AML Talk Show Hosted by Stephen Platt
Well good afternoon, and welcome to The AML Talk Show with me, Stephen Platt. I hope that wherever you are listening from, that you are safe and well, and are enjoying seeing, as it were, the light get bigger at the end of this very, very, very long COVID tunnel. I'm delighted to have the opportunity today to welcome our guest, Mike Haley, to join me to discuss his role as the chief executive of Cifas in the UK, and more generally to engage in a dialogue about fraud and the position in relation to the finance industry's efforts to bear down on fraud risk in the UK and the lessons that we might be able to learn as an AML community from the successes and failures of the industry in tackling fraud.Mike has been the chief executive of Cifas since May 2018. For those of you who don't know, Cifas is a not for profit fraud prevention membership organization and the UK's leading fraud prevention service, managing largest database of instances of fraudulent conduct in the country. Cifas member organizations are drawn from all sectors, not only financial services, of course. And they share their data across those sectors to reduce instances of fraud. It's a really, in my opinion, brilliant initiative. ...
Well good afternoon, and welcome to The AML Talk Show with me, Stephen Platt. I hope that wherever you are listening from, that you are safe and well, and are enjoying seeing, as it were, the light get bigger at the end of this very, very, very long COVID tunnel. I’m delighted to have the opportunity today to welcome our guest, Mike Haley, to join me to discuss his role as the chief executive of Cifas in the UK, and more generally to engage in a dialogue about fraud and the position in relation to the finance industry’s efforts to bear down on fraud risk in the UK and the lessons that we might be able to learn as an AML community from the successes and failures of the industry in tackling fraud.
Mike has been the chief executive of Cifas since May 2018. For those of you who don’t know, Cifas is a not for profit fraud prevention membership organization and the UK’s leading fraud prevention service, managing largest database of instances of fraudulent conduct in the country. Cifas member organizations are drawn from all sectors, not only financial services, of course. And they share their data across those sectors to reduce instances of fraud. It’s a really, in my opinion, brilliant initiative.
With over 30 years’ experience of tackling and preventing fraud, Mike has been determined to bring together that strong cross sectoral collaborative approach to the challenge of fraud prevention. He has a master’s degree in criminology, he has led investigative teams in the National Health Service, The Ministry of Defense, The Office of Fair Trading, HM Revenue and Customs, and the Solicitors Regulation Authority. A wealth, clearly, of relevant experience and subject matter expertise. He has also worked at the National Fraud Authority directing cross sector fraud prevention strategies.
Mike believes, I know having spoken to him in the past, very passionately that the battle against fraud is one that cannot be won alone, and by collaborating as a community, we can be much more effective in our efforts to put a spotlight on fraud, not only to protect each other, but also to make the UK a safer place to live and do business. So Mike, after that, I’m afraid, rather lengthy introduction -but it was important to give our audience a really clear understanding of who you are and where you come from – after that rather long introduction, it’s a pleasure to have you on the show. How are you doing this afternoon?
I’m doing well, thank you, Stephen. And likewise, it’s a pleasure to join you today, and everyone at RiskScreen.
Well thanks very much, Mike, for taking the time. I want to start, as I do with all of these interviews, by asking you just to tell us a little bit more about yourself, your background, and I guess in particular, what we’re all interested in knowing, is where your passion for tackling fraud comes from.
Yeah, that’s a very good question because I think like many people, when I left university, you look around for a job which is a stop gap before you find your real calling in life. And I immediately joined from university Her Majesty’s Revenue and Customs, Customs and Excise as it was at the time, and I think after not very long, maybe nine months, as a VAT officer.
I found a fraud and my boss at the time said you’ve really got a nose for it. In Customs and Excise, they say you have the revenue nose if you can sniff out where there’s wrong doing, and he was a great mentor in a way, in that he let me take that case on and investigate it, and I really cut my teeth in customs, and quickly moved into the investigation division. And I think it was around pitting your wits against fraudsters, against organized crime, and because I was in London, north and west, it was mainly fraud rather than being at a court or airport, in north and west London. So very rapidly got a taste of fraud and that’s where I think I found my calling.
So I always think I cut my teeth in customs and then moved through very many different roles, I was in the NHS counter-fraud service when it was started and had the London regional fraud team under my remit. And then had the kind of twin track between regulatory roles, as you pointed out, The Office of Fair Trading, I was the head of consumer protection for about eight years – eight, nine years – and learned a lot there. And also the Solicitors Regulation Authority, so risk and compliance and the fraud route kind of come in together. But I think where this has led me to is that, you sometimes can get a bit jaded investigating, reinforcing the same cases, or types of cases, and feel eventually, I’m not actually getting anywhere.
And that’s why I think Cifas was such an amazing opportunity when I first joined as deputy chief executive officer six years ago, and now CEO for the last three years, in that after criminal investigation, you recognize that prevention is better than cure, and also that data that approaches really provide the biggest opportunity to address the problem at scale. And I recall that when I got the CEO job, a colleague and criminologist, says what are you going to do with a new train set, in terms of making a huge impact around fraud? And I think that Cifas just has fantastic capabilities and enormous network of members that can collaborate to defeat fraud.
So my passion is bringing together organizations, bringing together interested parties, people who also have a passion for detecting fraud, for preventing fraud, and tackling dishonesty; and giving them a vehicle to express themselves and make an impact.
Fascinating, it’s really interesting to hear about the background, and in particular, that early experience, that early win that you had in your career in uncovering that fraudulent activity, which has clearly influenced your subsequent career path. Now, it’s important, I think, Mike, and I hope you’ll agree with this, it’s important to set right at the outset, that whilst fraud and money laundering are often talked about together, they are of course, very different. If we look at the continuum, I suppose, of criminality, fraud is a form of predicate crime that generates criminal property, that is then the subject of money laundering.
So fraud is a predicate crime for money laundering. Do you agree with that? Is that the way that you view these two issues?
Certainly. I would’ve made the point that wherever there’s a fraud, generally, there would be a need to launder the proceeds, so frauds can happen within financial institutions, and then it’s already there to be laundered. So I do see fraud and money laundering as best viewed as a continuum, but also you’re quite right, and it’s something I read in the financial crime news, Global Threat Assessment, John Cusack pulled together I think, where he points out something like 50 percent of the money laundered around the world, originates from a predicate offence of fraud.
So it’s a significant part of the money laundering issue, but it’s a predicate offence. Also, because it’s around, fraud is a crime, acquisitive crime, to get hold of assets and money, it’s already wrapped up in the financial institution. So I think there’s a real intermingling of fraud and financial crime. And that’s why I think that really, we need to bring the two worlds closer together within financial institutions between those concerned with money laundering and those concerned with fraud.
A number of really interesting points there though, I want to dive into a bit further. Interesting that you quote John Cusack’s paper, John does some great work in this space. And it’s a fascinating figure, 50 percent of what’s laundered is derived from fraud, which makes as it were, the laundering detection challenge, extremely difficult because as you say, the proceeds of fraud is generally already within the system, so it’s very difficult to identify for example, through looking at placement activity, because there is no placement activity, right? If you’ve committed a fraud, the money’s already in a bank, that’s very different to a situation in which somebody’s smurfing money from drug trafficking activity or whatever, into a financial institution. So there’s less opportunity to prevent it from entering the system, because as you say, it’s generated at the heart of the system.
And I think you can really see that with the biggest concern of many of our banking members, around authorized push payment fraud, where an individual is socially engineered to believe in a certain scheme or to send money to a safe account, to transfer money from an account which they control, which is definitely therefore set up on the basis of, all customers’ due diligence would say that this is a genuine account, and then they’re authorizing that payment, and then it’s gone into another bank account now.
So fraud is starting and there’s no entry point. It’s been transferred from an account that’s already held and then to accounts which can be cashed out and are controlled by the criminal. And also of course, we see the accounts that they go through are often now accounts which are allowed to be used by account holders, the money mules, so it’s now going into another account where it’s not directly controlled by the criminal, but is being abused; an individual is being abused or allowing their account to be abused. So even then with the layering effect, if you like, that’s already going through accounts which again, have been set up genuinely largely now. And I think it’s quite a reaction to, perhaps the success in the past of combating other types of fraud, now that authorized push payment fraud and then the transfer through money mule accounts is all interlinked and it’s quite sophisticated.
Yes, very very interesting. And of course, because laundering is predicated on fraud as we’ve said, as the scale of the fraud problem grows, so clearly does the scale of the laundering problem that results from it. So there is a really powerful case, isn’t there, for us to examine both of these issues, frankly, in partnership, as you say.
Now how do you feel, Mike, the finance industry, let’s just focus on the finance industry, if we may, because that’s where most of our listeners are drawn from. How do you feel the finance industry in the UK is doing in tackling fraud? I mean, a bit of an unfair question, but how would you score it out, out of ten, if it were a student?
I’d probably give reasonably high marks of something like 7 out of 10, I think that from the outside of financial institutions, it’s easy to throw bricks at the financial institutions and we see that very much around the kind of sterile debate that’s going on around who pays for fraud, which tends to be, the banks should step up and pay when someone has been a victim of a scam. And we’ve started to lose sight of actually the frauds doesn’t care who pays them, the criminal doesn’t, whether that’s the bank that loses out or the individual does, we should be concentrating on the fact that there’s a crime underlying, there’s a fraud that’s underlying a lot of this money laundering.
So I think that the financial institutions invested quite heavily and continue to invest quite heavily in new technologies, in biometrics, in making sure that onboarding now uses faces, voices, looks at devices, so there are device recognition software that’s been brought in, there’s the data sharing schemes like ourselves, so there’s a huge amount invested by financial institutions to prevent and detect fraud, but clearly it’s an arms race and fraud changes as soon as one technique is closed down, others open up. So I think there needs to be continued investment, and perhaps this is one of the differences between fraud and money laundering, of course, because that fraud hits the bottom line, it’s a cost of business. And if it goes above certain risk thresholds, which an institution thinks will affect its profitability, then it will invest more.
Whereas of course, money laundering I think is very much seen as a regulatory risk, and it’s about reducing regulatory fines and sanctions, more than dealing with the problem, I would say. So it’s different incentives.
Yes that’s very interesting, and in fact, I want to come on and explore the question of incentives in a great deal more detail with you. I mean, the scale of the fraud challenge is enormous, just as the scale of the AML challenge is enormous. And I was looking at some figures yesterday about the estimated value of frauds that have been committed in the UK during COVID, which is catnip for fraudsters, as you know. And you refer to it as an arms race. It is an enormous challenge, isn’t it? And I think you’re right, my impression certainly is whilst the industry doesn’t always get the credit I think it deserves for the efforts that its making to combat fraud, those efforts really should be applauded given the scale of the challenge.
Now, both fraud and money laundering is on the rise, we know that, they’re at all time highs; the consensus, certainly as far as AML is concerned, is that industry’s not doing a very good job in tackling it. From what you’ve said, that’s perhaps a different story with fraud. Can I ask, what’s your impression of at the way the finance industry is going about combating money laundering, do you think you would score 7 out of 10 in that regard as well?
I guess the question I’d look at in a different way, rather than what the financial institution should be scored and maybe look at a whole-of-system score. Because I think some of the issues that are really faced by the industry in terms of tackling money laundering are the lack of say, private-to-private intelligent sharing. So we know that suspicious activity reports go into the National Crime Agency, and it’s a one way flow, very little comes out of value, and very much goes in.
So there is kind of big gaping holes around information and intelligent sharing whether that surrounds modus operandi technologies, typologies, sharing of adverse incidents, transaction monitoring and sharing, I think on money laundering there’s a less mature industry than in fraud, in terms of sharing that type of information. So I think that hinders the fight against money laundering within the UK. So I think we look at the UK system as a whole, even with creations of initiatives such as the JMLIT which started to look at how law enforcement could supply back the information, it still on a very small scale compared to the size of the problem.
And as I said, there’s just a lack of that private-to-private data sharing. Although there are some useful initiatives such as, going on in the Netherlands at the moment, around transaction monitoring across financial institutions, so I’d say that it’s a lesser score, but I wouldn’t say it’s the fault of the financial institutions, more of the regime that we have. And quite a lot of that is the lack of legal clarity about what can be shared particularly private-to-private.
Yeah, it’s a brilliant, it’s a really, really interesting answer. You think that perhaps the part of the answer to what is perceived to be the lack of effectiveness of the AML regime in the UK is a symptom of that cultural difference in the way in which we approach fraud and money laundering, whereas with fraud you’ve placed at its heart, data sharing as between institutions and in the money laundering arena, there’s very little data sharing, in fact, it’s just fraught with danger when it comes to the question of data because of the lack of clarity around the rules. That’s really, really interesting.
Now, we’ll come back to that in a bit more detail in a moment, but you earlier alluded to your motivations and I wonder, just putting aside mechanisms for a moment, we’ll come back to mechanisms, but I do wonder whether motivations are also an important part of why we continue to see so much scandal within the AML sphere. Is it because the motivations are different? If banks are tackling fraud, to prevent commercial loss to themselves as well as of course, to others, but every fraud that takes place can hit their bottom line whereas they’re tackling money laundering not to prevent loss, but as you said earlier, to comply with laws and regulations, and also because they want to be good corporate citizens and they realize it’s not the right thing to do to help criminals benefit from their ill-gotten gains. But the motivations are clearly different, one really hits them in the pocket, whereas the other one only hits them in the pocket if they are victims of some enforcement action that’s taken by a prosecutor or a regulator. You think there’s something in that, do you?
I absolutely do, and I think also perhaps to bring in an elephant in a room, is that you’ve painted the rosiest picture of the incentives of financial institution in terms of its corporate social responsibility to tackle money laundering and to also be seen to doing the right thing. But of course, in itself, it can be a very profitable activity. Organized crime gangs are a big business and we’ve seen that with institution after institution having failings internally because of the, probably there are individual incentives, there are team incentives, and organizational incentives for funds to be flowing through the financial institutions and we’ve seen that again and again.
So despite what can be seen to be quite terrifying levels of fines, and very significant fines for regulatory failings when they’ve been found, it’s still doesn’t seem to have rooted out some of that cultural and institutional overlooking of significant money laundering. And we’ve seen it for Mexican cartels, we’ve seen it for bribery and corruption around procurement, frauds, so you know there’s been so many examples and I’m not sure that whether the regulatory regime and that fining has absolutely changed the culture. So yes, in the best sense, many organizations want to do the right thing, many actually end up not doing the right thing.
And that’s fascinating. What you’re essentially saying, and I agree with you Mike, is with fraud prevention, there’s no upside in turning a blind eye to fraud, whereas there is a potential upside to turning a blind eye or at least paying lip service to AML. If we look at the downside risk, it’s not as great as it is with fraud because it doesn’t hit your bottom line, worse than that, there is a real upside to not taking it terribly seriously, because you can boost profits and that incentive operates at all levels; at an individual level, as you said, executive level, and an organizational level, and that is a really important point.
I mean, Charlie Munger, Warren Buffet’s partner, famously said, didn’t he, show me the incentive, and I’ll tell you the outcome. And if we look at recent cases, like the Danske Bank case, like the NatWest case, which is obviously the first case in which the FCA is looking to prosecute for breach of the regulations. If you look at all of these money laundering cases, the anatomy or the taxonomy of these scandals is remarkably similar. I mean, you look at them and think, well how on earth could that have happened despite the massive investment that these organizations are said to have made in their AML controlled environments?
It’s on record as how many people work now in transaction monitoring and money laundering teams, and also the investment in technologies to identify it. There has absolutely been significant investment in probably all over the world, billions of pounds, and definitely hundreds of millions, and yet, we still have the same scandals. I love that saying you just mentioned there from Warren Buffet’s associate, I do think incentives work if you can get the incentive regime right, then behaviors will follow. I don’t think it, it doesn’t seem to me to be quite right at the moment.
And perhaps, given there will always be a very significant upside to turning a blind eye to dirty money and taking excessive risks, do you think that we just simply have not got the jeopardy right? Do you think the fine levels, the punishments, the penalties are not sufficiently great to dis-incentivize that kind of conduct in the AML sphere?
I think it needs some serious thought, doesn’t it? I think we’re probably at risk of violently agreeing that that jeopardy isn’t quite high enough, but there have been eye watering fines, but then I guess some of the institutions too have that eye watering levels of profit in many years. Maybe there’s other examples that need to be said, does a bank need to be literally closed down or do there have to be such a reputational impact on an organization? So as we see now with NatWest, but will that mean that businesses won’t bank with NatWest or individuals? I don’t think so. I think it’s seen as something which just is a regulatory problem, so I don’t have an answer, but I think it’s worth opening a debate about if we’re going to collectively invest so much time, effort, and money into the regime and yet it doesn’t seem to really land. Then what would be the incentives, what would be the punishment, what would be the right regime to drive behaviours that will to start having inroads into to the money laundering problem.
What is fascinating, what this discussion does shed light on, is that there is much that can be learned by the AML world as it were, from the anti-fraud world. That much is clearly evident. And you and I both know if you talk to the best teachers, you talk to the best parents, talk to anybody who’s responsible for influencing behaviors, they would tell you that wielding a big stick is not necessarily as effective as winning hearts and minds. And what you’ve done extremely well in the anti-fraud space is that you’ve won hearts and minds and you’ve brought industry together. And a big part of the reason for that is the mechanisms that you alluded to earlier that you have designed and have promoted.
Now what lessons from those mechanisms do you think we can learn, Mike?
Yeah, so I think that would be my starting point if we, maybe the starting point is that when Cifas was created by, initially the retail credit industry, it was because a number of organizations recognized they were being hit by the same fraudsters again and again, and they weren’t sharing that information amongst themselves. In fact, there’s a history within our organization or kind of founding story, if you like, that the retail credit industry came together, the fraud and financial crime managers there, at that time in 1988, to put pressure on the police. They were saying to the police, what more can you do? These criminals are just going from store to store, getting store cards and stealing our stuff, and it’s the same people, what are you doing about it?
And then as now, the police, well we don’t have enough resources to do it, you’ve got to solve this problem, so what are you doing about it? So they threw the problem back and the industry said okay, right, the police aren’t going to solve this, they’ve thrown it back, so what shall we do? Well so they’re identifying those fraudsters, we better start sharing. So the solution came from those founding fathers, if you like, of the fraud industry who came together and said what do we need to be doing, what do we need to be sharing to be able to reduce the impact of these persistent organized fraudsters.
So that started off a process of leaving competition at the door, coming together and collaborating, and recognizing that collaboration on sharing data intelligence and knowledge was going to be the way forward. Now it’s taken time of course, you know that was 32 years ago, it started off with eight organizations and now we have over 600. And it started off in the retail credit industry, but then the banks recognized, the card issuers recognized, and the loan industry, mortgages, all started recognizing that the fraudsters just didn’t attack one industry, they attack wherever there’s money. Wherever they can get value, they will attack. And therefore, they’re seeing the same fraudsters or the same across the industries.
And so it’s taken time, and each new industry as it sees a fraud problem, looks around for a solution, and we already have that infrastructure created, so now we have telcos in membership, we have started to take on the online gambling industry who at certain stage of maturity, start to recognize they must share data amongst themselves – like say the insurance industry does with the insurance fraud bureau – and at second level maturity there is, we should be sharing across sector because if we silo our data and silo our intelligence, then that’s not how criminals operate. And I think the next level of maturity would be global data sharing, because fraud and financial crime are global industries.
So I think I’ve seen, one it’s creating the community which leaves competition at the door. Secondly, I think we’ve got a real advantage, because of that longevity, that our sharing data for frauds for purposes of preventing detecting fraud is recognized in the data protection act, is recognized in the European legislation, the GDPR, there’s recital 47 which talks about the legitimate interest of business to process personal data and an example is given is for preventing fraud. So there is, because we’ve been around and made that argument, the legal provisions that followed which enables the data sharing, and thirdly, I think there’s just an issue of if you put in place a scheme of good data governance and security, you can create trust that this can be done at a low risk for participating organizations.
So we’ve been doing it for 32 years now, so it doesn’t come overnight, but it’s a model that is needed in financial crime more widely, money laundering specifically, to really start turning the tide, identifying money laundering, and doing something about it. But this came from industry, it wasn’t imposed on industry by regulation, and I think that’s a real big difference. And I would say, what the industry came up for in fraud is more successful than the regulatory regime imposed by a government.
Yes, fascinating answer that. And so if we contrast that with what we see in the money laundering sphere, there are two major issues I count there. Number one, you used the phrase a couple of times, we leave competition at the door, you recognize as sort of anti-fraud specialists, as a community, that a rising tide lifts our boats. That as an economy, we’re only as strong as our weakest anti-fraud link as it were, it’s imperative that you work together as a collective to fight it. Now that’s enviable. We just simply don’t see that in the AML space. In fact, what we see despite the best efforts of a lot very of well meaning people, we actually, I think sometimes see AML failure as an element of competition.
If a bank gets whacked with a six billion dollar fine, well hey you know that’s the cost of doing business and they’re going to have to suffer that and know it’s part of the game, right? And we’re all in this competing for a biggest share of the market slice as we can get. So that’s the first thing, it’s one of attitude, it’s one of community. And then the second point you make is around mechanisms, whereas the law provides for data sharing mechanisms in the fraud prevention space, it does the opposite when it comes to AML.
People are scared stiff of tipping-off offences and goodness knows what else, so this militates against information sharing. And there’s a consequence, that rising tide, that tide that I mentioned earlier, is never going to rise. How do we address this, do you think? I mean what we seem to be saying here is that the problems are systemic. We need government to begin to legislate differently in order to encourage different behaviors through legal mechanisms.
I absolutely agree. And there aren’t actually some green shoots of what’s possible here because the Home Office does recognize there needs to be a testing of the current data protection legislation to see whether there can be the similar types of fraud that you’re in for financial crime, and for us to resolve some of those tensions between POCA [Proceeds of Crime Act] and GDPR. And how that is being operated is, there’s a pilot going to be run this year by Cifas, but it’s actually on behalf of UK Finance and the Home Office.
So we’re providing the technology platform and our expertise in data governance and data processing, but UK Finance is taking the lead at bringing together organizations, bringing together the banking community to explore how can we do this in a way which is legally compliant, resolve those tensions between tipping off and the transparency agenda of data protection legislation. And it’s going to be conducted in the ICOs sandbox.
So I think this gives the real opportunity to find out can we do it under existing legislation or does there need to be a change to UK legislation, and the Home Office will lead that. So I think we got a really good chance to resolve this kind of very fundamental issue around how can you get such scheme of sharing private-to-private and within the UK, which people are confident to actually participate in, because it will be a firm legal basis for it. I think that really does hold everyone back from doing what they would like to do and what they think is right in terms of tracking money laundering.
You need to be able to see both ends of a transaction to really identify whether there was a genuine risk of money laundering. And I think it could actually be really helpful for individuals, we see so many defensive SARs that are put in and that could really affect an individual because we’re now sharing information on a suspicion, where if we shared the information, we could actually say well that one looks like a perfectly reasonable transaction, there’s no suspicion there, if you see both ends. So you could end up, this actually could be helping to reduce the risk to individuals, to innocent parties because we are sharing more. So I think it’s not just about identifying when it’s a genuine money laundering concern, but it will also be protecting innocent parties.
So I think there’s a lot to be gained and this pilot should be kicking off later this year. It is with a view to seeing does our legal regime, is it the best it could be to enable this sharing? Do we need a 314b like in the US or do we need something equivalent or better, or do can we do it under existing legislation? We just haven’t had the confidence to do it.
It’s a brilliant initiative, Mike, and I am going to be really interested to see what the upshot of it is. I’ve always been skeptical of the FATF model and its relevance and applicability in certain parts of the world with stark cultural differences to the jurisdictions that the principle sponsors of the FATF model and approach. And I think that, not including a requirement for jurisdictions to have legislative models and mechanisms to encourage private-to-private information sharing on money laundering is a glaring omission from the FATF model.
Are you seeing any leadership around this kind of initiative emerging from International standard setting, what is like the FATF or is this purely domestic, a Home Office led initiative?
So at the moment, it’s a Home Office and domestic initiative, and I’ve had to take my hat off to Nick Lewis who’s really pushed this agenda. But I do think if we can, we also see through RUSI’s future financial intelligence sharing program that there is a lot of good practice in different parts of the world. And as I mentioned in the Netherlands, there’s been a couple of initiatives around transaction monitoring sharing. So at the moment, it seems to me in different jurisdictions wrestling with that problem rather than a supranational body such as FATF taking the lead, but I could be wrong with that. Maybe they pick that up once they see some examples of this being effective, but I recommend anyone to look at the work by RUSI on the comparisons of intelligence and public private partnerships around the world too.
Yeah, oh RUSI do some terrific work in this area, Tom Keatinge in particular, is a superstar in this area. And this is I’m sure something, that should raise with David Lewis, executive secretary of the FATF, who’s been a guest on this show, I’m sure that David would be very, very interested in this kind of initiative and its outcomes.
[crosstalk] answer that is the, sometimes the timing of these things, technological development such as privacy enhancing technology which is now being more widely utilized wasn’t there in the past so there could suddenly become a way for that type of data sharing to be more prevalent because some of the concerns around sharing customer date for example, can be reduced.
Yes, yes. Now look, Mike, for the benefit of our listeners in the AML space, I want to just dig a little bit deeper if I may, to understanding more of the sort of granular work of Cifas, in facilitating the data sharing that you’re referring to. How does this work? Do organizations literally on this peer-to-peer platform as it were, do they share their suspicions, concerns about individuals or does it also extend to learnings from root cause analysis conducted internally so they’re spreading information about fraud methodologies. What sort of data is being shared amongst your members?
So, I would probably approach that we have three different tools that we provide to a membership. One is the National Fraud Database, so this is a utility of shared fraud cases. Secondly, we then have what we call our member portal which is a secure platform for peer-to-peer discussions, sharing of intelligence, sharing of new modus operandi, and to be asking each other questions. And then we have something called Fraud Check which is now on a digital basis where if you have a match in the data to another organization, you can be put in touch with your equivalent in the other financial or other membership institutions. So the core is a national fraud database and I’ll explain a little bit about how that works.
So that takes in primarily, or the biggest amount of the greatest useful data is when a member finds a case of fraud, it will then – it is then obliged under our rules – which is based on a core principle of reciprocity, so if you join Cifas and are a member of the national fraud database, you’re obliged to put the frauds that you discover into the database if you’re going to get the benefit of being able to access that data.
So what would happen if a member discovers a fraud, it will file a case to the national fraud database, it will be generally, it would have information about the individual; the name, address, date of birth, their address, their financial details, their contact details, email address, mobile phone numbers, it could have documents attached to it, identity documents, pay slips, depending on the type of the fraud and the sector that the organization’s in. And it must meet our standard proof before a case is filed.
A standard proof is that the member has to be sure that a fraud has been attempted or conducted. They don’t have to report that to the police, we actually supply all that information that comes in on the databases to the National Fraud Intelligence Bureau. It’s not reaching a standard beyond a reasonable doubt, it’s just that they were sure it’s a fraud, they must have sufficient evidence that fraud has been taken and they must’ve taken action such as ending a facility, closing an account, rejecting an application. Then that data is immediately available to all the rest of the memberships in real time so you can search against it. And how members tend to do that is on their onboarding process. One of the checks will be to check everything in an application to open a bank account against every element of that data against the database.
And so we have a set of data matching rules, it’s a rules based system, which would then say is it the same individual, same addresses, is it same contact details, same bank account, with some fuzzy matching, and it will come back and say what data matching rules have been fired or not. So it could come back and say his email address has been seen in frauds in the last week, therefore you might want to take at this application to see whether you want to continue with that application.
So we call it confirmed fraud. That fraud, are you sure it’s fraud? It doesn’t have to be standard beyond reasonable doubt, and once it’s there, it’s searched against, now in built to a lot of the onboarding process, accounts opening processes of most of our members can also be used as an investigative tool, to be able to search on any element of what’s in that data. So that’s the bulk of that data, I think it has something like 700,000 individuals on there. Two and a half million phone numbers, a million and half emails, and then several million other records which come from different sources. For example, Operation Amberhill is a metropolitan police unit that looks at identity fraud and if they raid an identity factory and find that different documents have been created, identity documents for fraud, or for any purpose, but they’re fraudulent documents, that’s also loaded. So you’ll see that there’s lots of a rich database of information to be searched against in real time.
So there’s a national fraud database, and that’s how that operates. If a member makes a match against it, they can access the case that the first member files, and if they need to speak to them, they can use our fraud check system, and then have an A to B conversation about what did you see, what more information do you have, to be able to make a risk based decision about whether to onboard a customer or whether to reject a customer. So it’s both sharing intelligence through the portal, where we share the different typologies, modus operandi, what’s going on intelligence; and then there’s actual fraud data in the national fraud database.
Very very interesting. It’s a brilliant mechanism, it really is, and clearly there is a huge volume of highly valuable data there that you’re hosting and facilitating access to by your members, which is brilliant. You talked earlier, Mike, about the third level of maturity which is international cooperation which much be right because like money laundering, fraud doesn’t respect boundaries or borders. What ambitions does Cifas have in that regard?
So our ambitions are big on that scale. Obviously, just reflecting on what can be learned in financial crime and money laundering from fraud, I think that there’s a mature system of international cooperation from FATF and other organizations on money laundering and international standards. We don’t have anything similar at all on fraud, so we’re way behind on that globalized picture of the fraud problem and yet because of technologies and the internet, you can sit in Kiev and make hundreds of applications to financial institutions in the UK using data you’ve found on dark websites so we need to be able to get better on a global basis. So what our ambitions are is that at the moment, there are only two other organizations similar to Cifas in the world. One is in South Africa which we helped set up, and one in Australia, the Australian Criminal Financial Exchange, and we cooperate but we’ve not yet reached the level of being able to share data because of different legal bases that we have in the three different jurisdictions.
We are contracted to create a shared fraud database for the Banking and Payments of Ireland and they’re going through the process of getting their department of justice and their data commissioner on board. And we’re helping in the Netherlands to create a Cifas-like structure or shared fraud database on the basis of our technology and rules.
So I see in the future we need to be creating as many Cifases as we can in different jurisdictions and then starting to join up those data sets and being able to compare them. That may well be, we can do that through using proven enhancing technology to get around the difficulties of the different legal underpinnings on data protection. But I think we could also take a leap and start thinking how can we start sharing data between global companies and global banks. Particularly, for merchants, there is so much data now available, particularly for the big tech companies, and I think we might take a leap from trying to create some hundred Cifases one every few years to actually can we crack a global data sharing scheme maybe based on this primacy and enhancing technology.
It’s not for me just like a dream, it’s like a necessity. Because fraud is such a global industry and we could just displace it where the individuals who are behind and the organized crime gangs are to someone outside of the jurisdiction. We’ve seen it through policing, police have given up in some instances because the perpetrators are overseas. We can’t sit back and let that happen. It’s a tough road to go down though, Stephen, as you can imagine. But even this afternoon I’m having discussions with global merchants around how we can create such a global exchange of fraud data.
But that is absolutely our ambition and because it’s a necessity in the global age.
Yes, I totally agree, I totally agree. Well Mike, we wish you all the very best in your ambitions to allow other countries around the world to benefit from the expertise and the mechanisms and the specialisms that you’ve developed at Cifas. I’m very very conscious of time, so on behalf of our live listeners and all those many more listeners who will download the podcast, thank you very much for sparing time, Mike, I know how busy you are. It was a genuinely insightful discussion and there clearly is very much that the AML community can learn from the fraud prevention community and from Cifas in particular, to the extent that KYC360 as the global AML knowledge portal with now about 50,000 regular AML professional users to the extent that we can help you with that and the realizations of those ambitions as it were for the greater good, then I am sure that we will do all that we can in that regard.
Thank you all for listening, this podcast will be available on KYC360, and other variety of other platforms during the next 24 hours, but for now, stay safe, stay well, and I look forward to speaking to you all again in our next AML Talk Show. Goodbye.