Home Affairs Committee

Written evidence submitted by the British Bankers’ Association [EC 20]

Thank you for your invitation to provide evidence to the Home Affairs Committee on 16 April. I welcome the opportunity to brief the Committee on the work of the BBA and our member banks to address cyber enabled financial crimes. To inform the discussions, I thought it may be helpful to provide some advance information to the Committee on:

Supporting bank customers and victims of cyber enabled frauds.

The evolving nature of cyber threats.

The challenges in responding.

The strategic industry approach to financial crime.

Issues for future consideration.

Supporting Bank Customers and Victims of Cyber Enabled Frauds

BBA members have put in place highly sophisticated security and prevention measures to safeguard customers from online frauds. Banks have also invested in intelligence and analysis systems, recruitment of skilled staff and firm wide training and policies to ensure the most effective strategic defences against financial crimes, as well as working closely with UK law enforcement. These efforts have been essential for driving down online banking fraud losses but also important for maintaining confidence in online banking, particularly given that many customers now use this channel.

Our members see supporting the innocent victims of fraud as a crucial priority. The vast majority of customers that have been defrauded are refunded in accordance with regulatory requirements and banks also provide practical advice and support as appropriate. At the industry level, the BBA works closely with our members to promote best practice for addressing financial crimes including through the guidance materials that we publish.

BBA members are highly committed to raising customer awareness of fraud risks and the “self protection” measures that can be taken. Many banks provide fraud prevention advice on their websites and a number of firms hold awareness raising events for customers. At the industry level, Financial Fraud Action UK (FFA UK) lead fraud prevention efforts on behalf of retail banks and card issuers and have managed a number of awareness raising campaigns including:

A national campaign, led by FFA UK and supported by the BBA, to raise awareness of the risks posed by criminals that coerce or dupe members of the public into acting as “money mules”.

A partnership[1] between the National Fraud Authority (NFA) and FFA UK that highlighted how cyber criminals steal and use personal information for the purposes of fraud.

Advice sheets produced jointly by the BBA, FFA UK and the Police, to raise customer awareness of the risks posed by Investment Fraud and a leaflet setting out advice for visitors to Britain.

The Evolving Nature of Cyber Threats

BBA members have achieved good success in driving down the losses from online banking fraud. However, given the size of the British banking sector and the ever growing number of people who conduct their banking and everyday business online, we recognise that our customers will continue to be targeted by cyber criminals. For example, criminals use stolen genuine card details to make fraudulent purchases over the internet via a PC, smart phone or tablet. Criminals also use malicious software and/or “phishing” emails as a means to compromise or steal customers’ sensitive banking credentials to enable fraud and money laundering. Criminals also communicate with each other online to trade data and to share knowledge on offending methods.

As banks have strengthened their controls against cyber enabled financial crimes, the criminals have sought to develop new cyber techniques, such as online social engineering, to dupe or coerce people into divulging personal information or making payments. There is also evidence that criminals are targeting other sectors and businesses that may have weaker controls than banks, to access customer information that can be then used for fraud offending.

Cyber techniques may also be used for attacks against banks that are not financially motivated including:

Subversion (often known as “hacktivism”, this is generally carried out as part of a protest. The attackers seek to expose perceived injustice, bad practice and/or exploitation by banks in order to damage their reputation or force changes in policies).

Sabotage (to disrupt the availability of banks’ online services and content thus eroding customer trust and damaging the organisation’s reputation).

Espionage (to steal and exploit sensitive information or intellectual property).

Challenges in Responding to these Threats

Whilst BBA members have developed some of the strongest financial crime controls anywhere in the world, there are significant challenges that remain in responding to the cyber criminals including:

Rapid evolution in criminal techniques—Criminals are adopting new cyber offending techniques in response to the counter measures that are put in place, quickly spotting new opportunities and often operating through organised global networks. Highly advanced analytical capabilities are needed in banks, alongside effective intelligence arrangements with law enforcement, to keep up-to-speed with this rapidly changing threat picture.

Balancing customer service and financial crime prevention—There is a challenge in balancing effective measures for spotting and stopping financial crimes with good customer service, as some necessary control measures can cause delays. Our members are constantly striving to ensure that they have the most effective policies and practice in this respect, as well as providing as much information as possible to customers.

Conflicting policies and laws—Compliance with financial crime obligations can at times conflict with other legal obligations on banks. For example, data protection requirements pose challenges to the efficient sharing of information by banks that is needed to spot and stop financial crimes. Similarly, banks are required by the Proceeds of Crime Act to ensure that they do not “tip off” customers that an investigation is taking place whilst also meeting customer demands for detailed explanations when actions have been taken on accounts.

Enforcement capabilities—Often the investigation and prosecution of criminal cases involving cyber crime can be complex, lengthy and expensive, especially where offenders are located outside the UK. Adequate resources are therefore needed to ensure law enforcement is able to provide an effective response to cyber crime cases reported by banks and their customers. This is vital not only for ensuring that justice is served to victims but also to deter potential future offenders.

The Strategic Industry Approach to Addressing Cyber Enabled Financial Crimes

The role of the BBA

The BBA, as the leading association for the banking and financial services sector, supports our members’ efforts to address all forms of financial crime[2] by coordinating strategy and policy, providing guidance, promoting best practice and facilitating operational interaction between banks and law enforcement. The following are some examples of our work in 2012 on fraud matters:

Thought Leadership: We provided a report to the NFA in April 2012 setting out an industry perspective on international fraud threats and challenges, including recommendations for enhanced cooperation between banks and HM Government in this area. The Chief Executive of the NFA in his written response described our report as “well written” and “an example of where work conducted by one sector can highlight wider issues and identify joint working opportunities between other sectors and organisations…”.

UK Policy: In August 2012 the BBA responded to the FSA Guidance Consultation on “Banks defences against investment fraud”. Since our response we have agreed a programme of work with our members to follow up on the FSA recommendations and we are also liaising with the Financial Conduct Authority on this matter. Through 2012 we also provided views to the Home Office on the fraud intelligence arrangements for the National Crime Agency and to the Department of Work and Pensions on the financial crime controls for the Universal Credit.

International Policy: As well as responding to a number of EU level consultations, the BBA supported United Nations work on financial crime in 2012. This included participation in the UN Experts Group on Economic Crime and Identity Fraud and support for an initiative to promote financial crime compliance in the EurAsia region.

Industry Analysis: In December 2012 we provided a report[3] to BBA members setting out analysis of cyber threats and challenges as a basis for strengthened industry collaboration in this area (more details on work in this area are set out below).

Operational/practical support: In early 2012 the BBA established a mechanism with the Metropolitan Police to ensure the most efficient exchange of information with BBA members to prevent financial crimes during the Olympics. Later in 2012 we agreed a new arrangement for the National Fraud Intelligence Bureau to provide fraud alerts to investment banks and smaller banks through an online system managed by the BBA.

The BBA Financial Crime Strategy 2013–14

Our members recognise the importance of collaboration across the industry on financial crime. With this in mind, the BBA Board in October 2012 agreed a two year strategy to address financial crime comprising the following priority initiatives:

An Annual BBA Financial Crime Report to publicly outline how the industry is responding to financial crime, the challenges we face and our future priorities.

A review of industry intelligence arrangements for financial crime, to enhance industry knowledge of emerging financial crime risks.

Dialogue with the Home Office on BBA proposals for improvements to the legal and policy framework for financial crime and on bank partnership with the National Crime Agency.

Proactive engagement with the Financial Conduct Authority to support our members to understand and meet Regulatory expectations on financial crime.

Intensified BBA led engagement with EU and international bodies, to promote public/private partnerships at the global level to address financial crimes.

The BBA Financial Crime Policy Group acts as our key oversight committee for delivery of the strategy, though regular reports will be provided to the BBA Board over the coming years. Consideration of cyber crime is an intrinsic element of our strategic approach in this area given that criminals employ cyber techniques for a range of financial crimes, particularly fraud and money laundering. The BBA has also recently established a new dedicated Cyber Advisory Panel, bringing together senior bank representatives to coordinate industry strategy and policy on strategic cyber security and cyber risk management issues.

Our partnership with Financial Fraud Action UK

The BBA works closely with FFA UK to support our members’ efforts to address cyber enabled frauds. Key areas of collaboration include:

Campaigns to raise customer awareness of fraud and promote bank best practice.

Promoting the sharing of knowledge and expertise within the banking sector on emerging fraud threats.

Developing common approaches on fraud policy issues, including joint representations to UK and international bodies where appropriate.

The FFA UK and the BBA will continue to work together to promote effective fraud prevention and raise customer awareness of emerging risks. Whilst the BBA and FFA UK have some common retail bank members the BBA also is keen to further ensure that investment bank, smaller bank and private bank members are brought into industry level initiatives where appropriate.

Areas for Future Consideration

The BBA welcomes the proactive approach of HM Government to engagement with the private sector on cyber crime matters. In particular, the BBA is pleased to be participating in the recently formed Cyber Crime Reduction Partnership that brings together industries, HM Government and academia to develop collaborative efforts to address cyber crimes.

Beyond this, we would suggest that the following could be considered to strengthen our collective capabilities to address cyber offending:

Intensified public awareness campaigns

Whilst recent banking industry led campaigns have successfully raised public awareness of cyber crime risks, there is a need for an intensified multi-sector approach to ensure that members of the public better understand the threats they face. Further targeted campaigns are needed to ensure that prevention messages are reaching key audiences, such as younger online users and the vulnerable.

Reforms to the legal and policy framework

BBA members are of the view that government should consider possible improvements to the legal and policy framework for financial crime. Specifically there may be merit in considering updates to the Proceeds of Crime Act, to ensure it is up-to-date with modern financial crime offending techniques. Policy or legislative change may also support a more effective balance between data protection obligations and the requirement for firms to share information to address financial crimes.

Enhanced investigation and enforcement capabilities

The establishment of the National Crime Agency is a real opportunity to develop the highest quality capabilities for investigation and enforcement against cyber offenders. BBA members are keen to support the strengthening of enforcement capabilities by putting in place the strongest possible information exchange mechanisms and through the exploration of potential “two-way” sharing of staff between the National Cyber Crime Unit in the NCA and BBA member banks.

A coordinated global partnership

Given the global nature of cyber offending and the widespread harm it causes, the BBA is of the view that a coordinated international multi-sector approach is required. The UN Experts Group on Cyber Crime may provide a useful mechanism for international policy development but we believe that, beyond this, more can be done globally at a practical level. This could include sharing of knowledge between different sectors to enhance understanding of emerging cyber offending techniques, improvements to international standards for addressing cyber crimes and the promotion of greater public awareness of cyber crime risks.

I hope this provides useful supporting information to the Committee and I look forward to discussing these issues further on 16 April.

Anthony Browne
Chief Executive
British Bankers’ Association

April 2013

[1] “The Devil’s in your Details” campaign.

[2] Our portfolio includes work to tackle bribery, corruption, fraud, money laundering, terrorist financing, cyber crimes and physical crimes.

[3] BBA report titled “Defining the cyber threats and challenges to the banking sector”.

Prepared 29th July 2013