Some thoughts on the recent House of Lords Fraud Report

A new report from the Fraud Act 2006 and Digital Fraud Committee landed over the weekend. It’s entitled 'Fighting Fraud: Breaking the Chain', and clocks in at 191 pages: I’ll try to make this post a little shorter - no guarantees, though.

The mainstream press are likely to zoom in on the call to introduce a new offence around fraud, so I’ll say a few words about that before I pick up on a couple of areas of the report which interested me more:

Proposal for a new offence of ‘failure to prevent fraud’

This is squarely aimed at the big tech and telecoms companies, and if it ever comes to fruition, would introduce a wider scope than the changes coming in next year via the Online Safety Bill, which are directed more at the former than the latter. At face value, it’s an option worth pursuing: if we look at the average fraud in terms of the ‘victim journey’, it’s a journey which almost never begins inside the financial services industry: it’s much more likely to begin with a spoof text or phone call, a questionable website, an enticement on social media etc. The companies who provide infrastructure and hosting for these entry points can definitely do more to protect their users, but there are a few sensible steps which could be taken before a new criminal offence like the one suggested becomes feasible.

One obvious such step would be to introduce standardised reporting requirements. If, for example, web hosts were required to collate and publicise annual numbers of law enforcement enquiries they received in relation to sites they host (in much the same way that banks track trends in their own interactions with law enforcement), it would introduce a degree of measurability and standardisation which is currently lacking. To again draw a comparison with the kind of reporting done in banks: anyone who has had to contribute to the likes of a REP017 or a REP-CRIM will know that seeing collated stats written down in black and white can have a galvanising effect on your senior management. Put simply: when you have to report on a metric like ‘number of payments received associated with first-party fraud’ you generally want this year’s reported number to be lower than last year’s. I expect there would be a similar effect if telecoms/big tech were also made to report some of their more painful metrics.


The report points out that the UK’s digital banking system is among the world’s most advanced, but goes on: “...while this is great for businesses and consumers, it makes the UK a lucrative market for fraudsters who want to quickly cash out stolen funds. We are calling for the introduction of a delay lasting no more than several hours on certain high-risk payments. This would give banks more time to analyse whether a payment might be fraudulent.”

There’s a sizable elephant in this room. Those banks which are built on more modern technology stacks have already been doing this for a number of years (I’m referring to the Challengers, and the more forward-thinking Incubators), but many of the biggest incumbents still have mainframes buried somewhere in their infrastructures - and the report doesn’t sufficiently appreciate the challenges this presents to doing the kind of realtime payments monitoring and interdiction which it recommends. And the vast majority of the UK population still has some form of banking relationship with those incumbents (often with good reason: brand and stability count for a lot, as does product set) - so this is a problem which must be faced head-on.

I don’t for one second want to understate the difficulty involved in migrating off a monolith, but difficulty alone shouldn’t be seen as a reason not to upgrade infrastructure. And the report’s proposal here is a non-starter without some serious investment in modernisation. This is all before we’ve got onto the subject of the negotiations and shared agreements which would need to be reached with the payments and cards schemes for all of this to work effectively.


Reference to a lack of skilled officers and civilian staff in law enforcement

From my time working with organisations such as City of London Police, the SFO, and others - I’d say that tech-savviness is not usually the key thing which law enforcement agencies lack: what they lack is budget. Budget for tools and systems which can be upgraded at the same pace at which criminals themselves use and abuse new technologies. Budget to expand headcount and, perhaps more significantly: budget to retain that headcount. To be fair, the report does acknowledge budget as the root cause of the issue. Part of the problem is that it’s so difficult to link, say, an ECU getting an extra £5m in budget with an associated and directly related drop in crime. Most compliance officers will be able to relate to this: when you do your job well, it’s sometimes not clear that you’ve done anything at all.

Too many cooks

There’s a reference to the fact that a huge number of different agencies are involved in the counter-fraud response, with the result dubbed an “alphabet soup”. I can remember seeing this exact same argument being made in the period shortly before the NCA was stood up, and it’s pretty dismaying to see that the same thing is still being said today. Having different agencies with slightly different areas of focus doesn’t necessarily need to be a problem, as long as (a) they are all acutely aware that they are on the same team, and (b) they are given an efficient and robust shared system for the sharing of information, with the appropriate guardrails etc.


Number Spoofing

The report cites an Ofcom survey which found that 82% of participants had been targeted with scam texts or calls which purported to be from a trusted organisation such as the NHS, a government department, or a bank. I’d be surprised if that figure, for those of you reading this, was not closer to 100%.

Friends and former colleagues who work in either Security or Telecoms all tell me that it will be nigh-on impossible to put this particular genie back into the bottle, for a number of reasons, such as the benefits to legitimate firms of using VoIP technology, the merging of telecoms services with cloud technologies, the widespread use of the SS7 protocol, and so on.

But there are clearly ways that the risks can be mitigated, and these should be grabbed with both hands. For example, the report mentions one telecoms operator who implemented Ofcom’s request to block overseas internet calls wherever those calls pretended to be from within the UK. The operator claimed it led to a 65% reduction in complaints about scam calls.


Finally, everyone likes a statistic, and the report contains some particularly eye-opening ones, some of which I’ll bullet here for later dispersal into your speeches and presentations:

  • [In England & Wales] A person aged 16 or over is more likely to become a victim of fraud than any other individual type of crime, including violence or burglary - fraud accounts for approximately 41% of all crime against individuals across those two home nations.
  • One of the Big Four UK Banks reported a 50% reduction in telephone banking fraud since the introduction of biometric security using voice identification.
  • In the year ending March 2022, fraud had increased by 25% since the pre-pandemic year to March 2020.
  • 80% of reported frauds are cyber-enabled; they could have taken place offline, but their scale, reach and impact have been expanded by the use of online services and digital technology.
  • People who have experienced mental health problems are three times more likely than the wider population to have fallen victim to an online scam.
  • 37% of the UK’s workforce are thought to lack the skills needed for safe and legal online behaviour.


The government has until January next year to respond to the report. I’ve barely scratched the surface of the contents here, so I highly recommend carving out a couple of hours to go through it while we await the response...

Kelly Cliffe DIP(FinCrime)

FinCrime Risk Manager - NatWest Boxed

2 years ago

Thanks for sharing your thoughts Iain Armstrong. This is really insightful and succinct, love that I don’t have to firstly read through all 191 pages to get the main takeaways! I particularly like your suggested steps for Big Tech and Telecom companies to do similar standardised Fraud linked metric reporting. Like F.I.s do. Like you say, nothing like seeing the scale of customers who are victims in No.s & %’s for all to see. & Yes I love a statistic. Saw one the other day but believe it was around - you’re 60% more likely to be targeted or a victim of fraud if you’re active on social media.
