Examination of Witnesses (Questions 162
WEDNESDAY 13 DECEMBER 2006
Mr Robinson and Mr Gruppetta, thank you very much for coming to
talk to us and answer our questions. Would you now like to introduce
yourselves and then make any opening statements should you wish
to do so.
Mr Robinson: My name is Philip Robinson and
I am the Director of Financial Crime in the UK's Financial Services
Mr Gruppetta: My name is Rob Gruppetta and I
work at the FSA with Philip on his Financial Crime Team.
Mr Robinson: We have no need to make a statement.
Let me start out with a simple question: how secure is on-line
Mr Robinson: You have heard a lot of evidence
already about that. Our view is that it is very secure generally
because it often requires more security than non-on-line banking.
There may be questions about how the security is used, but certainly
where you require somebody to have to deliver some security password
to get access, that is generally more secure than other mechanisms
of payment in cash.
Do you bank on-line yourself?
Mr Robinson: I do, sir.
Mr Gruppetta: So do I.
You make payments et cetera, as well as just monitoring your account?
Mr Robinson: I do. I often make payments very
late at night, often when my daughter has asked me to top up her
bank account at university, as we have all done, so I am certainly
a very active user of on-line banking facilities.
There is general agreement among those who have submitted evidence
to this inquiry that the current reliance on shared secrets for
on-line security is wholly inadequate. What pressure has the FSA
been putting on the industry to raise security to more acceptable
Mr Robinson: In 2004 we actually reviewed the
information security issue from a financial crime perspective,
and we have mentioned that in our submission. What we found in
2004and I will talk in a minute about what we have done
in 2005 and what we will do in the futurewas that in general
the very large institutions were very up to speed and they were
aware of the threats and risks. They had very strong disciplines
in managing their IT and in the environment that we saw at the
time we felt that the large institutions did well. We found though
that the middle-sized and smaller institutions just did not have
the same rigour of practices. We publicised that information in
2004 and we followed up with one or two other interventions in
2005 and 2006 to make sure that the issues were being addressed.
As a risk-based, proportionate regulator, our starting point is
always to look at the systems and controls that firms are implementing.
Indeed, that is our requirement under the Financial Services and
Markets Act. We are not a direct regulator of the behaviour of
the banks, for example, towards their customers; that is the Banking
Codes Standards Board. So our starting point is are the firms
managing their financial security risks properly and, if not,
what are they doing about it? We publicise good and bad practice
and we followed up on that information through our supervision
of banks through 2005 and 2006.
So can we expect to see Chip and PIN style authenticationwhat
Visa call dynamic pass code authenticationgenerally available
for on-line credit cards and, if so, when do you think it will
Mr Robinson: I think that we need to make a
distinction between on-line payments for purchases there
are around 26 million individuals who do that sort of thingand
people who have on-line bank accounts. The difference in the nature
of those two relates to the way you can communicate with the customers.
If you have got an on-line bank account many of the alerts and
other concerns that people were talking about earlier on can be
brought to people's attention if they are going to go on-line.
There are various other ways of doing that. If you are dealing
with people who are making on-line payments with a credit card,
they may not have an on-line bank account and they may not themselves
therefore get access to these on-line warnings, and other things
may be necessary. The reason I made those comments in that way
is really that you need to focus on the risk that is being presented.
The two factor authentication already exists in many areas with
the existence of a Chip and PIN card and the knowledge of a PIN.
The problem with that is that in the area of customer not present
fraud, which you have heard is a growing area, and I would say
is one of the larger growing areas in fraud of that nature, you
do not have the capacity to put that two factor authentification
into play unless you have some other mechanism. It is my judgment
that that is the direction in which the industry will go. Our
starting point is that we would not necessarily instantly require
institutions to do anything. Our starting point would be to ask
the question "are they managing the risks that are presented
by their channels of operation?" So a bank that is not offering,
for example, an Internet banking opportunityand there are
many that are notwould not need to have that level of protection.
A bank that did might feel that it was appropriate to do that
or it might want to do some other level of protection. Really
we would be looking at whether institutions are managing the risks
presented by their propositions to customers and the nature of
their experience, are their fraud losses going up or are they
being managed well.
Q168 Earl of Erroll:
Of course the banks are offloading a lot of risk onto the merchants.
Is the risk actually being taken in the right place or should
the banks be taking the risk because they are the people who might
be able to do something about that?
Mr Robinson: I think our very clear view as
the FSA is that in a world of electronic commerce, particularly
on-line banking but it would apply in every respect, you need
to have a shared responsibility. The sharing should be between
consumers, merchants (in the case being talked of here) or third
party acquirers of personal data, and the banks themselves. So
it is a shared responsibility between the bank, the third party
and the customer. I do not think it is possible to make that responsibility
exist in any one area because the very nature of the electronic
channel is that it is an open network and it is susceptible to
compromise at the weakest link. You said, I think, that banks
are moving the liability from themselves to the merchants. That
may be a matter that you would wish to discuss with the banking
sector as a whole. From my side, we are looking at the fraud losses
suffered by the banks and secondly, particularly when it comes
to individual customers, are they treating their customers fairly?
I have no direct remit to look at the way they are treating their
commercial partners other than where it affects those two areas.
Q169 Baroness Hilton of Eggardon:
Could you outline for me your powers and your role in relation
to on-line banking services? Do you have sanctions that you can
Mr Robinson: We have powers under the Financial
Services and Markets Act. Under the financial crime objective
we are given we are required to "reduce the extent to which
it is possible for the firms we regulate [a bank or somebody else]
to be used for a purpose connected with financial crime."
That is broadly defined as fraud and dishonesty, market abuse
and dealing with the proceeds of crime. We have a range of powers
given to us under the Financial Services and Markets Act, ranging
from civil administrative sanctions through to in some cases under
the money-laundering regulations criminal prosecution powers,
and indeed we have, under the insider dealer regulations.
Q170 Baroness Hilton of Eggardon:
Presumably that is a last resort. I just wondered what your normal
relationship is with on-line banking services? Do you have an
on-going dialogue with them that keeps them in line or not?
Mr Robinson: We have an approach to banking
supervision, most of the on-line supervision you are talking about
originated from the banking sector, although I am sure not all,
which is based around for a large bank a close and continuous
relationshipthat is not close in a cosy sense but very
close monitoring at a high level. On a quarterly basis for example,
you would see our supervisors discussing with the bank the latest
trends, including fraud trends, that they are experiencing. That
information is fed through our risk model and fed out to other
supervisors so that we pick up the issues that are arising and
feed them back in so that all of our supervision processes try
to pick up on those risks. We very infrequently use our statutory
enforcement powers despite the way it can often appear to people.
We frequently, though, issue proposals to change behaviour in
the form of a risk mitigation programme. As part of our risk mitigation
assessment we will identify where Firm A seems to be doing less
well than its peers, for example, or where its own systems have
identified concerns, and will require them, through an audit letter,
to change those issues which we will then follow up. We give them
a follow-up pointit might be three months, it might be
a year depending on what the issue isand we will make sure
that they deliver on that. Only if we find that an institution
is failing to respond to those sorts of prompts do we move into
the more invasive supervision processes which could involve a
detailed review by our own expert financial crime review teams
or the commissioning of an external report, the responses to both
of which we would expect the firm to adopt, and if the firm is
not doing that, or indeed has consistently failed to do what we
require, we consider public enforcement action which has a proper
appeal process and so on.
Q171 Baroness Hilton of Eggardon:
In view of the rapidly rising amount of fraud that there seems
to be in relation to on-line services do you think you are being
sufficiently interventionist, sufficiently rapid in your response
to the current situation?
Mr Robinson: I think it is the rate of growth
that is very high. The absolute amounts of on-line fraud, for
example, are not so great compared to the general level of fraud
experienced in the sector. We are interested in the rate of growth
and that rate of growth has meant that, for example, in the last
two or three years in our financial risk outlook, a document we
publish at the beginning of the year, we have alerted firms to
the financial crime issues we have seen and our supervisory approaches
have been driven by a wish to look at those issues and we are
very active in following up concerns, so I would say that we believe
that we have got a proportionate response to this but we are continuing
to look very carefully from a risk perspective because the rate
of growth is very high. Our starting point would be if the market
is not delivering a solution then we should intervene.
Q172 Lord Young of Graffham:
Mr Robinson, identity theft is apparently costing our economy
an alarming £1.7 billion a year. Can you break that down
in some way? How much of that is Internet related, how much of
that is really people just impersonating others?
Mr Robinson: We can break that down a little
bit. There is some information, I think, in our annex, but can
I ask Mr Gruppetta to cover that particular point?
Mr Gruppetta: This particular figure, £1.7
billion, was put together by the Home Office as part of its work
on the ID Fraud Steering Committee, of which we are a member,
and the constituent organisations put forward figures for certain
acts which they felt constituted ID theft. Due to the fact that
some of those acts are quite different from each other it is quite
difficult to break it down in terms of how much of that occurred
on the Internet, I am afraid, but we can, if you would like, provide
you with the breakdown of each of the 16 members' figures.
Mr Robinson: Let me give you some illustrations
to help understand the difficulty.
Q173 Lord Young of Graffham:
Forgive me: I think the figures, if you could write to us, would
Mr Robinson: Certainly, we will do that.
May I add something about the difficulty? There is a combination
of, for example, industry data that talks about estimating their
financial losses due to ID fraud. There is information from the
Home Office about the estimated cost to the Immigration Service
of undertaking enforcement activity, and from the Passport Service,
the cost to the Passport Service of measures to counter identity
fraud, so it is a complete mix of information.
Q174Lord Howie of Troon:
We are told that there has been a rise in the rate of "phishing".
Are you greatly concerned about this or do you see it as a minor
issue in the general picture of financial fraud?
Mr Robinson: If I may I will make one or two
preliminary comments and again ask Mr Gruppetta to deal with this
one. As I have already said, the size of, for example, on-line
fraud, banking fraud, customer not present fraud, is not very
large in the quantum of fraud as a whole. However, the rate of
growth is what concerns us. We have some things that we are going
to do and I will ask Mr Gruppetta to speak about that.
Mr Gruppetta: As Philip said, we are very concerned
about the rate of increase. I think it is about 8,000 per cent
in the past two years, if you look at month-on-month figures.
Q175 Lord Howie of Troon:
Mr Gruppetta: Very big, but in terms of the
actual size of the losses associated with that in the grand scheme
of total fraud in the UK it is still quite small. However, we
are concerned because obviously these phishing attacks are becoming
more and more sophisticated. You do still see some quite primitive
ones but they are becoming more sophisticated at the other end
of the scale, so it is important that consumers do receive advice
on how to stop phishing attacks and what measures and precautions
they should take so that they do not fall victim to such attacks.
Q176 Lord Howie of Troon:
You mentioned a very large percentage increase, quite staggering
in its way. It is quite easy to get a big percentage increase
from a low level. Is that part of the answer?
Mr Gruppetta: The figures we have, which come
from APACs, and the actual figures I have got in front of me are
different from the month-on-month ones that I referred to just
now, but if we just take these as an example, from January to
June 2005 there were 312 unique phishing incidents. In January
to June, the same period for this year, 2006, there were 5,059
unique phishing incidents. We understand that that type of increase
in the figures has continued throughout this year, so we were
starting from a fairly low base in that there were 312 attacks.
I suppose it depends how you define what is low, but it is much
Q177 Lord Howie of Troon:
8,000 per cent?
Mr Robinson: It does have some worrying aspects
about it though. It is very easy to perpetrate these attacks in
large volumes and so the consumer understanding of the issue and
equipping consumers to know how to respond to what I think will
continue to grow as a challenge is one of the key issues. Ninety-two
per cent of the phishing targets seem to us to be in the financial
service industry or connected to it, and indeed most personal
financial data, whichever way it is acquired, will ultimately
end up being used to defraud people in the financial system and
therefore it is of interest to us wherever or however it is acquired.
Q178 Lord Howie of Troon:
Could I ask you a question about banks? I gather that the bank
marketing departments send out what you might call unsolicited
emails and I am wondering if there were to be a general presumption
that any unsolicited email supposed to come from a bank is fraudulent.
The word is "supposed", of course.
Mr Robinson: My Lord, are you saying that the
first presumption should be that marketing emails should not be
responded to? It is probably a good presumption, actually, not
necessarily because they are fraudulent.
Q179 Lord Howie of Troon:
When people ring me up and say, "I have got a terrible opportunity
for you", I have a great tendency to hesitate for a moment
and just listen before I put the telephone down, because my presumption
there is that this is fraudulent. Is that a sensible attitude
on my part?
Mr Robinson: Regrettably, I think that not everybody
takes the view that if it is too good to be true it is too good
to be true, and not just in this area do we see these sorts of
scams. I am sure we are all very familiar with the kind of 419
scams where people say you have won the lottery, give me some
money. The earlier evidence session talked about the issue of
marketing and how to separate from the plethora of marketing material
that which is fraudulent and that which can simply be ignored
and that which you might respond to because it may have advantage.
I think this issue of aligning marketing activities to incorporate
thinking about managing fraud risk is something we have been talking
to firms about over a number of years. Over the last two or three
years, where we have started to talk to firms about how they manage
their fraud risk in a more direct way, one of the things that
comes up is the importance of every part of the institution thinking
about how to prevent fraud in the way they are acting, and that
means that when you are designing a product it makes sense to
design a product that does not facilitate fraudulent behaviour.
We are also doing that with institutions in the context of money
laundering because that is another area of our remit. I do think
it is a good question to ask if there are very large numbers of
marketing material hitting your inbox, but how do you determine
which are real and which are not when they all often look the
same because the phisher or spammer has made it look just like
it comes from your institution or an institution like yours. Typically,
the phishing emails will impersonate a bank and they will send
it willy-nilly to a name and address list or an email list that
they have bought, possibly legitimately, on the Internet from
people that market lists and they will send it out to anybody
on the basis that if they send it to 10 million people some of
those people might be banking with X bank and a small portion
of those people that bank with X bank will respond to this email,
and it is that small proportion that then get their money stolen.
They may get 10 out of sending a million emails but that is enough.
If you mix that issue up with the other things going out from
banks it is very important. I noticed earlier on that there was
reference to whether a website should identify itself. Reference
was made by Visa to the secure system that is used increasingly
by vendors. If the phishing issue becomes a really big problem
in terms of the actual losses and those losses are not mitigated
in any other way, then looking at some mechanism for identifying
what is legitimate and what is not is going to be important.
7 http://www.identity-theft.org.uk/ID per cent20fraud
per cent 20table.pdf Back