My Lords, it is a great pleasure to move that this House takes note of the report from the Fraud Act 2006 and Digital Fraud Committee—the committee I had the pleasure of chairing—Fighting Fraud: Breaking the Chain, which we published last November. I declare my interests as a non-executive director of the Financial Services Compensation Scheme, chair of the Association of British Insurers, and a non-executive director of Santander UK. I am very grateful to the Senior Deputy Speaker for ensuring that this and other reports from inquiries of this House are considered by this House before we reach the Summer Recess.
I thank my fellow committee members, many of whom are in the Chamber today. It was a truly collaborative and non-political inquiry. I am especially grateful to my noble friend Lord Young of Cookham and the noble Lord, Lord Vaux—who unfortunately cannot be here today—who suggested the original subject matter for the inquiry. On behalf of committee members I thank our excellent staff, who supported us throughout the process. We thank all those who gave evidence, both written and oral, and especially those who were prepared to tell their stories of being victims of fraud and scams and to be named in the report.
Fraud is not a victimless crime; it involves a severe loss of trust. It can involve life-changing amounts of money being stolen, and it is truly devastating for those who have been victims. When we started our report, we had to consider our approach, what we were going to look at and the scope. As has already been said in the Chamber this week alone, the scale of fraud in the United Kingdom is enormous: 41% of crime in England and Wales in 2022 related to fraud. Those aged 16 or over are more likely to be a victim of fraud than any other crime.
We focused on authorised push payment fraud, where a victim has been socially engineered into transferring funds from their bank account. This fraud alone costs the United Kingdom hundreds of millions of pounds every year. As noble Lords who have looked at the report will see, we also considered the whole of the fraud chain. It is often too easy to pick out certain parts of the fraud chain, particularly the final part—cashing out. This occurs where the money is moved from one bank account to another, often a mule account, and often heads overseas extremely quickly. We wanted to look further up the fraud chain at the inbound route, which involves phishing and smishing, use of SMS messages, fraudulent advertising and the old-fashioned physical approaches where people are defrauded. We of course looked at the interaction, where number spoofing, social engineering and the use of fraudulent websites are prevalent.
Our report came up with 65 overall recommendations. I certainly do not have time to go through them all in the time available, but we identified six key steps to break the fraud chain. Unfortunately, the UK’s advance payments infrastructure is one of the key reasons why the United Kingdom has become a global centre for fraud. We recommended that the speed with which payments can be made must be delayed in certain circumstances, to allow banks more time to review risk signals and contact customers about the proposed payment.
My Lords, it is an enormous pleasure to follow the noble Baroness, Lady Morgan, who opened this morning’s proceedings with the lucidity that also characterised her inclusive chairmanship of the fraud committee, on which I had the pleasure to serve. The report that we are here to address is a powerful piece of diagnostic work and is testament to her energy and commitment, as well as the hard work of the excellent committee staff.
As we heard, there is an extraordinary disjunction between the seriousness of the offence of fraud and the resources we devote to its prevention and to the pursuit and prosecution of those responsible. Fraud accounts for 41% of all crime against the individual, while only 1% of our law enforcement focuses on economic crime.
I welcome the Government’s pledge, in their recently published Fraud Strategy, to create a new national fraud squad comprising 400 specialist investigators, but I should be grateful if the Minister would share some specifics. The committee’s report shows the extent to which digital fraud has increased, with 80% of fraud now cyber enabled. How will these new officers be equipped to deal with the complexities of online fraud, including fraud which takes place on the dark web or through blockchain? Those tasked with such investigations will need either to be drawn from sectors where these skills already are both essential and scarce or, to put it mildly, to be put through some extensive training.
One of the recurrent themes in the report is an inclination to be tentative about the data on which conclusions are based. That is a function of a wider problem, with the absence of consistent measurement in government statistics. In 2010, the National Fraud Authority, an executive agency of the Home Office, first published its Annual Fraud Indicator. Its authors assessed the UK’s total loss to fraud to be £30 billion per year. In 2011 it was £38 billion, and in 2012 it had risen to £73 billion—a rise of about 150% at a time when reporting of fraud dropped off the crime statistics.
My Lords, I was a member of the Fraud Act 2006 and Digital Fraud Committee, and it was a great privilege to serve with the noble Baroness, Lady Morgan, who so ably chaired it.
The committee was driven by the massive increase in fraud. We discovered that scams are being delivered not only online but through text and messaging services, using ever more sophisticated technology. The new threat is coming from deepfake technology. Only a few weeks ago, a video appeared on Facebook that seemed to be a CNN report, with the CNN logo strapped across the base of the screen. Regional executives of a major bank appeared the video promoting what appeared to be one of their big new funds. They were followed by a succession of customers who said that they had made up to £50,000 each by investing in the fund. The user was then urged to click on a link that facilitated investment into the fund but needed the user’s bank details to do so. Once fraudsters have this information, they can impersonate the user to take out a loan, make a purchase or do any number of fraudulent financial transactions.
The deepfake fraud is just the most up-to-date example of ID fraud. This is one of the first scams to use deepfake technology. The bank executives’ images and voices had been captured from their previous appearances on television and in videos and manipulated to make them appear to be pushing the fund. The bank had a terrible time trying to stop the dissemination of this fraudulent content. It had to play a terrible game of whack-a-mole. As soon as was it was taken down from one Facebook group, it appeared on another. It also appeared in other parts of the internet and went viral on platforms and phone services. Deepfakes are just the latest generation of scams. They are so powerful because the visual medium is still seen as more trustworthy than others. The bank is so concerned that any future video appearances by executives will have to be stamped with a watermark on screen as a means of authentication, which it hopes will make future manipulation of their images more difficult.
My Lords, the committee, of which I was a member and which was so excellently chaired by my noble friend Lady Morgan of Cotes, reported last November. We heard from 56 witnesses. They covered a range of experience: academics, Ministers, the police, the Crown Prosecution Service, prosecutors in the courts, the Home Office, financial services, regulators and a range of internet platforms and service providers, as well as telecoms companies. Above all, we heard from the victims.
The picture was absolutely clear. We face in this country a really serious problem with fraud. Too many of our institutions have failed to take it seriously enough or to address it effectively. We have to act, and now. Our report identified the issues. It provided in one easily readable, if quite long, document a route map for police, government, regulators and major commercial players. There is no excuse to say that they do not know what to do, or to deny that there is a problem.
I will remind the House briefly of some core findings. Fraud is the most commonly experienced crime in England and Wales, yet is excluded from the crime figures. It accounts for approximately 41% of all crimes against individuals. Losses total at least £4 billion a year. The Bank of England has admitted that it directly affects consumer confidence. Most fraud happens online; 80% of reported frauds are cyber-enabled. The exponential growth in fraud and scams, we found, has been invisible. Fraudsters face little risk of being caught. Victims are embarrassed to report it. Law enforcement is underresourced.
We found that this underprioritisation has created a permissive culture across the Government and law enforcement agencies. This then permeates through to affect the attitudes of the private sector players in the fraud chain—internet service providers, telecoms companies and the like. They have not stepped in to do what they can to prevent customers being scammed. Indeed, I received an email to the effect that they feel they have not had a fair hearing from our committee; I do not know whether others did.
My Lords, I was not a member of the committee but I very much welcome this report and the introduction to it from the noble Baroness, Lady Morgan. I came to the report afresh and of course the figures are shocking. It is astounding that people are placed under this sort of pressure. I could go through and repeat the figures that have already been given, but the central thing is that this is 41% of crime and is given 1% of the anti-crime budget. That is clearly wrong, particularly when the 41% is probably massively underreported. While this is a cyber problem, the report makes reference to analogue fraud, which clearly causes a lot of pain, suffering and financial loss. However, the massive growth is taking place in cybercrime: why would you go and knock on someone’s door when you can send them an email?
I have three substantive points to make. First, it would be interesting to know the extent to which the committee considered this: it seems to me that we need a specialist agency to tackle this epidemic. Reading the report, the general line seems to be that it should still be part of the mainstream police system, yet the task is so specialist and immediate, requiring massive action, that we need a specialist task force to undertake it, at least initially. I understand the objections to setting up yet another body, when we already have bodies that have a responsibility to sort this out, but the scale of it requires—at least for a period of time—a specialist action force of some form. That of course will need funding, and that clearly should come from the links in the fraud chain. The providers are providing the tools with which the fraud is undertaken, and it is reasonable to expect them to meet more of the cost of tackling it.
Secondly, I emphasise yet again the relationship between fraud and poor mental health. The report includes some interesting work on vulnerability to fraud, but that relationship has a special place. It is a relationship where there is a cause: many people suffer poor mental health because they have been victims of fraud. At the same time, people who already suffer from poor mental health are clearly more vulnerable. The figures in the report show how fraud is distributed but do not give the respective sizes of those populations within the population as a whole—so they do not tell the full story and it would be interesting to get some more figures on that. I emphasise that any action needs to take into account the specific position of people who have, or are at risk of, poor mental health. I hope that the Minister can at least make some sort of reference to the importance of tackling that.
My Lords, I too was not of a member of the committee chaired by the noble Baroness, Lady Morgan, but was compelled to come today. I hope your Lordships will forgive me a short personal detour about why I was particularly keen to come and speak this morning. I have been absent from the House for many months, partly because of severe hospitalisation. I will not bore Members with physical details but I am lucky to have a leg and a life right now, so I feel as if I am winning in being able to stand up here and talk about this subject. I particularly wanted to come this morning because of two personal reflections from that time.
First, as Members are fully aware and as has just been mentioned from across the Chamber, this issue affects people at their most vulnerable. When you are at death’s door, you are at your most vulnerable, and in hospital I met several people who related to me, in waiting rooms or while I was lying on tables in various places waiting for doctors and nurses, how anxious they were about what was happening in the online world, particularly while they were in hospital and unable to cope with the volume of things being sent to their devices. It really struck me how I normally manage this in my daily life, being a relatively competent technology person—so that was the first point.
Secondly, coming back into the working world after a long absence, the volume of text messages and emails—not to my parliamentary account but my personal email, which is in my own name, so I guess it is relatively easy for scammers to come to—was absolutely appalling. I was taken quite by surprise and felt somewhat that the scales had been lifted from my eyes. So forgive the personal detour, but that is why I am so pleased to be able to speak this morning and to make three short points in my contribution.
My noble friend Lord Colville of Culross has already mentioned the first of them, which is that the biggest and most dramatic shift in technology that has occurred not just while I have been slightly absent from the House but over the last few months is that of generative AI and the platform shift happening there. Everyone is reading the headlines and I am not going to repeat what I am sure has been much debated here in the Chamber. But it is striking to me that this report was published last November and I think the committee would probably have put many different points about the use of AI just in the short period of time since. I cannot come up with a solution, but it is important to recognise how fast technology is changing and how innately complicated it is to keep up with the massive developments in how platforms are being used and individuals are able to create and generate content.
My Lords, it is a real pleasure to follow the noble Baroness. We are all absolutely delighted that she has made a recovery from her recent hospitalisation and is once again able to take part in our proceedings. The points she made about AI and the skills shortage are well taken. I look forward every weekend to reading her column in the Sunday Times. It is also a pleasure to be reunited with the fraud squad who took part in the committee and to endorse what others have said about the qualities of our chairman and support staff.
The theme running through our inquiry and this debate is the mismatch between, on the one hand, the incidence of fraud and the damage it causes and, on the other, the resources devoted to it. This was well summed up by the Chief Inspector of Constabulary, Andy Cooke, an impressive witness. He said that:
“You could probably times the £80 million by five and you would start to make a small dent in relation to the scale of the problem”.
His comments were reinforced by what Mark Fenhalls, chair of the Bar Council, told us:
“The state has retreated from the investigation and prosecution of fraud over the last 15 years”.
Prosecutions went down from 20,000 a year in 2010 to about 5,000 a few years ago. The government response to our report, while welcome, was drafted by one of our more cautious civil servants:
“We recognise that there needs to be improvements in the response to fraud, from the reporting process through to investigations”.
But, in fairness to the Government, the Minister Tom Tugendhat took a more robust approach when he gave evidence.
Before I sat on this committee, I was doubtful about the success of police and crime commissioners. However, I was impressed by the performance of Mark Shelford, the Avon and Somerset police and crime commissioner, and his approach to fraud. I was delighted to read in his report:
10:59 am
Viscount Waverley (CB)
My Lords, this has been a most productive debate on an issue I fear might only get worse, unless it is robustly addressed. As always with the challenge of putting forward original contributions while being tail-end Charlie, I will focus on some key takeaways. Having reflected on some of the extensive points that stood out from the committee’s report and the Government’s response, I have little doubt that a number of challenges should be urgently addressed, including the fact that law enforcement and government lack efficient co-ordination and operational capability. That is just the beginning, to illustrate the scale of the problem.
Due to the level and sophistication of fraud, companies must adopt a culture of suspicious inquiry. To protect and support their sales efforts, companies need free access to case studies, and FAQs and proactive alerts would be of interest. Merely reporting to Action Fraud, while formalising and gathering the data, in no way ensures that wider sharing of data and, ultimately, regulatory and criminal action and remedies are enforced. Anti-fraud measures such as Action Fraud have been ineffective when compared to what could be achieved if they were exploited properly. More focus should be on action and, importantly, on ensuring the knowledge and experience to act quickly.
The all-important technology used by criminals is better anonymised, making effective follow-up difficult. Law enforcement and government lack the necessary latest digital technologies to counter the threats, including securing the wrong technology for the job, which could take years to unpick.
Insufficient accountability for delivery exists, and it is too easy to hide non-delivery. Current legislation overcomplicates and hinders the process of evidence collection and quick action, with insufficient consideration given to the private sector to assist law enforcement agencies and government. This contrasts with the military model, which actively seeks help.
I will venture a number of pointers for consideration. Enabling better use of the private sector and factoring in the experience of qualified investigation companies, with the added benefit of leveraging operational capability, is as relevant to the fraud environment as it is in many instances where government could usefully adopt a differing mindset. I also suggest enabling access to the latest anti-fraud technology held by private companies, through government frameworks such as ACE and tracer, developing the co-ordinated and technology-sound effort that is urgently required to counter fraud threats.
Advances in technology make the task more challenging, with sophisticated frauds often launched from outside the UK, making detection and response difficult. Those who perpetrate modern frauds are technology-savvy, sophisticated criminals who meticulously plan their activities to protect and preserve revenue streams.
11:08 am
20 of 28 shown
We said that fraud needed to move
“to its rightful place as a top priority for law enforcement”,
and
“should be included within the Strategic Policing Requirement”.
Law enforcement related to fraud is significantly underresourced. Only 1% of law enforcement spend is focused on tackling economic crime; that bears no resemblance to the 41% of crime in England and Wales that I mentioned just a moment ago.
We recommended that, to address
“the mind-boggling variety of acronyms and alphabet soup of departments, taskforces and Ministers with responsibility for fraud, a cabinet sub-committee with a clear mandate to tackle fraud should be established, chaired by and accountable to the Security Minister”.
We said that:
“Several sectors involved in the fraud chain have failed to prevent rampant fraud for too long”,
and we recommended that the Government must
“introduce a new corporate criminal offence of ‘failure to prevent fraud’ across all sectors to address this”.
The Online Safety Bill, which is well known to so many of us,
“contains several important measures to prevent fraudulent content and scam advertising from appearing on online platforms”.
We recommended that tech companies must be held accountable when they fail to prevent their users becoming victims of fraud.
We also said that, to create clear advice for consumers that they could follow to help them prevent fraud and report if they become a victim, the Government
“should oversee the introduction of a single, centrally funded consumer awareness campaign in partnership with industry”.
Overall, we were very critical of what has become too much of a permissive culture around fraud in this country.
Part of the committee’s remit was to look at the efficacy of the Fraud Act 2006. We found that, overall, it is still
“a highly effective piece of legislation that has simplified the fraud landscape and it has the flexibility to adapt to future technological developments”.
So, what happened after the report was published? Too often, one of the dangers of reports is that they end up getting some attention and being welcomed, someone might do something, and then they sit on a shelf for a bit. However, I am pleased to report that, apart from just getting a response from the Government, which I will come on to in a moment, we have seen some significant progress on issues raised in our report. Perhaps our timing was just right. We deliberately wanted to write a truly comprehensive report on this issue to bring it all together in one place. It was quite long; I think my noble friend Lord Young said that it might be a bit too long and he probably had a point.
I thank my noble friend the Minister for the Government’s response. Broadly, five of our six key recommendations have been taken forward in one form or another. In fact, the change so that fraud is reflected in the national strategic policing requirement was made before the Government’s response was even published.
However, the big step forward was the publication of the Government’s Fraud Strategy in early May. The strategy was long overdue, and it would be fair to say that my noble friend the Minister himself was relieved to finally get it over the line so that we could all stop asking him when it would be published and start looking at the details.
I welcome the appointment of Anthony Browne MP as the Government’s anti-fraud champion. It is not quite what we wanted in terms of a Cabinet sub-committee, but having somebody to draw all the strands together and work with government departments and agencies is a significant improvement.
Changes will be made to Action Fraud, which I think we referred to as “Inaction Fraud” in our report. We understand that the Government are working on a broad awareness campaign. The need for a clear, consistent message for the public on how to protect themselves from fraud and scams cannot be overestimated. We understand that the Government will also take forward the ability of banks and payment service providers to slow down payments where they have evidence that the payment is going to a fraudster’s account.
Just this week, the House debated the Economic Crime and Corporate Transparency Bill. I welcome the Government’s introduction of the failure to prevent fraud offence and the reform of corporate criminal liability and the identification doctrine. These are significant steps forward and very welcome reforms. Unsurprisingly, of course, they never go quite far enough for all those who have been campaigning. I think we have further debates on this to come.
What remains outstanding? We still think, and there are still calls by bodies such as Stop Scams UK—I want to recognise its work—that there is a need for a single scams body or authority of some kind. There is an opportunity for a significant increase in international collaboration. Fraud is an international crime. The UK, unfortunately, has a world-leading place in fraud being perpetrated. Therefore, we can share our experience on how to tackle this on the world stage.
The big outstanding issue that I am sure other noble Lord will refer to is that all parts of the fraud chain are not yet being held accountable or incentivised to prevent fraud. In 2023, 78% of authorised push payment fraud cases started online, and 18% started via telecoms companies. Those figures are from UK Finance; Ofcom has found very similar figures. There is no doubt that social media platforms, technology platforms and telecoms companies are the places where customers most often encounter fraud, and they need to be incentivised to prevent that fraud and to protect their customers. I doubt that the voluntary code proposed in the fraud strategy will be sufficient and I am sure we will return to this, not least by pushing for a facilitation offence where those companies and platforms facilitate the offence of fraud.
The Online Safety Bill goes far in cracking down on fraudulent advertisements, which is very welcome, but it does not deal with fraudulent emails or the inaction of the internet service providers and telecoms companies. There is also more to do on data sharing, in terms of both sharing and permission to share data about customers but also data disclosure by the platforms and telecoms companies about the amount of fraud perpetrated via their services. Only by being clear and transparent about that level of fraud will law enforcement and other agencies know exactly where to tackle it.
This is a matter of direct relevance to everyone in this country, both individuals and businesses. As I said at the start, it can be life-changing and devastating. As the Bank of England said to us in evidence, it directly affects consumer confidence. There is a huge opportunity to crack down. The Government have taken some important steps; I like to think that our report played a part in that. We will watch how they proceed. I beg to move.
That year, Theresa May, then Home Secretary, transferred responsibility for fraud to the NCA. In 2017, at the request of the NCA, the same academics who informed the national fraud indicator published a national fraud indicator figure of £190 billion per year. A month ago, the same experts published an annual fraud indicator for 2022. The total annual loss now stands at £219 billion, £8.3 billion of which was fraud on individuals. That figure was £3.5 billion in the 2010 indicator.
So, after a further unexplained hiatus in transparency reporting, the situation has again markedly deteriorated. It is little wonder that about six months ago the NAO said about fraud that the Government do not have the data they need and are unable accurately to measure the impact of their policies. This inability persisted up to and including the publication of the fraud strategy. It would be useful to know on what basis we can judge the likely effectiveness of the measures therein in the absence of consistent and reliable data on which to base such judgments. Perhaps that explains why the gleaming promise held out as a measure of success for this strategy is a reduction of fraud by 10% in time for Christmas 2024—it appears conveniently close to the last date on which a general election must be held, one might think. This is hardly a Napoleonic ambition, given that the best data we have now suggests that the Government in one form or another have presided over an increase of more than 550% in total fraud since 2011.
In focusing on the scale of the problem, I emphasise that the victims of fraud range across vulnerable individuals, major corporations and small businesses as well as the public sector, and the Government themselves account for a significant amount of the total. I recall the powerful testimony we heard from the Bank of England, making it clear that fraud directly affects and undermines consumer confidence. Under successive Governments an attitude has prevailed that fraud is an unfortunate by-product of our strengths. Apparently, fraud has become so prevalent in the UK because of the widespread use of the English language, our position as a digitalised global financial hub, our adoption of the faster payments system, and the emergence of crypto assets. These are all said to be pull factors for fraudsters. Every element of this description could be applied to the United States, and yet UK residents are exponentially more likely to be victims of fraud than their US counterparts. This is a British problem, and its scale demands that it be a national priority. The answer is not to dilute those strengths but to ensure that they are hedged about by clear preventive mechanisms and appropriately severe financial penalties for those found to have enabled fraud. I do not wish to move on to the ground more properly covered in the Online Safety Bill or the Economic Crime and Corporate Transparency Bill but merely note that some of these questions are being covered as they journey through your Lordships’ House.
Fraud is not merely a serious offence; it is a direct enabler of far more serious offences. Organised crime, drugs, arms and human traffickers, kleptocrats and fugitives from justice all use money gained by fraud to fund their activities or to escape justice. To some extent, we have the appropriate mechanism for punishment already in place. The committee’s report examined the Fraud Act 2006 and found it to be effective, although greater maximum sentences would be desirable, but our ability to use the provisions in that legislation have been weakened by a significant decrease in the number of prosecutions of fraudsters, outdated disclosure procedures, and court backlogs. Recent data from the Law Society of England suggests that the Government’s promise to reduce the backlog is sitting rather awkwardly alongside figures that show it to be rising, so I suspect we may waiting a little time for that problem to abate.
In coming to the end of my remarks, I am conscious that I have painted a somewhat bleak picture, but none of this is inevitable. I note the Government’s acceptance of five of the committee’s six principal recommendations, in part or in full, and I hope to see the resources made available to ensure that that acceptance is matched by action. Fraud is not a victimless crime. As has already been said, it targets the most vulnerable, reduces the financial resilience of millions of households across the country, diminishes their confidence in the institutions on which they are supposed to rely and can drive them to desperate measures. Earlier this week, Ipsos released data showing that 7% of 18 to 75 year-olds have been driven to such straits that they have used an illegal moneylender in the past three years. We have all heard the rhetoric around predatory capitalism, but the fact that loansharking has become one of this country’s few growth industries renders satire redundant. This report shows a critical need for cultural change, it outlines the necessity for clear lines of accountability and enforcement and, most of all, it testifies to the need for far more effective preventive measures. I look forward to hearing how the Government intend to translate these needs into action.
The Online Safety Bill will put the onus on user-to-user services to prevent fraudulent content appearing on their platforms, but the growing practice of smishing—sending fraudulent messages to collect personal financial information through text and direct messages—is also worrying law enforcement officers. These scams are increasingly disseminated on SMS and MMS platforms, and so are out of scope of the Online Safety Bill. According to CIFAS, 2022 saw the highest-ever volume of identity fraud cases. They were up by nearly one-quarter from the previous year. Nearly all the cases related to mobile phone products.
In the committee hearings we heard evidence of how criminals are frighteningly ingenious at finding ways to capture a user’s ID, both online and on mobile phones. The fraudsters send messages which often seem innocent enough, such as completing a crossword puzzle or taking part in a survey, all of which involve the user giving away their personal financial details. I recently heard about a victim who received an SMS message giving details of an expected delivery from DHL. When they called the number, they were put through to a fraudulent call centre, which asked for money to be paid for customs duty in order to release the package through Customs and Excise. Fraudsters are even using ID impersonation to break the secure customer authentication service which was set up especially by the banks as a secondary source of verification. They do this by diverting the message which is meant to go to a customer’s number and then take control of it.
CIFAS told me that in the past 12 months, there has been a rise in cybercrime service platforms on the dark web. One of these sites is selling up to 30,000 fake profiles, which can be used to push fraud, at a time. The whole fraud ecosystem is incredibly sophisticated. There are specialist roles for each stage of the fraud. First, there is a fraudster specialising in stealing ID, then another who uses the information to open bank accounts and set up customer profiles, and finally there is a specialist who can siphon off the money to the criminal. It seems to me that the major way of dealing with this is to incentivise platforms and telecoms companies, which are the enablers, to crack down on fraudulent activity online. I wholeheartedly support the attempts by the noble Baroness, Morgan, to extend the “failure to prevent” law to cover more enterprises and more harms but, despite wins on Report on the Economic Crime and Corporate Transparency Bill this week, the Government still seem reluctant to adopt the ideas in her amendments.
I have already mentioned the Online Safety Bill, which leaves so many of the systems which deliver fraud out of scope. Like the noble Baroness, Lady Morgan, I would like to see telecoms companies being held to account. They have already taken some steps to reduce fraud. The committee heard evidence about BT’s spam shield, which is blocking spam messages to users. SIM farms, where a mass of phone numbers can be bought to be used to send fraudulent text messages to tens of thousands of customers, are now being clamped down on but, as the committee’s report states, these current approaches by the telecoms sector are uneven, with counterfraud policies being introduced inconsistently across the sector.
It seems to me that the enabler of the fraud ought to be held responsible, at least in part. The banks are paving the way. The Payment Systems Regulator is already changing the liability for banks whose customers have been involved in fraud. It has set out a path for introducing a 50:50 split between the issuing banks and the bank that accepts the funds on behalf of the fraudster. In July it will consult on the draft legal instruments to put reimbursement requirements in place. The following month, it will consult on the maximum level of reimbursement and guidance on customer gross negligence. By October it hopes to get the final legal instruments to Pay.UK. Early next year, these measures will come into force. The regulator will also demand transparency, the publication of data on how well banks are protecting customers from fraud and the promotion of intelligence sharing.
The telecom companies are also enablers. Either they can take part in a compensation scheme along the lines of the banks or they can, as paragraph 522 of this report suggests, be part of a
“regulatory strategy equivalent to the Online Safety Bill that is directly applicable to telecoms platforms and services”.
In their response to the report, the Government said that, despite progress being made by the industry, more could be done to protect the customers. Instead of supporting a duty to prevent fraud, they suggest that the operators join the voluntary telecoms fraud sector charter. The Government have spent much time ensuring that online platforms are mandated to protect users against fraud. In a world in which fraud is now being delivered increasingly through direct messaging and SMS, why is one sector being mandated to take action while another is allowed to take part in counterfraud action voluntarily?
Organised criminals around the world turn to the UK as a lucrative market to commit fraud. As we have heard, their proceeds are used to fund human trafficking and the drugs trade. The telecoms sector has to date had no real incentive to prevent fraud and has allowed blame to be placed elsewhere for too long. There have been no sticks, and certainly no carrots. It must do more to tackle phishing emails, smishing texts and fraudsters making spoof phone calls, as well as those emails that infiltrate our machines.
Until all fraud-enabling industries fear significant financial, legal and reputational risk for their failure to prevent fraud, they will not act. We were clear that the Government must act to introduce a new corporate offence of failure to prevent fraud across all sectors to address this, and we did not limit that to so-called large companies.
I welcome the important measures in the Online Safety Bill to prevent fraudulent content and scam advertising on online platforms and to hold tech companies accountable when they fail, but these will bite only on fraudulent advertisements. They are an important plank but they are only one plank—you cannot build a house from them. The telecoms industry, financial services, the insurers, indeed all our great service industries in this country, must face the same requirements and get their act together.
The Government published their Fraud Strategy in May and appointed Anthony Browne MP as anti-fraud champion. That is a good start but it is not enough. Let me explain: I applaud the proposals to ban cold calls on all financial products, to ban SIM farms, to make it harder for fraudsters to spoof UK numbers making it look like they are calling from a legitimate UK business, and to stop people hiding behind fake companies, and I applaud the plans to create new powers to take down fraudulent websites—but we need a facilitation offence. Telecoms companies must be put under duties to do more. Plans to improve the law enforcement response and trade and charters addressing areas of business activity are welcome, but they are not enough to ensure the changed culture needed to drive down fraud in this country.
Surprisingly, to date the Government have been reluctant to introduce what we regarded as adequate provisions to push business to take steps to prevent fraud. Regulation has to be proportionate, of course, but reasonable steps to prevent fraud taken by all businesses will reduce the opportunities for these scammers. They will help our economy grow; everyone will be more prosperous as a result. Thankfully, on Tuesday this week, this House expanded the scope of the duty to prevent fraud imposed by the economic crimes Bill. I just hope that it will not be taken out in the other place, because it would likely bounce back again here.
Only if all businesses are driven to take proportionate steps to stop fraud will things change. Economic benefits for all will flow. The costs to business and the consumer will be off-set by a clean, fraud-minimised environment. We will all win. People have to look at the big picture, beyond the ends of their noses. If the Government are serious about their promise to make sure that every part of the system is incentivised to take fraud seriously, they must not only introduce new charters for business but ensure that the different sectors, whether banking, finance, tech, insurance or telecoms, are all driven to make life much more difficult for the fraudster. That requires a duty to prevent fraud applied across the board.
Enforceable obligations must apply not just to large businesses. The six key steps we identified in the report are critical. Ministers must act now, and they must act decisively.
My third point is about the alphabet soup of bodies that are rightly set out in an appendix. Unfortunately, one was missed: I can add to the list the Fraud Compensation Fund. It sounds pretty general but it does not compensate all fraud; it compensates a very narrow and specific form of fraud in relation to pension schemes. If a pension scheme loses assets through fraud and the employer is insolvent, the Fraud Compensation Fund, which is an offshoot of the Pension Protection Fund—the financing is different—has to provide the compensation. I highlight that point because, self-evidently, it is little known and there are still important questions that need to be pursued about people’s entitlement under that scheme and its funding. I raise that just to give it a bit more visibility, but it is clearly part of the fraud landscape and will need to be included in any further list of the alphabet soup.
My noble friend Lord Colville mentioned the appearance of deepfakes, but this has been amplified exponentially with these new technologies. It is not only the volume and scale but the sophistication: synthetic people can now be created. I was reflecting that my voice is probably the last one a scammer would choose to use, thank goodness—I do not think anyone would fall for an outward call from a “Baroness Lane-Fox of Soho” suggesting an entrepreneurial opportunity. Looking at my own entrepreneurial adventures, they would probably put the phone down immediately.
In all seriousness, as the bank example already given has shown, this is a very complex issue. While I recognise that the report suggests that AI should be used to look at sets of data, and I agree with that recommendation, we also need to proceed with caution and think carefully about the boundaries and guardrails around how the latest wave of technology is used. This is an extremely urgent matter, in my opinion.
My second point is that, as the new president of the British Chambers of Commerce, I think it essential, as the report suggests, that we link up with business. I would like to make a case again for small businesses to have special treatment. It is very hard right now to run a small business: you face cash flow pressures, increasing energy costs, wage inflation and all the other things that I know are debated frequently in this Chamber. In addition, I have noted from multiple conversations with our members their profound anxiety about how the names of their own organisations are being used by others—let alone the things for which they have their own responsibility. While I recognise that corporations need to take responsibility, and I certainly believe that technology and telecoms companies should be doing more, I think there is still work to be done to educate small businesses to build the cyberdefences they need.
I was talking to a small insurance company in Doncaster which had faced a horrible issue where somebody else was using its name for outbound calling. It was not something the company had the capacity to look after and worry about and it did not get help from any of the law enforcement agencies locally. It was providing the already stressed entrepreneur with another point of stress in these economically difficult times.
So, generative AI and small businesses are mentioned; the final thing mentioned frequently through the report is the skills we need to address this challenge being so profoundly lacking across all sectors. I have thought about this deeply over the last decade. We are still in a very profound skills crisis in this country. Just yesterday, the Open University, of which I am chancellor, released a report examining the extremely deep level of skills we need across multiple sectors, including cybersecurity. This is true across many businesses, both in the public and private sectors. We need to make this an urgent part of the agenda. I do not believe we will be able to be as resilient as we should be unless we have a deeper skills strategy. We have local skills investment partnerships, which I understand are working well. We should be using them more and thinking sectorally about how we can make sure that we have the skills we need. Those are the things that struck me from reading the report. I am delighted to be able to share my thoughts again in the Chamber and thank the noble Baroness, Lady Morgan.
To close, I was reflecting on being at lastminute.com back in 1999. I clearly remember a moment when I found a fax on our fax machine—despite the appearance of incredible technology, we were using fax behind the website—that had a customer’s credit card details on it. I was about to fax it to the supplier to get the booking confirmed. I remember thinking “Maybe this is not such a good idea”. Fast-forward to now: we never imagined that this is where the technology would have led us—to the incredible speed, pace and ability to create this fraud at scale. It is depressing. It is not what I think the technology landscape should have tilted towards, but we are where we are. The massive shift in generative AI recently, as I have said, combined with the economic climate we face, makes these recommendations vital. I hope we can go further and faster than the report suggests.
“I personally have taken on the national lead role for economic and cybercrime on behalf of the Association of Police and Crime Commissioners”.
We need more like him.
I will focus my remarks on authorised push payment fraud and compensation. The Payment Systems Regulator, the PSR, reported that there are more incidents of APP fraud than any other type of fraud in the UK, with 95,000 incidences in the first half of last year and gross losses of £250 million. I wholeheartedly agree with one part of our recommendation in the report, which has been adopted: that the recipient bank should be in the frame as well as the paying bank. The paying bank is acting on the instructions of a legitimate customer. The recipient bank has allowed a fraudster to open an account, almost certainly with false details, or is operating an account on behalf of a money mule, aiding and abetting a crime. If banks devoted the energy with which they pursue noble Lords, who are politically exposed persons, to explain how we got every penny we own to checking up on the authenticity of the new accounts operated by fraudsters, there would be a lot less crime.
I want to refer to an exchange which did not feature in our report. It took place on 10 March last year, when one of our witnesses was Revolut, which is basically in the money transfer business. I asked a question about suspicious authorised push payments:
“What percentage of customers do you convince that it is a fraud and that the payments should stop? To what extent does the customer just go on?”
This was the answer from Nicholas Taylor:
“Our machine learning models correctly identify over 90% of attempted APP fraud … It is incredibly difficult to break the spell. We have all the normal warnings before you make a transfer, but our models detect and block a payment post fact, where we think it is a fraud, and then we make the customer talk to one of our agents. Even after we have directly intervened, 80% of them still go on to make the payment”.
We heard at an IPT breakfast seminar last July that the larger banks have even more sophisticated systems, using behavioural biometrics, data analysis and other technologies to detect fraudulent payments, and their experience is the same. Sadly, as we heard from one of the brave victims who gave evidence to us in Birmingham, at least one victim went ahead despite repeated warnings from her bank. I think that exchange influenced our response to the issue of reimbursement. We said:
“While we recognise the case for mandatory reimbursement of victims of APP fraud, we are concerned that a blanket reimbursement policy may lead to increased levels of moral hazard and fraud, and the perception that it is a ‘victimless crime’. In some cases, it may even lead directly to new avenues for APP-reimbursement frauds”.
We asked the Government to revise their proposals to legislate to allow the PSR to mandate blanket reimbursement of APP fraud conducted via faster payments. The government response did not take on board the risks of an overgenerous compensation scheme, it just recognised the urgency to protect consumers and said that they have given powers to the PSR to direct banks to reimburse victims of APP fraud.
The PSR then issued a comprehensive consultation document on proposals for reimbursement and responded earlier this month on 7 June. This was one comment on its proposals:
“Under the new legislation, 100% of consumers’ APP fraud losses will have to be reimbursed by PSPs, except in extreme cases of negligence on the part of the customer, which will—by all indications—be extremely rare”.
I am all in favour of improving the current position, in which only 46% of fraud is reimbursed. We need minimum standards and a common approach, but the proposals will apply to all cases, except where the customer has acted fraudulently or with gross negligence.
My concern is that, with consumers protected in this way, some customers may be willing to make more risky payments without properly considering the consequences, whereas we should be considering exactly the opposite. The proposal means that people who are careless will be fully compensated. I think this is overgenerous. If you are careless with your wallet, your insurance company certainly will not compensate you. If you are careless and damage your car, you will not be compensated. Obliging the banks to compensate you unless you have been grossly negligent is overgenerous, weakens the message that people should be careful and, far from deterring fraudsters, will encourage them. It is also inconsistent with the paragraph I quoted from our report. There is time to put this right, as the PSR is still consulting, before finally agreeing the regime. I will not be popular for saying this, but I urge them to think again.
Given the level of criminality, an anti-fraud tsar should be given oversight to ensure accountability. Often, the problem with digital fraud is that the legislation and, therefore, the ability to respond is simply not there. The creation of a working group under parliamentary supervision, or a central figure such as a tsar or anti-fraud commissioner to implement quick-fix measures, would produce dividends. An operational fraud centre that not only analyses but co-ordinates, such as an effective Action Fraud and the NECC—with clear operational power and capability—would, additionally, greatly assist, as would providing a due diligence and educational hotline for the public to report suspect activity, alongside a central social media monitoring tool to alert people to fraud attempts.
I suggest encouraging companies to incorporate anti-fraud measures, as is the case with modern slavery and anti-bribery, and an expert asset recovery unit to recover assets in civil fraud cases, along with enabling private funds to help sponsor anti-fraud activity. Two examples of developing a robust, unified and co-ordinated response from government, law enforcement and the private sector are: urgently developing a working group to conduct a thorough review of what hinders—and, conversely, what helps—fraud investigations; and reviewing the unintended consequences of data laws that restrict fraud investigation, alongside a lighter-touch GDPR and the reinstating of the successful multiagency asset confiscation unit within the Ministry of Justice. This has been spoken about for years, with various initiatives launched, such as Action Fraud, but they have failed to have the intended impact.
I suggest deepening co-operation with banks—while recognising their advances on the algorithm sets to watch for incoming fraudulent transactions and spotting and responding to fraud—and devising a deeper co-operation model between banks, tech companies and the legal, accountancy and investigation companies which often encompass former law enforcement officers. This is a quick fix, and existing models of interbank co-operation could be adopted. There is frustration at the lack of action in this regard.
The FCA is a pivotal organisation, and the combined endeavours with the director of the NECC, her successor and the NCA intelligence director—all of whom left the NCA to take up senior roles in the FCA—should be taken full advantage of to include strengthening tactical issues to lead to better strategic oversight and direction from the FCA. Government should urgently bring forward measures to enable the FCA to regulate crypto assets and enlarge current rules, relaying the results of examination of blockchain, under regulation, to private companies, which have fewer priorities and extensive resources.
An urgent review that uses experienced investigators and advanced investigation tooling, including AI, to assess where assets could be recovered would be useful. I did not think of it this morning, but I wish I had asked ChatGPT what comments it would make on anti-fraud measures that might assist this debate; I will do so this afternoon.
We should ensure that Companies House becomes a more active, transparent gatekeeper and is provided with appropriate resources, aided by developing a dedicated whistleblowers’ anti-fraud hotline, combined with the appropriate legal protection for whistleblowers, similar to Crimestoppers, with reward incentives as a viable way to combat fraud. The noble Baroness, Lady Morgan, spoke of the need to incentivise the whole anti-fraud environment, and she is absolutely right. The list goes on, but implementing operational response by adopting the counterterrorism “four Ps” mantra of pursue, protect, prevent and prepare should be fully applied to identify and frustrate fraud.
I acknowledge conferring with Harod Associates to confirm some salient points of detail. The question of how private investigation companies could be more usefully utilised and added to the toolkit should be examined. Often equipped with more powerful investigation tools, and with many fraud investigators under the command of former law enforcement seniors, they could provide a significant resource to assist. Set fees for many of these companies could be set at government rates and recovered as costs.
Many existing recommendations are felt to be hard to achieve, or advance with glacial speed. The more involved I become in an unrelated national review, the more I find that government working in silos instead of in partnership is a national trait; a sea-change in government’s mindset is required. I noted references to the international space and fully intend to include fraud in my ESG programme. I encourage government to do likewise.