Conclusions and recommendations
The type and scale of economic crime affecting consumers
1.It is clear, both in terms of financial losses and in the variety of scams suffered by consumers, that economic crime is a serious and growing problem in the UK. Trends need to be identified quickly. In order to ensure a clear picture of the scale and types of economic crime facing consumers, the FCA should publish data on economic crime within six months. It should evolve its data collection practices to ensure they allow for emerging trends, while still enabling year-on-year comparisons. (Paragraph 15)
Prevention
2.The Government has not been listening to concerns that data sharing requirements for financial services firms are too restrictive and unfit for purpose. We welcome the establishment of the public-private working group. Its remit must include assessing whether the current data sharing requirements are fit for purpose. If not, the working group must make detailed proposals to reform those legal requirements including considering using existing subordinate legislation-making powers under the Data Protection Act 2018 to amplify or clarify exemptions in the Act. The group should report to us every six months on progress made. (Paragraph 24)
3.We are concerned over the length of time some accounts used in economic crime remain active once intelligence has been received on their potential misuse. Whilst we understand that prescribed timeframes could delay how quickly banks act, the difference in time each bank takes to act creates weakness in the UK financial system. The FCA should work with financial institutions to ensure consistency across the sector. We recommend that the FCA uses its powers to set a timeframe in which an account must be frozen when evidence has been received by a bank that it is receiving money fraudulently. (Paragraph 28)
4.Confirmation of payee will not solve economic crime alone, and as such the onus will always be on financial firms to develop further methods and technologies to keep up with fraudsters. (Paragraph 39)
5.The fact that banks were not previously confirming payees is a serious failure to protect customers from harm. Asking for such information but not using it would have created a false sense of security among some customers when sending payments. It might have been better for banks to not ask for this information at all if they were not going to use it for fraud prevention. (Paragraph 40)
6.We therefore recommend that Confirmation of Payee should be introduced as a matter of urgency. Every delay leaves more people vulnerable to falling victim to economic crime. If the implementation date of March 2020 begins to look in doubt, regulators should consider introducing sanctions, such as fines, to firms who have not met the deadline. (Paragraph 41)
7.The arguments put forward that Confirmation of Payee implementation could be harmful for competition if large firms implemented before small ones, is without merit. Competition in the banking sector exists for the benefit of customers, not for the benefit of firms. Customers should not be put at risk of becoming victims of fraud, in order to protect slow adopting firms from implementing protections for their customers. The Payment Systems Regulator should therefore ensure that all relevant firms can implement Confirmation of Payee by the end of 2020. (Paragraph 42)
8.Subtle differences which might not be immediately obvious to many people, such as using ‘soliciters’ rather than ‘solicitors’, could represent a fruitful way for fraudsters to disguise fraudulent accounts as legitimate accounts, and therefore small inaccuracies should be flagged for consumers’ own protection. We recommend that spelling mistakes are flagged within the new Confirmation of Payee System. (Paragraph 43)
9.Fraudsters rely on the speed of the payment system to move money into a series of different accounts before a customer or a customer’s bank are aware that a fraud has taken place. The speed of transactions make it difficult for banks to trace stolen money once a fraud has occurred. Very few first-time payments need to be received instantaneously. Very large payments will often be scheduled days in advance. Therefore, high-speed payments on first time payments could be made redundant with only a limited impact on consumers. (Paragraph 49)
10.We recommend a mandatory 24-hour delay on all initial or first-time payments, during which time a consumer about to be defrauded could remove themselves from the high-pressure environment in which they are being manipulated. All future payments to that same account could flow at normal speed to minimise inconvenience to customers. If a situation arose whereby an initial payment was needed instantly, a customer could ring their bank and additional checks could be carried out for the funds to be released. (Paragraph 50)
11.Financial firms who allow members of the public to open bank accounts should provide information about what a money mule is, and the penalties for being convicted, at the point of opening. This should take the form of an easy to read factsheet, rather than being buried in the small print of terms and conditions. (Paragraph 56)
12.Where groups of people most susceptible to being persuaded to become money mules are identified, targeted campaigns should be undertaken. For example, banks should fund work with universities, youth organisations, community centres, schools, Further Educational institutions and sixth form colleges to provide students with information, both when they join and at graduation. Targeted campaigns where other emerging trends are identified should also be undertaken. (Paragraph 57)
13.We recommend that the FCA should set a challenging timeframe in which an account must be frozen when evidence has been received by a bank that it is receiving money fraudulently. We understand the argument made by the FCA that a timeframe may encourage financial firms to work towards the prescribed timeframe, rather than as quickly as possible, but without a deadline, some accounts are remaining open for weeks allowing further fraud to occur unnecessarily. (Paragraph 58)
14.When third parties are responsible for data breaches which lead to associated fraud, they should be responsible for the associated costs. The Government should consider making third parties liable for associated costs to financial services firms and encourage the Information Commission to take this account when fining firms under the General Data Protection Regulations. (Paragraph 68)
15.In the first instance banks should be as transparent as possible on de-risking to allow all individuals and firms the best possible chance of keeping their financial services. This may include providing greater information about why services have been withdrawn. There are examples of good practice on this and the FCA should ensure its rules allow for that to happen. (Paragraph 76)
16.The FCA has at times appeared unable to act to prevent de-risking from happening. The improved data gathering from the Financial Crime Report should assist it in its efforts The FCA and Financial Ombudsman Service should ensure that all instances of de-risking where a customer cannot come to resolution with their bank are fully investigated and banking services returned as quickly as possible wherever possible and appropriate. We would expect to see timely and appropriate action taken where instances of blanket de-risking are apparent. (Paragraph 77)
17.Banks should only use Artificial Intelligence if they have a high degree of assurance that its use will not result in bias. Regulators have a role to play to ensure it is used responsibility and does not pose indiscriminate risks to sections of society. (Paragraph 78)
Investigating fraud as crime
18.The announcement of a national fraud strategy is long overdue. It followed the damning criticism of Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services’ report. It must now be a priority for police forces to make the strategy work. One of the actions from the Economic Crime Plan 2019–22 is that the police response to fraud is improved. The Government should provide us with an update on this action within six-months of publication of this report. (Paragraph 89)
19.One of the actions from the Economic Crime Plan 2019–22 is that the police response to fraud is improved. The Government should provide us with an update on this action within six-months of publication of this report. (Paragraph 89)
20.Complex fraud cases have not always been effectively ‘tasked’ or referred upwards. At times they are just moved from pillar to post. This is unacceptable for the victims of potentially devastating crimes. It is therefore welcome that this is both a focus of the police, and its inspectorate. (Paragraph 96)
21.Improvements to tasking will hopefully relieve some pressure on local forces. However, some cases will remain at the local level. The Government must review how it provides support to individual police forces which consider they have complex frauds they could successfully investigate, where resources may otherwise prevent those cases progressing. (Paragraph 97)
22.We are pleased to hear that in the main, reports of economic crime from financial institutions to the police are happening in a timely manner so the police can start an investigation promptly. However, we are concerned that banks do not always appear to be reporting instances to the police where, for example, the bank has reimbursed the victim. Given the high-speed nature of the financial system, any delay in reporting to the police could prevent recovery of funds and allow fraudsters to profit at a victim’s expense. (Paragraph 100)
23.The Government should require all frauds to be reported regardless of their size, and whether or not a financial institution has reimbursed a consumer. (Paragraph 100)
24.It is not currently always clear to consumers whether a fraud should be reported to an individual consumer’s bank, the police or to Action Fraud, nor is it always clear what each entity would do with the information provided. The process for reporting an economic crime needs to be clarified. We welcome the plans to issue guidance to Action Fraud and chief constables to ensure consumers reporting a crime are clearly told both how reported instances of fraud will be used, and also how they won’t be used, when they report a crime. (Paragraph 105)
25.The serious criticism of Action Fraud in the ‘Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services’ report and in the media need to be addressed. In its response to this report the Government should set out what it has done to address this issue. (Paragraph 106)
Consumer rights and responsibilities
26.We welcome the Contingent Reimbursement Model Code—a frame work for financial institutions to use to determine when reimbursement should be provided to victims of APP Fraud—as a way to protect consumers We remain unpersuaded that the Code should be voluntary and strongly urge any relevant parties who have not yet signed up to the Code to do so. As the first year review of the Code approaches, the Code should now be made compulsory through legislation. (Paragraph 114)
27.We accept that including retrospective reimbursement within the Code would have been a barrier to financial firms becoming signatories. However, financial firms have been warned since 2016, when Which? made a super complaint, that they have been failing in their duty to protect customers by not linking information on account names to payments. This is still an issue as Confirmation of Payee has not been implemented yet. (Paragraph 118)
28.We strongly encourage firms to consider whether refusing to retrospectively reimburse customers who relied on the payee name is fair and just. We especially encourage this where the customer would now fall into the Code’s definition of vulnerability. (Paragraph 119)
29.We accept that keeping the Practitioner Guide private avoids it becoming a guide to committing fraud. However, the current consumer guidance is so high level, it does not give consumers a clear sense of what is expected of them. Without sight of how the Code should work in practice, consumers may be left unable to effectively challenge their bank. This could lead to an increased number of cases being referred to the Financial Ombudsman Service and a delay in any potential reimbursement. We recommend that a more detailed consumers’ guide is produced, which includes practical examples. (Paragraph 124)
30.We welcome the FCA’s recent rule changes requiring financial firms receiving payments to ensure that they are not inadvertently assisting economic crime. However, we are concerned by the lack of power financial institutions have to recover money sitting in bank accounts once it has been reported as stolen. Given the development of MITS technology, the Government should review the current legislation around recovery of stolen funds to ensure that victims can be reimbursed as quickly as possible, whilst protecting legitimate transactions. (Paragraph 129)
31.The existing Payment Services Regulations do not define what actions by a customer would be deemed as ‘gross negligence’. As a result, each individual firm can set its own bar of what customer behaviour it would deem to be grossly negligent. This could lead to a lack of consistency between how customers with the same circumstances are treated. We recommend that an accepted definition for gross negligence should be agreed by the regulators. The regulators should require financial firms to produce an easy to read lists of ‘dos and don’ts’ for customers, to show how the individual financial firms would define proper account usage in the majority of circumstances. Such lists would allow for variations between firms. (Paragraph 139)
32.Financial firms must ensure that vulnerability is a key factor in determining if a consumer was grossly negligent. The FCA should ensure that the outputs from their recent consultation on the Guidance for Firms on the Fair Treatment of Vulnerable Customers covers any finding of gross negligence. (Paragraph 140)
33.If firms do find individual consumers to have been grossly negligent, we recommend their customer responses quote the legislation the firms are relying upon to refuse making a reimbursement, alongside an explanation of how this conclusion was reached. Although it may cause distress, we believe that using the phrase ‘grossly negligent’ would provide a very clear explanation to the consumer why their claim is being refused, and on what grounds. (Paragraph 141)
34.Education has an important role to play in the wider fight against economic crime. There is always merit in equipping consumers with skills to give them the confidence and knowledge to pause and think about whether or not the situation they have found themselves in could be a fraud. (Paragraph 148)
35.We recommend that financial firms should undertake targeted education campaigns where trends have been identified and when new scams appear. These should include information at the point of opening an account about the consequences of being a money mule and information regarding emerging frauds so that consumers can stay vigilant. (Paragraph 149)
36.It is important that financial education is not a ‘one time’ exercise. We recommend that reminders are sent out to consumers in different formats and at different times. This should include online marketing and social media to target messages to younger consumers. This will ensure that firms are not only meeting their obligations of the Contingent Reimbursement Model Code, but also will help prevent fraudsters from succeeding in the first place. (Paragraph 150)
Published: 1 November 2019