Home Affairs CommitteeSupplementary written evidence submitted by the Foundation for Information Policy Research [EC 06a]

The Foundation for Information Policy Research (FIPR) is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.

We refer to the evidence I gave to your inquiry on 20 December and the subsequent letter from the banks’ trade association Financial Fraud Action (FFA) to the Chairman, the Right Honourable Keith Vaz MP, of 29 January this year. We would like to offer the following observations and suggest a few questions for the FFA witness.

1.The FFA’s Ms Worobec objects to my remark to you that banks find it easy to blame customers for fraud, and often blame people as a routine matter, even when there is no evidence of negligence at all.

2.Ms Worobec claims that “the innocent victims of fraud can expect to receive full protection against any losses … it is only in circumstances where customers have been grossly negligent in protecting their PIN and card that they sustain any loss—which is a high threshold to overcome”.

3.This has been the line taken by the banking industry since at least 1994 but it is at variance with both the statistical evidence and the facts of many cases.

4.I was recently the expert witness for the defence of Mr W, a national of Sri Lanka who has been granted asylum in the UK. He disputed 38 transactions totaling £7,861.85 on his account at the Nationwide. The Nationwide claimed that according to their records his card and PIN had been used so he must have been negligent or complicit. When he complained, he was arrested for fraud by false representation; the police believed the bank’s claim that fraud was not possible. I submitted an expert witness report showing how fraud was indeed possible and the case collapsed. My report described how the bank’s fraud analyst, on whom the police relied, had made more than one untrue statement. However Mr W has not been reimbursed; and he also lost his job as a consequence of being arrested. Honourable members might ask Mr Worobec whether she will get the Nationwide to refund and compensate Mr W. (I have his permission to send you the papers so long as his name is not published.)

5.My colleagues and I at Cambridge University Computer Lab have published most of the academic research on payment fraud over the last 20 years, so victims often find us when they search online and come to us with their stories. It is thankfully rare for a complaining cardholder to be actually prosecuted (Mr W is only the third we’ve come across in 18 years, and all three were acquitted). But it is extremely common for cardholders to be told “Our records show that your card and PIN were used, so you must have been negligent or complicit”.

6.The steady stream of victims is scientifically useful as it enables us to see how fraud tools and methods are developing. In the last five years we have seen and documented a number of clever technical frauds that enable card data to be captured from tampered terminals, and which even enable stolen cards to be used without knowledge of the PIN. The fact that a bank’s records claim that the correct PIN was used usually proves nothing of the sort. We have a series of technical papers and videos on fraud methods available online.1

7.But the stream of victims is also frustrating and at times heart-rending, as there is often little we can do. Given current rules on legal aid and costs, and given that he does not speak good enough English to act as a litigant in person, Mr W seems to have little chance of getting his money back.

8.In general the victims who come to us having been given the brush-off by the banks and then by the Financial Ombudsman Service are disproportionately less white, less male and less middle-class than the population as a whole. They are precisely those people who are not in a position to take the bank to court.

9.The police are usually not much help either, especially since an ACPO decision in 2005 to get people to report fraud to their bank in the first instance rather than to the police. The House of Lords Science and Technology Committee examined “Personal Internet Security” in 2008; their Lordships concluded that that decision had been the wrong one. Yet they could not get ministers to change their minds.

10.So the only really dependable fraud figures appear to be those from victim surveys, such as those conducted by the British Crime Survey and Eurostat, mentioned in our original submission to the committee. These suggest that about 4% of the population become fraud victims in any year and about half don’t get their money back. What’s more, the fear of online crime is real and it discourages many people from doing more things online, causing real harm to the economy.

11.Ms Worobec talks of the Financial Ombudsman Service (FOS). Yet this routinely finds in favour of the bank and against its customer, even when this flied in the face of both the law and the facts. FIPR made a submission to this effect to the review of the ombudsman that was conducted in 2008, before the ombudsman became the adjudicator required by the Payment Services Directive.

12.In that submission2 we included the full papers of a sadly typical case. Donald and Hazel Reddell were intimidated by Barclaycard into paying up £3000 that had been stolen from their account after their card was cloned—on the single occasion when they used it, namely in a Barclays Bank ATM! The bank showed its confidence in the Ombudsman by sending in the debt collectors in while that august body’s formalities were still in progress. Donald and Hazel appeared on “Tonight with Trevor McDonald”; I raised their case with a nonexecutive director of Barclays; I wrote to Bob Diamond after he made a speech saying the bank would have to rediscover its ethics; and I even put their case before the bank’s much-heralded Salz review. Yet despite a complete lack of evidence of any contributory negligence on their part, Barclays have still not given the Reddells their money back. I suggest that honourable members ask Ms Worobec when the Reddells will receive their refund. They can hardly be described as “having practically colluded with the fraudster”.

13.Ms Worobec also talks of the Payment Services Regulations 2009, which transpose the Payment Services Directive. I would like to draw the committee’s attention to article 59.2 of the Directive: “Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer acted fraudulently or failed with intent or gross negligence to fulfil one or more of his obligations under Article 56.” The UK banking industry lobbied long and hard to get the word “necessarily” inserted into this text. I invite the committee to ask Ms Worobec why. Was it not so that UK banks could continue saying “Your card and PIN were used so you must have been negligent or complicit”?

14.Indeed as recently as a year ago, complainants to the Ombudsman reported that adjudicators there had not even heard of the Payment Services Regulations. We wrote to the Business Secretary Vince Cable (having discussed the matter with him while he was in opposition); his response was that he could do nothing as the ombudsman was “independent”, but that we might see the FSA who assumed the power to regulate her as of April 1st. We met with the FSA in January but learned that despite the ombudsman’s manifest failings they did not propose to do anything about her at all. Their line is that “the basis for Ombudsman decisions is what is fair and reasonable in all the circumstances of the case, rather than on a strict legal basis”. We disagree; if the ombudsman service does not have to follow the PSRs and the rest of the law (including the Human Rights Act) then the UK does not have an adequate transposition of the Payment Services Directive.

15.NGO efforts towards securing better financial consumer protection in the UK are now aimed at persuading the European Commission to remove the word “necessarily” from the Payment Services Directive in the current review of that legislation, and require explicitly that adjudicators act according to law. The committee might ask Ms Worobec whether UK banks will resist either or both of these changes.

16.Yet, despite its serious flaws, the Financial Ombudsman Service is finding against the bank in tens of thousands of cases per year. In 2012 there were 64,234 complaints to the ombudsman regarding banking and credit3; 31% of these for current accounts and 54% of these for credit cards were found against the bank. The figures are not broken down enough to give the phantom withdrawal figures, but it is clear the banks’ system for refunding customers is not working.

17.So I am delighted to see Ms Worobec claim that 98% of fraud victims are reimbursed. I encourage the committee to ask her to provide the data from which this figure was derived. 98% of what, precisely?

18.The committee should be aware that when customers complain of transactions that are “chip and pin” (according to bank records) some banks see these simply as attempted frauds where the bank was the victim, not the cardholder, and record them under another heading. If customers are told to go away as “Our systems are secure so you must have been negligent or complicit”, a complaint may not be recorded at all. And a third example of non-recording is where the bank claims the dispute is purely between the cardholder and a merchant; the line is that where there was a “willing buyer and willing seller” the dispute does not concern them. A common example is where a British tourist in southern or eastern Europe gets a large card bill after eating in a restaurant where a waiter made a copy of their card and cashed it out in a nearby nightclub. UK banks then hide behind card scheme refund rules (which we understand even the FSA are not allowed to see). UK banks’ unwillingness to file chargebacks even for clearly fraudulent transactions encourages crime gangs in other countries. You might ask Ms Worobec whether eating tapas in Spain amounts to “having practically colluded with the fraudster”.

19.Ms Worobec claims that the burden of proof is on the bank, not the customer. This is somewhat disingenuous. The problem is that the fact that the banks assert that their system provides evidence that carries the day on the balance of probabilities. The ombudsman accepts this; it cannot easily be challenged by an ordinary customer for want of being able to get access to the banks’ systems for expert examination; and the courts do not usually order wholesale disclosure because there is so much of it that such an order would never be proportionate to an ordinary civil case. Where disclosure is ordered in a criminal matter (as in Mr W’s case), or where a fraud victim has the stomach and resources to make a fight of it in the courts, the banks fold. But ordinary fraud victims have little chance.

20.A matter that Ms Worobec failed to mention in her letter is that after colleagues and I revealed how stolen cards could be used by a criminal who did not know the PIN on Newsnight in February 2010, her colleague Melanie Johnson wrote to the University of Cambridge asking for one of our students’ Masters thesis to be removed from the web. The banks claimed it might help the bad guys, but this was nonsense. We had found that vulnerability after studying fraud patterns; the villains knew how to do it already. Ms Johnson appears to have simply been trying to defend the industry line that “Our systems are secure so you must be negligent or complicit”. We made her go away by pointing out to her that section 2 of the Fraud Act 2006 makes it an offence to dishonestly make a false representation to benefit yourself or another, or to put a third party at risk of loss. But perhaps many people who work in the banking industry still imagine that this law applies only to poor people like Mr W, and not to them.

Ross Anderson FRS FREng
Professor of Security Engineering, Cambridge University
Chair, Foundation for Information Policy Research

April 2013

1 Bank fraud resource page, at http://www.cl.cam.ac.uk/~rja14/banksec.html

2 FIPR submission to the Hunt Review of the Financial Ombudsman Service, 2008; at http://www.fipr.org/080116huntreview.pdf

3 Financial Ombudsman Service, Annual review 2011/2; at http://www.financial-ombudsman.org.uk/publications/ar12/about.html#a2 and /dealt.html#a5

Prepared 29th July 2013