The FSA's new approach to fraud – Fighting fraud in partnership
26 October 2004
Speech by Philip Robinson
Introduction
We have been reviewing our approach to tackling fraud in the financial services sector. Last December we published our discussion paper 26, The FSA - Developing Our Policy on Fraud and Dishonesty, and today I will be setting out our conclusions.
Our new policy – Fighting Fraud in Partnership - is based on the need for a collective effort to improve the fight against fraud in the financial services sector, and for the FSA to make a distinctive, important contribution to that effort.
Fraud risks
The present level of fraud and fraud risks in the financial sector is too high. Hard data on the size of fraud is notoriously hard to come by, but here are some statistics:
- fraud against the private sector: the latest Government Estimate, in 1999, was that this cost firms £1.5 bn per year, equivalent to £25 for every adult and child in Britain;
- in the survey that Robson Rhodes published last week, they found that the financial sector alone is losing some £11 bn per year from economic crime;
- one area of those losses is plastic card fraud, where despite the industry's huge investment in clamping down on fraud APACS tell us that losses were £402 mn in 2003, as compared with £97 mn in 1994. There is a fraudulent transaction every eight seconds;
- insurance is another example. The Association of British Insurers estimate that 3.7% of all insurance premiums result from fraud losses – a huge margin that we as consumers are having to pay for; and
- finally there are the low frequency, huge impact frauds, such as BCCI and Barings, which have reminded us what a huge operational and prudential risk fraud can be.
Why and how the FSA should respond to these risks
One of the objectives for the FSA set out in the Financial Services and Markets Act 2000 (FSMA) is: reducing the extent to which it is possible for a business carried on (a) by a regulated person, or (b) in contravention of the general prohibition, to be used for a purpose connected with financial crime. Fighting crime is therefore part of what we do. We have always required:
(a) senior management to take responsibility for managing fraud risks; and
(b) firms to have effective systems and controls in place that are proportionate to the particular risks that they face.
This will continue to be our focus. But over the coming months we will steadily be paying more attention to firms' arrangements for managing their fraud risks as part of our general supervisory and other regulatory activities. This will be a natural development of our current approach.
Firms have strong incentives to fight fraud – many frauds cost them money. Which is why the market often delivers effective anti-fraud measures. We need look no further than Chip and PIN, for example: 'the largest retail change since decimalisation' to quote APACS. As with our regulatory activities more generally, we the FSA need to prioritise our activity by working with the grain of the market whenever we can.
But in some areas the market alone is not enough, and the regulator should contribute to help reduce crime and to deliver benefit for us all. There are often situations where what is in the best interest of the overall industry is not in the best interest of the individual firm. Sharing information about an actual fraud for example: in the overall scheme of things it would be good if everyone knew who had done what, to help avoid the criminal striking again. Information-sharing is one of the most powerful weapons of all against the fraudsters, who typically will be active in more than one area. But what about the firm's reputation if the firm was known to have been caught out? The incentive isn't there to share the information for the benefit of all. We need to find ways of righting this market failure.
But even when fraud mitigation is good business, it doesn't always follow that a firm will do it well. A project that we did recently on insurance claimant fraud threw this into sharp relief for me. In thirty small and medium-sized firms who responded to our survey, every £1 they spent on fraud prevention yielded £3.80 in savings; and yet fraud budgets were tight, with 71% of the firms having no earmarked fraud budget at all. We need to find ways of ensuring that that kind of information is in the hands of the senior management who control the purse strings.
Collaboration
Collaboration is crucial if we are to make a difference over fraud, and that is why we have called our new initiative Fighting Fraud in Partnership. All of us engaged in fighting fraud need a shared vision of what we are trying to achieve: so that we can avoid reinventing the wheel, can push in the same direction, learn from one another and so on – working in partnership. That is quite a challenge - there are lots of us involved:
- regulated firms, and in particular those within them at the cutting edge of fraud prevention - senior management; fraud, money laundering and IT security specialists; internal auditors; Audit Committees etc;
- the police and other law enforcement agencies;
- the Government;
- ourselves;
- the general public (who can be perpetrators as well as victims of fraud);
- the Fraud Advisory Panel; and
- those who provide key services to the industry: auditors, recruitment agencies, the Royal Mail and so on, all of whom can be victims of fraud; or those whose job it is to provide services that specifically combat fraud – the credit reference agencies, consultancy firms, fraud data sharing specialists etc.
And to that list of stakeholders I would add one of the most important players of all, the trade associations. We see the trade associations as having a key leadership role, to help build up the better picture we need on what the fraudster is up to and how to stop him in his tracks. Their collective approach to fighting money laundering has been crucial to keeping dirty money out of the UK's financial system, as is made clear in the new money laundering strategy document being published today. A key aspect of my vision for the future is that trade associations would do more on fraud, building on their current activity: not just separately on sector-specific risks, but collectively on risks and issues that are common to different sectors – such as staff and identity fraud, IT security, data sharing on fraud, or how to get better alerts to firms on what crimes and criminals to look out for. I know that the bank and insurance sectors are keen to work more closely together and I very much welcome that.
The Government and law enforcement are also key stakeholders in the fight against fraud. Fraud can only ever be one of many law enforcement priorities in the fight against crime. Society will always give higher priority to, say, the fight against drug trafficking and gun crime. But we will continue to encourage our Government partners to accord fraud generally, including fraud against the financial sector, a higher priority that is more proportionate in our view to the harm involved. And to complement this, constraints on resources make it all the more important that the Government should develop a strategic approach in which the efforts of public and private sector stakeholders are channelled to maximum effect.
Where we are now
So we all need to work together to make life much more uncomfortable for the fraudster. I am not just talking theory here. Our own observations show that although there is plenty of good practice out there over managing some aspects of the fraud risk, there are important gaps in the industry that need to be plugged:
- some sectors are better than others at managing fraud risks;
- not all senior managers make fighting fraud a high enough priority;
- not everyone knows how to fight fraud well;
- nobody knows enough about fraud risks;
- in some firms fraud is handled tactically not strategically. Fraud reports to senior management are reactive rather than regular, for example, and as a result senior management is not as engaged as it needs to be in the oversight of fraud management; and
- businesses are reticent to share information on the crimes affecting them – whether this be with their peers, with law enforcement or with the regulator.
Our vision for the future
Our vision is that within the next couple of years we will see significant progress towards better fraud defences. We will see a picture in which:
- the sector as a whole is working smarter and harder to fight fraud;
- the trade associations work together closely, providing leadership over fraud management (as they do so successfully already over money laundering);
- there is a very clear lead from the top of financial organisations – that fraud is a significant threat that needs managing strategically and effectively;
- there is a much clearer picture of:
  - the risks and scale of fraud,
  - the best ways of tackling it; and
- we have a culture where firms are much more confident in sharing information on significant frauds and near misses and do so as a matter of course for the benefit of the industry as a whole.
In other words, a future in which the financial sector is a much less comfortable place for the would-be fraudster.
Working together to deliver change
We take seriously our responsibility to help make that vision a reality. We are therefore putting together a programme of work with four elements:
(a) actions that we will ourselves take;
(b) work that we would like to see the trade associations and industry take on, that we will seek to encourage and support;
(c) closer relationships with law enforcement over tackling actual frauds; and
(d) a call on the Government to make fraud a higher law enforcement priority and to lead the development of a strategy on fraud.
(a) Actions that the FSA will take
Encouraging firms to keep their systems and controls up to scratch
Over the coming months you will see an increasing FSA interest in firms' management of their fraud risks, as part of our general supervision of firms. What will we be expecting? Our Handbook requires firms to take reasonable care to establish and maintain effective systems and controls for countering the risk that they might be used to further financial crime. The term ‘systems and controls’ is very broad: IT and manual systems, segregation of duties, the work of internal audit, and much else besides. Our new policy is about paying more attention to how firms comply with those existing requirements. Our supervisors will be better equipped to assess firms' management and control of fraud issues in their risk assessment and Arrow work, risk mitigation programmes and so on; and we will do so of course in a risk-based, proportionate way. For the smaller firms, where our regulation is less direct, we will undertake thematic work and follow up issues that are brought to our attention. It's not just the big firms who face significant fraud risks, or who have clients who can lose money.
In considering fraud issues we will look, for example, at:
- whether a firm has a strong anti-fraud culture, with the lead being given from the top;
- whether there is a clear allocation of responsibility for the day-to-day management of the risk;
- staff training;
- firms' Know Your Customer procedures - how they keep an eye out for potentially criminal behaviour; and
- what management information on fraud is captured and how it is used.
All in all, has the firm taken reasonable steps to make itself aware of, and to tackle, its fraud risks? If it has, the firm will probably be well placed to answer such basic questions as:
- Who is responsible for managing your fraud risks?
- How do you identify your key fraud risks?
- What are they?
- What are your key systems and controls for managing your fraud risks?
- How many frauds have you suffered recently?
- What are your fraud losses?
- What whistle-blowing arrangements do you have in place and how successful are they?
- How much do you spend on preventing and detecting fraud?
- How do you monitor the effectiveness of your fraud systems and controls?
- What information on fraud goes to your board or senior management?
It seems reasonable to expect firms to have a good story to tell about how they are discharging their responsibilities to manage this aspect of financial crime.
We will also be actively following up information on specific frauds that suggest that there may be underlying fraud management issues in particular firms. You will hear more this afternoon about this approach.
We will be looking for effective and proportionate fraud management systems and controls. If we find that these are lacking, we will review the most appropriate tools, including supervisory action (e.g. a risk mitigation programme). But where there are particularly aggravating circumstances, for example if significant fraud has resulted, the breach of our requirements has resulted in significant risk of fraud or there has been significant detriment to the consumer, use of our enforcement tools is an option. But we will not be down like a ton of bricks on firms who have the misfortune of suffering fraud. We need a culture where senior management manage fraud risks well and learn from the frauds and near misses that they will inevitably suffer over time. We are not in a zero failure regime here. Frauds happen. Frauds will always happen. And, to comply with the relevant Rule in our Handbook firms must report them to us if they are significant. It is only with firms whose systems and controls fall far short of the appropriate standard that we might wish to use our enforcement tools.
Thematic work
In the thematic work that we do, we look in detail at particular issues. For example, in a report we will shortly be publishing on information security issues we found: 'Firms are unduly reactive in managing information security risks'. And 'smaller and medium-size firms continue to carry more serious and substantial Information Security risks.' Another example comes from our study on insurance claimant fraud. In answer to our question 'What data, currently not available, would help you most?' several insurers asked for solutions which were already on the market. And in both cases this is despite there being a bottom line incentive to manage these risks well. We will use our thematic work to help build up a better picture of fraud in the financial sector and how certain risks can best be managed.
Whistle-blowing
We will continue to attach importance to whistle-blowing arrangements, that is firms having some form of facility for people within firms to report with confidence on wrong-doing. Whistle-blowing is an important defence against fraud and we expect firms to have regard to the relevant Guidance in our Handbook. We need strong structures for whistle-blowing throughout the industry and – just as crucially – a lead from the top of firms that whistle-blowing is healthy and important.
Financial crime material in the FSA Handbook
Our discussion paper flagged up the question of whether we should rationalise the existing provisions on fraud in our Handbook, and whether to proceed with the related idea of simplifying the Money Laundering Sourcebook. Our respondents expressed quite strong support for pulling the present fraud material together in one place (as well as, perhaps not surprisingly, opposing the idea of there being any specific new requirements on firms over fraud). We hear that message and will consider developing further specific proposals on the Sourcebook and on rationalising the Handbook provisions on fraud, and formally consult in the usual way.
Messages to the consumer
We will be looking to work with firms, trade associations and Government on communicating more effectively with customers about the fraud risks to them. Our website is already rich in material about swindles and scams – people promoting worthless shares, advanced fee frauds and so on. There is also plenty of guidance to customers about not getting involved with unauthorised firms, and services to the customer to allow them to check whether a firm is authorised or not. Some of you may also have read in the papers about our recent survey on boiler room scams (scams involving high pressured selling techniques to encourage UK investors to buy worthless shares) and the profile of the victims. And we have just published a leaflet on these scams, which some of the trade associations are helping to promote.
Consumers themselves have some responsibility here. The FSA's statutory objective talks about our securing the appropriate degree of protection for consumers. What we need to do is to give consumers the information they need on which to base their own decisions. The public need for example to know why it is they need to be more careful with their personal details, so as to protect themselves against the growing risk of having their identity stolen. There is some excellent work being done by the likes of the credit reference agencies, the Police, APACS, CIFAS ('The UK's Fraud Prevention Service') and the Home Office to get this message over. And we will wish to encourage firms to do more to warn their customers about how to protect themselves against, say, identity fraud. In all this activity, what we are trying to do is to inform people, so that they know for example what the fraud risks are in investing through an unauthorised company or throwing away a bank statement rather than shredding it.
Consumers also have the responsibility to be honest. The ABI have helpfully highlighted this issue. In a survey of the general public they conducted last year they found that nearly half the respondents would not rule out making a dishonest insurance claim in the future, and 7% admitted to having made a fraudulent claim. Overstating your losses in an insurance claim is wrong. Knowingly providing wrong information when applying for financial products is wrong. And at the end of the day we all pay for such crimes through the impact of fraud on the costs of the products we buy. It is not for the FSA to lead a moral crusade. But we recognise a challenge to the industry - and indeed society - to promote the message that dishonesty is wrong and a tax on us all.
(b) Challenges for the industry and the fraud specialists
One of the problems we all have is that there are many areas of fraud where what we know is roughly how big the tip of the iceberg is, and have little idea what there is under the water or indeed how many other icebergs there might be out there. We wish to work with, encourage and support firms, trade associations, law enforcement and fraud specialists to build up a better understanding of fraud risks and what works well in mitigating them. We also need to be more effective in alerting firms over things and people to look out for - what criminals are up to and who those criminals are.
In scoping fraud, issuing alerts to firms and promoting good practice for dealing with fraud we are not starting from scratch here. I mentioned Chip and PIN earlier. Let me mention a few other examples:
- information sharing is one of our most powerful weapons against fraud, for the fraudster rarely only strikes once. The likes of National Hunter and the credit reference agencies do much to help fight the fraudster. We ourselves provide the secretariat for the Financial Fraud Information Network, FFIN, which brings together regulators and law enforcement agencies;
- then there are the trade associations, some of whom are very active in this area. The Association of British Insurers, British Bankers' Association, Building Societies Association, Finance and Leasing Association and Association of Private Client Investment Managers and Stockbrokers, to name but five;
- the various networks for the practitioners on the front-line;
- the Fraud Advisory Panel, whose publications on good practice and the nature of the fraud risk are a key resource;
- the charity Public Concern At Work, promoting whistle-blowing;
- the consultancy firms;
- and also the Police, with their work on fraud prevention and consumer education.
This is not an exhaustive list. It is purely to illustrate that there is plenty of work around which we need to build on to help us learn more about what the criminal is up to, tell people about it and establish how we can stop it.
But that activity is fragmented, and how far does it reach? Does it give the industry a readily accessible menu of fraud remedies that firms can choose from? For differing budgets and palates, and changing as the fraud risks evolve? Trade associations have a key role here – some of them already do just this. I see a role here for the consultancy firms too – to do some more 'thought leadership' about how firms can manage their fraud risks better. And the remedies do not all have to be elaborate, they just have to fit the appetite, the risk appetite that is, of the firm. A smaller firm may have fewer risks to address, that might be reduced by things like minimising its handling of cash, having a simple whistle-blowing arrangement, and ensuring that their cheque book needs two signatories. A larger firm might need a larger suite of safeguards – not just the basics but also some specialist software, a dedicated fraud team, a strong internal audit interest in fraud defences etc - the Full Monty.
(c) The FSA's role in the fight against actual fraud
For the most part, our focus is not on actual fraud – it is on the defences that industry has in place. An exception to this is the action which we take against people offering financial services without our authorisation. This practice is not a bit of petty rule-breaking. Boiler room scams, for example, can lead to people losing their life savings: there can be significant consumer detriment here. So by stopping criminals who are posing as legitimate financial businesses, we meet not only our financial crime objective, but all the three others in FSMA too: consumer protection, consumer awareness and market confidence. This 'perimeter policing' is an important part of our fight against fraud.
Another area where we engage directly with fraud is in our role as gatekeepers to the industry. Firms may not undertake 'regulated activities' without our authorisation, and individuals may not perform specified 'controlled functions' without our approval. So our authorisation and approval processes screen potential entrants into the regulated community and a large number of individuals working in that community. In this screening, we consider the fitness and propriety of firms and individuals. For example, we will have regard to whether an applicant firm, or individual, has been convicted of any criminal offence (in particular ‘offences of dishonesty, fraud, financial crime’).
When it comes to actual frauds, however, dealing with those who penetrate industry's defences is a matter primarily for law enforcement and prosecutors. If the intruder gets through the defences, it is not for us to investigate and deal with him. But we are for example a rich source of intelligence on fraud and we must share this effectively with our law enforcement colleagues. And we are ready and willing to bring our regulatory tools to bear alongside law enforcement in tackling actual frauds. We want law enforcement to regard us as a valuable partner with a 'can do' attitude – as committed as they are to tackling the criminal and with a distinctive contribution to make to the disruption of crime.
(d) Government and law enforcement policy on fraud
The strongest theme of responses to our discussion paper on fraud was that the police were under-resourced to tackle fraud. This came as little surprise: as I said earlier fraud should not be top of the police's list of crimes to tackle. But fraud is nonetheless a serious issue. Not only is it a tax on us all, it is also often the crime of choice of those needing funds to commit organised crime. For example the Dedicated Cheque and Plastic Crime Unit (DCPCU) tell us that many of the frauds they deal with are the work of organised criminals. I also find myself talking at conferences to police officers about low value, high volume frauds. To officers involved in terrorist finance work, that is. For fraud is the easy option for the terrorist in need of money to live on as they plan their atrocities (we saw two people convicted in the UK last year for credit card fraud to raise funds for terrorism for example); and it only takes a few thousand pounds to plan and commit a terrorist attack. Fraud is very much part of the lifestyle of the terrorist and organised criminal, because it is the cost-efficient and low risk way of making the money they need to commit other crimes. So spot the fraud and you spot the criminal who's up to something much more worrying; prevent the fraud and you might just choke off the other crimes.
There has been some very good news on fraud from the Government over the last couple of years. We've got the Serious Organised Crime Agency coming along, with a remit including crime against business. We heard last week that the Government is intending to progress reforming the law on fraud. This is a very welcome development, which will make prosecution a greater occupational hazard for the fraudster and will make it much easier for the Government to set targets for law enforcement's response to fraud. The Government has put extra money into the Serious Fraud Office. And there is all the excellent work that the Home Office is leading over identity fraud. So plenty of green shoots there.
We've also seen a growing appetite to enhance police resources through imaginative approaches to public/private partnership. The DCPCU, the Metropolitan Police's Vehicle Crime Unit, and the expanded City of London Fraud Squad, to name but three.
Naturally the Government has to relate its priority on fraud to the harm involved. So the Home Office's current work on measuring the harm of organised crime, and on measuring the cost of identity fraud, is extremely welcome. We hope this will produce hard evidence to justify fraud against the financial sector being given a higher priority, especially where it involves organised crime. A priority to be reflected in the annual National Policing Plan, for example. And in the decisions that Chief Constables make about where they put their resources - I know that the industry's experience is that the number of staff working on fraud is simply too low, and that all too often it is the fraud squad officers that are reassigned to work on the big one-off cases. We also would welcome fraud featuring in the schedule of work of the Inspectorate of Constabulary (where some thematic work on fraud might well be helpful).
We would also like to see a much more strategic approach to fighting fraud. I see a parallel here with how society approaches the need to make our roads safe. Motor accidents cause enormous suffering and cost. How does society respond? Through a partnership approach. The car designers build safety features into their cars. The Government sets speed limits and police objectives over traffic offences. The police tackle those who break the law. Each organisation contributes in a different way, to deliver what is best for society. Just what we need over fraud. High volume, low value frauds committed by individuals working alone are never, realistically, going to be a big priority for society; and therefore for the Government and police. So to tackle such frauds we need to look mainly to the private sector. For firms to have good fraud prevention measures; and for the industry as a whole to give strong support to law enforcement action, whether this be through sponsorship funding or through doing lots of work on cases before handing them over. In contrast, when it comes to the frauds with an organised crime element, or frauds where the criminal is active in more than one place (Levels 2 and 3 crime, in police terminology), it is a very different matter. The industry still needs to do what it can, but it is law enforcement who need to bear most of the weight. The industry alone cannot realistically be expected to have much success in preventing and disrupting organised crime involving fraud.
What we need is for the Government to lead on the production, with the industry and law enforcement, of a thorough assessment of what really needs to be done on fraud, and then to act on those findings. Pulling together such a strategy need not be costly. It would offer the prospect of the more holistic approach to tackling fraud generally, including in the financial sector, that is so badly needed.
What would be the elements of such an approach? Let me highlight four key elements:
- better information-sharing powers and infrastructure, so that the information that the public and private sector have on fraud can be pooled and put to good use;
- a concerted effort to gather data on the harms associated with fraud;
- more working together of the public and private sectors, to a common aim;
- a stronger criminal justice system response, so that risk to the fraudster of conviction and being sanctioned is considerably greater than it is now.
Closing remarks
So then, what are the key elements of our new strategy for Fighting Fraud in Partnership? What does each of us need to do differently?
- Firms
At the forefront of the fight against fraud. We call on their senior management to ensure that their systems and controls are effective and proportionate to the risks.
- Trade Associations
With an important leadership role over fraud. Whom we encourage to work together and with us to improve our understanding of the risks and how to manage them.
- FSA
Who will pay more attention to how firms address their fraud risks as we go about our day-to-day business of regulation.
- Government
Whom we call on to give a higher priority to fraud, particularly fraud with an organised crime dimension, and to work with all the relevant stakeholders on a comprehensive fraud strategy.
- Consultancy firms and others providing fraud prevention services
Who can help build up a better understanding of fraud risks and how to manage them.
- Consumers
Who need to take responsibility for protecting themselves against fraud, and need to act honestly.
(And to help consumers protect themselves, we need to build on all the communications work that is currently around in Government and the industry.)
To conclude, we must make the financial services sector a more hostile environment for the fraudster. As we launch today Fighting Fraud in Partnership, we call on all those involved in fighting fraud to help deliver on the aim of our new policy: to improve the defences against fraud in the financial services sector; to make life harder on the criminal.
