In this interview with Mike Haley, the CEO of CIFAS, we explore all things fraud, not just in the UK but around the world. Mike is one of the world’s leading experts on combatting fraud, and CIFAS is the oldest and probably the largest “private to private” and “private to public” information sharing collaboration in the world fighting financial crime (focussed on fraud).
1 – Is Fraud at epidemic even pandemic levels and if so, what’s driving it?
The description of fraud as an epidemic or pandemic seeks to raise the spectre of a disease that is widespread and out of control, however, we often use these labels without considering their epidemiological roots. An epidemic is a disease that affects a large number of people within a community, population, or region, whereas a pandemic is a disease affecting more than one country or region. Whilst fraud in the UK is at unprecedented levels – over 40% of recorded crime – the global impact of fraud in multiple jurisdictions leads us to conclude that we are indeed facing a pandemic of fraud – one that causes widespread disruption to financial services and hardship for many businesses and individuals, across the globe.
There are many reasons why fraud has grown and explanations for why it can be considered out of control. In my view the two most significant drivers for the increasing levels of fraud are the long-term historical shift in acquisitive crime – from theft to fraud – driven by the ubiquity of the internet, and secondly is the lack of policing of the internet and fraud.
Criminals follow the money and so, as the cost and value of tangible objects has dropped, and more and more value is being stored digitally, criminals have turned their hand to fraud. People rarely carry cash these days and our money is locked in online accounts, electronic wallets and on plastic cards. Secondly, to access those stores of value, to obtain a loan or credit card, open a bank account or a mobile phone contract, or order goods, you need to apply online and often through an internet enabled device. Both organised criminals as well as the opportunist can now apply, using stolen or lost identity data obtained on both the surface and dark web, with little risk. Credentials to take over an account are widely breached and available, and criminals have developed techniques, such as social engineering, to persuade people to willingly give up those credentials through phishing, vishing and smishing. The tools to conduct fraud are widely available, with fraud-as-a-service available on dark net marketplaces, lowering the cost of entry to conducting fraud. And then there is the sheer scale of fraud attack enabled by the internet and modern communications – it is low cost for the scammer to send millions of scam calls, texts, and emails to see who bites. Fraudsters are disintermediated from the process, hiding behind anonymity, often in another part of the country or world to where the fraud is taking place.
Add to this the low risk of being apprehended and the lack of a deterrent and you have the recipe for a high reward and low risk criminal path. Whilst criminals moved with the times, policing has not. In the UK only between one and two percent of police resources are dedicated to combatting fraud, and the police that do tackle fraud are not always skilled or trained in investigating fraud. Fraud has not been recognised by politicians as a genuine crime and so there has been a long-term failure to invest in sufficient resources to police fraud. Additionally, there are no global regulators or policing of the networks, and for too long the social media companies have not recognised that they have a role to play in stopping fraudulent adverts and communications reaching their customers. Fraud is therefore a low cost, low risk, lucrative business, and it’s no wonder that criminal enterprises have arisen to take advantage.
2 – Do we have to accept this as a cost of the digital and data age in which we live which provides so many benefits but also with it comes a certain level of unintended consequences?
Whilst we do have to accept that modern communication methods and the storage of value in digital lockers increases the risk of fraud – I reject the notion that we must accept the cost. The dire response is due to the lack of political will and the failure to increase police resources in line with the growth of the problem – so it is a man-made problem, and we have the ingenuity to tackle it. We have largely designed out car crime and we can substantially reduce the fraud problem through technical means and collaboration. Spam filters now take out the vast majority of scams and phishing emails, preventing them reaching their intended marks; new technologies have arisen to enable the identification of suspect devices or detect the change in behaviour of an individual returning to an internet session. A range of identity verification and authentication services have arisen to detect imposters. And sophisticated algorithms monitor billions of transactions to detect anomalies. However, the response by fraudsters has been to turn to exploiting the customer to evade the technical hurdles now in their way.
Social engineering of the victim through convincing an individual to make a transfer on some ruse is a sign of the success of technical measures to reduce account take over and account opening fraud. We now need to look to technical ways to deal with scams – sharing data and intelligence between financial institutions, telecoms companies and social media platforms – where much fraud is initiated.
3 – How has the fraud and scams threat evolved during your time working to combat fraud and scams?
When I first started tackling what was then known as mass marketing fraud, the communication means were letters and small ads. Some victims were receiving hundreds and thousands of scam letters and calls every week and deceptive telemarketing and scam letters were a significant, but largely invisible problem. Scam victims sent cash and cheques through the post or were persuaded over the phone to send large sums through money transfer agents. The fraudsters were successful, and it was a multi-billion-pound industry, however, the growth in the reach of email and the internet has led to a second industrial revolution for scammers, who can now reach millions of their marks at very low cost. The introduction of faster payments now means that the con-artist does not need to persuade their victim to take cash from a bank, find a Western Union outlet, complete a form, and send them the money to secure their lottery win or invest in a sure-fire return – now from the comfort of your home in minutes the victim of the scam can create a new payee and pay thousands to the fraudster. The fraud communications have also evolved from a poorly worded email from a supposed Nigerian Prince to messages by SMS or online that are indistinguishable from genuine contact from your bank, e-Shop, or delivery company. Modern fraud is perpetrated on a grand scale, is more sophisticated and global.
However, fraud technology has also come a long way from those early days of fraud detection. In the 90’s, there wasn’t any identity fraud technology whatsoever. There were no bureau alerts, no identity fraud scores, and no bad actor databases. Now we have consortium data, sophisticated data analysis, device reputation software, phone trust scores, and in-session behavioural analytics, all in real time.
4 – Is the UK somehow more at risk of being targeted and becoming victims of Fraud and Scams – Are there inherent factors that make the UK more susceptible to Fraud and Scams?
I do think that there are factors that come together to make the UK more of a target for scammers. The ubiquity of the English language is one such factor – as the most spoken language in the world – there are more criminals that speak English and more English-speaking targets – in and outside the UK. An example being the Indian call centres where the Microsoft and remote access scams originate, where English is widely spoken but little German for example. Secondly, the UK has greater take up and penetration of internet and mobile services: 93% of the population have a smart phone and 95% are internet users. We have high rates of internet and mobile banking and perhaps are now less likely to stand for friction in the journey, impatient to get a loan or credit card decision. We were also among the first jurisdictions to introduce faster payments, a key enabler of Authorised Push Payment fraud (scams). Lastly, we have an aging and asset rich population, some looking for investment opportunities, or to make ends meet. All these factors are ruthlessly exploited by scammers.
But I think we also have a better grip on the scale of the problem in the UK – although much maligned – the national fraud reporting centre – Action Fraud and the National Fraud Intelligence Bureau, do bring together data on the scale and harm of fraud and there is a single place to report, whereas other countries probably do not understand the scale of their fraud problem.
Fraudscape 2023 from CIFAS
The 2023 edition of Fraudscape, from Cifas, sets out the challenges and threats facing the fraud prevention community, and the areas on which we need to focus to fight fraud and financial crime together more effectively. The report combines data from our National Fraud Database (NFD) and Internal Fraud Database (IFD), along with intelligence provided by Cifas members, partners and law enforcement.
5 – What role did CIFAS play in combating Fraud and Scams historically and how has it evolved to what it is and does today?
Cifas was set up to facilitate the sharing of data and intelligence to combat fraud. As a not-for-profit our sole aim since our inception in 1988 is to help our members prevent and detect fraud through providing an exchange utility on instances of fraud. We have grown from our initial 9 members in retail credit to 663 organisations across 13 different sectors, including banks and building societies, telecoms, insurance, credit card issuers, loan companies, asset finance companies and most recently local government and the online gambling sector.
We achieve our aim primarily through maintaining the National Fraud Database (NFD). The NFD is run on the principle of reciprocity – or give to get – our members are bound to record any instances of fraud they discover to the NFD, and they can use that data to identify fraud risk. The NFD is used primarily at account opening, but can be utilised throughout the customer lifecycle, and can be accessed through several intermediaries such as Credit Reference Agencies or via an API. Last year members reported preventing losses of £1.6 Billion through using the NFD.
We have evolved from distributing that data by fax! to a sophisticated data matching technology. It is a real-time, 24/7 data service, which provides returns against searches made by members that trigger one of our data matching rules. Over the years we have added a document upload feature, a facial matching capability, and search and local based analytics. Last year more than 100 million searches were made against the 6 million records we hold, 1 million of which are cases of fraudulent conduct recorded by our members.
Twelve years ago, we also launched the Internal Fraud Database (IFD) to share data on those who had defrauded their employer.
6 – What outcomes is CIFAS most proud of and what are the ingredients that drive that success?
Over 35 years of our existence we have saved our members over £20 Billion that would have otherwise gone into the hands of the criminals or the dishonest – that is something of which we are enormously proud. But what makes us unique and successful is the community that we have built and the trust that we engender as an independent third party that operates on a not-for-profit basis with the sole aim of preventing fraud and financial crime. Cifas is viewed by our members as a crucial layer of defence in our members’ fraud prevention armoury.
We have also built-up deep expertise over the years in data governance and running a secure, legal, and reliable, real-time data sharing scheme. Our data is the ‘gold standard’ and can be used to make risk-based decisions, and this gives us the platform now to expand into sharing data and intelligence much wider than confirmed fraud to financial and economic crime more broadly.
Data sharing is our core business and to do that effectively you need skilled and knowledgeable people in data governance and a modern and reliable technology that underpins our data sharing scheme. We have had a long-term partnership with global technology player CGI, who have been brilliant in supporting the development of the technology, improving the search capabilities, reliability, and speed. We moved to the Microsoft Azure cloud six or seven years ago now and that has also ensured we have the capacity to increase our services and provide direct API look up.
We share personal information on individuals whose conduct is proven to be fraudulent. To run a scheme that maintains regulatory, public and member trust we invest heavily in our data integrity processes. We are a transparent organisation, and we handle some 4000 Data Subject Access Requests on average per week, we handle complaints about filings from individuals, and ensure that the rules of the scheme balance our members’ legitimate interests to protect themselves from fraud and financial crime with the rights of the citizen under data protection legislation. This is the unglamorous but necessary work that is required to provide our members with trusted data and intelligence.
Our ability to share fraud data arises from a privileged position. Cifas started sharing fraud data almost a decade before the 1998 Data Protection Act and we were successful in securing provisions in the Act that recognised the legitimacy of sharing data to prevent fraud. Similarly, recital 47 to the GDPR recognised that sharing personal data to prevent fraud was in the legitimate interests of business and this flowed into the 2018 Data Protection Act. There is therefore a clear legal basis for sharing data to prevent fraud. Unfortunately, it has never been as clear when it comes to sharing data on financial crime: attempts to introduce gateways to share data on money-laundering, such as the Criminal Finances Act, have not created the legal certainty and confidence to share financial crime data between private institutions. This is all set to change, in the UK, with the passing of the Economic Crime and Transparency Bill, which provides both for direct private to private sharing and envisages the creation of a utility to share such data in bulk – such as bank to bank data sharing on customers exited for suspicion of being involved in financial crime. So long as the correct data governance framework is in place this could revolutionise the identification and mitigation of financial crime risk across regulated entities.
7 – Is this a model for other Countries to consider – Is CIFAS working outside the UK?
I believe it is a model that can be exported – in fact it has been to Southern Africa. Our sister organisation, the Southern African Fraud Prevention Service (SAFPS), that we helped to establish is equally successful and innovative. I meet regularly with the CEO at the SAFPS and at the Australian Criminal Finances Exchange (ACFX) – who run a similar service, to compare notes. Cifas is also currently working with the Banking and Payment Federation in Ireland to deliver a shared fraud data service in the republic in the next year.
We are always open to using our expertise to help other countries to create their own fraud data sharing schemes. The slowness of adoption is that such data sharing often requires an explicit legal gateway to enable the sharing of fraud data – in the UK we have this and in Ireland it is being introduced. However, our long-term ambition, though, is to facilitate the sharing of fraud and financial crime data across borders.
8 – What would you like to see that’s not yet mainstream or moving fast enough which could help combat Fraud and Scams?
There are no international standards and organisations for combating fraud: no common language or typologies and limited exchange of information across private to private and private to public domains. We need concerted effort by international institutions, such as the OECD, to facilitate the sharing of data and intelligence on fraud, recognising it’s the predicate offence in nearly half of all global money laundering and a threat to international security and global financial institutions. If we are serious about eradicating fraud and wider economic crime, we need to start the hard work of creating an international coalition and for fraud to be taken seriously. That must start with a change in political will in the UK.
9 – What do you make of the U.K. Government’s Economic Crime Strategy announced in March 2023?
I welcome the second Economic Crime Plan, which I believe is a positive step towards reducing fraud, and that the first outcome of the plan is to cut fraud. I especially welcome the recognition of the important part that sharing data plays in combatting fraud, however it is essential that if this is to be effective, it includes sharing law enforcement data and intelligence with industry and public sector partners.
The Economic Crime Plan also commits to increasing law enforcement capacity to pursue fraud and money-laundering, which alongside the recent announcement that fraud will be included within the Strategic Policing Requirement (SPR), is a step in the right direction.
It waits to be seen whether the introduction of a new offence of ‘failure to prevent fraud’, which will hold companies ‘criminally liable for fraud conducted by an employee, where procedures are not in place to prevent it’ will bring about a fundamental cultural shift in companies’ actions but I am optimistic that over time it will.
In my view the measure that has the potential for most impact is the introduction of the Economic Crime and Corporate Transparency Bill and reforms to General Data Protection Regulation (GDPR) which are set to remove the legislative barriers to economic crime data sharing. This will allow for the sharing of customers exited on suspicion of being involved in economic crime and will provide a more holistic picture of risk to deal with issues such as money muling.
We now await the release of the Home Office Fraud Strategy, which has been delayed since last summer. It is critical that the Economic Crime Plan and Fraud Strategy commitments are aligned and form an effective and joined-up cross agency response to fraud and all its challenges. I am hopeful that the Fraud Strategy will provide more dedicated law enforcement resources to provide a step change in prosecutions and disruption of fraud.
10 – As a result of this interview I have your name, CV, mobile number, e mail address, photo and know a lot more about you than I did before we decided to do this interview – I assume I could get this information pretty easily anyway either online or if I was a fraudster or scammer quite cheaply – how do you go about making yourself as safe as you can from fraudsters and scammers?
It is true that so much of our personal data is readily available to criminal elements. This was set out in our report Wolves of the Internet, where our research revealed that much personal data is sold in plain sight on the surface web. That will include my own personal data.
You would be pleased to know that I follow the sensible steps we advise others to do – such as regularly checking my credit reference report and bank statements, reducing my social media settings to friends only, and having a very sceptical attitude to calls, emails and texts I receive! I also use a password protector and generator.
Like so many people I have been impersonated in the past – and my most important contribution I can make to ensure everyone is protected from impersonation is a significant project to replace our existing Protective Registration product with a new scalable service to protect identities. This seeks to make nugatory the use of stolen personal data by bringing citizens into the decision to open a new account or facility through an App. In time this could be extended to larger or potentially risky transactions too. It will be ground-breaking and have widespread coverage. It is an ambition now, but we are building a beta test environment this year.
Who is Mike Haley?
I was fortunate to have a grounding in fraud investigation at what was then Her Majesty’s Customs and Excise and now HMRC. I cut my teeth investigating large scale VAT and Excise fraud and had great role models and training. I followed a path in fraud investigation through the London Borough of Ealing and then to the NHS Counter Fraud Authority, where I initially managed the London Regional Fraud team, before moving up to a role supporting the CEO in developing fraud strategy across the NHS. For that move I will always be grateful to Jim Gee, who headed the service at the time, and opened my eyes to wider counter fraud strategy. From there I gained outstanding experience at the Office of Fair Trading (OFT), where I first headed cross border enforcement and then gained promotion to the post of Director of Consumer Protection.
That organisation allowed me to be innovative and pursue frauds such as mass marketing and Timeshare fraud, as well as rogue traders. During my time at the OFT, Lord Goldsmith instigated the Fraud Review, and many of the innovations we had introduced at the OFT, including multi-agency work on mass marketing fraud, and consumer education initiatives, were called out in the report. That led to being appointed as a Director at the National Fraud Authority (NFA), which was a recommendation that came out of his report. That was an exciting and challenging time to be at the centre of the national effort to combat fraud, as we created new capabilities such as the National Fraud Reporting Centre and the National Fraud Intelligence Bureau, and I led on the creation of multi-agency strategies to tackle identity fraud, mortgage fraud, public sector fraud and mass marketing fraud. The NFA, unfortunately, did not survive the swing of the austerity axe, and was, I believe to this day, to have been a false economy. I moved then to head fraud at the MoD and then to the Solicitors Regulation Authority as Director of Supervision before seeing the role of Deputy CEO at Cifas seven years ago. That was an opportunity I could not turn down as my whole career was leading to an understanding that fraud cannot be solved by investigation alone and needs a strategic and preventative approach. Four years ago, I took over as CEO at Cifas and consider it has the potential to develop truly transformative solutions to fraud and financial crime problems, where collaboration or data, intelligence and knowledge sharing is paramount. Along the way my proudest personal achievement was to study at the Open University and gain a first degree and master’s degree in Criminology – with a specialism in white collar crime of course.