British authorities find it difficult to cope with growing online and ATM fraud, but the U.K. banking sector is not collaborating as closely as it could be to prevent attacks, mainly due to concerns over ambiguities in privacy legislation, officials and industry specialists said.
Cash-strapped and focused on Brexit, Britain will not allocate new funds to fraud-fighting projects in the foreseeable future, despite an increase in criminal activity of late, said Richard Riley, the director for serious organized crime in the office for security and counter terrorism within the government's Home Office. The industry must cooperate more in order to bring down losses, he added.
Concerns about sharing information
Only 17% of fraud cases in the U.K. are reported to the police, according to the latest Crime Survey in England and Wales, which was published Oct. 19 and said: "Quite often in the case of bank and credit account fraud, victims may report the incident straight to their financial institution rather than report it to the authorities."
The U.K. launched the Joint Fraud Taskforce in 2016 as a policy forum for the government, the police and banks, while Action Fraud, the national fraud intelligence center running under the command of the City of London Police, has been operating since 2006. But so far, results have been patchy, Riley — who is also the chairman of the Joint Fraud Taskforce — admitted. This is partly due to the unwillingness of some banks to share information because of what they claim are regulatory hurdles, he said at the RBR ATM & Cyber Security conference in London on Oct. 10.
"We could be doing more — information sharing between banks, for example," he told the conference. "We are engaged with the banking sector in a very healthy [and] constructive debate about the limits of the current legislative framework we have to allow banks to share information with each other. We think we can push the boundaries quite a long way. There is genuine concern, I think, particularly from some of the lawyers and some banks that that might not be the case. There is a way through that, we believe. Within the [current] legal framework, we think there is more that can be done."
The Home Office confirmed that the law that has some lenders worried about sharing information is the U.K. Data Protection Act 1998, which governs how organizations may share the personal information of individuals. It makes clear exceptions from its usually strong restrictions for cases of crime, including fraud, and some banks are happy to follow Home Office guidance and share information because of this provision. However, one lawyer said the letter of the law is ambiguous when it comes to monitoring and preventing potential fraud, making some banks reluctant to reveal account-holder details without being certain that the case will indeed be classified as a crime.
"When it is clear that there has been criminal activity, there are routes to sharing information by banks both with the authorities and other parties in the sector and still comply with their obligations under the Data Protection Act," said Richard Jeens, a partner at law firm Slaughter and May who specializes in data protection law. "In circumstances where a crime is yet to be established — or if you are talking about day-to-day monitoring and prevention, so that there might not actually be any criminal activity or any legal proceedings going on — then that might be a more difficult scenario for banks to share specific personal data."
'A big problem'
"The answer," according to Jeens, "is usually to share anonymized information."
UK Finance, the biggest trade organization for banks in the country, declined to comment on the discussions between the government and the lenders. But some of the 40 British banks that joined the Joint Fraud Taskforce see no legal obstacles to collaboration and have started sharing information about security breaches and online fraud with each other, the police, UK Finance and the payments company Vocalink, which operates the national payments system, said Jason Daniels, an ATM cash manager for Nationwide Building Society.
"We do share information — in the interest of tackling fraud — with other high street banks and industry organizations," he said on the sidelines of the conference. "We provide evidence of fraud and even CCTV," he added. "ATM providers submit reports of credit-card fraud and physical attacks."
That other banks do not submit detailed reports was "a shame because the more information we have, the more appropriate the response will be," Daniels concluded.
He acknowledged that some progress had been made since the formation of the taskforce but said the project was still "very new" and it was not doing enough to prevent the abuse of anonymous, prepaid ATM cards, which were "a big problem" for the sector.
As far as the British police is concerned, online bank fraud is such a frequent and multinational crime that it would be impossible to bring all perpetrators to justice, especially if they operate from outside the U.K.
"We can't investigate our way out of [fraud]. This has to be prevented," detective Tara Owens, a London Metropolitan Police officer specializing in fraud, told the conference, urging industry players to collaborate more with each other and the police to deter wrongdoing.
In 2016, the U.K. lost £1.94 billion to bank-related cybercrime, most of which was fraud, according to Owens. She added that there were six million victims of fraud in the U.K. that year, most of them small businesses.