from the Chair
Chair, Financial Fraud Action UK
Last year was the first full 12 months of FFA UK as a standalone body and we have certainly hit the ground running. The threat from fraud is ever-changing, but so too is the way industry adapts its response.
In recent times we have seen criminals increasingly attempt to target consumers and business directly through deception and impersonation scams. By tricking customers into giving away their personal and financial details, or moving money to ‘safe’ accounts, fraudsters have tried to circumvent the advanced security systems used by financial institutions.
This change in criminals’ methods means that empowering customers with the knowledge they need to protect themselves is central to the fight against fraud. Last year we launched Take Five to Stop Fraud, FFA UK’s largest ever behaviour change campaign. Its core message asks everyone to pause and think before they respond to any financial requests or share any personal or financial details – to take five.
Since its launch in September, Take Five has featured widely in the national media, inside member branches, at ATMs, on social media and has been supported by many partners. Changing behaviour does not happen overnight, but so far 65% of those who have seen the campaign say they would behave differently the next time they face a potentially risky scenario.
FFA UK has been advancing the way which industry responds to fraud. The Banking Protocol, a collaboration between banks and local police services managed by FFA UK, is one such innovation.
The protocol stops frauds in which victims are tricked into going into their local branch to withdraw or transfer funds to pass on to fraudsters. It brings criminals to justice, by creating a system whereby branch staff can contact police and be guaranteed a speedy response. Piloted in London, in the first 12 weeks of the initiative the Banking Protocol prevented £1.1 million in financial crime, with 14 people arrested and one criminal convicted already.
Last February I represented FFA UK at the launch of the Joint Fraud Taskforce by the Home Secretary. The Taskforce has subsequently made substantial progress in focusing the combined efforts of banks, government and law enforcement in tackling fraud, with FFA UK leading work on behalf of the payments industry.
Following the Which? super-complaint on scams, FFA UK provided evidence to the Payment Systems Regulator clearly demonstrating the need to address the legal and other barriers that prevent banks from openly sharing information on push payments. We also agreed that FFA UK would work with our members to collect better data on authorised fraud and ensure customers who are reporting these scams receive a more consistent response in the future.
The powerful, collective voice FFA UK provides for the industry has led to our membership expanding in 2016, and I am pleased J.P Morgan, Triodos Bank and Valitor all joined the organisation last year.
Over 2016, our vision of creating the most hostile environment in the world for fraudsters has been at the core of our work. By building on last year’s achievements and through our collaborative work, FFA UK is well placed to be at the centre of the fight against fraud in the future.
Chair, Financial Fraud Action UK
Alex Grant stood down as Chair of the FFA UK Board at its meeting in March 2017, but remains a board member.
Director, Financial Fraud Action UK
Managing intelligence-sharing systems on behalf of the industry will always be a vital part of our work, and FFA UK is also leading efforts to improve how financial institutions, and others, respond to the changing fraud landscape.
With fraudsters routinely using information stolen through data breaches to commit their crimes, being able to put protections in place on affected customer accounts quickly is crucial. Together with government and law enforcement, we have developed a new protocol for organisations who have suffered a data breach. The protocol gives advice on communications and identifying the stolen data, and sets out how banks should be informed of a effectively and efficiently.
The theft of payment card data is a key driver behind remote purchase (card not present) fraud, which makes up the majority of card fraud losses. During 2017, FFA UK will be leading for our members on work under the Joint Fraud Taskforce in pursuing a strategic action plan to tackle remote purchase fraud, bringing together retailers and the international card schemes, as well as law enforcement and government.
Through the Taskforce we are also developing a scheme to give the legal framework for banks to investigate, trace and establish the ownership of stolen funds. It is an important development that would mean banks can retrieve and repatriate money to scam victims with impunity.
We are also continuing to help customers to spot scams and stay safe. The launch of Take Five last year was a major step and, working with government and other sectors, we want this campaign to grow in 2017.
We have already seen great examples of other organisations using the Take Five brand for their fraud prevention work, such as Cifas, Trading Standards and BT, with organisations like the Financial Conduct Authority now taking it forward too. With partners using Take Five as the umbrella brand for fraud awareness, customers will have confidence that the advice comes from a trusted source.
Last year the FFA UK board voted to integrate with a new trade association, UK Finance, bringing together other key trade associations including the BBA and The UK Cards Association. This will help to bring the industry work on fraud and money laundering into one place, strengthening the work we do at the heart of the finance industry. While the work to create this new organisation is underway, it will be business as usual at FFA UK where we remain focused on our core aim of creating the most hostile environment in the world for fraudsters.
Director, Financial Fraud Action UK
Fraud Action UK
We provide a forum for our members to work together on non-competitive issues relating to financial fraud. Our primary function is to facilitate collaborative activity between industry participants and with other partners committed to fighting fraud.
Our key aims are to:
We do this by:
FFA UK works in partnership with The UK Cards Association in developing and delivering fraud strategy on credit, debit and charge cards. UK Cards is the trade body of the card payments industry, representing financial institutions which act as card issues and acquirers. FFA UK works with the Cheque & Credit Clearing Company on credit clearing and cheque fraud.
FFA UK sponsored and supported Save Gelly, Get Safe Online’s social engineering campaign.
FFA UK joined the Home Secretary, and representatives from law enforcement and the banking industry, in launching the Joint Fraud Taskforce.
The value of prevented fraud was published for the first time as part of the 2015 annual fraud figures. The data showed banks stopped £7 in every £10 of attempted fraud.
FFA UK called on all candidates in the Police and Crime Commissioner elections to commit to four pledges to protect local people from fraud. The pledges included making tackling financial fraud and cybercrime a priority for their Police and Crime Plan.
FFA UK hosted its first government and banking fraud alignment day bringing together FFA UK, government and regulators (HM Treasury, Cabinet Office, Home Office and PSR) in relation to fraud prevention.
DCPCU was awarded European Law Enforcement Unit of the year 2016 by the EMEA Chapter of the International Association of Financial Crime Investigators for Project Sandpiper*.
Eleven people were arrested in a joint DCPCU and Visa Europe operation proactively targeting remote purchase fraud, which saw the banking industry and retailers share live data for the first time.
Security Minister John Hayes visited FFA UK and DCPCU to learn about how the payment industry and police work together to tackle fraud.
Start of the funds in flight proof of concept to identify networks of money mule accounts.
Launch of the Take Five campaign, the first time FFA UK and all major banks and key financial services providers across the UK came together to launch a national behaviour change campaign to combat financial fraud.
FFA UK presented on the need for collaboration in educating consumers to prevent fraud at the Labour and Conservative party conferences.
Officers from the DCPCU and Police Scotland carried out operations related to 1,985 fraudulent transactions, with losses of more than £680,000, as part of the second Retail Week of Action.
The Payment Strategy Forum published its Payments Strategy. FFA UK provided expert advice to the forum on the fraud requirements.
FFA UK agreed to take forward work on authorised fraud, following a super-complaint from Which? to the Payments Systems Regulator about how these scams are handled.
The Joint Fraud Taskforce
In February 2016, the then Home Secretary Theresa May launched the Joint Fraud Taskforce (JFT).
Collaboration is fundamental to effectively tackling fraud and this is the basis under which the JFT operates. It brings together industry, including FFA UK, along with government and law enforcement, to use their collective forces to remove vulnerabilities, promote fraud prevention and target fraudsters and so reduce the number of victims of fraud.
The initial focus of the JFT was to understand the risk, with work to identify and agree the key threats, vulnerabilities and drivers of fraud. A ‘Wanted Fraudsters’ campaign resulted in the arrests of a number of the individuals featured. The Take Five campaign was launched and the JFT helped to deliver the Banking Protocol in London (see Protecting Customers section).
In September the new Home Secretary, Amber Rudd, chaired the first Joint Fraud Taskforce Oversight Board attended by ministers, law enforcement and senior industry representatives.
It was acknowledged the JFT had had initial success and on the basis of these the time had come to consider the big strategic issues that would have greatest impact on the levels of fraud in the UK. A number of workstreams were established to support the JFT in delivering that shift:
Responding to the Payment Systems Regulator
In September the consumer group Which? made a super-complaint to the Payment Systems Regulator (PSR) on scams involving bank transfers.
FFA UK took the lead role for the payments industry, working with our members, in responding to the super-complaint. Our detailed submission highlighted the significant number of initiatives already undertaken, or underway, to combat scams in the push-payment environment.
The response emphasised the challenges and the legal barriers which currently prevent banks from recovering fraudulent funds and refunding victims of scams. It also explained the difficulties in building additional security layers into a system without increasing friction in the customer payment experience.
To address these issues, FFA UK requested the regulator work with the industry to define the criteria needed to enable standards and fair and equitable liability models to be established to underpin a funds repatriation scheme.
In its response to Which?, the PSR highlighted that FFA UK will work with members to improve the collection of statistics on authorised fraud, so as to ensure it is able to provide greater clarity on the scale of these types of fraud. We also committed to ensuring customers who report these scams receive a more consistent approach in the future.
Take Five, a national fraud awareness and behaviour change campaign spearheaded by FFA UK, launched in September 2016 with events held at London Waterloo, Manchester Piccadilly and Glasgow Central rail stations.
Take Five is the first time FFA UK and all major banks and key financial services providers across the UK have come together to launch a national behaviour change campaign to combat financial fraud. It has been financially supported with additional contributions from campaign partners Cifas and the City of London Police. The campaign aims to put consumers and businesses back in control with straightforward advice to help prevent financial fraud.
It focuses on those financial frauds directly targeting customers, such as email deception (known as phishing) and phone and text-based scams (sometimes known as vishing and smishing), and is designed to remind people that it pays to stop and think.
FFA UK members supported the campaign with in-branch activities and promotion through their communications networks. Support from key stakeholders including government, law enforcement, Cifas and others also contributed to the success of the campaign launch which saw widespread coverage across TV, radio, national print, online, and social media. Take Five spokespeople carried out 39 broadcast interviews and were quoted 150 times in print media.
Each month since launch there has been Take Five campaign activity focused on raising awareness and changing behaviours of priority audiences. Activities included a partnership with the British Chambers of Commerce aimed at 5,000 businesses with messages around invoice fraud and CEO impersonation, as well as reaching some five million employees with more general Take Five advice.
With customers shopping online in large numbers for Black Friday and Cyber Monday, the Take Five campaign also highlighted how millions of consumers put themselves at risk of financial fraud in order to secure an online bargain. The story created a platform to issue advice to consumers and generated over 140 pieces of coverage including 16 national print and national online articles.
With additional funding secured, including government support, for a second phase of Take Five, FFA UK will continue to work in partnership with members and other key stakeholders to deliver campaign activities ultimately resulting in measurable behaviour change.
Supporting other campaigns
FFA UK also works closely with a range of other organisations that regularly deliver financial fraud and scams awareness campaigns to consumers and businesses, supporting their activities through our communications channels.
In 2016 FFA UK partnered with organisations including HM Government (Cyber Aware campaign), Trading Standards (Friends Against Scams), law enforcement (Little Book of Big Cyber Scams), Citizens Advice Bureau (Scams Awareness month), Get Safe Online (Think Twice Before You Act campaign) and the Financial Conduct Authority (ScamSmart campaign) to deliver awareness messages on a range of fraud related themes.
Together, the industry also continuously works to enhance its collective response to fraud. FFA UK leads this industry-level work, with the aim of creating the most hostile environment in the world for fraudsters.
The Banking Protocol
During 2016 FFA UK worked with the Metropolitan Police Service and National Trading Standards to create and deliver the Banking Protocol. Initially piloted across all bank branches and post offices in the London and Greater London area, the Banking Protocol is a crime prevention partnership aimed at:
The success of this initiative stems from the commitment made by senior police officers to ensure a swift police response to all 999 calls received from participating banks quoting the term ‘Banking Protocol’. In the first 12 weeks of this initiative £1.1 million in financial crime was prevented, 14 arrests were made and one criminal conviction was achieved.
Frauds identified and prevented by this initiative included rogue traders, courier fraud, investment scams, romance scams, advance fee fraud and even a money mule.
Throughout 2017 FFA UK will be working with police forces to complete a national roll-out of the initiative, ensuring a consistent approach to these crimes across the whole of the UK.
Project Lead, Partnerships & Doorstep Crime
The data breach protocol
Data breaches are currently the single largest enabler of fraud, providing criminals with the financial details they need to make purchases or access customers' accounts.
Throughout 2016 we worked with government and law enforcement agencies, providing input to a new protocol to prevent data breaches or mitigate their effects. The data breach protocol highlights the importance of knowing what data is held and where it is located and how to manage external communication.
Most importantly the protocol also details how an affected organisation should inform banks in the most effective and efficient manner in order to safeguard customers' accounts.
FFA UK is working with the Joint Fraud Taskforce to unite cyber and fraud interests under this single protocol to deliver a streamlined and effective response.
Payment Accounts Directive
The Payment Accounts Directive allows non UK domiciled individuals from EU states access to banking services in the UK.
FFA UK led the industry response to the directive by engaging directly with HM Treasury and the Financial Conduct Authority. We highlighted concerns from members, and provided expert insight, on the challenges banks would face in verifying account applications from non-UK domiciled individuals and the risk this could make opening mule accounts easier.
The Industry Strategic Threat Management process has been used to assess the impact of the directive and allows industry to adopt mitigating activity if required.
Card not present action plan
Card not present (CNP) fraud, also called remote purchase fraud, happens when stolen payment card details are used to make a purchase on the internet, over the telephone or via mail order.
The details are fraudulently obtained through methods such as scam phone calls and emails, or digital attacks such as malware and data hacks. CNP fraud losses on UK issued cards have increased year on year, from £220.9m in 2011 to £432.3m in 2016.
The industry is committed to tackling CNP fraud. Through the Joint Fraud Taskforce, FFA UK and its members are working closely with government, law enforcement, merchants, international card schemes and other key stakeholders that play a key role in the CNP payment process to develop a strategic action plan to impact on rising fraud levels.
Payment Strategy Forum
The Payments Strategy Forum (PSF) was created by the Payment Systems Regulator to identify, prioritise and help deliver initiatives where it is necessary for the payments industry to work together to promote collaborative innovation. FFA UK worked closely with the PSF in the development of its ‘Payments Strategy for the 21st Century’, published in November 2016.
We reflected the needs of our members to the PSF and provided subject matter expertise to ensure the financial crime prevention solutions outlined in the strategy were in line with the types of financial crime which most impacted banks and their consumers. The strategy established a Financial Crime Working Group Workstream and FFA UK is closely involved in a number of the worksteams established to deliver the strategy
Dynamic CVV on payment cards
Every payment card has a card verification value (CVV), also referred to as a card verification code (CVC), a three or four digit security number usually printed on the reverse of the card.
In recent times cards have been developed with a small, digital display built into the reverse. On these cards the CVV is time-based, meaning the number changes after a certain period, with the new code shown on the display. Some cards also have a small keypad which can be used to generate one time passwords.
During 2016 FFA UK undertook comprehensive research, on behalf of our members, into dynamic CVV payment cards and their potential effectiveness in combating remote purchase (card not present) fraud. We also investigated the possibility of using the technology to enable mutual authentication over the telephone between a bank and its customer.
The research looked at the various different aspects of the technology including the latest variety of cards now available in the market, the cost to adopt and implement them, additional uses and an assessment of the strengths and limitations of these cards.
This research was undertaken to better inform our members of the options available to them when considering new fraud prevention solutions for their customers, and was well received.
The funds-in-flight proof of concept
A money mule is someone who knowingly or unknowingly allows their bank account to be used to transfer or move stolen or illicitly gained funds. Criminals use money mules to launder and transfer money obtained through frauds through a network of accounts in an attempt to hide their tracks.
Working with VocaLink, FFA UK initiated and ran a funds-in-flight network proof of concept, which followed the flow of funds across the payment platform to identify networks of money mule accounts.
Originally planned to involve three or four banks, member interest levels were such that eventually 12 banks participated. The results have been highly positive and have provided the industry with a platform to analyse and follow funds across networks of money mule accounts.
The findings will now assist in developing a methodology to investigate money mule networks and a scheme to repatriate funds back to victims who have been scammed into making payments themselves.
A key strand of FFA UK’s work is to act as a channel for data and intelligence sharing across the payments industry, and with a wide variety of partners.
This coordination is supported by our intelligence hub, the Financial Fraud Bureau, together with our Fraud Intelligence Sharing System (FISS) that allows FFA UK to share insights with other agencies, including the Police, National Crime Agency, National Fraud Intelligence Bureau (NFIB) and the Cabinet Office’s Counter Fraud Data Alliance.
Financial Fraud Bureau (FFB)
Established in 2010, the Financial Fraud Bureau leads the payments industry’s collective initiatives on fraud intelligence and data sharing. Its key roles are:
Official crime stats
In October 2015 the quarterly crime statistics publication produced by the Office for National Statistics (ONS) included, for the first time, the number of fraud crimes reported by financial institutions and other organisations via FFA UK to the National Fraud Intelligence Bureau (NFIB) hosted by City of London Police.
The data shared with the NFIB relates to only those crimes where there is sufficient intelligence for law enforcement to act upon, and therefore does not cover every case of fraud.
Working with telecommunication companies
Fraudsters will often use the phone to target their victim, whether with a call or by text message.
Throughout 2016, FFA UK continued its work with the telecommunications industry as part of collaborative efforts towards reducing opportunities for fraudsters to misuse legitimate phone services such as SMS, sim swap, number redirection and caller ID to defraud bank customers.
FFA UK is also closely involved with telecommunications companies so as to support and influence their education and awareness campaigns.
It is fully sponsored by the cards and banking industries, with an on-going brief to investigate, target and, where appropriate, arrest and seek successful prosecution of offenders responsible for card, cheque and payment fraud crimes.
It is headed up by a Detective Chief Inspector and comprises officers from the City of London Police and the Metropolitan Police Service, who work alongside banking industry fraud investigators and support staff. Established in 2002, the payments industry invests nearly £3.3 million per year in its operation.
In 2014, the DCPCU launched a two year project, Project Skynet, aimed at targeting new and emerging threats to the payments industry, in particular cybercrime.
Funded by the EU, the project began with an independent academic study conducted by the University of Bristol into card fraud and how the DCPCU can best investigate cyber-enabled payment fraud.
Officers from the DCPCU subsequently received specialist training in e-crime. They also worked with law enforcement agencies overseas in Hungary, Finland, Romania, Austria and Iceland, increasing collaboration and developing intelligence sharing partnerships across Europe.
As a result of the project, the DCPCU is now the leading European law enforcement agency tackling remote purchase fraud through ongoing collaboration with industry, including banks, card issuers and retailers.
The DCPCU, working closely with industry and other partners through Project Skynet, has made significant progress in understanding and tackling remote purchase fraud. In total there have been over 70 arrests as a result of project activity.
While the two-year project finished at the end of 2016, remote purchase fraud remains a key focus of the DCPCU using the skills, expertise and international partnerships that have been developed as part of the initiative.
Retail weeks of action
In June and October 2016, the DCPCU led two weeks of action aimed at identifying suspects concerned in remote purchase frauds as part of Project Skynet.
During the operations, officers from the DCPCU worked alongside those from Police Scotland, as well as with Visa, Europol, banks, card companies and a number of high profile retailers.
Information shared by the organisations involved was used to target individuals suspected of using stolen card details to purchase high value goods, with officers executing warrants at addresses across the country.
In total, the operations related to losses of more than £900,000 and led to 20 arrests. Officers also seized items including electronic goods, high value fragrances, designer clothes and homeware, as well as false ID documents and cash.
A fraudster who ran a counterfeiting factory from his home was jailed for five years and four months in September. James Koma, aged 49, of Belvedere, Kent, was jailed by a judge at the Old Bailey.
When officers from the DCPCU raided Koma’s house in May 2016, they found significant items which could be used in the counterfeiting and production of cheques and counterfeit identity documents.
Items included counterfeit and stolen cheques and blank documents for vehicle registrations and immigration certificates. Documents and pictures thought to be related were also found on a computer following analysis, while paraphernalia associated with counterfeiting was also found.
The total value of the fraud was estimated to be
with a further £450,000 of declined attempts
Much of the action FFA UK took through 2016 demonstrates our role in ensuring our members’ interests are recognised and reflected in ongoing discussion with government and regulators.
This has included the work of the Joint Fraud Taskforce, responding to the Which? super-complaint and with the Payment Strategy Forum.
We have also continued our work alongside the BBA in supporting the Joint Money Laundering Intelligence Taskforce, which is working to improve intelligence-sharing arrangements to support the fight against money laundering and other criminal activity.
In July we were pleased to be able to welcome Home Office Security Minister Rt Hon John Hayes MP to a briefing at FFA UK. Topics covered included the role of FFA UK, how our data intelligence sharing worked, a briefing on Take Five and an introduction to the DCPCU and Project Skynet.
*The value of the media coverage is based on the cost of buying the equivalent amount of advertising space in that media outlet.
as at 1 January 2017