WEDNESDAY 13 DECEMBER 2006

MR PHILIP ROBINSON AND MR ROB GRUPPETTA

  Q162  Chairman: Mr Robinson and Mr Gruppetta, thank you very much for coming to talk to us and answer our questions. Would you now like to introduce yourselves and then make any opening statements should you wish to do so.

  Mr Robinson: My name is Philip Robinson and I am the Director of Financial Crime in the UK's Financial Services Authority.

  Mr Gruppetta: My name is Rob Gruppetta and I work at the FSA with Philip on his Financial Crime Team.

  Mr Robinson: We have no need to make a statement.

  Q163  Chairman: Let me start out with a simple question: how secure is on-line banking?

  Mr Robinson: You have heard a lot of evidence already about that. Our view is that it is very secure generally because it often requires more security than non-on-line banking. There may be questions about how the security is used, but certainly where you require somebody to have to deliver some security password to get access, that is generally more secure than other mechanisms of payment in cash.

  Q164  Chairman: Do you bank on-line yourself?

  Mr Robinson: I do, sir.

  Mr Gruppetta: So do I.

  Q165  Chairman: You make payments et cetera, as well as just monitoring your account?

  Mr Robinson: I do. I often make payments very late at night, often when my daughter has asked me to top up her bank account at university, as we have all done, so I am certainly a very active user of on-line banking facilities.

  Q166  Chairman: There is general agreement among those who have submitted evidence to this inquiry that the current reliance on shared secrets for on-line security is wholly inadequate. What pressure has the FSA been putting on the industry to raise security to more acceptable levels?

  Mr Robinson: In 2004 we actually reviewed the information security issue from a financial crime perspective, and we have mentioned that in our submission. What we found in 2004—and I will talk in a minute about what we have done in 2005 and what we will do in the future—was that in general the very large institutions were very up to speed and they were aware of the threats and risks. They had very strong disciplines in managing their IT and in the environment that we saw at the time we felt that the large institutions did well. We found though that the middle-sized and smaller institutions just did not have the same rigour of practices. We publicised that information in 2004 and we followed up with one or two other interventions in 2005 and 2006 to make sure that the issues were being addressed. As a risk-based, proportionate regulator, our starting point is always to look at the systems and controls that firms are implementing. Indeed, that is our requirement under the Financial Services and Markets Act. We are not a direct regulator of the behaviour of the banks, for example, towards their customers; that is the Banking Codes Standards Board. So our starting point is are the firms managing their financial security risks properly and, if not, what are they doing about it? We publicise good and bad practice and we followed up on that information through our supervision of banks through 2005 and 2006.

  Q167  Chairman: So can we expect to see Chip and PIN style authentication—what Visa call dynamic pass code authentication—generally available for on-line credit cards and, if so, when do you think it will be widespread?

  Mr Robinson: I think that we need to make a distinction between on-line payments for purchases —there are around 26 million individuals who do that sort of thing—and people who have on-line bank accounts. The difference in the nature of those two relates to the way you can communicate with the customers. If you have got an on-line bank account many of the alerts and other concerns that people were talking about earlier on can be brought to people's attention if they are going to go on-line. There are various other ways of doing that. If you are dealing with people who are making on-line payments with a credit card, they may not have an on-line bank account and they may not themselves therefore get access to these on-line warnings, and other things may be necessary. The reason I made those comments in that way is really that you need to focus on the risk that is being presented. The two factor authentication already exists in many areas with the existence of a Chip and PIN card and the knowledge of a PIN. The problem with that is that in the area of customer not present fraud, which you have heard is a growing area, and I would say is one of the larger growing areas in fraud of that nature, you do not have the capacity to put that two factor authentification into play unless you have some other mechanism. It is my judgment that that is the direction in which the industry will go. Our starting point is that we would not necessarily instantly require institutions to do anything. Our starting point would be to ask the question "are they managing the risks that are presented by their channels of operation?" So a bank that is not offering, for example, an Internet banking opportunity—and there are many that are not—would not need to have that level of protection. A bank that did might feel that it was appropriate to do that or it might want to do some other level of protection. Really we would be looking at whether institutions are managing the risks presented by their propositions to customers and the nature of their experience, are their fraud losses going up or are they being managed well.

  Q168  Earl of Erroll: Of course the banks are offloading a lot of risk onto the merchants. Is the risk actually being taken in the right place or should the banks be taking the risk because they are the people who might be able to do something about that?

  Mr Robinson: I think our very clear view as the FSA is that in a world of electronic commerce, particularly on-line banking but it would apply in every respect, you need to have a shared responsibility. The sharing should be between consumers, merchants (in the case being talked of here) or third party acquirers of personal data, and the banks themselves. So it is a shared responsibility between the bank, the third party and the customer. I do not think it is possible to make that responsibility exist in any one area because the very nature of the electronic channel is that it is an open network and it is susceptible to compromise at the weakest link. You said, I think, that banks are moving the liability from themselves to the merchants. That may be a matter that you would wish to discuss with the banking sector as a whole. From my side, we are looking at the fraud losses suffered by the banks and secondly, particularly when it comes to individual customers, are they treating their customers fairly? I have no direct remit to look at the way they are treating their commercial partners other than where it affects those two areas.

  Q169  Baroness Hilton of Eggardon: Could you outline for me your powers and your role in relation to on-line banking services? Do you have sanctions that you can apply?

  Mr Robinson: We have powers under the Financial Services and Markets Act. Under the financial crime objective we are given we are required to "reduce the extent to which it is possible for the firms we regulate [a bank or somebody else] to be used for a purpose connected with financial crime." That is broadly defined as fraud and dishonesty, market abuse and dealing with the proceeds of crime. We have a range of powers given to us under the Financial Services and Markets Act, ranging from civil administrative sanctions through to in some cases under the money-laundering regulations criminal prosecution powers, and indeed we have, under the insider dealer regulations.

  Q170  Baroness Hilton of Eggardon: Presumably that is a last resort. I just wondered what your normal relationship is with on-line banking services? Do you have an on-going dialogue with them that keeps them in line or not?

  Mr Robinson: We have an approach to banking supervision, most of the on-line supervision you are talking about originated from the banking sector, although I am sure not all, which is based around for a large bank a close and continuous relationship—that is not close in a cosy sense but very close monitoring at a high level. On a quarterly basis for example, you would see our supervisors discussing with the bank the latest trends, including fraud trends, that they are experiencing. That information is fed through our risk model and fed out to other supervisors so that we pick up the issues that are arising and feed them back in so that all of our supervision processes try to pick up on those risks. We very infrequently use our statutory enforcement powers despite the way it can often appear to people. We frequently, though, issue proposals to change behaviour in the form of a risk mitigation programme. As part of our risk mitigation assessment we will identify where Firm A seems to be doing less well than its peers, for example, or where its own systems have identified concerns, and will require them, through an audit letter, to change those issues which we will then follow up. We give them a follow-up point—it might be three months, it might be a year depending on what the issue is—and we will make sure that they deliver on that. Only if we find that an institution is failing to respond to those sorts of prompts do we move into the more invasive supervision processes which could involve a detailed review by our own expert financial crime review teams or the commissioning of an external report, the responses to both of which we would expect the firm to adopt, and if the firm is not doing that, or indeed has consistently failed to do what we require, we consider public enforcement action which has a proper appeal process and so on.

  Q171  Baroness Hilton of Eggardon: In view of the rapidly rising amount of fraud that there seems to be in relation to on-line services do you think you are being sufficiently interventionist, sufficiently rapid in your response to the current situation?

  Mr Robinson: I think it is the rate of growth that is very high. The absolute amounts of on-line fraud, for example, are not so great compared to the general level of fraud experienced in the sector. We are interested in the rate of growth and that rate of growth has meant that, for example, in the last two or three years in our financial risk outlook, a document we publish at the beginning of the year, we have alerted firms to the financial crime issues we have seen and our supervisory approaches have been driven by a wish to look at those issues and we are very active in following up concerns, so I would say that we believe that we have got a proportionate response to this but we are continuing to look very carefully from a risk perspective because the rate of growth is very high. Our starting point would be if the market is not delivering a solution then we should intervene.

  Q172  Lord Young of Graffham: Mr Robinson, identity theft is apparently costing our economy an alarming £1.7 billion a year. Can you break that down in some way? How much of that is Internet related, how much of that is really people just impersonating others?

  Mr Robinson: We can break that down a little bit. There is some information, I think, in our annex, but can I ask Mr Gruppetta to cover that particular point?

  Mr Gruppetta: This particular figure, £1.7 billion, was put together by the Home Office as part of its work on the ID Fraud Steering Committee, of which we are a member, and the constituent organisations put forward figures for certain acts which they felt constituted ID theft. Due to the fact that some of those acts are quite different from each other it is quite difficult to break it down in terms of how much of that occurred on the Internet, I am afraid, but we can, if you would like, provide you with the breakdown of each of the 16 members' figures.

  Mr Robinson: Let me give you some illustrations to help understand the difficulty.

  Q173  Lord Young of Graffham: Forgive me: I think the figures, if you could write to us, would be useful.

  Mr Robinson: Certainly, we will do that.[7] May I add something about the difficulty? There is a combination of, for example, industry data that talks about estimating their financial losses due to ID fraud. There is information from the Home Office about the estimated cost to the Immigration Service of undertaking enforcement activity, and from the Passport Service, the cost to the Passport Service of measures to counter identity fraud, so it is a complete mix of information.

  Q174Lord Howie of Troon: We are told that there has been a rise in the rate of "phishing". Are you greatly concerned about this or do you see it as a minor issue in the general picture of financial fraud?

  Mr Robinson: If I may I will make one or two preliminary comments and again ask Mr Gruppetta to deal with this one. As I have already said, the size of, for example, on-line fraud, banking fraud, customer not present fraud, is not very large in the quantum of fraud as a whole. However, the rate of growth is what concerns us. We have some things that we are going to do and I will ask Mr Gruppetta to speak about that.

  Mr Gruppetta: As Philip said, we are very concerned about the rate of increase. I think it is about 8,000 per cent in the past two years, if you look at month-on-month figures.

  Q175  Lord Howie of Troon: Very big?

  Mr Gruppetta: Very big, but in terms of the actual size of the losses associated with that in the grand scheme of total fraud in the UK it is still quite small. However, we are concerned because obviously these phishing attacks are becoming more and more sophisticated. You do still see some quite primitive ones but they are becoming more sophisticated at the other end of the scale, so it is important that consumers do receive advice on how to stop phishing attacks and what measures and precautions they should take so that they do not fall victim to such attacks.

  Q176  Lord Howie of Troon: You mentioned a very large percentage increase, quite staggering in its way. It is quite easy to get a big percentage increase from a low level. Is that part of the answer?

  Mr Gruppetta: The figures we have, which come from APACs, and the actual figures I have got in front of me are different from the month-on-month ones that I referred to just now, but if we just take these as an example, from January to June 2005 there were 312 unique phishing incidents. In January to June, the same period for this year, 2006, there were 5,059 unique phishing incidents. We understand that that type of increase in the figures has continued throughout this year, so we were starting from a fairly low base in that there were 312 attacks. I suppose it depends how you define what is low, but it is much higher now.

  Q177  Lord Howie of Troon: 8,000 per cent?

  Mr Robinson: It does have some worrying aspects about it though. It is very easy to perpetrate these attacks in large volumes and so the consumer understanding of the issue and equipping consumers to know how to respond to what I think will continue to grow as a challenge is one of the key issues. Ninety-two per cent of the phishing targets seem to us to be in the financial service industry or connected to it, and indeed most personal financial data, whichever way it is acquired, will ultimately end up being used to defraud people in the financial system and therefore it is of interest to us wherever or however it is acquired.

  Q178  Lord Howie of Troon: Could I ask you a question about banks? I gather that the bank marketing departments send out what you might call unsolicited emails and I am wondering if there were to be a general presumption that any unsolicited email supposed to come from a bank is fraudulent. The word is "supposed", of course.

  Mr Robinson: My Lord, are you saying that the first presumption should be that marketing emails should not be responded to? It is probably a good presumption, actually, not necessarily because they are fraudulent.

  Q179  Lord Howie of Troon: When people ring me up and say, "I have got a terrible opportunity for you", I have a great tendency to hesitate for a moment and just listen before I put the telephone down, because my presumption there is that this is fraudulent. Is that a sensible attitude on my part?

  Mr Robinson: Regrettably, I think that not everybody takes the view that if it is too good to be true it is too good to be true, and not just in this area do we see these sorts of scams. I am sure we are all very familiar with the kind of 419 scams where people say you have won the lottery, give me some money. The earlier evidence session talked about the issue of marketing and how to separate from the plethora of marketing material that which is fraudulent and that which can simply be ignored and that which you might respond to because it may have advantage. I think this issue of aligning marketing activities to incorporate thinking about managing fraud risk is something we have been talking to firms about over a number of years. Over the last two or three years, where we have started to talk to firms about how they manage their fraud risk in a more direct way, one of the things that comes up is the importance of every part of the institution thinking about how to prevent fraud in the way they are acting, and that means that when you are designing a product it makes sense to design a product that does not facilitate fraudulent behaviour. We are also doing that with institutions in the context of money laundering because that is another area of our remit. I do think it is a good question to ask if there are very large numbers of marketing material hitting your inbox, but how do you determine which are real and which are not when they all often look the same because the phisher or spammer has made it look just like it comes from your institution or an institution like yours. Typically, the phishing emails will impersonate a bank and they will send it willy-nilly to a name and address list or an email list that they have bought, possibly legitimately, on the Internet from people that market lists and they will send it out to anybody on the basis that if they send it to 10 million people some of those people might be banking with X bank and a small portion of those people that bank with X bank will respond to this email, and it is that small proportion that then get their money stolen. They may get 10 out of sending a million emails but that is enough. If you mix that issue up with the other things going out from banks it is very important. I noticed earlier on that there was reference to whether a website should identify itself. Reference was made by Visa to the secure system that is used increasingly by vendors. If the phishing issue becomes a really big problem in terms of the actual losses and those losses are not mitigated in any other way, then looking at some mechanism for identifying what is legitimate and what is not is going to be important.