
UK banks covering up cybercrime losses - City of London Police

14 April 2015

A widely-held suspicion that UK banks are covering up the true scale of cybercrime has been confirmed by the City of London Police chief Adrian Leppard, who says that up to 80% of online crime goes unreported to the authorities.

Speaking at a Tech UK conference, Leppard says that the vast gap between what is reported and the actual threat level arises "primarily because banks are happy to write off incidents as costs, thereby costing the consumer collectively and funding ongoing cyber-criminality".

The Commissioner told the audience that the scale of the threat is much greater than the public think, so much so that it may have even surpassed what drugs have delivered to the criminal economy.

He argues that the banks' unwillingness to report the true extent of cybercrime makes it harder to gain an accurate picture of the threat to the national economy and the resources required by police to counter the criminals.

In November last year, a Treasury Select Committee hearing into cybercrime and fraud heard evidence from Dr Richard Clayton, a senior researcher in security economics at the University of Cambridge, who said that "insider" accounts of fraud losses at banks are double the numbers generally reported publicly.

This followed a July Home Affairs Committee report on e-crime that accused British banks of letting cyber-crooks carry out crime in a 'black hole' of impunity by failing to report or investigate fraud.

Comments: (14)

Roger G LeBlond - Roger G Leblond - Corpus Christi | 14 April, 2015, 15:09

Why do banks fail to tell the truth? Is it an image problem? Is it an ego problem? Or is it a failure problem?

Whatever the problem it is not the truth, therefore what else is the banker not telling you the truth about? Like raising children, credibility becomes a lifelong problem, once it is gone it is difficult to earn back, Bankers?????????????????

A Finextra member | 14 April, 2015, 18:21

Whatever reasons lie behind this, it is a serious problem. If this is correct the banks are funding serious crime and passing the bill to their customers. If you think this is bad, just think that it happens with the government's blessing - the regulators don't make this illegal.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 14 April, 2015, 18:30

That's a serious allegation. I'm sure the Police Chief has the evidence to back it up but I'll still be eagerly awaiting the reactions of banks to this charge. Under Commonwealth Law, isn't it even illegal to not report a crime?

A Finextra member | 14 April, 2015, 18:48

Ketharaman: If it's illegal in the UK it's good. In many other countries it's not. Think of it: card fraud could have been a fraction of what it is today but as long as governments accept that added security would harm business and allow that the schemes pass the bill to consumers... it continues. I pass the blame to governments, more than the banks.

Bill Trueman - Riskskill.com - London | 15 April, 2015, 10:33

We need to be very careful about articles like this, and comments like this too. 

The issue here is about REPORTING not dealing with (investigating, prosecuting and deterring) the crime. 

The real question here is, of the crimes that are reported to the authorities (i.e. the police), how many are investigated and how many are prosecuted and how many organised gangs identified and stopped and how many opportunists deterred. We can assume that the answer to these will be "almost ZERO %" on all counts.

I have sat with senior COL police people over many years (mainly in the 1990s) - who have refused to accept reports of fraud from banks, because they have no resources to investigate and prosecute. Accordingly £100 millions of card fraud ARE reported and not progressed, and £100 millions of insurance fraud go the same way without even being reported - except for the MAJOR, MAJOR cases that are accepted by the police from the Insurance fraud bureau.

Trying to get Leppard to accept such cases is nigh on impossible as only the top - fraction of 1% are progressed. And do not even start talking about or reporting to the police the Inland Revenue, Local Authority, NHS, Benefits etc. fraud because they won't look there either.

In the UK, we are held up globally (mainly the banks) for the exceptional fraud collation and reporting on card and banking fraud and insurance fraud - and we were leading with the statistical collation of fraud as UKPLC. This was all done 20 years ago as a fall-out from the Levi Home Office reporting - and 'wrapped up nicely' except for the police investigation, and prosecution bit, which is still absent.

So it is easy, but also abhorrent that a police officer should stand up and throw stones at an industry that has been doing its bit for a long time. The industry also funds the fraud reporting centre that HE RUNS as part of the COL police force - so it is actually a) Under his control and b) HIS issue too!

BUT.... let's look at what we are talking about here..... We are asked to believe that banks are "covering up Cybercrime". What is this cybercrime? As far as the banks are involved, the banks lose money from criminals who are attacking the banks to obtain money through the abuse of the systems and processes. This is always how it has happened and the banks are good at losing money in this way. Just because a new term started to be used 3-4 years ago - does not change the fraud position:

- Banks are attacked and lose money

- Some of it will always get misrecorded as bad-debt when the crooks have managed to con the banks that it was thus. The agreement with all parties has always been that this will not be considered as fraud (Cybercrime) and will not get reported. The police adamantly refuse to accept such reports too - believing that the banks have brought this upon themselves by lending money in the first place to these cybercriminals (Ironic eh?).

- Cybercrime / fraud losses are experienced, reported and not investigated.

It is OK to moan at the banks these days - for everything, and often they are to blame for a lot of their mistakes, but in this case we must be careful to spot that here we have a big policeman throwing stones from a very big greenhouse. 

Perhaps we should start asking him a few big questions and stop this outrageous reporting. It is probable too that he was taken out of context in this reporting, as I am afraid that I cannot believe that a responsible policeman would be so stupid as to criticise his partner banks, his funding bodies and people who are patiently waiting for him to do his job rather than trying to do theirs.

Andrew Smith - CB Infrastructure - London | 15 April, 2015, 12:27

This is not a surprise, for years banks have not reported fraud or even staff thieving money out of the cash till. It's all about PR and a perception that a bank is safe and secure.

The big issue is that Banks are caught in a situation where payments rely on a technology built for a market in the 1970s. There was no internet, no e-money, no cyber payments and as such, no need really to secure card details as you needed to have the card in your hand to actually make a payment. The same is no longer true, so trying to secure what simply is un-secured information is costly and, as these types of stories prove, not effective...

I've written about this time and time again.    

A Finextra member | 15 April, 2015, 13:21

In addition to what Bill and Andrew already highlighted, the problem also lies in estimation of losses. Instances of credit card fraud are pretty straightforward and easy to calculate. However, it is much more complex in case of data breach. Lost data can be used for fraud the next day, in a month, in a year or it may not be used at all.

I am not sure if law enforcement agencies are very supportive in cases where banks cannot identify or provide tangible estimates for their loss. Furthermore, if such cases come to light, the usual approach is to pass the buck and banks are often at the receiving end.

Nevertheless, underreporting of such issues is a serious problem and it needs to be addressed properly. One way around this could be mandatory disclosures and increased collaboration between the banking industry and law enforcement agencies through a unified body.  

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 15 April, 2015, 14:44

@BjornS:

I don’t think it’s as simple as that. The two choices at either end of the spectrum are:

Zero Fraud Minuscule Revenue: Amp up security to the extent that there's little chance of fraud but many hurdles between customer's wallet and merchant's till. Don't give a damn to the increasing friction and the risk to the sale or ensuing loss of revenue suffered by the merchant. Merchant passes on the cost of lost revenues to customers but bank has no fraud loss cost to pass on to customers.

Zero Friction Massive Fraud: Drop security to such an extent that nothing stands between the customer's wallet and the merchant's till so that there's no risk to the sale or ensuing loss of revenue suffered by the merchant. Treat the ensuing fraud loss as cost of doing business. Bank passes on the cost of fraud loss to customers but merchant has no cost of lost revenues to pass on to customers.

Evidently, both options entail some costs to be passed on to customers. Who is to decide which cost is higher or which option is better?

The Indian regulator seems to have chosen the first option, thereby making India perhaps the only country in the world that uses not just Chip+Signature (USA) and Chip+PIN (Europe) but Chip+PIN+Signature. 

Zero Friction resembles the approach followed by the US regulator, which has mandated Chip a decade after it became a standard in ROW and, then, Chip + Signature.

Different strokes for different folks.

Bill Trueman - Riskskill.com - London | 15 April, 2015, 16:17

@Ketharaman - but it is certainly not as simple as a binary choice, because rarely are the processes vested in one organisation. For instance in making a payment using a card, there can be 5-10 intermediaries/parties that are involved in the process (including even Apple) and several of them involved in the risk and the assignment of the risk/losses/exposures - with a myriad of competitors in the pot and across multiple jurisdictions too. Accordingly, such decisions involving 'frictions rates' and revenue balancing are only post-event academic considerations. Markets are driven by consumer / commercial needs, pricing to make money (or not make net - losses) and then to let someone else address the problems with the holes that are left when the fraudsters attack the 'processes'.

Whilst the conversation started in the UK - you have moved this to the Indian payments model - which sounds very confusing and filled with risk for the Indian merchant and cardholder in respect of knowing what to do, and understanding their respective liabilities. I think that the liabilities and risks will be associated with the CHIP/PIN infrastructure with allowable fallback with associated liability where this is not possible. Chip/Pin AND signature is just plain stupid.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 16 April, 2015, 10:38

@BillT:

My entire comment was directed at @BjornS's comment that seemed to imply that there's only one option and that it entails fraud loss cost. I wanted to point out that there's another option that entails revenue loss cost. I used India to illustrate one end of the spectrum and USA to illustrate the other end of the spectrum. I agree that there could be other choices in between the two ends of the spectrum. I totally agree with you that Chip+PIN+Signature is plain stupid!

A Finextra member | 16 April, 2015, 14:21

@Ketharaman: I firmly believe that fraud can be dramatically reduced using security technology and good processes. Chip and PIN is a good example. In Europe we see increased card usage, user acceptance and less fraud. The fraudsters now earn their money in the US magstripe heaven. From the perspective of the society it makes sense to reduce the fraud rate using different means. Mandatory public fraud reporting is one of them, and probably very efficient. Transparency in this area would initiate long awaited security investments to the benefit of all of us.

Bill Trueman - Riskskill.com - London | 16 April, 2015, 22:44

@Bjorn - I am REALLY struggling to identify how Mandatory fraud reporting is a way that even €1 can be saved. And to whom should fraud be mandated to be reported to? 

If reporting is to the Police, then nothing gets done with the data, and no one knows what to do with it and it gets leaked, lost or both. It certainly does not get investigated or prosecuted - with less than 1% going through the process of what is reported today. I would support 100% mandatory reporting, were it mandated that all fraud reported should be investigated and prosecuted!

Then the question would be: what would you mandate should be reported? Actual losses, attempted frauds, suspected frauds, frauds without evidence etc? The bigger categories of fraud are the latter ones. BY FAR.

No - it would be VERY COSTLY for all of us, extremely bureaucratic and moreover rather pointless - if not accompanied by equal action-based requirements.

I have absolutely no idea what you mean by your last statement/sentence.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 April, 2015, 06:25

@BjornS:

If, as you say, card use has increased and card fraud has come down concurrently, that's Utopia and suggests that Europe has struck the right balance between the two options at either end of the spectrum. In that case, banks may not have any fraud to report to police and this whole discussion is somewhat pointless? 

Why should fraudsters move over only to magstripe USA? Why can't they continue to operate in Europe in online transactions, where Chip+PIN is not applicable? 

IMO, trying to eliminate fraud is a fool's errand and, beyond a certain extent, will have a counterproductive effect on revenues and go against a basic principle of doing business, "No Risk No Reward". Since a full explanation of my pov will digress from the main topic of this article, I shall refer you to my comments below another more relevant post: http://www.finextra.com/news/fullstory.aspx?newsitemid=27087

Otmane El Chamali - El Najd - Fes | 19 April, 2015, 16:58

Most banks just take the hit and move on to fix the flaw, in particular if the losses are small. Reporting it may mean months of investigations and legal costs and reputation issues.
