16.As methods for defrauding consumers continue to change and develop, financial services firms have been working with the Government and Regulators to prevent fraud. This has sometimes been at firms’ own initiative and sometimes in response to pressure from regulators or consumer groups. In this chapter we consider both fraud prevention initiatives already being implemented and those still under consideration.
17.Financial firms already use data sharing to help them identify criminal activity which could be occurring across multiple banks. Chris Rhodes, Chief Product and Propositions Officer at Nationwide Building Society, told us that there “is a huge amount of data-sharing”21 with other institutions.
18.However, we also heard that there was potential for more information to be shared between different financial institutions to prevent fraud and that regulations were getting in the way. Susan Allen, Head of Retail Business Banking at Santander UK, said:
There is room for us to do more on data-sharing […] Anything that helps us in terms of regulation to enable more of that would be really helpful.22
19.Stephen Jones, Chief Executive of UK Finance, told us:
We have previously asked Government for a new power to share information more widely across the sector and not to have […] a criminal burden of proof before we start to do that. That will enable us to track, trace and prevent in a much more effective way.23
He explained that UK Finance did not believe the criminal exemptions in the Data Protection Act24 were clear enough to allow data sharing at the pace and extent needed:
We proposed to Government a general power and safe harbour for banks to share information for the purposes of preventing and detecting all types of economic crime. We asked for that in the Criminal Finances Act, and indeed the FCA supported that call, but Government rejected it.25
20.When the Criminal Finances Bill was proceeding through Committee stages in 2016, Nausicaa Delfas, Director of Specialist Supervision at the Financial Conduct Authority, called for:
The threshold for sharing information to be lowered, so that institutions can share information when they see unusual activity and not just when they actually have enough information to have a suspicion.26
This request was not implemented, though the Act does permit financial firms to share information under certain conditions if there is a suspicion an individual is involved in money laundering.
21.The concern around the ability of firms to share data was echoed by Police Commander Karen Baxter, the Police National Coordinator for Economic Crime at the City of London Police:
Probably one thing [that could help] is around that facilitation of data sharing. […] GDPR has just put a framework around that. […] Perhaps it has slowed, in some cases, the exchange of that information.27
22.The Government sees data sharing as an important part of the fight against economic crime. Its Economic Crime Plan 2019–22 says that:
No one agency or organisation has the information, intelligence or data necessary to combat economic crime alone. This can only be achieved by agencies and organisations having the appropriate powers, gateways, frameworks and culture in place to facilitate the effective, appropriate and targeted sharing and use of information.28
23.In order to achieve efficient data sharing between firms the Government has set a commitment for a “public-private working group” to be set up which is “focused on information-sharing for economic crime purposes.”29 This working group will include the Home Office, HM Treasury, UK Finance and the National Economic Crime Centre. HM Treasury has told us that the working group is at an early stage and is currently developing policy workstreams.30
24.The Government has not been listening to concerns that data sharing requirements for financial services firms are too restrictive and unfit for purpose. We welcome the establishment of the public-private working group. Its remit must include assessing whether the current data sharing requirements are fit for purpose. If not, the working group must make detailed proposals to reform those legal requirements including considering using existing subordinate legislation-making powers under the Data Protection Act 2018 to amplify or clarify exemptions in the Act. The group should report to us every six months on progress made.
25.Financial services firms work together to track where stolen money goes once it is within the financial system. Susan Allen of Santander UK told us that Santander had invested £100 million in 2018 into combatting economic crime and that once a fraudulent account was identified, they were able to look for linked computers and mobile phones to see which other accounts were also being accessed via those devices.31
26.Accounts holding money fraudulently obtained are reported to financial firms by the police and consumers. We questioned Megan Butler of the FCA on media reports that some bank accounts were still receiving funds eight weeks after the bank had been told they were receiving stolen funds. She told us that “[firms’] systems are very different and their ability to spot it is very different at the moment.” She did not believe setting targets for how quickly an account should be blocked from receiving new payments would be the best solution:
Generally we want banks to exercise judgment and to be capable of responding properly. The difficulty with setting hard and fast rules around this is that they then work to the hard and fast rule and not necessarily as quickly as they should in some particular circumstances.32
27.Chris Hemsley of the PSR provided information on developments within the sector remarking that “everyone needs to act as quickly as possible” and that:
One quite encouraging change that happened last year were the changes that were put in place to improve the way that banks talk to one another. They agreed standard ways of passing information to one another, which facilitated the receiving bank acting more quickly on these types of frauds.33
28.We are concerned over the length of time some accounts used in economic crime remain active once intelligence has been received on their potential misuse. Whilst we understand that prescribed timeframes could delay how quickly banks act, the difference in time each bank takes to act creates weakness in the UK financial system. The FCA should work with financial institutions to ensure consistency across the sector. We recommend that the FCA uses its powers to set a timeframe in which an account must be frozen when evidence has been received by a bank that it is receiving money fraudulently.
29.Confirmation of Payee (CoP) is a new element of protection when sending a payment via the Faster Payments Scheme and CHAPS.34 At present when a payment is sent, the initiator of the payment must give the payee’s name, account number and sort code. While the latter two are cross referenced and confirmed with the receiving bank, the payee’s name is not.35 CoP involves the name of the recipient being confirmed as well as the account number and sort code when a payment is made. Chris Hemsley, Co-Managing Director of the Payment Systems Regulator, told us how the system is intended to work:
If there is a perfect match between the account number and the name, you would expect the transaction to go through much as it does today[…]. If you are setting up a new payee, that is when these checks particularly come in. […] If there is a close enough match, so that it is Mr Smith rather than Dr Smith, for example, that there would be a warning. It would go back to the customer and say, “Actually the name is this. Is this who you want to pay?” If there is not a reasonable match at all and it is quite far away from it, you would expect the sort of warning that asks the customer to contact the payee again, to get the details right and restart or initiate that payment.36
30.Customers will be able to use this system by March 2020 when it will cover the six largest banking groups and 90% of eligible payments.37 No timetable yet exists for smaller firms getting onto the system; however, this will be a focus for the Payment Systems Regulator (PSR) once the largest six are up and running. Originally the PSR had set a timetable of July 2019 for CoP to be operational; however, their consultation led to the conclusion that this timetable was too tight.38
31.The current lack of payee name check can lead to cases where consumers believe they are paying one person—and insert that name—but in reality are sending to a fraudulent account. Richard Emery, Independent Fraud Investigator, 4Keys International, explained:
Most individuals are completely unaware of the fact that it is possible for a fraudster to change the bank details in an attachment to an email. They receive an invoice by email. They are expecting it and have no reason to question it, so they pay it; but the money goes to an account controlled by a fraudster.39
32.Issues caused by the lack of name matching were raised by Which? in a 2016 super-complaint to the PSR which focused on “highlighting that when people are subject to sophisticated scams and are tricked into transferring money to fraudsters via bank transfer […] banks did not provide the levels of protection that they could–and that they typically would provide for other types of payment fraud.”40
33.When we asked about progress of confirmation of payee implementation, Stephen Jones of UK Finance said that “it is quite a complex IT and process change.”41 He also discussed a competition rationale for a delay until a wider range of institutions were able to offer the technology to consumers:
There is also the issue that we want a broad variety of payment service providers in the system. […] While the large and sophisticated institutions […] have the resource to do what is required internally, a number of the middle and smaller-sized institutions do rely on third parties to deliver a solution to implement. […] If we go too fast, we will end up with a two-tier system where […] customers are forced to make a choice between the big institutions and mid-sized and smaller-sized institutions.42
34.The delay in rolling out CoP to a wider range of institutions will have consequences. Mark Tingey, Head of Financial Crime Operations at Metro Bank, said that “the more participants there are, the more successful it is going to be.”43 Chris Rhodes of Nationwide explained that this was because the system “requires [the sending bank] to send a message to [the receiving bank] and for them to confirm that it is the right account, it has to work both ways.”44 Therefore, if not all financial firms with customer accounts are part of the scheme the protection becomes less effective.
35.Susan Allen of Santander UK provided the following explanation of the complications around a seemingly simple change:
Our customers make payments in lots of different ways […] we have to make changes in every single one of those channels; we have to make changes that link into the payment systems; and then we have to make changes to be able to receive messages in from the other banks and present them back to the customer in whatever channel the customer chooses.45
36.Mark Tingey of Metro Bank explained that the variety of data which could be used—such as using a second name instead of a first name, or businesses using holding company names—creates issues around matching the data.46
37.One of the concerns around CoP is spelling mistakes. We questioned Mark Tingey of Metro Bank on this, asking what the system would flag if ‘independent’ was spelt incorrectly with an ‘a’. Mark Tingey explained to us that “an obvious spelling mistake” would not be flagged, however he also said that the system needs to be “sophisticated enough to identify a genuine mistake versus a clear fraud.”47
38.Confirmation of payee was seen as a positive step towards combatting economic crime. Richard Emery, an independent fraud investigator, told us that “it will make a lot of difference when it comes in”48 and Megan Butler of the FCA agreed that it would “play a significant part as an anti-fraud measure.”49 However, we were warned confirmation of payee would not be the whole solution to economic crime. Megan Butler warned us that “It is not going to be the only thing that will stop [economic crime]. We need to recognise that there are other things that banks need to do.”50
39.Confirmation of payee will not solve economic crime alone, and as such the onus will always be on financial firms to develop further methods and technologies to keep up with fraudsters.
40.The fact that banks were not previously confirming payees is a serious failure to protect customers from harm. Asking for such information but not using it would have created a false sense of security among some customers when sending payments. It might have been better for banks to not ask for this information at all if they were not going to use it for fraud prevention.
41.We therefore recommend that Confirmation of Payee should be introduced as a matter of urgency. Every delay leaves more people vulnerable to falling victim to economic crime. If the implementation date of March 2020 begins to look in doubt, regulators should consider introducing sanctions, such as fines, to firms who have not met the deadline.
42.The argument put forward that Confirmation of Payee implementation could be harmful for competition if large firms implemented before small ones is without merit. Competition in the banking sector exists for the benefit of customers, not for the benefit of firms. Customers should not be put at risk of becoming victims of fraud in order to protect slow adopting firms from implementing protections for their customers. The Payment Systems Regulator should therefore ensure that all relevant firms can implement Confirmation of Payee by the end of 2020.
43.Subtle differences which might not be immediately obvious to many people, such as using ‘soliciters’ rather than ‘solicitors’, could represent a fruitful way for fraudsters to disguise fraudulent accounts as legitimate accounts, and therefore small inaccuracies should be flagged for consumers’ own protection. We recommend that spelling mistakes are flagged within the new Confirmation of Payee System.
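The three outcomes described in the evidence above (a perfect match, a close match such as Mr Smith rather than Dr Smith, and no reasonable match), together with the recommendation that spelling mistakes be flagged, can be sketched as follows. This is an added illustration, not part of the report or of any Confirmation of Payee specification; the title list, the 0.85 similarity threshold, the function names and all payee names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Assumed values for illustration only; not taken from the report
# or from any Confirmation of Payee rulebook.
TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof"}
CLOSE_THRESHOLD = 0.85


@dataclass(frozen=True)
class CopResult:
    outcome: str                 # "MATCH", "CLOSE_MATCH" or "NO_MATCH"
    name_to_show: Optional[str]  # account name, disclosed only on CLOSE_MATCH


def _tokens(name):
    """Case-fold, replace punctuation with spaces, split into words."""
    return re.sub(r"[^\w\s]+", " ", name.casefold()).split()


def _without_titles(tokens):
    """Drop honorifics so 'Mr' versus 'Dr' does not affect similarity."""
    return [t for t in tokens if t not in TITLES]


def confirm_payee(entered, account_name):
    """Compare the name the payer typed with the name held on the account.

    MATCH       - identical apart from case and punctuation: proceed.
    CLOSE_MATCH - differs only by title or by a small spelling variation:
                  warn the payer and show the name actually on the account.
                  A misspelling is flagged, never silently accepted.
    NO_MATCH    - not a reasonable match: warn, and do not disclose the
                  account holder's name to the payer.
    """
    entered_tokens = _tokens(entered)
    account_tokens = _tokens(account_name)

    if entered_tokens and entered_tokens == account_tokens:
        return CopResult("MATCH", None)

    a = " ".join(_without_titles(entered_tokens))
    b = " ".join(_without_titles(account_tokens))
    score = SequenceMatcher(None, a, b).ratio() if a and b else 0.0

    if score >= CLOSE_THRESHOLD:
        return CopResult("CLOSE_MATCH", account_name)
    return CopResult("NO_MATCH", None)


if __name__ == "__main__":
    # Constructed sample pairs: (name typed by payer, name on the account).
    samples = [
        ("Mr John Smith", "MR JOHN SMITH"),
        ("Mr John Smith", "Dr John Smith"),
        ("Smith and Jones Soliciters", "Smith and Jones Solicitors"),
        ("Independant Traders Ltd", "Independent Traders Ltd"),
        ("Acme Building Supplies", "J Doe"),
    ]
    for typed, held in samples:
        result = confirm_payee(typed, held)
        print(f"{typed!r} -> {result.outcome} (shown: {result.name_to_show})")
```

Under this sketch a one-letter misspelling produces a warning that shows the name held on the account, so the payer sees the discrepancy before the payment is released.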
44.Faster payments are instant transactions which are normally processed and sent within a number of seconds, without a recall or reversal system built in.51 Clearly this is something customers appreciate; however, there is a balance between speed and safety. Stephen Jones of UK Finance explained to us that when a criminal is moving money it is “often split very quickly and very intelligently in seconds and put into multiple accounts that sometimes go cross-border.”52 Caroline Wayman of the FOS told us that “[…] the money moves in seconds so recovery is very difficult. Prevention is the best thing […].”53
45.Within the Faster Payments scheme it is currently possible to delay a payment for up to two hours to undertake scanning to detect fraud.54 Chris Rhodes of Nationwide Building Society told us how Nationwide use this function:
We suspend and delay up to 1,000 payments a week to do further investigation before they leave the society. About one in 20 of those turn out to be fraud.55
46.The faster payments delay is to enable the providers to detect fraud. It does not allow customers to protect themselves. Some banks have tried to introduce a delay that would be applied by the customer themselves. Susan Allen told the Committee that such an approach has not been very successful:
Customers already have the choice to change the timings of their payments. […] on its own that is not really sufficient, because the fraudsters are quite sophisticated and they can convince the customer that they actually should not tick that box.56
47.Richard Emery, an independent fraud investigator, told us how in his experience, the speed of the financial system contributes to consumers falling victim to fraud:
The vast majority of authorised push payment fraud and unauthorised fraud […] happens within 24 hours of […] the creation of a new payee.57
48.Richard Emery suggested how it could be possible to counter the speed in the system:
From the moment I create a new payee, [the bank] are not to release any payment to that payee until after a clear 24 hours. In that time, please send me a text message, an email or phone me with an automated voice message, but tell me that I have created a payee.58
The benefit of such a system would be that in a high pressured situation where a fraudster is persuading the victim to transfer funds, the victim would have 24 hours after setting up that payment to reassess the situation. In the case of unauthorised fraud, the account holder would become aware that someone else had accessed their account to set up a payee.
49.Fraudsters rely on the speed of the payment system to move money into a series of different accounts before a customer or a customer’s bank is aware that a fraud has taken place. The speed of transactions makes it difficult for banks to trace stolen money once a fraud has occurred. Very few first-time payments need to be received instantaneously. Very large payments will often be scheduled days in advance. Therefore, high-speed payments on first time payments could be made redundant with only a limited impact on consumers.
50.We recommend a mandatory 24-hour delay on all initial or first-time payments, during which time a consumer about to be defrauded could remove themselves from the high-pressure environment in which they are being manipulated. All future payments to that same account could flow at normal speed to minimise inconvenience to customers. If a situation arose whereby an initial payment was needed instantly, a customer could ring their bank and additional checks could be carried out for the funds to be released.
51.All of the frauds previously discussed in this report require somewhere for the money fraudulently obtained to be deposited. One of the ways fraudsters do this is to use a money mule account. CIFAS (Credit Industry Fraud Avoidance System–a not-for-profit fraud prevention membership organisation) define a money mule as “an individual who allows their bank account to be used to move criminal funds […].”59
52.Mule accounts are a significant problem for the financial sector. Santander estimated that it closed about 900 accounts a month which were suspected of being mule accounts60 and Nationwide shut 23,790 accounts over a three-year period which had proven criminal activity.61 Metro Bank estimated that it shuts around 200 mule accounts per month which “received confirmed proceeds of crime.”62
53.The latest figures from CIFAS’ ‘Fraudscape 2019’63 report showed that money mules were a growing problem. It reported that in 2018 there were around 40,000 cases that “bore the hallmarks” of money mule activity, a 26 per cent increase on the previous year. CIFAS attributed the increase in money mules to the increasing difficulty in opening accounts via identity fraud (down 12 per cent in 2018 compared to 2017), making it often easier to recruit a new money mule to launder funds than opening accounts specifically for the fraud intended. The data also showed that the highest percentage increase in the use of money mule accounts was for accounts belonging to those aged between 40 and 60.64
54.Whilst financial firms are actively trying to prevent money mule accounts from being opened up, it is often existing and genuine accounts that are repurposed as mule accounts over time. One example of this is students who no longer need their account selling the log-in details. This was reported in the Guardian:
Students are selling their bank accounts–giving someone else their account details such as logons–for as little as £50 to £100, often as they are finishing university and heading abroad for a period. These accounts are then used by fraudsters to evade the strict checking procedures when individuals try to open an account.65
55.Megan Butler told us that the FCA expects banks to have “effective transaction monitoring arrangements”66 to detect changes in account usage in order to identify changes when a mule takes over.
56.Financial firms who allow members of the public to open bank accounts should provide information about what a money mule is, and the penalties for being convicted, at the point of opening. This should take the form of an easy to read factsheet, rather than being buried in the small print of terms and conditions.
57.Where groups of people most susceptible to being persuaded to become money mules are identified, targeted campaigns should be undertaken. For example, banks should fund work with universities, youth organisations, community centres, schools, Further Educational institutions and sixth form colleges to provide students with information, both when they join and at graduation. Targeted campaigns where other emerging trends are identified should also be undertaken.
58.We recommend that the FCA should set a challenging timeframe in which an account must be frozen when evidence has been received by a bank that it is receiving money fraudulently. We understand the argument made by the FCA that a timeframe may encourage financial firms to work towards the prescribed timeframe, rather than as quickly as possible, but without a deadline, some accounts are remaining open for weeks allowing further fraud to occur unnecessarily.
59.Not all data breaches which lead to economic crime stem from failures of the banking industry. Barclays told us:
As organisations within all sectors collect an increasing amount of consumers’ data–and as the value of that data increases–the increased likelihood of data breaches will potentially leave consumers ever-more vulnerable to fraud.67
60.Examples of data breaches have been covered in the press. In August 2018 a data breach at British Airways led to approximately 245,000 British Airways customers having their personal data, including payment details, stolen by hackers.68 Similarly, in the early part of 2018, Ticketmaster was also hacked and customers’ payment details were also taken.69
61.Given such leaks of customer information, the financial sector argues that it is not able to stop economic crime alone as third-party participation in the solutions is needed. Barclays said:
Broader and cross-sectoral collaboration is required from all organisations in the “scams ecosystem” – banks, telecommunications firms, social media platforms, dating websites, and many more – to prevent criminals from even reaching a customer in the first place.70
62.Which? also explained that “It is important that wherever a system’s vulnerabilities are exploited, the most appropriate bodies, […] [take] responsibility and work together.”71
63.UK Finance provided some examples of how the collaboration across the ‘scams ecosystem’ was already underway:
One example of […] collaboration is the work we have undertaken with Ofcom and the telecommunications sector to help mitigate the threat of fraud and the harm it causes to consumers. […]
all UK landline service providers have implemented changes to their infrastructure, reducing the length of time a call remains connected from two minutes down to circa two seconds; […].72
The latter point refers to instances where a fraudster tries to prove they are from a consumer’s bank by asking them to call the bank via the number on their bank card. However, the fraudster remains on the line and the consumer speaks to the same person.
64.UK Finance also identified many areas where work was in progress, including raising awareness of phishing, ensuring Ofcom are aware of new frauds and working to try and stop number spoofing.73
65.Barclays explained to us that it was often banks who ended up reimbursing consumers as a result of third party breaches, and how this could result in a lack of incentives for third parties to improve their security:
While a data breach may be the result of insufficient cyber security and data protection procedures, it is often banks that must incur the costs of reimbursing consumers, whether it be in pre-emptive action such as the re-issuance of new cards, or in payment following the instance of a fraud or scam.
We recommend that the liability framework for merchant data breaches is reviewed and updated to ensure that those who allow data losses bear the full costs of such losses, including the costs of third parties which can be accurately associated to their data loss. Otherwise, those who allow their perimeters to be breached will never have a robust incentive to protect data in the first place.74
66.Barclays called for data sharing across the Government and different sectors as it is critical in “preventing and halting fraud”75 and also for the Government and regulators to use their powers under GDPR to fine firms which suffer data breaches.76
67.The FCA told us that the third parties in question will often be under the jurisdiction of the Information Commissioner’s Office and ‘subject to those regulations’.77 Megan Butler said that the FCA works closely with the Information Commissioner’s Office to ensure that “regulators can work together.”78 Chris Hemsley, of the PSR, said they were engaging with “our fellow sectoral regulators–energy, water and so on–[…] to identify what more could be done.”79
68.When third parties are responsible for data breaches which lead to associated fraud, they should be responsible for the associated costs. The Government should consider making third parties liable for associated costs to financial services firms and encourage the Information Commissioner to take this into account when fining firms under the General Data Protection Regulations.
69.De-risking—where a financial institution ends a customer relationship it deems to be too high risk—was a topic covered in detail in our Economic Crime - Anti-money laundering supervision and sanctions implementation report. The focus of that Report was the wider picture and the effect that de-risking had on economic crime and whether the practice of de-risking could lead to greater illegal activity. Here we look at how de-risking affects individuals and small businesses.
70.De-risking has been a topic of concern for us and previous Treasury Committees. Previously the Committee has heard that charities, faith-based institutions, and money transfer businesses are often the victims of de-risking. For instance, in 2016 Dr John Low of the Charities Aid Foundation told the Committee that one bank had closed 2,500 bank accounts of charities.80 A report published in 2018 showed that 79% of charity respondents had problems accessing mainstream banking channels.81
71.In this inquiry, we received evidence that whole sectors, such as pawnbrokers, were having their banking services withdrawn, or refused in the first place.82 When consumers are ‘de-risked’ this is often done without explanation and without giving consumers an avenue to query the decision.83
72.Witnesses told us de-risking could lead to “cash economies where illegal activities flourish.”84 They also warned this could increase inequality within society as much of modern society requires access to banking services.85 The FCA Economic crime report suggested that 1.15 million customers had been refused access to financial services and around 375,000 had had their access removed.86 Megan Butler of the FCA went on to say that this is a “relatively small proportion of the overall number of customer transactions.”87
73.When asked about how financial institutions approached de-risking, Megan Butler said that the FCA “expect” instances to be dealt with on a case-by-case basis, but that:
We do come across examples, when they are brought to our attention, where it is not clear to us why an individual has been debanked;88 we follow those up with banks when they are brought to our attention, and sometimes that leads to facilities being re-offered.89
74.Megan Butler went on to explain that the FCA was working on gaining more of an understanding about the prevalence and trends within the de-risking of customers:
We will get a great deal more information coming through following the Payment Account Regulations coming into force on what the banks themselves are doing about refusal of bank accounts. […] not only will it give us a sector-wide view of trends, […] but it will give us firm-specific views on whether there are characteristics across that that would cause us concern, and […] if we see that operating.
[…] We will get much better data, which will allow us to tackle some of those broader societal issues in the right way and, importantly, get the banks to tackle them in the right way too.
75.Artificial Intelligence (AI) is being used to help financial firms identify financial crime.90 As part of our IT failures in the financial services sector inquiry, we heard about the potential risks associated with the use of Artificial Intelligence.91 There is also evidence to suggest that AI could mirror unconscious bias from its input data92 meaning, amongst other things, it could unknowingly introduce bias against protected characteristics.93
76.In the first instance banks should be as transparent as possible on de-risking to allow all individuals and firms the best possible chance of keeping their financial services. This may include providing greater information about why services have been withdrawn. There are examples of good practice on this and the FCA should ensure its rules allow for that to happen.
77.The FCA has at times appeared unable to act to prevent de-risking from happening. The improved data gathering from the Financial Crime Report should assist it in its efforts. The FCA and Financial Ombudsman Service should ensure that all instances of de-risking where a customer cannot come to resolution with their bank are fully investigated and banking services returned as quickly as possible wherever possible and appropriate. We would expect to see timely and appropriate action taken where instances of blanket de-risking are apparent.
78.Banks should only use Artificial Intelligence if they have a high degree of assurance that its use will not result in bias. Regulators have a role to play to ensure it is used responsibly and does not pose indiscriminate risks to sections of society.
28 HM Government, Economic Crime Plan 2019–22, July 2019, p26, point 3.2
29 HM Government, Economic Crime Plan 2019–22, July 2019, p28, Action 6
34 Payment Systems Regulator, Confirmation of Payee Response to the first consultation and draft specific direction for further consultation, May 2019, para 1.6
37 Payment Systems Regulator, Confirmation of Payee Response to the first consultation and draft specific direction for further consultation, May 2019, para 2.33
38 Payment Systems Regulator, Confirmation of Payee Response to the first consultation and draft specific direction for further consultation, May 2019, para 1.4
51 Faster Payments, How do I make sure that I do not become the victim fraud?, accessed June 2019
53 Treasury Committee, Oral evidence: Independent Review of the Financial Ombudsman Service, HC1400, 22 January 2019, Q219
59 CIFAS, Fraudscape 2019, June 2019, p10
63 CIFAS, Fraudscape 2019, June 2019, p12
64 CIFAS, Fraudscape 2019, June 2019, p10
65 “Fraud: here’s how the scammers get away with it”, The Guardian, 7 July 2018
68 “British Airways hack: why record £183m fine could have been far greater”, The Week, 8 July 2019
69 “Ticketmaster sued after 2018 data breach”, Ticketing Business News, 8 April 2019
80 Access to basic retail banking services, HC 808 Q257
81 Charity Finance Group, Impact of Money laundering and Counter-Terrorism Regulations on Charities, March 2018
86 FCA, Financial crime: analysis of firm’s data, November 2018, p7, para 3.6
88 Debanked is a term used when someone has their bank account removed
90 How artificial intelligence is fighting financial crime, Fintech News, 17 June 2019
93 As defined by the Equality Act 2010
Published: 1 November 2019