Fraud Management in the Financial Services Sector
Speech by Edna Young, Head of Financial Crime Operations, FSA
Fraud Advisory Panel Discussion Forum
20 February 2007
As we all know only too well, fraud in the financial services sector is no new phenomenon. From the FSA's perspective, looking back at Philip Robinson's announcement of the FSA's fraud policy in October 2004, it is clear that a lot has happened since then, and that this year is a key point in the fight against fraud. The recommendations of the fraud review present us with a once in a generation opportunity to tackle fraud. A new framework with stronger and deeper partnerships, new institutions and a national strategy will enable all of us to take the fight to those who commit fraud. The recommendations are, as the Fraud Advisory Panel itself commented, a landmark.
And this is vital because, as everyone here appreciates, although fraud is notoriously difficult to measure, we can be sure of the harm and damage it causes, ranging from harm to the consumer who has lost his life savings, to the financial institution which has lost hundreds of thousands or millions of pounds. There is also evidence of financial fraud feeding terrorist activity both in the United Kingdom and internationally. So you don’t need me to tell you that fraud poses real dangers to the very fabric of our society.
We at the FSA aim to play our role in taking the fight to fraudsters. Using our regulatory tools to tackle fraud forms part of our overall statutory objective on financial crime. We see ourselves in this area as complementing actions taken by firms themselves, given their clear commercial interest in reducing the extent to which they are affected by fraud.
Let me now highlight the tools we have in place in the fight against fraud, before I discuss our fraud policy as well as some initiatives we are working on to address fraud.
Our tools in tackling fraud
FSA organisation and training
This year we have put in place a new structure to deliver our financial crime objective more effectively. Our financial crime expertise was spread throughout the FSA. In order to increase effectiveness, we now have have a new Financial Crime and Intelligence Division which brings together all our financial crime and intelligence expertise. Part of this new division is a new operations team that I am setting up. The aim of the team is to provide the FSA with the capacity to undertake more thematic and case work on financial crime issues, including those where firms or law enforcement agencies may alert us to an urgent problem. This is all part of raising the FSA's - and the UK's – game in the fight against financial crime.
Within the FSA we have also rolled out a new training programme over the last year or so to enhance the ability of all our staff to identify and address financial crime risks in firms. There is foundation level computer-based training to give all staff a basic understanding of financial crime. And we have also invested in a series of full day workshops to deepen supervisors' understanding of fraud (and other financial crime issues) and how to take to a risk-based supervisory approach in this area.
Supervision
The FSA regulates over 28,000 firms. One of the FSA’s requirements for all the firms we regulate is that they should have effective systems and controls for preventing financial crime. These systems and controls need to be proportionate to the risks that the firm faces. And we want firms to understand that their financial crime risks are business risks, and need to be managed like their other business risks, all of which vary depending on the nature and size of their business. So the systems and controls for a high street bank will be very different from those appropriate for a small mortgage broker, for example.
The FSA is moving increasingly to a principles-based approach to regulation. So we are not prescriptive and we recognise that a one-size fits all approach doesn’t work and would be overly burdensome for most firms. So what we seek to assess is whether a firm has a strong anti fraud culture, with a clear and consistent lead being given from senior management and a clear allocation of responsibility for the day to day management of fraud risk. We look at the staff training arrangements, and at how information on fraud is captured and presented to senior management and to the board.
A firm’s senior management must be actively involved in its anti-fraud governance for it to be effective. They need to be involved from the outset and not just when things go wrong. They need to provide the ethical lead and the direction for their firm in tackling fraud.
We also look into individual frauds that are reported to us to see whether they reveal weaknesses in systems and controls that need to be addressed. Where we identify a type of fraud affecting a sector or the whole industry we disseminate information to the industry about these risks, as we did last year when we became aware of fraudulent activity in the commercial property sector. We also set up a project to establish a consistent approach to dealing with mortgage fraud by mortgage intermediaries. We worked together some of the major lenders and with the Council of Mortgage Lenders to agree criteria for reporting mortgage fraud. The outcome of this work was published in April 2006. By October 2006, we had received 107 referrals, and two firms had their permission to conduct regulated activities cancelled.
Enforcement
The use of our enforcement tools is always an option, although, as I'm sure you know, the FSA is not an enforcement-led regulator. We will firstly look to work with the firm to iron out problems. However, we will consider formal disciplinary action where there has been a significant breakdown in systems and controls, or evidence of failure to address weaknesses that had been previously identified. What we bear in mind in deciding on whether we impose sanctions on a firm is the extent to the threat to one or more of our statutory objectives, for example. Let me give you two examples of failures in systems and controls that were sufficiently serious to lead us to fine the firms concerned.
Capita
Last March the FSA fined Capita Financial Administrators Limited (CFA), a third party administrator of collective investment schemes, £300,000 for poor anti-fraud controls over client identities and accounts.
The FSA was particularly concerned that:
- First, the initial instances of fraud were discovered by clients rather than by CFA. Had these clients not alerted the firm, there remained a risk that it would not have identified the frauds or taken action to assess and revise its controls, which it has now done;
- Secondly, the cumulative impact of the individual failings represented a significant risk to the FSA objective of reducing the risk of financial crime.
While the firm allocated significant resources to investigating the discovery of the attempted frauds in August 2004, at that time they failed to assess wider fraud risk. I am glad to say that CFA has now carried out a comprehensive review of its anti-fraud systems and put in place an improved control framework and new management team to support this. And we are pleased that CFA has implemented a number of controls that are consistent with best practice in the industry.
Nationwide Building Society
As you will no doubt have seen in the press, last week the FSA fined the Nationwide nearly £1mn for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year. During our investigation, we found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime.
We also learned from Nationwide that they were unaware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
Nationwide's failings occurred at a time of heightened awareness of information security issues as a result of government initiatives, increasing media coverage and an FSA campaign about the importance of information security.
We took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security. Nationwide has co-operated fully in the course of the investigation and has undertaken a number of actions to address this failure, including: taking a range of additional measures to increase security around accounts; informing customers of the loss of information; affirming its existing policy to reimburse any customer that has suffered financial loss as a result of this incident; and commissioning a comprehensive review of its information security procedures and controls.
Thematic work
Another tool available to us is the thematic work we carry out. Thematic work looks at a particular issue or set of issues across a sample of firms. It helps us identify the scale and nature of risks which emerge from our supervisory work or from collaboration with external partners such as law enforcement. Our thematic work enables us to make information on best practice avaiable to both the industry and our supervisors. We can also use the work to help us decide whether any regulatory intervention is appropriate.
Fraud Governance report
We have already carried out thematic work in relation to fraud. For example, during the second half of 2005 we carried out a review of high level management.of fraud risk within a sample of 16 firms (mainly larger financial groups) during the second half of 2005. As part of our review, we also met leading consulting firms, industry bodies (including APACS and the ABI), the police and Ros Wright as chair of the FAP. We set out our findings in a report published last February. Our central conclusions were that:
- First, larger financial firms, driven by mounting losses, have taken steps to strengthen their fraud management capabilities.
- Secondly, chief executives and other senior figures recognised that they needed to manage the increasing threat of fraud in a more effective and integrated way. Firms needed to take steps to protect themselves and their customers from fraud. Smaller firms in particular needed to analyse their vulnerability to attack and consider the threats to their business in a structured way as the impact of a fraud attack on such a firm is often greater.
- Thirdly, firms saw insider fraud as a threat of particular importance.
We noted several areas where firms needed to work harder. The report found that firms that underinvested in anti-fraud measures tended to suffer relatively high levels of losses. As Philip Robinson commented at the time, a robust fraud strategy is one that is sponsored at the highest level within a firm and embedded within the culture. Fraud threats are dynamic and fraudsters constantly devise new techniques to exploit the easiest target. Firms need to continue to invest in more effective systems and controls and manage their responses to fraud in order to avoid being targeted as the weakest link.
Looking ahead, we have identified one especially high risk area to consumers from rising information security and hi-tech crime risks. We will be taking forward a co ordinated work programme in this area over the next year, to examine the risks in more depth and consider how they can best be mitigated.
This work, some of which is already underway, will involve both close collaboration with other regulators, as personal financial data is increasingly held outside the financial sector (e.g. by phone or utility companies), and a review of offshoring, as such data is often held outside the UK (e.g. in offshore administration or call centres). And it underscores the close connection between our financial crime and consumer objectives.
We have already undertaken to look again at the financial crime and information security risks associated with the offshoring of significant functions in financial services firms.
The other workstreams we are considering are:
- The security of consumers’ banking data held outside the financial services industry, where we will work with the Information Commissioner's Office and others to discuss measures to improve the security of banking information in sectors outside our own scope;
- Data loss through employees, where we will study the potential for breaches of information security through deliberate or accidental employee action (such as the careless disposal of sensitive consumer data; or the removal of sensitive consumer data from the workplace), and the systems and controls firms have in place to mitigate such risk;
- Identity theft risk arising from financial marketing practices, where we will look at issues such as the appropriateness of marketing literature which contains non-essential, and sometimes sensitive, consumer data, such as unsolicited credit card cheques and partially completed credit application forms, and also the inclusion of sensitive personal information in other types of communications from firms such as pension statements.
Working in Partnership
We have long recognised that the most effective way to tackle fraud is by working in partnership with other organisations and bodies including government, law enforcement, the financial services industry, consumers and of course the Fraud Advisory Panel. Better sharing of data and intelligence between partners is essential in tackling fraud. We want to foster an environment where information sharing is not only encouraged, but actively seen by all as a means both to reduce crime and to increase profitability.
Working in partnership also means that we should not only get better at exchanging information between expert agencies, but will also help us to provide information to consumers that will better equip them to play their part in the fight against fraud.
Consumer awareness and education
There is plenty of information on our website, and others', about cons and scams, warnings to consumers about not dealing with unauthorised firms, and on how to check if a firm is authorised or not. We are looking at how we can work more effectively with others who get early warning of new scams to get this information out more quickly to both firms and consumers. The FSA also participates in and supports the work of the Home Office-led ID Fraud Consumer Awareness Group, which has a website dealing with ID Fraud issues, and developed a widely distributed leaflet.
Alongside awareness, education should play a key role in emphasising that making bogus or inflated claims is as unacceptable as any other sort of fraud. Research conducted by the ABI has found that false claims cost the insurance industry over £1.5 billion a year. This adds around 5% to the premiums paid by honest customers.
Moreover, the ABI response to the Fraud Review published last April states that one of the most worrying aspects of insurance fraud is the extent to which it is socially acceptable. An earlier survey revealed that, while 2% of respondents admitted having made a false claim and 6% admitted having exaggerated a claim, a much larger number (37%) of respondents admitted they would not rule out inventing a claim, and fully 47% would not rule out exaggerating a claim. These numbers may indicate that the actual incidence of fraud is higher than admitted by respondents.
We need to get across the joint message that fraud is not a victimless crime, that inflating an insurance claim is just as unacceptable as any other dishonest behaviour, and that the cost of fraud is borne by us all, whether as customers paying higher prices, investors receiving lower returns, or employees whose jobs may be put at risk if our employers lose money through fraud.
I have already mentioned our supervisory approach when dealing with firms and what we expect from them. I believe the starting point for any firm is probably to assess and analyse its particular vulnerabilities to fraud and then to establish proactive prevention and detection strategies. A "one size fits all approach" is not appropriate – we will be looking for risk-based thinking and the appropriate risk-based action.
I now turn to the crucial role played by some of our partners in the fight against fraud.
Trade Associations
At the FSA, we have regular meetings with trade associations to discuss financial crimes issues, including fraud trends. Trade associations can play a key role in collating information from their members and providing advice to them on how to manage their fraud risks more effectively. We see them as providing the lead in developing and disseminating best practice. And we have been really encouraged by industry initiatives to collaborate to fight serious fraud through advanced data sharing development. That is why we strongly supported the insurance industry's initiative to set up the Insurance Fraud Bureau last July.
The Public Sector
We at FSA already work very closely with partners in law enforcement and other investigative agencies in the public sector. I believe there is more we and the industry could do with public sector partners, particularly if some of the legal barriers to sharing information could be eliminated. I am especially encouraged by the new powers the Serious Organised Crime Agency has to share information with a very wide range of organisations in a very wide range of circumstances. That could reap really valuable rewards. And I hope it may also be a harbinger of further moves to make data sharing easier.
Government strategy on fraud
We welcome the new Fraud Act, as it will simplify the law and seek to reduce the length and complexity of trials. More specifically, we are pleased that the Fraud Act includes new measures for modernising the law to equip investigators and prosecutors with the necessary tools to keep pace with the changing world of fraud, including new threats such as phishing and internet fraud. We believe the Act will help improve prosecutions by providing clear definitions of fraud and should reduce the risk of cases being lost through technical points.
We also welcome the Fraud Review and its recommendations, and we are keen to ensure that the impetus behind it is not lost. I cannot stress enough how supportive we are of the development of a National Fraud Strategy; this is something Philip Robinson called for in October 2004, when the FSA's fraud policy was launched. And we also welcome the recommendation to implement a National Fraud Reporting Centre. So we again call on the Government to provide a strong lead on fraud going forward, just as it has done on money laundering. We look forward to hearing soon how the Government plans to respond to the Review.
Thank you for your attention.