In May, the UK’s National Crime Agency (NCA), the equivalent of the FBI in the U.S., highlighted the use of Suspicious Activity Reports (SARs) information to help link criminals to multiple fraud actions. The UK is undertaking a serious effort to share financial data to help fight banking fraud. The recent UK 2023 Fraud Strategy document identified one of the key goals is to use more intelligence gathering and establish data sharing between financial institutions, telecom and tech companies to identify and block fraud.
As one example of data sharing, let’s look deeper into the NCA’s use of SARs. First, the NCA reports that nearly 90% of fraud and scams are underreported by consumers. Thus, the only place where fraud/scam data may be is in the financial institution SAR. There were still an estimated 3.7 million fraud/scam offenses that occurred in England and Wales in 2022.
Next, the NCA discussed how local Police Economic Crime Units (ECU) work with the police report and the related SAR, when available. The ECUs will also respond to vulnerable person SARs and engage with these victims as they may still be in the middle of an active scam.
The National Assessment Centre (NAC), the UK government agency under the NCA that assesses serious organized crime in the UK, will analyze SARs “to understand how the scale of the fraud threat develops….and to enhance understanding of the nature of the fraud threat in the UK and overseas.”
Another organization, the Multi-Agency Fraud Targeting and Insight Centre (MAFTIC), use SARs to help identify high-harm networks. They look for keywords in the SARs and do link analysis to identify possible additional crimes and victims. One example was analyzing a SAR linking an address to an account believed to be the recipient of fraudulent funds. They found other cases using the same address. In another example, using SARs to search for a subject’s mobile number identified links to a high volume of bank accounts. The accounts were used by different individuals to launder proceeds of crime by an organized crime group. Another group they identified via SARs was responsible for £25 million in payment diversion and investment fraud.
What these stories really highlight about using SARs to fight fraud is the significant benefit of sharing data associated with fraud and scams. Not nearly enough data sharing is done in the UK, the U.S. and elsewhere. This needs to change.
In the U.S., financial institutions get worried about running afoul of the FinCEN 314b regulations associated with data sharing for AML/fraud activity. 314b has onerous penalties for failure to properly follow it. FinCEN needs to address this concern to clarify that financial institutions can participate in data sharing for fraud and scams (as it wrote in the December 2020 314b updates) and hopefully without some of the limitations of the 314b regulation (e.g., any person directly involved in sharing 314b data must be personally registered with FinCEN).
There are proposals within the UK 2023 Fraud Strategy to expand data sharing for financial fraud and scam activities. In Europe, and elsewhere, there are always concerns about the impact of data sharing and privacy of data. In fact, in April, the European Data Protection Board (EDPB) wrote that the EDPB is concerned that proposed changes to “allow private entities, under certain conditions, to share personal data between each other for AML/CFT purposes concerning suspicious transactions and data collected in the course of performing customer due diligence obligations” do not provide sufficient data protection for individuals. Somehow, there needs to be a balance between protecting the privacy of individuals and the protection of individual’s financial accounts. And remember, the loss from financial scam activity, other than in the UK, is generally borne by the individual.
In 2021-22, we saw successful data sharing in Estonia. Estonian banks developed an AML Bridge to share financial crime data. “The pilot was initiated with the full support of Estonia’s Financial Supervision and Resolution Authority (FSA), Data Protection Inspectorate (DPI), and Financial Intelligence Unit (FIU).” One of the results was saving “€500,000 per month of customers’ money from reaching criminal-controlled accounts.”
In more good news, just last month, the Australian Banking Association (ABA) announced the new Fraud Reporting Exchange (FRX) platform designed to help banks quickly report fraudulent payments as they are transferred to another bank. According to the ABA, “Banks are now better placed to jointly identify funds which have been fraudulently transferred, which should improve their ability to prevent any further losses to a customer.” This is a great example of data sharing.
These success stories from SARs reporting, the Estonia AML Bridge and (soon) the new Australian FRX platform are just the tip of the iceberg of what could be done with full data sharing. The UK’s 2023 Fraud Strategy will help make data sharing in the UK a reality. But what about other countries?
Until data sharing is more prevalent, FIs and law enforcement are working with one hand tied behind their back. The fraudsters know this and will continue to take advantage.
Here are some additional resources related to the topic: