As always, the conference provided invaluable insights into current fraud trends as well as prevention initiatives and activities by government, law enforcement and the private sector. It is evident that the partnership between these bodies in combating fraud is growing and strengthening.
City of London Police Update
Commissioner Ian Dyson highlighted three significant things that are affecting the fraud landscape in the UK: The Crime Survey for England and Wales, the Joint Fraud Task-force and the National Cyber Security Centre.
It was interesting to note that according to the Crime Survey (an independent survey accepted by the Office for National Statistics), fraud and cyber-crime now make up approximately half of crime in the UK. Commissioner Dyson also commented that the Joint Fraud Task-force is growing in capacity.
The launch of the Banking Protocol to protect vulnerable people has seen a good response and is now live in around 35 forces across the UK. The Task-force is now setting its sights on “cardholder not present” fraud. He concluded by saying the National Cyber Security Centre shows the government is serious about cyber-crime. Action Fraud, run by the City of London Police, also has a new system coming in that will make it better and easier for users to report crime.
Mike Hulett of the National Cyber Crime Unit, part of the National Crime Agency, gave some interesting statistics: 47.5% of all UK crime involves cyber and 68% of large UK businesses had identified a cyber security breach or attack in the past 12 months. He cited the UK’s sophisticated internet infrastructure as the main attraction for online business, luring in cyber criminals and fraudsters.
Mr Hulett explained the 4P approach in tackling cyber-crime: Pursue, Prevent, Protect and Prepare.
Regarding prevention, it was both interesting and alarming to learn that boys between the ages of 11 and 14 are perpetrators and continue to be a specific focus group. Mr Hulett touched on the different types of cyber attacks and gave tips on how to manage risk. He emphasised this involves the whole business, not just the IT department, and that processes, systems and people should be continually evaluated.
The London Digital Security Centre
Jon Unsworth, Chief Executive of the London Digital Security Centre (LDSC), gave an overview of how they are helping SMEs in London to operate and grow their businesses online in a secure digital environment. Membership is free and the LDSC delivers masterclasses, workshops, consultations and digital security clinics across London. They also provide affordable and appropriate products for SMEs.
General Data Protection Regulations (GDPR)
Keith Dewey of DataGRC provided an overview of the key requirements of GDPR, with a specific focus on the implications for anti-fraud practitioners. He simplified it by stating that GDPR is “basic privacy” and a regulation for “decent behaviour”, adding that businesses should not process data unnecessarily or against the will of an individual. Unfortunately, the provisions of GDPR read far less simply. In addition, businesses in the UK will have to contend with the new Data Protection Bill currently going through Parliament, which will add addendums to the GDPR.
For fraud prevention, the provisions of GDPR Article 32 (“Security of Processing”) set out measures which will assist, including “pseudonymisation and encryption of personal data” and the implementation of “appropriate technical and organisational measures”. More generally, for a business to have a defensible position under GDPR, it must be able to demonstrate it has adequate governance, legal agreements, data management processes and privacy operations (including data subject access rights) in place.
Article 6 sets out the requirements for lawful processing of personal data. Where consent of the data subject is absent, specifically in covert investigations, fraud investigators may have to satisfy the “legitimate interests” criteria, i.e. that the processing is necessary for purposes of a legitimate interest. It is thought a fraud investigator relying on these criteria will have to show that the processing of the personal data was strictly necessary for purposes of “preventing fraud”. It is, however, not yet clear whether this extends to the “detection and investigation” of fraud.
Mr Dewey stressed the importance of documenting all processes relating to data, including how it is collected, where it is stored and how consent is obtained. Privacy and consent statements also form part of the evidentiary paper trail. Agreements with clients, customers and third parties are key.
Forensic Linguistics and Fraud
Dr Kate Haworth, of the Centre for Forensic Linguistics at Aston University, presented a case for the inclusion of forensic linguistics in fraud investigations. Dr Haworth asserted that language is a key element in almost any fraudulent endeavour, as it is used to impersonate, persuade or deceive.
One technique of forensic linguistics, which has proved useful in fraud cases, is forensic authorship analysis. This involves analysing language and punctuation use, spelling variations and other linguistic differences to distinguish the most likely author of a disputed text among a small number of suspects.
Dr Haworth also encouraged the intelligent use of language when interviewing suspects. She recommended the use of the PEACE framework (Planning and Preparation; Engage and Explain; Account clarification and challenge; Closure; Evaluation). This technique involves forming a rapport with the interviewee; explaining the reasons for the interview; listening; probing for details and verifiable information; challenging inconsistencies and asking for explanations; repeating until closure; and, finally, evaluating the information.
Avoiding restriction and coercion is important, particularly when working with law enforcement. Keep questions open-ended and be aware of the function of the language you use.
The Kweku Adoboli Rogue Trader Case: The Investigating Officer’s Perspective
Detective Sergeant Paul Curtis gave his account of the rapid investigation involving Kweku Adoboli, a former trader at UBS who lost $2 billion as a result of unauthorised trading. DS Curtis’ team was thrown into a complex case involving technical trading methods.
In just a few hours, his team was forced to learn the intricacies of Adoboli’s fraud. DS Curtis explained that fraud investigations have three areas of focus: material, assets, and people. His team had to work quickly to understand these.
In the end, Adoboli owned up and was convicted. The fallout was catastrophic for UBS. DS Curtis emphasised the necessity for strong internal controls, particularly in financial markets. Adoboli had been able to run his fraudulent trades without supervision, and when the first alert of losses came in, he passed it off as a delayed return before doubling down on his fraud and making the situation worse. His fraud could have been easily prevented.