Refusing to Share Fraud Data Is Turning Telcos into Scapegoats

Some people are optimistic about how much governments can be relied upon to tackle pervasive societal problems. I do not share their optimism. One example of a problem that governments have shown themselves unwilling or unable to tackle is the epidemic of fraud that occurs without any face-to-face interaction between the fraudster and the victim. Whether you examine levels of funding for specialist police, numbers of prosecutions, or what politicians actually say, the inescapable conclusion is that governments want businesses to prevent fraud and reimburse any victims of fraud because the public sector is not going to do much of either, and is certainly incapable of deterring fraud. Governments want businesses to solve the problem of fraud because the governments have neither the money, ideas nor determination needed. So why are businesses failing too? They may not want to pay for fraud prevention, but they will be forced to pay for fraud whether it is prevented or not.

A recent exchange of recommendations and responses between a UK parliamentary committee and the UK government will illustrate the scale of the challenge and the need for businesses to act. The transparency of this exchange makes it ideal for analysis, but the same issues can be found with governments worldwide. The following extracts are taken from the House of Commons Justice Committee’s October 18 report on ‘Fraud and the Justice System’ and the UK government’s official response on January 10.

The Justice Committee’s explanation of the scale of fraud and the level of policing:

Fraud accounts for more than 40% of all crime yet receives only around 2% of police funding. Out of the 20,000 new police officers being recruited, only 380 are planned to be deployed in the response to fraud. If the Government is serious in its ambition to reduce fraud, it needs to ensure it is allocated sufficient resourcing within police budgets to help identify and prosecute crimes as well as prevent these crimes from occurring.

From the government’s response to this recommendation:

Given the nature of fraud and the scale of the challenge to tackle it, the Government recognises that increasing law enforcement resource alone will not be sufficient and that private sector partners will need to play a significant part in combating this crime.

The Justice Committee comments on the need for collaboration with the private sector:

Our inquiry has repeatedly heard that the most effective way to tackle fraud is to prevent it occurring in the first place. This requires co-operation across the private and public sectors, with the Government using its convening power to unite stakeholders around the ambition to reduce fraud.

From the government’s response:

We will work with industry to remove the vulnerabilities that fraudsters exploit; with intelligence agencies to shut down fraudulent infrastructure; with law enforcement to identify and bring the most harmful offenders to justice; and with all partners to ensure that the public have the advice and support they need.

The Justice Committee recommends reducing fraud by placing more burden on comms providers:

We acknowledge that telecommunications and tech companies are taking steps to improve their response to fraud, however they remain platforms through which the majority of frauds impacting the general public are conducted. There still appears to be a lack of engagement on this subject from those sectors, not least amongst the telecommunications companies. Fraudsters may be using increasingly sophisticated technologies and methodologies to conduct their crimes, but we are not convinced that the largest companies in those sectors do not have the capabilities to increase their efforts to tackle these changes and prevent frauds, particularly in paid-for advertising, from appearing on their systems. Fraud may not have a significant impact on the bottom-line of those companies, however they have a duty of care to their users to ensure everything possible is being done to design frauds out of their systems in order to protect the public.

The Government should prioritise putting in place charters with the social media and tech companies to capture their commitments and responsibilities in relation to tackling fraud, and to enable them to be held to account by government for their progress in this respect.

The government agrees that they should dictate solutions to the private sector:

The Government agrees with the recommendation of the Committee that further charters, including with social media and tech companies, are an important programme of work. The Home Office is intending to launch a tech and online charter with industry, next year, which will include public and private actions that will drive down fraud in these sectors and improve collaborative working. The Government will outline its approach to future charters in its upcoming Fraud Strategy.

The Justice Committee warns that data protection rules are being used as an excuse not to share information about fraud:

We are concerned to hear that there is a perception that legislation such as GDPR is preventing the sharing of information and intelligence across sectors where frauds were suspected. Data-sharing laws should not restrict the sharing of information for law enforcement purposes, or where this information could prevent a fraudster being able to move to a new bank or platform to continue their crimes.

The Government should provide an update of its review of the legislation in respect of the sharing of data with a Specified Anti-Fraud Organisation. The Government should also look more broadly at the operation of data-sharing legislation with regard to the tackling of fraud and bring forward proposals to ensure data can be shared for the purposes of combatting fraud as soon as possible.

The government accepts the recommendation and says they will reinforce existing data protection exemptions that permit the sharing of data to reduce fraud:

Sharing data is an important way to identify and disrupt fraudsters from exploiting platforms, services and people to commit their crimes. The Government is clear that this should be a priority for companies and organisations and encourages efforts in this space.

The Government is taking two important steps to support information sharing to prevent economic crime.

Firstly, GDPR establishes the prevention of fraud as a legitimate interest for sharing information. The DCMS [Department for Digital, Culture, Media & Sport]-led Data Protection and Digital Information Bill will make it easier for businesses to share information under GDPR for the purposes of preventing economic crime, including fraud, by providing greater assurance around the lawful foundation a business has for sharing data.

Secondly, reforms in the Economic Crime and Corporate Transparency Bill will also enable businesses, in certain situations, to share information more easily for the purposes of preventing, investigating or detecting economic crime by disapplying civil liability for breaches of confidentiality for firms who share information to combat economic crime.

The UK government has a long track record of being bumbling nincompoops when it comes to responding to developments in communications technology, but I give them credit because most other governments are even more incompetent. (Canada’s government deserves special mention for the reckless stupidity of their recent efforts in this arena.) As bad as Britain’s rulers may be, they will likely set precedents that others will follow. European data protection laws have always included an exemption that permits information to be shared with the goal of reducing crime. Nevertheless, we should welcome governments who make it harder for businesses to lie that their obstinate refusal to share fraud intelligence is motivated by an earnest desire to respect data protection law.

I have been in situations where I had to accept the brazen dishonesty of a so-called anti-fraud professional saying they will not share data because that would be against the law. These people are not lawyers and nor have they read the data protection legislation. The speed with which they jump to that excuse reveals how little they care to examine what is permitted. And if that were not sufficient proof of dishonesty, the same individual might comment three sentences later about how the data was valuable so it should not be given away for free, even though the ‘free’ exchange of information in this case is to prevent somebody suffering harm. Conversations like these have happened so often in my presence that I know many readers of Commsrisk must have found themselves in similar situations. This is why I have sympathy for politicians who criticize telcos for a ‘lack of engagement’ with fraud prevention, even as I criticize law enforcement for being even more apathetic.

The trend lines for fraud are clear:

  1. Fraud is getting worse.
  2. The private sector is expected to do more to reduce fraud.
  3. One cheap way to do more is to share more anti-fraud intelligence.

This then leads to three questions for communications providers:

  1. Are comms providers anticipating change by developing efficient ways to safely exchange anti-fraud intelligence?
  2. Are intermediaries developing imaginative ways to facilitate this exchange?
  3. Are lawyers working for comms providers doing a better job of defining when fraud data can be shared?

Every reader of Commsrisk knows the answers to these three questions. Apart from a few exceptions, the answers are:

  1. No
  2. No
  3. No

I have a very low opinion of politicians, so it says something about the failings of this industry that politicians are right to criticize comms providers. Most customers are aware of how eagerly comms providers seek to exploit their personal data and how little has been done to protect this data from privacy breaches. It is simply not credible that these same companies pretend that data protection is the reason they will provide almost no data about fraud unless legally compelled to do so, even though the comms sector is especially suited to data-oriented methods for preventing fraud.

It is understandable that comms providers want to minimize legal risks by only giving actionable data to the police. However, that strategy is also daft. Legal risks are not the only risks. We know how rarely the police will act upon the data they receive; companies need to be proactive in helping each other to tackle fraud without always waiting for a publicly-funded body to get involved. If fraud is allowed to get worse then businesses must suffer because consumers will not be able to absorb the cost.

Significant gains would be made if more comms providers shared fraud intelligence amongst themselves. And if not, then comms providers deserve their steadily worsening reputation with politicians, police, the public, and even with each other.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.