFAS warning from the system when checking an application
or account is allowed automatically to refuse to supply
the facility, product or service because of the warningan
appropriately trained member of staff must make the decision after
22. The value of the shared information
is related to its age. Although historical information can have
value, the sharing of current data will be of much greater benefit
and will be more compliant with the fifth Data Protection Act
23. Data that has been shared by a CIFAS
Member is only shared with other CIFAS Membersit is not
passed on to anyone else. Organisations who are not Members but
also use a participating fraud prevention agency would not see
any CIFAS warnings. This concept of reciprocity is essential to
the long term success of any data sharing system.
24. The police and other law enforcement
officers are able to request data from CIFAS but only on a case-by-case
basis. Section 29 of the Data Protection Act 1998 permits disclosure
of data for the purposes of the prevention or detection of crime,
or the apprehension or prosecution of offenders.
25. The Social Security Fraud Act 2001 gave
the power for authorised Department for Work and Pensions officers
and for authorised local authority officers to obtain information
from certain types of organisations, including CIFAS. Authorised
officers can obtain any information relevant to the prevention
and detection of benefit fraud in tightly defined circumstances
as set out in a Code of Practice.
26. Whilst there have been large scale data
matching exercises successfully undertaken using CIFAS data,
no personal data was disclosed as part of those pilots. Any profiles
of fraudsters based upon the data shared between CIFAS Member
organisations have not been shared with law enforcement agencies.
27. Any proposed data sharing through CIFAS
between the public and private sectors would still occur under
the existing practices and procedures outlined previously. Neither
the source, destination or nature of the information shared would
materially alter the standards or safeguards applied.
28. Information on those identified as being
involved in fraud is also valuable to the criminal community,
as it could be used to circumvent measures put in place to prevent
fraud. The misuse of data can arise from both internal and external
29. Although many external threats can be
managed through the use of appropriate hardware, software and
physical security tools, internal threats (ie employee fraud)
are more complex to deal with. Best practice among CIFAS Members
for vetting prospective employees includes references forand
the full verification ofemployment history, the verification
of any qualifications, and verification of identity to the same
standard as for anti-money laundering checks. CIFAS has recently
launched a staff fraud database for Members and, in conjunction
with the Chartered Institute of Personnel and Development, has
also provided Members with a guide to tackling staff fraud and
30. The wrongful disclosure of data is an
offence under Section 55 of the Data Protection Act 1998 and other
legislation. CIFAS welcomes the proposed increases in the penalties
for this offence recently announced by the Department for Constitutional
31. As used in the CIFAS operating model,
the sharing of data cannot be considered surveillance as the sharing
only occurs after a fraud (whether attempted or successful) has
been identified. It is important, however, to strike the right
balance between the operational need for confidentiality and the
public need to be open about how fraud is prevented. To maximise
the likelihood of the successful apprehension and prosecution
of offenders, customers are not advised when a CIFAS warning is
placed in the majority of cases. Data protection legislation has
still been observed as customers will have already been notified
by a "fair processing notice" that details of any identified
frauds may be passed to fraud prevention agencies.
32. CIFAS suggests that the following criteria
are key to the effective sharing of data between the public and
The sharing of data needs to
be proactive, but only information relevant to the prevention
of fraud should be shared.
There needs to be a defined
burden of proof which is satisfied before sharing takes place.
Individuals must be made aware
of the possible uses of their data.
Automatic refusals should not
be made purely on the basis of data that has been shared.
33. Sharing data for the purposes of preventing
and detecting fraud offers the potential for great benefits to
UK citizens, the private sector and public authorities. The full
potential can only be realised with the minimum of impact on individual
liberty, however, where there are clear standards and safeguards
in place to govern this sharing.
106 Home Office, New Powers Against Organised
and Financial Crime (Cm 6875-July 2006), Chapter 1. Back