Financial Services and Markets Bill – in a Public Bill Committee at 3:26 pm on 19th October 2022.
We have until 4.10 pm for this panel. Would the witness please introduce himself for the record?
Good afternoon. I am Mike Haley, chief executive officer of CIFAS, the UK’s fraud prevention service. We are a not-for-profit membership organisation of 600 members. Member organisations are, in the main, financial services—banks, fintechs, alternative lenders and mortgage providers. We also share data and intelligence on fraud and financial crime.
Thank you. Does anybody on the Government side wish to open the questioning?
Q It is not a general question, but I want to ask about push payment fraud and APP. If we set a specific amount for APP fraud reimbursement, would a suggested £1 million limit encourage fraudsters to try to act like the victim? Would a limit set that high be an incentive for fraud?
Yes. One of the issues with a contingent reimbursement model in any compensation scheme is that it is not a fraud prevention initiative in itself; it really just says who suffers the risk of the fraud. It passes the individual loss on to the banks. The emphasis is on a large amount that you could get away with without thinking that you have taken it out of an individual’s pockets; a faceless bank will pay up to £1 million. Any limit of that size reduces any moral questions a fraudster might have about who they are stealing money from.
Q Thank you for coming to give evidence. You do not need me to tell you the amount of money directly stolen from people’s bank accounts through fraud and scams—a record high of £1.3 billion, as you will know. Why do you think we have reached that amount?
There are three interconnected reasons why scams have reached such frightening proportions. First, the reach of social media and online platforms means that scammers and fraudsters can reach millions of people—marks and vulnerable people—much more effectively.
Secondly, we have seen organised crime turn its hand to fraud because it is a low-risk, high-return crime. Their skills have grown in something called social engineering, which is how they persuade someone that they are calling from the bank or from the police by impersonating others. They have become very skilled in that.
Thirdly, faster and instant payments mean that once a fraud has been successful, and you mandate a payment through your bank account, it is very hard for banks to tell that that is a fraudulent transaction, because it has been mandated by the customer. Then, there is a network of money mule accounts, which are either accounts that have been set up for those proceeds to go through, or accounts belonging to people who have been duped into allowing their accounts to be used for that money to go through. Instant payments mean that that is untraceable very quickly. I remember investigating a mass fraud—[Interruption.]
Order. We resume our session. I think a question was put to you. Do you want it repeated?
I do not need the question repeated.
On the question of what has created the significant increase in frauds—particularly authorised push payment frauds, known as scams—I was saying that there are three interconnected issues. First, there is the reach of social media. Secondly, organised crime has turned its attention to fraud. Thirdly, the faster payments regime has enabled fraudsters to quickly dissipate the scam funds.
One of the things we have seen with the dissipation of scam funds is that they often go into cryptoassets and crypto exchanges. That is why, as part of the Bill, we welcome extending the regulatory perimeter to cryptoassets—digital settlement assets—so long as, in that authorisation process, there is a risk assessment around economic crime. Authorised crypto firms should meet the same standards as banks, in terms of know your customer—customer due diligence—and should have in place the anti-money laundering, counter-terrorist financing and fraud operational standards that we expect from the other financial service players so that it is a level playing field.
Q Thank you for your answer. Fraud is a huge issue, and I am sure we all have individual stories from constituents who have been impacted by it. I just wonder what else could have been done in the Bill to tackle fraud. Specifically, should we have legislation on a single dedicated national strategy to tackle fraud, or should we have provisions to support investigators in the sector to prevent fraud and track stolen money? I asked a previous witness about putting in place data-sharing agreements that extend beyond just the banks to include fintech, electric money institutions, cryptoasset firms and payment system operators. What more can be done? Would you support what one of the witnesses—I forget who it was—said about data sharing?
I will take those in reverse order. Provisions that facilitate greater data and intelligence sharing, particularly on suspicions of fraud and financial crime, would have the biggest impact in helping to prevent this type of crime. It is a crime that is at scale and at speed in the online environment. To be able to share the mobile numbers that are being used, the devices and the IP addresses at speed across the whole of the environment—payment providers, fintechs and telcos—would be enormously powerful. This is a volume crime, and we need to have prevention at the core of any national strategy. That would have a massive positive impact.
I would like to see it go further. I would like it to be mandatory, because why should an organisation sit on knowledge about fraud or financial crime, and not share that with others to protect the whole of the financial services industry? There should certainly be strong leadership saying it should be done. For those who do not, I would like it to be mandatory, but it should certainly be facilitated. There should be something in the Bill that facilitates that sharing.
Q Something on the face of the Bill that says that they have to do this.
And that they can. A lot of the time, organisations feel, rightly or wrongly, that they cannot share this type of data and intelligence. They might quote the General Data Protection Regulation, but in my view the GDPR says that it is in the legitimate interests of businesses to share data to protect their services and consumers. There is a lack of confidence in doing that, so we should have something very explicit that says not only that it is allowable but that it is expected, because we are all part of the same ecosystem, in which people are being scammed and organisations are losing literally billions of pounds.
Absolutely, there should be a national strategy, and prevention should be at its core. We are looking forward to the Home Office publishing a national strategy; it has been much delayed, and it is very much anticipated. From what I have seen, I would like it to be more ambitious, and to cover the public and private sectors, as well as law enforcement. Fraudsters do not decide one day, “We only go after bounce back loans because that is a public sector fraud.” They will go after a loan from the NatWest bank, or a mortgage. A lot of data is not being shared between the public and private sectors and law enforcement. That would be a powerful set of data and intelligence, which would make us more effective as a country in defeating fraud.
Q Fantastic. Are there any other things that you think could be done with the Bill to try and tackle fraud that we have not covered so far?
Q Like an economic crime assessment?
Yes, because there can be unintended consequences some way down the line that were not thought of at the start. Faster payments are a really good example; they put the UK in a competitive position and most people would support faster payments. However, we find that they have been exploited. There could have been some thought about, for example, in what circumstances we slow that journey down to prevent fraud. With any new rule changes we should ask what the impact could be, and what unintended consequences there could be—does it open a gateway for fraudsters or criminals to exploit? I think that would strengthen the Bill and also give some real teeth to a regulator—to be held to account about whether they thought about it at the outset.
That is really helpful, thank you.
Q Do you think this is a good example of an area where it is important that the Government have an intervention power? We have seen some patterns of behaviour emerge very rapidly and cause significant public policy concern.
Yes, I think we have seen in the past that regulators have not moved quickly enough when there has been widespread harm. We might look at payment protection insurance, for example, where consumers brought plenty of reports into MPs’ and Government in-trays, and yet the regulator was rather slow in intervening in a market—a market that had been abused. I think that an intervention power could be very powerful.
Q In terms of clauses 21 and 22 on digital settlement assets, how effective do you think the Bill will be in ensuring that we reduce fraud with digital settlement assets that use blockchain? I am not having a go at the technology, because that is a completely different discussion. How effectively will an open or closed blockchain, and the differences between the two, be regulated by this Bill?
I think one of the problems of all legislation is how quickly it keeps up with changes in technology, and it being broad around principles. As I mentioned, with the authorisation of anyone who becomes a regulated entity dealing with digital settlement assets, it is important to have clear criteria for the onboarding—know your customer—and to know who the accounts are opened by. I find that already we are looking at money laundering through coin swap services, for which you do not need an account and may not be under this regulation. There are cross-chain bridges, where someone can move from one blockchain to another. I am not an expert on whether clauses 21 and 22 cover some of those services that have been created, which were probably not in the thinking when the Bill was starting to be drafted.
Q My concern is that blockchain has been around for a long time. Fraud is not new—there is nothing new under the sun. Do you have a concern about the ability of the regulators to keep on top of this, as they do not have the knowledge that they should have, nor do they have the access to resources to develop it?
There are a number of questions there. One is whether the legislation is broad enough to ensure that the regulator can act on some of those services. They need to be included in the perimeter. I do not think that some of these services—I talk about those coin swap services—are actually in the purview. There are cryptoassets and cryptocurrency exchanges, but some of these other services have been created, and from my reading of those provisions, I do not think they are covered.
Order. I am afraid that brings us to the end of the time allotted for the Committee to ask questions. I thank our witness on behalf of the Committee.