UK banks covering up cybercrime losses - City of London Police

A widely-held suspicion that UK banks are covering up the true scale of cybercrime has been confirmed by the City of London Police chief Adrian Leppard, who says that up to 80% of online crime goes unreported to the authorities.


Speaking at a Tech UK conference, Leppard says that the vast gap between what is reported and the actual threat level arises "primarily because banks are happy to write off incidents as costs, thereby costing the consumer collectively and funding ongoing cyber-criminality".

The Commissioner told the audience that the scale of the threat is much greater than the public think, so much so that it may have even surpassed what drugs have delivered to the criminal economy.

He argues that the banks' unwillingness to report the true extent of cybercrime makes it harder to gain an accurate picture of the threat to the national economy and the resources required by police to counter the criminals.

In November last year, a Treasury Select Committee hearing into cybercrime and fraud heard evidence from Dr Richard Clayton, a senior researcher in security economics at the University of Cambridge, who said that "insider" accounts of fraud losses at banks are double the numbers generally reported publicly.

This followed a July Home Affairs Committee report on e-crime that accused British banks of letting cyber-crooks carry out crime in a 'black hole' of impunity by failing to report or investigate fraud.


Comments: (14)

A Finextra member 

Why do banks fail to tell the truth? Is it an image problem? Is it an ego problem? Or is it a failure problem?

Whatever the problem, it is not the truth, therefore what else is the banker not telling you the truth about? Like raising children, credibility becomes a lifelong problem, once it is gone it is difficult to earn back, Bankers?

A Finextra member 

Whatever reasons lie behind this, it is a serious problem. If this is correct the banks are funding serious crime and passing the bill to their customers. If you think this is bad, just think that it happens with the government's blessing - the regulators don't make this illegal.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

That's a serious allegation. I'm sure the Police Chief has the evidence to back it up but I'll still be eagerly awaiting the reactions of banks to this charge. Under Commonwealth Law, isn't it even illegal to not report a crime?

A Finextra member 

Ketharaman: If it's illegal in the UK it's good. In many other countries it's not. Think of it: card fraud could have been a fraction of what it is today but as long as governments accept that added security would harm business and allow that the schemes pass the bill to consumers... it continues. I pass the blame to governments, more than the banks.

Bill Trueman Director at Riskskill.com

We need to be very careful about articles like this, and comments like this too. 

The issue here is about REPORTING not dealing with (investigating, prosecuting and deterring) the crime. 

The real question here is, of the crimes that are reported to the authorities (i.e. the police), how many are investigated and how many are prosecuted and how many organised gangs identified and stopped and how many opportunists deterred. We can assume that the answer to these will be "almost ZERO %" on all counts.

I have sat with senior COL police people over many years (mainly in the 1990s) - who have refused to accept reports of fraud from banks, because they have no resources to investigate and prosecute. Accordingly £100 millions of card fraud ARE reported and not progressed, and £100 millions of insurance fraud go the same way without even being reported - except for the MAJOR, MAJOR cases that are accepted by the police from the Insurance fraud bureau.

Trying to get Leppard to accept such cases is nigh on impossible as only the top - fraction of 1% are progressed. And do not even start talking about or reporting to the police the Inland Revenue, Local Authority, NHS, Benefits etc. fraud because they won't look there either.

In the UK, we are held up globally (mainly the banks) for the exceptional fraud collation and reporting on card and banking fraud and insurance fraud - and we were leading with the statistical collation of fraud as UKPLC. This was all done 20 years ago as a fall-out from the Levi Home Office reporting - and 'wrapped up nicely' except for the police investigation, and prosecution bit, which is still absent.

So it is easy, but also abhorrent that a police officer should stand up and throw stones at an industry that has been doing its bit for a long time. The industry also funds the fraud reporting centre that HE RUNS as part of the COL police force - so it is actually a) Under his control and b) HIS issue too!

BUT.... let's look at what we are talking about here..... We are asked to believe that banks are "covering up Cybercrime". What is this cybercrime? As far as the banks are involved, the banks lose money from criminals who are attacking the banks to obtain money through the abuse of the systems and processes. This is always how it has happened and the banks are good at losing money in this way. Just because a new term started to be used 3-4 years ago - does not change the fraud position:

- Banks are attacked and lose money

- Some of it will always get misrecorded as bad-debt when the crooks have managed to con the banks that it was thus. The agreement with all parties has always been that this will not be considered as fraud (Cybercrime) and will not get reported. The police adamantly refuse to accept such reports too - believing that the banks have brought this upon themselves by lending money in the first place to these cybercriminals (Ironic eh?).

- Cybercrime / fraud losses are experienced, reported and not investigated.

It is OK to moan at the banks these days - for everything, and often they are to blame for a lot of their mistakes, but in this case we must be careful to spot that here we have a big policeman throwing stones from a very big greenhouse. 

Perhaps we should start asking him a few big questions and stop this outrageous reporting. It is probable too that he was taken out of context in this reporting, as I am afraid that I cannot believe that a responsible policeman would be so stupid as to criticise his partner banks, his funding bodies and people who are patiently waiting for him to do his job rather than trying to do theirs.

A Finextra member 

This is not a surprise, for years banks have not reported fraud or even staff thieving money out of the cash till. It's all about PR and a perception that a bank is safe and secure.

The big issue is that Banks are caught in a situation where payments rely on a technology built for a market in the 1970s. There was no internet, no e-money, no cyber payments and as such, no need really to secure card details as you needed to have the card in your hand to actually make a payment. The same is no longer true, so trying to secure what simply is un-secured information is costly and, as these types of stories prove, not effective...

I've written about this time and time again.    

A Finextra member 

In addition to what Bill and Andrew already highlighted, the problem also lies in estimation of losses. Instances of credit card fraud are pretty straightforward and easy to calculate. However, it is much more complex in case of data breach. Lost data can be used for fraud the next day, in a month, in a year or it may not be used at all.

I am not sure if law enforcement agencies are very supportive in cases where banks cannot identify or provide tangible estimates for their loss. Furthermore, if such cases come to light, the usual approach is to pass the buck and banks are often at the receiving end.

Nevertheless, underreporting of such issues is a serious problem and it needs to be addressed properly. One way around this could be mandatory disclosures and increased collaboration between the banking industry and law enforcement agencies through a unified body.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@BjornS:

I don’t think it’s as simple as that. The two choices at either end of the spectrum are:

Zero Fraud Minuscule Revenue: Amp up security to the extent that there's little chance of fraud but many hurdles between customer's wallet and merchant's till. Don't give a damn to the increasing friction and the risk to the sale or ensuing loss of revenue suffered by the merchant. Merchant passes on the cost of lost revenues to customers but bank has no fraud loss cost to pass on to customers.

Zero Friction Massive Fraud: Drop security to such an extent that nothing stands between the customer's wallet and the merchant's till so that there's no risk to the sale or ensuing loss of revenue suffered by the merchant. Treat the ensuing fraud loss as cost of doing business. Bank passes on the cost of fraud loss to customers but merchant has no cost of lost revenues to pass on to customers.

Evidently, both options entail some costs to be passed on to customers. Who is to decide which cost is higher or which option is better?

The Indian regulator seems to have chosen the first option, thereby making India perhaps the only country in the world that uses not just Chip+Signature (USA) and Chip+PIN (Europe) but Chip+PIN+Signature. 

Zero Friction resembles the approach followed by the US regulator, which has mandated Chip a decade after it became a standard in ROW and, then, Chip + Signature.

Different strokes for different folks.

Bill Trueman Director at Riskskill.com

@Ketharaman - but it is certainly not as simple as a binary choice, because rarely are the processes vested in one organisation. For instance in making a payment using a card, there can be 5-10 intermediaries/parties that are involved in the process (including even Apple) and several of them involved in the risk and the assignment of the risk/losses/exposures - with a myriad of competitors in the pot and across multiple jurisdictions too. Accordingly, such decisions involving 'frictions rates' and revenue balancing are only post-event academic considerations. Markets are driven by consumer / commercial needs, pricing to make money (or not make net - losses) and then to let someone else address the problems with the holes that are left when the fraudsters attack the 'processes'.

Whilst the conversation started in the UK - you have moved this to the Indian payments model - which sounds very confusing and filled with risk for the Indian merchant and cardholder in respect of knowing what to do, and understanding their respective liabilities. I think that the liabilities and risks will be associated with the CHIP/PIN infrastructure with allowable fallback with associated liability where this is not possible. Chip/Pin AND signature is just plain stupid.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@BillT:

My entire comment was directed at @BjornS's comment that seemed to imply that there's only one option and that it entails fraud loss cost. I wanted to point out that there's another option that entails revenue loss cost. I used India to illustrate one end of the spectrum and USA to illustrate the other end of the spectrum. I agree that there could be other choices in between the two ends of the spectrum. I totally agree with you that Chip+PIN+Signature is plain stupid!

A Finextra member 

@Ketharaman: I firmly believe that fraud can be dramatically reduced using security technology and good processes. Chip and PIN is a good example. In Europe we see increased card usage, user acceptance and less fraud. The fraudsters now earn their money in the US magstripe heaven. From the perspective of the society it makes sense to reduce the fraud rate using different means. Mandatory public fraud reporting is one of them, and probably very efficient. Transparency in this area would initiate long awaited security investments to the benefit of all of us.

Bill Trueman Director at Riskskill.com

@Bjorn - I am REALLY struggling to identify how Mandatory fraud reporting is a way that even €1 can be saved. And to whom should fraud be mandated to be reported to? 

If reporting is to the Police, then nothing gets done with the data, and no one knows what to do with it and it gets leaked, lost or both. It certainly does not get investigated or prosecuted - with less than 1% going through the process of what is reported today. I would support 100% mandatory reporting, were it mandated that all fraud reported should be investigated and prosecuted!

Then the question would be: what would you mandate should be reported? Actual losses, attempted frauds, suspected frauds, frauds without evidence etc? The bigger categories of fraud are the latter ones. BY FAR.

No - it would be VERY COSTLY for all of us, extremely bureaucratic and moreover rather pointless - if not accompanied by equal action-based requirements.

I have absolutely no idea what you mean by your last statement/sentence.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@BjornS:

If, as you say, card use has increased and card fraud has come down concurrently, that's Utopia and suggests that Europe has struck the right balance between the two options at either end of the spectrum. In that case, banks may not have any fraud to report to police and this whole discussion is somewhat pointless? 

Why should fraudsters move over only to magstripe USA? Why can't they continue to operate in Europe in online transactions, where Chip+PIN is not applicable? 

IMO, trying to eliminate fraud is a fool's errand and, beyond a certain extent, will have a counterproductive effect on revenues and go against a basic principle of doing business, "No Risk No Reward". Since a full explanation of my pov will digress from the main topic of this article, I shall refer you to my comments below another more relevant post: https://www.finextra.com/news/fullstory.aspx?newsitemid=27087

A Finextra member 

Most banks just take the hit and move on to fix the flaw. In particular if the losses are small. Reporting it may mean months of investigations and legal costs and reputation issues.
