UK banks’ GCHQ deal can’t excuse fraud inaction

A data sharing deal between financial services firms in the UK and the Government Communications Headquarters (GCHQ) doesn’t remove the spotlight from banks’ inaction when it comes to preventing fraud, according to market participants.

“While it should be a huge help to banks that GCHQ is happy to share real-time cybersecurity information in the fight against credit card fraud, banks should not be reliant solely on this support. It is the banks themselves who should be taking action,” said Alex Boothroyd, senior banking fraud specialist at SAS UK and Ireland, in an email.

According to 2018 figures from UK Finance, unauthorized financial fraud losses across payment cards, remote banking and cheques totaled £844m in 2018, an annual increase of 16%. UK Finance members also reported 84,624 incidents of authorized push payment scams with gross losses of £354m.

In October the Financial Conduct Authority (FCA) fined Tesco Bank £16.4m for its role in a 2016 cyberattack which saw cybercriminals siphon £2.26m. In April TSB announced it would begin refunding all innocent customers who have fallen victim to fraud, even if they had been tricked into handing over their details.

For Mark Crichton, senior director of security product management at OneSpan, there is always a focus on institutions. “They are responsible for taking more of a proactive approach in helping to fight fraud online, or more importantly, to help safeguard their customers. At the same time, I don’t think that the banks are doing nothing.”

GCHQ director Jeremy Fleming, in a speech at the government’s CyberUK event last week, outlined how the intelligence agency would cooperate with banks, using automation to alert customers rapidly.

“Our incident management team has worked on more than 1,500 significant cyber security incidents,” said Fleming. “Using automation, it has reduced the harm from thousands of attacks a month … we will share intelligence with banks to enable them to alert customers close to real time. We’re optimistic they will make a major difference to the user and by de-mystifying cyber security we will encourage many more people to adopt good cyber security measures.”

A spokesperson for the National Cyber Security Centre (NCSC), a division of GCHQ, wrote in an email: “The National Cyber Security Centre works closely with banks and the wider financial services sector to ensure their platforms are as secure and resilient as possible. Working together, we’re helping build cyber security into the heart of next generation systems.”

OneSpan’s Crichton says a strong focus on fraud data will be crucial to the partnership.

“I think [the partnership] will gather legs,” he says. “I think initially, the data is going to be high level, it’s going to be dark web data that the GCHQ has been able to access. Vendors, third parties and financial institutions themselves have access to this data, but GCHQ probably has a broader remit to search into the dark web in a different sort of way.”

The NCSC and the Information Commissioner’s Office (ICO) announced last week that the two bodies would increase cooperation on the prevention and management of cyberattacks. The NCSC will encourage compliance with regulations, while the ICO will mitigate risks at firms that have already been attacked.

“It’s important organisations understand what to expect if they suffer a cyber security breach,” said ICO deputy commissioner James Dipple-Johnstone in a statement alongside the news. “Organisations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Dealing with data

For Boothroyd, AI-powered fraud prevention can help to alleviate the pressures on customer fraud teams. “As the techniques used by fraudsters become more advanced, so too must companies’ defences if they are to maintain the trust of their customers whilst saving them money.

“AI provides the capabilities that businesses need to protect customers against this form of fraud. It is therefore vital that they invest in the necessary technology if they want to stay ahead of the curve rather than relying on the protective tools of intelligence officers.”

A voluntary code of good practice set up by the Authorised Push Payment Scams Steering Group is due to come into force on May 28. It requires banks, building societies and other payment services providers to put protective measures in place to prevent bank transfer fraud.

Educating consumers about the anti-fraud benefits of data sharing is paramount, adds Crichton. “Maybe consumers could construe this news as banks sharing their information with GCHQ, and we can’t know what sort of picture that might build up in their minds. There is a responsibility for us as an industry to promote the message that this news should be viewed as a positive.”

“Banks must not simply deal with the repercussions of fraudulent activity,” said Boothroyd, “they must tackle the issue from the outset. While it is true that part of the solution rests in educating customers around the techniques that scammers use, technology will play a more vital role in foiling fraud.”
