Examination of Witnesses (Questions 180 - 196)
WEDNESDAY 13 DECEMBER 2006
MR PHILIP ROBINSON AND MR ROB GRUPPETTA
Q180 Lord Howie of Troon:
On the question of trust or trustworthiness do you think information
of this sort which comes by way of email is less trustworthy than
similar information that comes through the post in the old-fashioned
way?
Mr Robinson: It may be, but I think that the
volumes of this suggest that the numbers of fraudulent material
that come to you is very likely to be higher because it is cheaper
to send it. They do not have to pay for a stamp and so on, but
I also think there is a problem with consumers being less wary
on this channel. I said in a speech last week that the evidence
seems to be that despite the fact that everyone has been warned
about phishing, a small proportion of consumers, but it is only
that small proportion who are ever at risk anyway, are prepared
still to respond to this. Despite the fact that large numbers
of people have been warned about it, and you talked about it being
on the Internet and I have a leaflet here that was received by
one of my children about fraud awareness from a bank that has
lots of information about phishing and that happens mostly with
all banks, but there is an issue of consumers listening, and I
think there is a question of their perception of vulnerability
on this channel which is rather an interesting contrast to the
fact that they also seem to be fearful about it and I do not think
we have clear data on this one.
Q181 Chairman:
But do you not think we are at a point now when banks should not
send any unsolicited emails to customers? You say phishing might
be bad in terms of the total fraud sum that occurs, but phishing
is a phenomenal problem if you are using a computer now. When
we turn on our computers now 50 per cent of what we receive is
this stuff. If banks send out no emails, and I think we have reached
the point that banks should send out no emails, then we can start
to put a lid on this because there would be a general awareness
that people were never going to receive an unsolicited response
from their bank, that anything to do with banking they will reject
immediately.
Mr Robinson: My Lord Chairman, I have two responses
to that if I may. I do not think it is correct to say in general
(although it may be in your experience) that 50 per cent of the
material on people's websites is phishing. Phishing is a very
specific set of emails to collect personal data where they present
themselves...
Chairman: I am talking about that combined
with spam and unsolicited marketing.
Q182 Lord Harris of Haringey:
Most of us get one a day, do we not? I certainly do.
Mr Robinson: There is a great deal of spam.
Chairman: There is a great deal of spam.
If you only get one spam email a day you are in a very fortunate
position.
Lord Harris of Haringey: No, there is
a lot more spam. I mean one phishing email a day.
Earl of Erroll: I have some quite good
filters so I do not receive them.
Baroness Hilton of Eggardon: I do not.
Chairman: I think we had better move
on.
Q183 Lord O'Neill of Clackmannan:
You have said several times, Mr Robinson, that consumer response
is important. The difficulty is that consumers find it difficult
to respond on a number of occasions. The obvious thing would be
that if you had made a fairly substantial or what would be for
the individual, an important financial transaction, would it not
be desirable for them to be required to make personal contact
with their financial institution either by phone or by going into
a branch? To do that you either have to have a call centre that
can communicate easily with you or alternatively a branch which
is relatively near at hand, let us say, within 24 hours, but the
whole thrust of Internet banking has been the reduction of cost
and in many respects the facility that is afforded to the consumer
is a secondary consideration. Comment please.
Mr Robinson: I think that the move from the
physical to the Internet channel or telephone banking in advance
of that is driven by both customer satisfaction and cost factors.
You mentioned earlier on that there is some sort of reward that
arises because there is a higher interest rate often on these
Internet savings accounts. We can see that consumers are interested
in having the flexibility and the freedom that comes from being
able to make payments and do things at different times on the
Internet, and there are considerable benefits that flow to consumers
from being able to do that but there are some security concerns
that need to be put on the other side, so I do not think it is
a clear statement to say it is second best. The other thing about
large transactions is that what is a large transaction depends
on the nature of the account. It is very much like we find in
the money laundering area where you need to monitor the account
for what is normal and abnormal. If I might give one example,
this was a physical example and it could also happen electronically,
I went to a shop to buy shoes and the person that put the amount
into the credit card machine pressed the double zero
button too many times. I was not aware of this and as soon as
this went in the telephone rang and it was the credit card company
who asked to speak to me, was I there, yes, and told me that the
shoes were going to cost me £6,000 instead of £60 or
something, and I was very glad that they did. This response arises
where there is an abnormal transaction, but obviously that was
a very abnormal transaction. If consumers wanted to have this
system of going into branches then I suspect the banks would provide
it.
Q184 Lord O'Neill of Clackmannan:
I take your point about the golden boot syndrome, but that tends
to be a feature of credit card transactions, not banking transactions.
I have found by travelling to other parts of the country or having
a slightly different pattern of expenditure going to a shopping
mall where I make purchases I have never done before, I have had
that: I have been asked to verify certain things and I can never
remember them and it is always very embarrassing, but it is reassuring.
The point I am making is that the banks do not seem to be as rigorous
as the credit card companies and there could be remedies to hand
if there were a requirement on the customer - you have said
consumer response, but I think there is sometimes a lack of consumer
awareness that if they were entering into a transaction which
was not common, that it would be to their advantage to contact
the bank about it. I am not sure if you as a regulator can do
very much about that but you can heighten awareness, but the complacency
of the banks in these matters makes me very suspicious because
they seem to think that because Internet banking is a bit cheaper,
a bit more cost effective, it is a hit they can take. At the moment,
of course, we are in the dark about this because they will not
publish any information about this. We have had the trade association
who, understandably, are merely the mouthpiece of the banks, but
I think we may have to get the banks here themselves, just the
big five, to justify it. Do you understand the frustration of
some of us where we are really in the dark as to the size of the
problem in terms of individual institutions and the like?
Mr Robinson: I understand that you are looking
for transparency...
Q185 Lord O'Neill of Clackmannan:
And accountability.
Mr Robinson: ...about the size of the losses.
Ultimately, of course, any losses are paid either by the shareholders
or the customers, or perhaps both; it is a share out, so it is
not a no-loss environment.
Q186 Lord O'Neill of Clackmannan:
Too true.
Mr Robinson: Certainly the ability with which
institutions manage their fraud losses is, if you like, a competitive
element to that and one of the things that we have tried to do
over the last three years is that if you think about it too competitively,
in other words, "I am better than you; therefore I can have
better margins or lower costs", you are playing into the
hands of the criminal because what will happen is that the criminal
will take their techniques and move into your institution rather
than somebody else's or they will go from a bank to an insurance
company to do similar things, and so what we have been trying
to do over the last two or three years is to get the institutions
to share information very rapidly, collect information, share
it and also share information about good practice. The BBA, for
example, publish a fraud managers' guide which brought together
at a particular juncture their current experiences and they have
these working groups that look at mitigating the risks. From my
perspective as a regulator, making sure that firms have adequate
systems of control to mitigate financial crime or fraud risk in
this case, I can see these behaviours going on but I agree with
you that they are not always transparent to everyone outside,
but they are certainly happening.
Q187 Lord Harris of Haringey:
One of your objectives is to maintain confidence in the financial
system, and on 5 December Detective Superintendent Russell Day
of the Metropolitan Police was quoted as telling an all-party
group of MPs that "banks were keeping quiet about attacks
on their systems" largely because of concerns over public
confidence, and you may remember the press were saying, "Are
you saying that there is fraud taking place in financial institutions
and they do not refer it on to the Met because they are afraid
of it because it can damage them or because they do not think
you can cope with it?" and they also replied yes. Do you
agree that there is some evidence that there is a reticence by
banks and financial institutions to come clean about the problems
of fraud and about breaches in their own security because of this
public confidence argument?
Mr Robinson: I think the banks are wary about
feeding concerns by publishing information that will be misrepresented;
I think that is correct. Certainly, when the officer answered
yes about their concerns, he was asked a double question there
in the quote that you gave, and the second part of it was about
do they think that the Met will not do anything about it. It is
correct that the likelihood of fraud reported to law enforcement
being investigated is very low indeed.
Q188 Lord Harris of Haringey:
I hope we can pursue that on a separate occasion as well. Are
you saying therefore that there is fraud which takes place which
is not reported simply because there is an assumption that it
will not be dealt with properly?
Mr Robinson: That it will not be investigated,
yes.
Q189 Lord Harris of Haringey:
Earlier on, and I paraphrase the witnesses we heard, and you were
here as well so you know what I am talking about, we asked about
whether businesses should be legally obliged to notify customers
and others of security breaches, and essentially we were told
by the witnesses that really this would frighten the customers
and so on. I actually found that quite frightening as a customer
because what I was being told was they are going to keep to themselves
the fact that my security has been breached in case I am more
frightened. Do you think that is a way of maintaining confidence
in the financial system?
Mr Robinson: I think that transparency about
what has occurred is essential to maintain confidence. Our research
at the end of 2005 looked at aspects of consumer confidence in
the Internet banking channel and we will be repeating that. What
it showed was, for example, a real concern that if the liability
was moved from the banks to the customers they would move away
from the Internet banking channel which showed the fragility in
their confidence. Maintaining confidence in the financial system
includes maintaining confidence in the transaction mechanisms
in the system. I think that being open about what has happened
is important. After all, it is the personal data of the individuals
concerned. What was interesting was that no-one made reference
to the Information Commissioner because this is personal data
subject to the Data Protection Act and the Information Commissioner
is the regulator for that area. One of the things that we are
going to be investigating, and I might ask Mr Gruppetta to say
other things about it, is how we should work with the Information
Commissioner and with other regulators and entities that have
personal financial data such as utility regulators and so on,
because utility companies have this data for payment purposes,
and some of the compromises we have been seeing have been personal
data in the utility or telephone areas, which, of course, as I
have said, gets used in the financial system. Understanding who
has responsibility for making sure that the issues are dealt with
correctly is something we are trying to do.
Mr Gruppetta: As Philip said, we have seen evidence
that there have been security breaches in areas outside the financial
services sector as well. I know there was a Channel Four programme,
Dispatches, earlier this year which pointed to data compromises
in particular institutions, and although this was banking data
and, of course, the media reported this as banking data, it did
actually come from other types of firms, particularly mobile phone
companies were highlighted in that programme as being a fairly
weak link. What we are trying to do is speak to other regulators
of firms which hold banking data for payment purposes to see how
we can work together and try and improve security right across
the industry. As Philip said, part of this is going to involve
myself and a colleague visiting the Information Commissioner and
we are going to see him next Thursday just to talk about our respective
responsibilities and what we might be able to do to mobilise some
action in this area.
Q190 Lord Harris of Haringey:
Would the FSA welcome clarity in the law requiring financial institutions
to notify customers and others of security breaches?
Mr Robinson: The answer is that at this juncture
I do not know whether I would welcome it or not. The reason I
say that is that if the advice of law enforcement, for example,
is that there should be no disclosure, and I have seen that happen
in a number of cases because they are worried that that will compromise
material further, I think it is very difficult to say that in
every case there should be complete transparency. I realise that
that is not necessarily in accordance, for example, with making
sure that customers are aware that there has been a compromise,
but I think there is a kind of tension of forces here because
our presumption would be that making information available to
customers is what we would expect to see, but if law enforcement
or others are saying that that will create an additional risk
to fraud occurring, it is difficult to see that in every case
you could make it a mandatory requirement. I think that is the
sort of thing we need to look at with the Information Commissioner
and others to see how that plays through, because the general
presumption ought to be, and I think it is one we would have,
that if information has been compromised that belongs to a customer
and it could be helpful to them to know about it, and it does
not create additional threat to them, they should know about it.
Q191 Lord Mitchell:
This is on the subject of victims of online identity theft. How
long and what cost on average does it take British victims of
online identity theft to clear their names?
Mr Gruppetta: CIFAS, which is the UK's fraud
prevention service, published some information on this fairly
recently, and the information they published said that for a typical
victim of identity theft in the UK, the main cost was time rather
than money and it would take a typical victim between three and
48 hours of their own working time to put things right. However,
if there was a total hijack of an individual's identity where
perhaps 20 or 30 financial products or relationships with financial
organisations were affected, you could be talking about a much
greater amount of time, something around over 200 hours, I think
they said. The cost of this in the report was about £8,000
where there was a total hijack. In reality we think a lot of that
cost would probably be borne by the financial institutions involved,
but obviously then, as Philip said earlier, it does affect probably
the entire customer base or the shareholders of that firm, so
it is wrong to say that nobody loses out in these instances.
Mr Robinson: Which is why, of course, the rate
of growth in these things is what becomes important to us because
a small number of these do not affect consumers very much at all
but if a large number occurs it has a direct effect on consumer
protection and on market confidence.
Q192 Lord Mitchell:
In the United States victims are able to put locks on their credit
records and everyone can have a free copy of their credit record
once a year. Do you think we ought to introduce that here?
Mr Robinson: I think that access to credit information
starts at a very low cost. It would be a market decision whether
they wished to make that available for free. We certainly advise
people on our own website, and indeed the ID Fraud Group on which
we sat which produced this identity theft leaflet which was issued,
part of that says that you should check your credit account and
says that on average that could cost you around £2, and I
realise that that is still £2 but it is not a very large
amount of money. The key question really is getting consumers
into a behavioural pattern where they are doing the same online
for identity risks as they do with their physical risks. Most
people lock their house when they leave, most people lock their
car when they leave their car, and I am afraid we are moving into
a world where if you are going to use electronic banking it will
not be the bank's branch that locks the door at night; it is going
to have to be you locking it when you close your computer down.
Mr Gruppetta: If I could come back to the specific
point about being able to lock your credit record, there is a
facility available in the UK through CIFAS where, if a consumer
believes that they might be at risk of identity theft or some
data has been compromised, they can register for what is called
protective registration at CIFAS. What CIFAS does then is put
a marker against this individual so that if a financial product
is taken out of that individual's name the banks will know that
this is a higher risk application and they will look at it in
more detail.
Q193 Lord Mitchell:
Would it be in your view helpful, if there was a credit application
made in someone's name, that that person should automatically
be notified that that application had been made?
Mr Robinson: In general terms equipping people
to understand what is happening in their name would be the sort
of thing that we would support. It fits very closely with our
financial capability agenda because that is about equipping people
to understand the financial system better and information disclosure
of what is going on is a very helpful way of alerting consumers.
There is always a cost involved and again our general proposition
would be that the market needs to look at what is demanded. It
comes back to what consumers are demanding and whether or not
if it is provided they will take advantage of it. We have just
heard, and I think correctly, that unsolicited emails are often
just ignored, so there is a real cultural aspect that needs to
be sorted out. Personally I think that alerting people that something
is being asked in their name, just like phoning up and saying,
"This is £6,000 for a pair of shoes", is a very
good way of helping consumers protect themselves.
Q194 Earl of Erroll:
In the interests of bringing the online and offline world into
alignment we heard earlier that the banks are now going to allow
you to keep the money after a short period of time, in fact they
said six days, even in a case of fraudulent transaction, so you
have got certainty that the money is in your account. Should we
be doing the same with online transactions because that only applies
to cheques?
Mr Robinson: I think you heard what earlier
witnesses said about the banking code's guidance. The only observation
I would make in addition to that is that the electronic world
is often a lot faster and some of the things that may be possible
to do with the cheque clearing mechanism may not be possible in
an online world but the banking code's commitment on repayment
is - perhaps you can help me, Rob.
Mr Gruppetta: If a consumer has not acted negligently
they will only be liable for the first £50 of fraud.
Earl of Erroll: And this will be on the online
world as well as the offline.
Mr Robinson: That is already in the online world.
Q195 Chairman:
Let me ask a final question. In the USA, they have recently banned
US credit card companies and banks from making payments to online
gambling companies. Many observers predict that this will bring
alternative payment mechanisms such as "eGold" into
the mainstream. Are you satisfied that such mechanisms are being
properly regulated?
Mr Robinson: eGold is not regulated in the UK.
It is available and used in the UK and it is not a UK regulated
product. It is also used in a number of ways to make criminal
payments, as has been said, on the paedophile sites and so on.
What this demonstrates is the importance of the questions that
were being asked earlier on about cross-border co-operation because
the big difference between the electronic channel and the physical
channel is that you have no idea where the other person is and
it comes back to this question about the emails, where are they
coming from? My advice to any consumer who started to move into
any exotic exchange mechanism like eGold is that they should step
very carefully in the way that one of your colleagues mentioned
earlier on about what seems to be a good idea often turns out
not to be. I can see no reason why there should be a large scale
move to alternative payment systems like this for online payments.
The issue is maintaining consumer confidence in the existing channels
which are well regulated. This channel is not accepted, for example,
by PayPal and other people like that for online payments and I
think the message to consumers ought to be to keep out of areas
which are not well regulated.
Q196 Lord Howie of Troon:
Can you tell me what eGold is?
Mr Robinson: It is an interchange mechanism
where you are exchanging amounts of virtual gold, the value of
which goes up and down, rather than currency and the reason why
it has been created in this way is to avoid some of the obligations
that arise if you are doing it in money because if it is in money
it will need to be regulated.
Chairman: Thank you very much. We have
run on much longer than we thought we would but your answers have
been very useful indeed to us. Thank you very much for coming
to talk to us.