Prevention is better than cure, to counter frauds and scams, those taking part in three workshops agreed, jointly run by the Centre for Financial Crime and Security Studies (CFCS) at the defence and security think-tank RUSI and the membership body Stop Scams UK, in April and May.
A digest of the discussions is on the RUSI and Stop Scams UK websites. Being able to stop a fraudulent payment being executed in the first place should be the primary aim of any kind of data-sharing, particularly cross-sector, the first workshop heard. Disrupting the criminal business model and reducing the return on investment of fraud in this way was seen as a desired outcome by all. One participant gave an example of where this type of data-sharing between sectors is proving beneficial in a collaboration between a bank and a telecoms provider to use call data to better understand what behaviour may indicate that the customer is being socially engineered to make a payment.
Stopping scams at an earlier stage requires there to be a distinction drawn between tangible intelligence about a fraud that has taken place and signals or ‘flags’ that may indicate that a fraud will take place, or that a particular customer is vulnerable to a fraud. While scope for sharing data is vast, it remains difficult for organisations to fully grasp the extent of their own data, let alone that of another organisation, the workshop heard.
A second workshop covered the barriers to sharing data – which are cultural rather than the actual GDPR law; because the UK’s data protection regime allows for processing data expressly for the purposes of fraud prevention in the context of ‘legitimate interests’. Those in the discussion raised that even within organisations, there is likely to be a difference in attitudes and risk appetites towards sharing between those in operational/fraud prevention roles and those in compliance/legal roles.
An ability to articulate the benefit of sharing a specific data point, rather than having a ‘shopping list’ of information that one may want to share or receive, is very powerful both in communications with the regulator and in your organisation, it was felt. Given the volume of data available, it can be time-consuming to assess the benefits of sharing specific data points and how to share. Likewise, given the number of industry initiatives, it is not always clear where an organisation’s limited resources should be best used.
A third workshop covered work going on, and potentially; such as development of a customer propensity model, potentially via the Credit Reference Agencies (CRAs). Might businesses do more, with open source intelligence (OSINT) already around, and could all sectors be making more and/or better use of publicly available data. An example given was the UK regulator the Financial Conduct Authority (FCA) Warning List, which includes firms that the FCA are aware of who are operating without authorisation or carrying out fraudulent activities, including cloned firms.
Among the possibilities: might banks share email addresses associated with business email compromise (BEC) fraud to tech companies; might banks pass voice biometric data of known fraudsters to telecoms firms; and share addresses of known money mules to social media platforms, to try to identify ‘mule herders’?
Stop Scams UK recommended to its members that to share data effectively, organisations should be bold in their ambitions but start small, to show the benefits and to overcome internal barriers. More generally, Stop Scams UK wants ‘an environment that is more permissive to responsible data-sharing, particularly of scam signal and good data’, and more specifically ‘regulatory guidance to enable organisations to reevaluate their risk appetite to the sharing of data’.
Stop Scams UK chair Ruth Evans was among the speakers at the annual conference of the London Fraud Forum, last week. More on counter-fraud in the December print edition of Professional Security magazine.
