On November 30, the UK government and 11 internet companies (including Google, Microsoft, Facebook, TikTok, X, and LinkedIn) signed the voluntary Online Fraud Charter. This Charter contains serious commitments to action that are needed to help reduce fraud in the UK. Reuters quoted British Prime Minister, Rishi Sunak, as saying, "Fraud is now the most common crime in the UK, with online scammers targeting the most vulnerable in society. By joining forces with these tech giants, we will continue to crack down on fraudsters, making sure they have nowhere to hide online."

Getting the major internet companies to meaningfully join the fight to stop financial fraud and scams has been a difficult process. UK banks have been vocal about requiring internet companies to make this happen, realizing that these companies have an important part to play in taking real action to help stop scams. Why? Internet platforms are the place where a majority of online financial scams originate.

  • TSB Bank reports that “scams that come through these Meta-owned companies account for 80 percent of all fraud cases within the three biggest fraud categories at TSB.” The bank also noted that 86% of impersonation fraud cases resulted from scam activity on Meta platforms.
  • Barclays data revealed that four out of every five scams it encounters originate on tech platforms, including social media, online marketplaces, and dating apps.
  • Lloyds Bank data further supports the prevalence of scams on internet platforms, reporting that 80% of scams start online.

The Four Commitments from Internet Companies

So, what is in this Online Fraud Charter and what are these companies voluntarily committing to? First, the Charter recognizes that the newly approved UK Online Safety Act, whose implementation is being overseen by Ofcom, will have requirements that overlap parts of this Charter. There will be ongoing reviews to make sure there are no duplications or inconsistencies. More on the Online Safety Act later. Second, the Charter allows the signees up to six months to put the controls in place. And as this is voluntary, unlike the Online Safety Act requirements, there are no penalties involved for non-performance.

Now, let’s look at four of the key proposed controls in Table 1. These controls focus on ensuring fraud, money mules, and associated behaviors are stopped online.


Table 1. Four Key Proposed Controls

| Blocking | Reporting | Takedowns | Advertising |
| --- | --- | --- | --- |
| Have effective processes to identify and remove fraudulent content and accounts | Adopt a simple mechanism to report fraud, within 2 clicks of a button | Remove fraudulent content immediately | Deploy verification measures for new advertisers |
| Block users that have been previously removed for fraud | Have a process for law enforcement and trusted partners to report suspected fraud on the platform | Take appropriate and timely enforcement action against persons entering fraudulent content | Screen advertisements for suspicious content and continuously scan for fraudulent embedded URLs |
| For dating sites, give users the choice to verify accounts | Develop warnings when users are contacted by unknown accounts | Have a clear process to reinstate victims’ accounts following account takeovers | Assess URLs that redirect to another web page |
| Deploy verification measures for sellers of goods | For dating sites, warn users about suspicious contacts | | Allow users to quickly report on fraudulent adverts |

If you look at these four key controls, there is significant control activity included. The obvious question is whether the platforms are technically capable of achieving these controls. The good news is that, with the advent of GenAI, maybe we can see it adopted for good to help with these controls. After reviewing these controls, I would think UK banks would agree that if they can be implemented, it would be a big help. But it’s important to point out that some scams start with a telephone call, a mobile text message, or a secure message from WhatsApp or Telegram. Telephony and messaging will not be part of this Charter. And remember, most internet messaging is encrypted, so the platform vendor cannot read it.

In addition, the Charter requires the internet companies to have dedicated liaisons to respond to law enforcement requests. The Charter also requires these companies to share fraud intelligence. They should be prepared to work with the UK Government and associated fraud control entities (e.g., the National Cyber Security Centre, NCSC) in determining what data should be collected and the best ways to share this data. This should also include analyzing established and potential ways (e.g., GenAI) in which fraud is occurring on these internet platforms. The Charter also addresses the communication that these platforms can provide to educate users on fraud.


Perspectives from the Banking Community

The Online Fraud Charter is a good first step towards involving internet platforms in the fraud fight.  However, skepticism remains about how serious these companies will be. I know many fraud fighters who in the past have brought fraud to the attention of internet platforms, only to be ignored.  Examples include bogus LinkedIn accounts and fraudulent websites promoting crypto investments. In the Home Office press release, there were a number of quotes from government leaders about the value of this Charter (“World first agreement to tackle online fraud”), but none from the internet company signees.  With the announcement of a big partnership, all sides usually want an important quote to demonstrate their commitment.  Maybe it was just too many signees to get quotes from them.

In a Finextra article, Liz Ziegler, fraud prevention director at Lloyds Banking Group, commented, "This action (the Charter) is vital given 80 percent of scams start online and we look forward to seeing tech firms move with seriousness and pace to address the fraud their users are falling victim to, with the government holding them to account." 

In an Independent article, Paul Davis, director of fraud prevention at TSB said, “Now we have the Charter, it’s down to all signatories to match their commitment with meaningful concerted action – putting the right protections in place to reduce fraud and take responsibility to protect millions of consumers on their platforms.” 

I think Liz Ziegler and Paul Davis speak for other UK banks. They really want this Charter to be the first step in a successful attack by internet companies on fraud in the UK. They want to believe the signees are going to take this seriously. We sure hope they do, as it is their customers (and the banks’ customers) being scammed for large amounts of money by these fraudulent online actions.

Drawing Parallels to the Online Safety Act

In some ways linked to this Charter is the consultancy that Ofcom (UK Office of Communications) began a few weeks ago. Ofcom is the regulator charged with implementing the recently approved Online Safety Act, which has a primary goal to protect children online and remove fraudulent content from online platforms. The primary platforms being addressed are user-to-user (U2U) platforms, such as dating sites, social media, and search engines.

In this first consultancy (asking for feedback before final requirements are published in 2024), Ofcom is starting to draft proposed controls. A big difference between what Ofcom is doing and the voluntary Charter is that Ofcom’s regulations will come with penalties and potentially large fines for failure to meet these requirements. According to Ofcom, “Our initial Code of Practice on Illegal Harms will recommend services adopt protections to address all types of illegal content covered by the Act. In addition, the draft Codes will recommend some targeted measures against some of the most egregious illegal harms.”

Ofcom also states that, if necessary, they will “launch enforcement action where we determine that a firm is not complying with its duties.”  A few key points from the November consultancy summary document include:

  • Requirements for a governance body and a named individual to oversee the implementation of the Ofcom requirements
  • Evidence of new kinds of illegal content on a service, or increases in particular kinds of illegal content, is tracked and reported to the most senior governance body
  • Content moderation systems or processes are designed to take down illegal content swiftly
  • Keyword search is used to detect content containing keywords strongly associated with offences concerning articles for use in frauds (such as the sale of stolen credentials)
  • Complaints system & processes are easy to find, easy to access and easy to use
  • There is a dedicated reporting channel for fraud
  • Internal search moderation policies are set having regard to the findings of risk assessment and any evidence of emerging harms on the service

More on the Ofcom consultancy can be found in a recent blog by Jonathan Frost.

Outside the UK, Other Countries are Starting to Act

As we assess the potential impact of this Charter in the UK, we must look at what this means in the rest of the world.  Obviously, this would be effective in any country if these internet companies choose to deploy it.  I think starting in the UK is wise, as these vendors can see what will successfully work, along with their bank partners, law enforcement, and UK government fraud agencies.  

Elsewhere, in Australia, in May 2023, the Australian Securities and Investments Commission (ASIC) announced the imminent introduction of a cross-industry code to hold banks, telcos, and social media platforms responsible for scam safety and make them liable to reimburse people who lose money through scams. The Australian government released their consultancy for a mandatory Scams Code Framework on November 30, requesting comment on its proposed cross-industry code. This will make Australia the second country to involve internet platforms in the fraud fight. The government proposal also includes telcos, and we have seen telcos recently included in the proposed Singapore regulations around SMS phishing reimbursement. Singapore is proposing a Shared Responsibility (reimbursement) Framework (SRF) for phishing scams involving banks, telcos, and the customer (the victim).

Summary

The UK Online Fraud Charter is a very important first step to get internet companies engaged in the battle against online fraud and scams. They have so much to offer in this fight. In reality, they can volunteer now, or they will be dragged into the fight later.  The UK’s Ofcom proposal to protect children and bank customers on the internet will have teeth to support its regulations.  If the Australian ASIC delivers its code by year end, it may involve internet companies and telcos in the actual reimbursement process.  

And it will not stop there. Other countries will look (and are already looking) at what the UK is doing. I call the UK the fraud laboratory of the world. What starts in the UK (attacks and solutions) ends up in other nations within three years. For those outside the UK, take this as a blueprint for what is coming to your door soon.

In summary, we must remember there is a human behind every story. Scams and fraud are destroying the lives of so many – financially and emotionally. Banks, telcos, and internet companies need to do everything they can to reduce financial crimes.

As they say in Hollywood, “Take 1, Fighting Fraud on the Internet.”

 
