Fighting fraud in Partnership
Speech to be delivered by Edna Young, Financial Crime Sector Manager, FSA at the BBA 4th Annual Fraud Conference 27 June 2005
Introduction
I am delighted to have this opportunity to speak to you this morning.
Earlier this year I took on the role of the FSA's Financial Crime Sector Manager, a role which involves supporting the work of Philip Robinson, the Financial Crime Sector Leader, and co-ordinating the FSA's approach to delivering our financial crime objective, both internally and externally. I soon discovered the size of the task. While, as Philip said in his speech on money laundering last week, there have been some significant and very welcome changes over the past year, there is still plenty to keep us all busy. And I think we all know that the criminals are equally busy devising ways round whatever barriers we put in their way. So the partnership which is my theme this morning is an essential part of winning the battle with them.
Structure
This morning I am going to set out a high level view of where the FSA fits into the financial crime landscape, before discussing our new approach to fighting fraud which Philip Robinson announced last autumn. I will look at how this approach affects the different stakeholders in the financial services sector, and how we aim to bring those parties together – to develop a partnership approach.
FSA's role
Reducing financial crime is one of the FSA's four statutory objectives, alongside maintaining market confidence, promoting consumer awareness and protecting consumers.
The Financial Services and Markets Act gives us responsibility for "reducing the extent to which it is possible for a business carried on by a regulated person… to be used for a purpose connected with financial crime."
In fulfilling this responsibility, we are required to look at firms' awareness of how their business can be used in connection with financial crime, and to ensure that they take appropriate measures to prevent it, facilitate its detection and monitor its incidence.
The Act defines financial crime as including fraud and dishonesty, as well as misconduct in a financial market and handling the proceeds of crime.
There is, therefore, a very strong statutory framework within which we work and one which puts specific obligations on firms as well as us.
So the financial crime objective is extremely wide-ranging. But, as in other areas, the Act leaves it to the FSA to determine exactly how to approach the task. And alongside the statutory objective we also have the Principles of Good Regulation to guide those decisions, including the need for proportionality, and for economy and efficiency.
I think it is fair to say that the focus of the FSA's financial crime objective has, in the past, been mainly on money laundering and market abuse. This should not be surprising. Money laundering is, after all, where the market incentives for firms to comply are weakest. Successfully combating fraud, on the other hand, should result in bottom-line savings for firms. So it might be assumed that there was no need for any regulatory action on fraud – we should no more need to encourage firms to reduce fraud than to increase profits.
Where the financial sector is now
But life isn't quite like that. On the contrary, it is clear from the available data (and I recognise that these are nothing like as good as we would like) that the market doesn't provide the complete solution. A study in 2000 commissioned by the Home Office estimated the cost of fraud against the private sector in the UK as a whole at around £1.3 billion, equivalent to £25 for every adult and child. And the total economic cost of all fraud, against both public and private sectors, was estimated to be up to £14 billion - £230 for everyone on the UK. Even then, the authors cautioned that the figures were likely to be an under estimate.
Of course not all the fraud, even against the private sector, hits the financial sector. But more recent data paint a less than rosy picture:
APACS figures show that plastic card fraud losses were over £1/2 billion in 2004, a rise of 20% on 2003. If Chip & Pin had not been introduced, the estimate is that the figure would have been nearer £800 million by 2005. But while Chip & Pin is a welcome development, not least as evidence of the market working to remedy a problem, we must all be on our guard to the potential displacement of criminal activity to other areas, including "card not present" fraud and cheque fraud. That is certainly the pattern that has been seen in other countries that introduced Chip & Pin systems earlier.
The figures for non-plastic fraud published by the British Bankers' Association suggest an increase of 11% in the value of fraud committed in 2004, compared to 2003 – with losses totalling nearly £108 million.
Insurance fraud is also on the increase. The Association of British Insurers (ABI) has estimated that the total amount of fraud suffered by insurers on general personal lines is over £1 billion per year, and that around 10% of the total value of personal motor insurance and 15% of the total value of household claims are fraudulent. The costs of these fraudulent claims will inevitably be reflected in higher insurance premiums paid by all policyholders.
In relation to identity fraud, figures from CIFAS suggest a 20% increase in cases reported to them. Recent reports suggest significant increases in corporate identity theft as well as in the misuse of Directors' details. There is also increasing evidence of an organised element to certain types of identity theft.
The number of active phishing sites has reportedly been rising at an average monthly rate of 15% since July 2004. The methods used by identity fraudsters evolve and become more sophisticated over time.
And all this just covers fraud committed by outsiders, customers and others. There is also growing concern about fraud committed by insiders, some of whom may have been infiltrated, or existing staff coerced, by organised crime.
The FSA's fraud policy
These figures suggest that the FSA has value to add in the fight against fraud. This was backed up by the responses we received to Discussion Paper 26, published in December 2003.
Against this background, the FSA's fraud policy was launched in October of last year, in a speech by Philip Robinson at our first Fraud and Money Laundering conference. I say first, as I hope we will be holding another conference on these issues later in the year.
We acknowledged then, and we continue to acknowledge, that the FSA is only part of the jigsaw in the fight against fraud, which is why our new policy concentrates on what we call a partnership approach. I will spend some time outlining who those partners are, and what we feel we and they can contribute.
Before I move on to this, let me first emphasise that our fraud policy will see an increase in our activity in this area, but not a corresponding decrease in either our activity or our interest in the other areas of financial crime, anti-money laundering and market abuse: when we spend more time raising awareness of and seeking ways of improving data on fraud that doesn't mean we're less interested in AML. So I find it a bit depressing to hear that that is how some senior management are interpreting our increased interest in fraud. It simply isn't so.
The FSA
We see the FSA itself as an integral part of the partnership approach to the prevention of fraud, and we will make our contribution in 3 main areas, which I will deal with in turn:
Supervision
We will be looking more closely at fraud as part of our supervision of individual firms, taking a risk-based approach. What does this mean? Essentially that we will be looking for effective and proportionate fraud management systems and controls in relation to the risks that firms face. This is against the background of our requirement in the FSA Handbook that firms take reasonable care to establish and maintain effective systems and controls for countering the risk that they might be used to further financial crime. Those risks, like all the other risks firms have to manage, will vary depending on the nature and size of their business. As in other areas, we won't take a "zero failure" approach. If we had discovered how to prevent all fraud without closing down all business activity, I'm sure law enforcement would love to hear about it.
At a high level we will be seeking to assess whether a firm has a strong anti fraud culture, with a clear and consistent lead being given from the top; whether there is a clear allocation of responsibility for the day to day management of fraud risk; what staff training arrangements there are; what information on fraud is captured and what information is regularly presented to senior management and to the board. I don't think it would be a sign of good anti-fraud governance if the only information senior management ever received or sought on fraud were after the event reporting.
We will also be interested to follow up on specific frauds that are reported to us – in particular if these suggest that there may be underlying fraud management issues. Where new types of fraud are affecting a sector or the whole industry we will do our best to ensure that industry gets to hear about these risks.
In most cases where we think there are issues or actions that need to be taken, we will address these via normal supervisory action such as risk mitigation programmes.
And we are investing in a programme to heighten supervisors' understanding of fraud (and other financial crime issues) and how to take to a risk-based supervisory approach in this area.
Enforcement
The use of our enforcement tools is always an option, but as always this is likely to be very much the exception rather than the rule. However, we would consider using them if, for example, there were significant systems and controls weaknesses, evidence of failure to address weaknesses that had been identified previously, or if there had been significant consumer detriment.
We will, of course continue to "police the perimeter", and to take action against those who conduct regulated activities without authorisation.
Thematic work
Last November we published a report entitled "Countering Financial Crime Risks in Information Security". The report noted that while some major firms had built their defences after being targeted by hackers and fraudsters, small and medium-sized firms were less well prepared.
The report also highlighted the need for senior management to take on responsibility for information security. It emphasised the need for firms to review and update their defences continuously to keep on top of the increasingly sophisticated methods used by criminals.
The report found that traditional threats to information security still existed in some firms because they had not invested adequately in their security frameworks. These were not all "technical" issues: some did not properly control employee access rights or user administration in their networks. Legacy systems with poor security design were also identified as a common threat.
However, others had responded to the emergence of new information security threats, such as phishing. These new threats have served to remind firms of the need to secure their assets (and their customers') from both internal and external threats. The report identified security awareness campaigns as an effective defence strategy being used by firms.
We are carrying out a range of other thematic work on fraud issues over the coming months. Much of this will be discovery work, to inform us better of the extent and risks in the sector we regulate, looking at areas such as anti fraud governance (how senior management take responsibility for managing fraud risk), as well as revisiting areas like insurance claimant fraud to follow up and expand on previous work. The results of this work should put us in a better position to assess the overall risk to the industry from fraud, and to decide what our role on fraud should be in the future.
One issue we will want to consider, and on which we will be seeking views in a Consultation Paper on "Handbook Review" we are to publish shortly, is whether we should extend to fraud risk some generic guidance provisions we will be proposing on money laundering risk, for instance on regular reporting to senior management on the adequacy of systems and controls.
Consumers
An integral part of the partnership approach to combating fraud is the potential role played by consumers.
There is plenty of information on our website, and others', about cons and scams, warnings to consumers about not dealing with unauthorised firms, and on how to check if a firm is authorised or not. We are looking at how we can work more effectively with others who get early warning of new scams to get this information out quickly to both firms and consumers. The FSA also participates in and supports the work of the Home Office-led ID Fraud Consumer Awareness Group, which has launched a website dealing with ID Fraud issues.
Important work is being done by trade bodies, credit reference agencies and individual firms to try to educate consumers about some of the risks they face, including the need to take care of their personal details, and to update the security measures on their own computers. This is very welcome, and seems to be effective. Anecdotal evidence does suggest that these messages are now getting through. So it will be important to keep them up to date, so that consumers are aware of the current methods criminals are using to try to defraud them.
Alongside education, there is also the direct responsibility on consumers to be honest. Research conducted by the ABI suggests that a significant percentage of the population would not rule out making a dishonest insurance claim.
Consumers need to provide full and correct information when applying for financial products, and we, collectively, need to get across the message that fraud is not a victimless crime, that inflating an insurance claim is just as unacceptable as any other dishonest behaviour, and that the cost of fraud is borne by us all, whether as customers paying higher prices, investors receiving lower returns, or employees whose jobs may be put at risk if our employers lose money through fraud.
The overall message to consumers is a very simple one – don't commit fraud, and do what you can to avoid being the victim of fraud.
Firms
I have already mentioned some of the "indicators" our supervisors will be looking out for in the coming months when they visit firms.
We are looking to senior management to adopt a risk-based approach, identifying the risks associated with the sector or the parts of the world in which they operate, and those specific to their firm. They must then ensure that they have systems and controls in place to mitigate these identified risks. We will also be looking at firms' appetite for fraud prevention – what steps they are taking and how they selected them.
The starting point for any firm is probably to assess and analyse its particular vulnerabilities to fraud and then to establish proactive prevention and detection strategies. A "one size fits all approach" is not appropriate – we will be looking for risk-based thinking and the appropriate risk-based action.
We have seen greater publicity in recent months given to the risk of staff fraud, and to the efforts of organised crime to infiltrate staff into firms. Firms need to be aware of the risks in this area and ensure not only that all staff are properly vetted before they start work, but that they have ways of identifying previously reliable staff members who start to defraud the firm or its customers, whether for their own reasons (I am sure everyone has read about the Joyti De-Laurey case) or because they have been co-opted or coerced into fraudulent activity. Staff also need to be trained to recognise the risks of fraud around them.
Sharing information - Trade Associations
I think we all recognise we can maximise the return on our own efforts in this area only by working with others. That is why Philip Robinson described this as a partnership approach, and why we encourage firms, trade associations, law enforcement and fraud specialists to get an improved understanding of fraud risks and what works well in addressing them. As I said earlier, we all also need to be more effective in alerting firms (and consumers) to issues to look out for: what the fraudsters are up to; what new scams they are designing; how they're getting round new security features on websites, and so on.
Trade associations can play a key role in collating this information and providing advice to their members on how to manage their fraud risks more effectively. We see them as providing the lead in developing and disseminating best practice. And we have been really encouraged by what we have seen in recent months.
Some trade associations are already very active in this area. For example, the welcome publication of the BBA's "Fraud Manager's Reference Guide". I suspect (and hope) it's not only fraud managers in banks who will find this useful. In addition, APACS, CIFAS and the BBA, in conjunction with the Home Office Identity Fraud Steering Committee, have worked to launch a valuable new online training package to help businesses tackle identity fraud.
Firms have historically been reluctant, fearing reputational risk, to reveal the fact that they have been the victims of fraud. They have been just as reluctant to share details of frauds committed against them, perhaps fearing the loss of competitive advantage if they did so. However, information sharing is a powerful tool against fraud, and it is good to see a number of data sharing initiatives within the industry. National Hunter, CIFAS and the credit reference agencies already do much to help combat the fraudster. And progress is being made across the general insurance industry to collaborate to fight serious fraud through an advanced data sharing development. We would encourage all insurance firms to participate in this.
We want to foster an environment where the sharing of information is encouraged, and learning lessons from others' experience is used to good effect against the would-be fraudster, not exploited for competitive advantage.
Sharing information - The Public Sector
It's not only the private sector that needs to get better at sharing. I think we in the public sector (by which I mean organisations with public functions) are much better at this than we used to be. To take one example, the Financial Fraud Information Network for which we provide the secretariat (a secretariat I have to confess I have been running for the last few years) was set up as early as 1992 to bring together regulators and law enforcement agencies to share information on cases of mutual interest. But there is more we could do, particularly if some of the legal barriers to sharing information could be eliminated. I am especially encouraged by the ability the Serious Organised Crime Agency will have to share information with a very wide range of organisations in a very wide range of circumstances. That could reap really valuable rewards. And I hope it may also be a harbinger of further moves to make data sharing easier.
Government-led strategy on fraud
The Government is inevitably the key driver in the fight against fraud. We acknowledge the steps they have already taken, and would like to encourage more. In particular, we acknowledge the work already underway in relation to ID fraud, under the stewardship of the Home Office.
I have already mentioned SOCA's ability to share information with a wide range of organisations. It is also very welcome that SOCA's remit will include crime against business. We are already developing a relationship with the SOCA team, and will be looking work very closely with them. Indeed, we have just agreed to undertake a joint project focusing on criminal money flows.
We also welcome the new Fraud Bill, which should simplify the criminal law as it relates to fraud, and make prosecution more likely and more risky to those who commit fraud.
There has also been evidence of an increased appetite to enhance public/private partnerships. Examples of this include the Dedicated Cheque and Plastic Crime Unit, the Metropolitan Police's Vehicle Crime Unit, and the expanded City of London Fraud Squad.
We see these developments as the start of moving fraud up the Government's agenda. So they are all welcome. But we would repeat our call for Government to continue the momentum it has already created, to give fraud a higher priority, and to work with all the stakeholders to develop a comprehensive fraud strategy.
Recent encouraging signs
I said at the beginning of this speech that I had been struck by the size of the task we face. But, let me say again, I have also been struck by the progress we have seen. In particular I would like to acknowledge and encourage the signs we see of collaborative working.
We are seeing Trade Associations working together on fraud strategy, for example the establishment of the APACS Council Fraud Control Steering Group.
The publication of the BBA's Fraud Manager's Reference Guide is an important step in the development of industry-wide best practice. And we know of other trade associations developing similar publications for their own sectors. For example, the Building Societies Association has recently issued a new Fraud Prevention Manual, which gives valuable guidance to its members.
The sharing of information on fraud and the collection of data is being taken forward in work led by CIFAS. In addition, National Hunter and the credit reference agencies are busy in this area. Trade associations are leading work on specific fraud topics, including cheque and credit card fraud and staff fraud. And I mentioned earlier the valuable work being done in the general insurance sector.
The public sector continues to be active – the City of London Police has received additional funding to enable it to expand its economic crime department to support its work with the SFO and to take the lead in investigating complex fraud cases in London and the South East.
There are encouraging signs of the partnership approach with the police – for example, the Dedicated Cheque and Plastic Crime Unit is now fully funded by the UK banking industry. In addition, the Metropolitan Police Vehicle Fraud Unit is funded by the members of the Finance and Leasing Association.
I mentioned the growing problem of corporate identity fraud - Companies House and The Metropolitan Police recently launched a new initiative, under the auspices of Operation Sterling, to alert businesses to the risks and advise them on how to minimise the chances of their company's identity being hijacked.
Conclusions
In summary, all the signs are that fraud is on the increase in the financial sector, and that we all have more work to do to frustrate the activity of criminals, who are becoming more innovative. In short, we all need to run faster to catch up, let alone get ahead.
We have consulted with the industry about where we can add value in the fight against fraud, and launched our new policy in October 2004. But remember: our fraud work is in addition to, not instead of, our work on AML and market abuse.
We will focus our attention on senior management responsibility for managing fraud risk and the importance of a lead from the top. We will expect firms to have in place systems and controls proportionate to the risks they take.
We are, however, but one stakeholder in this anti-fraud campaign and we will encourage others to play their role – we want to encourage a partnership approach.
We will encourage the Government to take the lead, including the development of a national fraud strategy.
We will ask trade associations to build on the work they are already doing – to disseminate best practice and to encourage the sharing of information – to provide leadership to their members.
Consumers also have a part to play, as both potential victims and potential fraudsters.
Perhaps I could close by issuing a challenge. A challenge to establish new and even more productive ways of working together and sharing information, which we can discuss and, I hope, celebrate later this year.