The Home Office has released the Joint Fraud Taskforce Oversight Board Minutes from September 11. There are a number of interesting bits of information in the minutes and they provide a view as to what government is doing to reduce scams and fraud.
Among the items that were discussed is the production of lesson plans to deliver anti-fraud and identify fraud education to 11-18 year olds in schools. This is an important move. It targets an age group that seemingly have few barriers when it comes to data and technology.
The meeting also discussed reducing CNP scams and implementation of the EU PSD2 directive. Another move aimed at improving help for victims of fraud was the introduction of a 555 number.
Stronger CNP rules to improve online payments
The Minutes also show that there has been movement on improving online payments. The current Card No Present (CNP) process is open to abuse. Mark Bennett, President of MasterCard UK set out what the card issuer has been doing. Of particular interest is the implementation of the secure authentication system from the EU Payment Services Directive (PSD2). This legislation was passed in December 2016 and countries have two years to implement it.
The first set of legislation the UK focused on was very light when it came to the secure authentication system. This is because the section dealing with this, Chapter 5 Operational and Security Risks and Authentication adds in many new compliance requirements. The minutes show that there is still significant concern in the UK around implementation. Bennett said that: “..there was still a need to identify and agree adequate metrics to measure the impact of this work and committed to provide the Home Secretary with a more detailed proposal on metrics before the end of October.”
For those who have and will become victims of CNP fraud, there will be concern that things are moving too slowly. Interestingly the committee agreed that: “..thought should be given to identifying unintended consequences of changes to the way payments are made, especially through mail order and telephone channels.”
Accenture has already warned that PSD2 could cause more people to rely on Third Party Payment (TPP) service providers for banking transactions. It believes that this will make it harder, not easier, for banks to detect fraud. Part of that is that as banks and other financial institutions open up their APIs for TPPs, it creates a larger attack surface for cyber adversaries.
Improving fraud reporting
A significant part of the discussion focused on the need to improve fraud reporting for victims. At present this is not easy. Most local police forces will redirect customers to their card provider or bank first. Neal Barcoe, Head of Fraud and Corruption, SCOC, OCST told the meeting that there was progress on improving the response to victims. He outlined several steps that are being taken including:
- Public Available Standard (PAS) aimed at raising standards across organisations to protect customers from frauds and scams launching in October 2017.
- Phase 2 of the Take Five campaign focussing on older couples.
- Continued rollout of Banking Protocol. By July there had been 763 calls to law enforcement with £5.3 million prevented from being handed over to fraudsters and 58 arrests.
- Opt in fraud prevention measures for customer accounts.
- Developing a multi-agency response to victims of fraud.
Will 555 speed up reporting of fraud?
All of this is good news but it doesn’t improve the reporting by victims of scams and fraud. One solution to this came from Brian Dilley (BD) Chair of FFA UK and Lloyds Banking group. He suggested that the FFA UK was considering a central reporting telephone number. He went to say that using a simple number like 555 would help victims of fraud/scams contact someone quickly.
Who should answer it is not clear. Dilley suggested the number could simply be: “a triaging point to redirect victims to the appropriate agency.” This is unlikely to sit well with many victims who already feel that they get the run around between agencies.
Alternatively, Dilley said it could: “sit in front of enhanced data sharing/analytics.” By standardising all the reports it could collate intelligence across the country. It would certainly provide a better and more coherent view on the problem. The challenge is how to get the data sharing to work effectively.
There have been numerous attempts to get police forces to share data more effectively. At best, the majority have been fairly usable. At worst they have been expensive white elephants. Making this solution bring together data from financial institutions, victims, police forces and other companies/agencies will be hugely challenging. There will be serious data privacy issues to overcome. While the government could simply bundle this with an exception to GDPR, privacy advocates are likely to kick back.
What does this mean
These minutes give little snapshots into what is happening to deal with major issues. They sensibly include companies and organisations outside of government to get a wider perspective. This helps to stop the perception of rules made by civil servants with no real understanding of commercial issues.
Victims and victim support groups will also welcome steps to tackle two major issues around fraud. Reducing the risks associated with CNP is long overdue. However, the warnings from Accenture and the explosive growth of TPPs will need to be addressed. The idea of bringing couriers into the loop will take a lot of explaining and convincing before they become a trusted party.
Looking at ways to make it easier to deal with scams and fraud is nothing new. Successive governments have proposed options but they have had limited effect. The idea of nationally collating all the data to spot scams and predict where scammers will strike next is attractive. However, do not underestimate the challenges of implementation and security of the system. All that data in one place will be a honeypot for cybercriminal groups and hacking groups.