Huge scale of insider bank fraud revealed
A Money investigation suggests about 50 cases are reported to police every year and many more are kept secret. Many of these fraud cases are reported by what is called a ‘whistleblower’ member of staff within a community, who believes legal wrongdoing is occurring. There is a special section of the law (such as California Whistleblower Law) that deals with these cases in order to protect and reward the whistleblower.
Fraud can happen everywhere every day, to anyone. It can be a large-scale or small-scale crime too. For businesses or corporations who experience what they believe is fraudulent activity, they can hire forensic accounting or someone who can advise in mobile forensics, such as Eide Bailly for example. There is always help out there, however, calling the police is usually the first course of action a person or a company will take.
However, the full scale of fraud committed by staff at Britain’s banks is being swept under the carpet because the financial giants can simply dismiss the culprit and never tell the police, a senior detective warns today.
His comments come as a Freedom of Information (FoI) request by Money reveals the true extent of fraud over the past five years allegedly committed by staff at a bank or building society. The total lost from 39 frauds reported to seven police forces was 5.4m.
However, these figures are probably just the tip of the iceberg, because the 37 other forces in the UK said they were unable to provide the data. Banks are also under no obligation to report such fraud.
Last weekend, about 9,000 customers of Tesco bank lost a total of 2.5m in a cyber-attack. The bank said it could not comment on whether an insider was involved because there was an ongoing police investigation. Tesco claimed no personal data was stolen.
In an exclusive interview with Money, David Clark, a detective chief superintendent who heads the economic crime directorate at the City of London police, said there is no doubt that the true number of frauds being committed by bank insiders is considerably higher than the number being reported.
“The actual figure will be larger,” he said. “I will not hesitate in saying that, and I would say that we do see an upward trend of employee fraud.
“There is no compulsion for banks to report everything to the police. Sometimes [banks] do make the choice that it’s in their interests to release that person from their employment and deal with it internally. But I would say they should report it to the police, absolutely. What I wouldn’t want is for that person to go on to further employment or be pushed in a different direction to do the same again.”
If the number of confirmed cases is reflected nationwide, it suggests that about 50 instances of insider fraud are reported to police forces every year, with an annual loss of nearly 7m.
Most people assume banks report fraud to police automatically, just as an ordinary citizen who witnesses a crime would feel obliged to do. Clark’s comments will raise concerns that banks are hiding the full extent of the number of people they employ who are helping to fuel Britain’s fraud epidemic.
Another way banks hush up insider fraud is to ask victims to sign a confidentiality agreement, preventing them from speaking about their experience.
Increase in fraud
Financial Fraud Action UK (FFAUK), an organisation that is funded by banks and collates fraud figures, does not record the number of cases involving bank staff. Banking fraud losses hit 392m in the first six months of this year, a leap of 79% compared with the same period in 2012.
Banks often blame the victims of fraud, accusing them of being lax with their personal information, which can be used by fraudsters. They also wash their hands of any responsibility if a customer is duped into authorising transfers to a criminal’s bank account. This is why private investigators are often hired by customers in these situations. If you’re a business owner and there are rumours of any suspicious activity, this may be why you may find yourself or your business under surveillance. External sources are often required to uncover evidence of fraud, as banks are unlikely to take accountability for any negligence on their part.
However, victims who are contacted over the phone are often convinced the fraudster is from their bank because the caller seems to know so much about their account – everything from their bank balance to their latest transaction, down to the last penny. This is perhaps why there are an estimated 1.6 million fraud campaigns targeting iOS and Android users. There are more figures listed with the other latest phone security statistics here, but that figure alone suggests fraudsters see mobiles as an area to target.
Money made its FoI request following the shocking case of Feezan Hameed Choudhary, 25, nicknamed “Fizzy”, who, along with his accomplices, stole 113m from bank customers.
He paid 250 to corrupt staff at Lloyds each time they provided information about the bank’s customers. In September, Choudhary was jailed for 11 years. In total, 19 people were convicted, including three Lloyds employees.
The forces that did reveal their figures to Money were Cambridgeshire, Hertfordshire, Suffolk, Warwickshire and West Mercia, Bedfordshire, West Yorkshire and the Metropolitan Police Service in London. The other forces said the request would take too long to process.
After seeing the results of Money’s investigation, Steve Baker, the Conservative MP for Wycombe and a member of the Commons Treasury committee, said: “When bank staff abuse positions of trust to commit or facilitate fraud, it is particularly outrageous . . . We are all made vulnerable when people in trusted positions abuse that trust. It cannot be tolerated.”
Should banks tell police about fraud by their staff?
Clark of the City of London police says he does not know the extent to which banks deal with fraud cases internally – so neither the police nor FFAUK know the true extent of fraud.
He said: “It’s a matter for them [the banks]. They may well take that civil route with as much of a [financial] penalty to the person as possible. When they do report, we are always robust and we’d always suggest prosecution. In abuse-of-position cases, we’d always prefer a longer sentence.”
Asked if there is a risk that a dismissed staff member might be able to work at another bank, he said: “I wouldn’t say they’d be able to get a job at another bank. I think the banks take a course of action that would mean that that doesn’t happen.”
He added: “It’s never my position to advise a bank as to what security measures or level of scrutiny they should take in vetting their staff. That’s entirely up to them.
“However, if a bank reports a matter of internal employee fraud to us, I would encourage them to do it as soon as possible.”
Region by region, the losses add up
Money asked all the UK’s police forces for the number of reported fraud cases over the past five years, where a member of staff at a bank or building society was allegedly involved in committing the crime.
The forces were also asked for the number of cases that led to a conviction and the total loss from these frauds. Police forces are not obliged to hold conviction data, which is held by the Crown Prosecution Service, so different forces reported different details.
The Metropolitan police had nine reported cases over the past five years with a total loss of 4.2m, but the force does not hold conviction data. By contrast, Warwickshire and West Mercia police reported four cases with a total loss of 934,146. All cases led to a conviction.
West Yorkshire police had 10 reported cases with a loss of 160,976. Four workers were charged and three convicted.
Since April 2013, this type of financial fraud has been reported to Action Fraud, a national agency, instead of individual forces, which again means the real figures are likely to be even higher.
The National Crime Agency and the City of London police deal with financial fraud cases and only sometimes ask for the involvement of local police.
Money also made an information request to Action Fraud, but was again told it would take too long to process.
How can a scammer know so much about me?
Last year, Money reported the case of Andy and Trisha Evans, from Tunbridge Wells in Kent, who lost 22,500 after transferring money from their Santander bank account to fraudsters.
They were contacted on the phone by someone claiming to be from their bank’s fraud department saying they needed to transfer their life savings immediately to a “safe” account.
At the time, Trisha said: “He knew exactly how many accounts I had with Santander, including my Isas, as well as how much was in each account, down to the last penny.”
Santander would not refund the loss because the transfer had been authorised. It insists it is “confident there is no staff involvement” after carrying out a full review.
The bank said: “As we stated previously, fraudsters are very sophisticated at duping customers into sharing personal and security information with them.
“In many cases, the customer may have been vished or phished [telephoned or emailed] for account details previously, which means the fraudster has already started profiling the customer and maybe also accessed their account online or intercepted their post.”
Sir Peter Burt, the former chief executive of Bank of Scotland, said: “How do fraudsters know the balance in someone’s account or the fact that someone’s last payment was exactly 40.28 made to British Gas?”
How banks suppress reports of internal fraud
Banks are obliged to refund fraud losses if the victim was not to blame and did not authorise a transfer. However, in cases where a bank staff member is involved, they may ask the victim to sign a confidentiality agreement as a condition of having any money returned.
In July last year, Money revealed how Royal Bank of Scotland (RBS) tried to prevent a fraud victim from speaking to the press after a six-figure sum was stolen by an employee of NatWest, which is owned by RBS. The bank asked the reader to agree to a confidentiality clause in their settlement agreement but the reader, who wishes to remain anonymous, refused to do so and spoke to Money instead.
Five months later, the RBS staff member, Lesley Austin, was jailed for three years for stealing more than 260,000. She was able to operate undetected for about six years.
At the time, RBS said a confidentially clause was “a standard commercial clause in settlement agreements”. It insisted it “would have considered removing it in these circumstances”, given that our reader objected so strongly.
Lloyds bank also required some victims of Feezan Hameed Choudhary to sign confidentiality agreements. The bank said it was not a “general policy” for customers to do so as a condition of having their loss refunded; it depended on the circumstances. If Lloyds did not agree that it was liable for a customer’s loss but opted to make a refund on a commercial basis – to keep a loyal customer happy, for example – it might include a confidentiality clause in a settlement agreement, the bank said.
The British Bankers’ Association, which represents the industry, said: “There is no industry-wide policy on confidentiality agreements”.
Can a bank refuse to pay if I speak out?
No. Under Payment Services Regulations 2009, a bank is obliged to refund victims if a payment or transaction is unauthorised and the victim is not to blame. The legislation does, however, allow banks not to refund victims who authorise a transfer, even if they were duped into giving money to a conman.
A lawyer, who does not want to be identified because he works for banks, said those that insist on confidentiality agreements before making a refund can be taken to court, as it would be a breach of their own terms and conditions.
He said: “The role of the regulator is important here because it would be burdensome for a customer to take legal action against a bank for the return of funds.”
What do experts say?
Burt, who had to deal with cases of bank insider fraud during his time at Bank of Scotland, said it was “morally unjustifiable” to try to gag victims. He said: “There have been one or two recent cases of individuals who have paid a few hundred pounds to bank staff to pass on information. It’s extraordinarily difficult to stop that from the bank’s point of view.”
Last year, 153 organisations reported 585 cases of “insider fraud” to Cifas, the fraud prevention agency. It works with the police and over 300 organisations, including banks. It does not say how many of the insider frauds relate to banks.
Cifas said: “We urge all organisations to do more – as well as developing an anti-fraud culture in the workplace and improving vetting processes.”
What do the banks say?
The British Bankers’ Association said: “Banks are aware that criminals have targeted employees and have put in place intelligence-sharing measures with law enforcement and at an industry level to address the risks. Banks are also working with the police to seek prosecutions.”
Katy Worobec, director of FFAUK, said: “The security of customer accounts is of the utmost importance for all banks and there are robust checks and processes in place to identify and eliminate any potentially fraudulent activity by staff.”
What does the regulator say?
The Financial Conduct Authority said: “We require banks to have systems and controls in place to counter the risk of financial crime – risk of all types including fraud, money laundering and data security breaches.
“We expect firms to employ staff who possess the skills, knowledge and expertise to carry out their functions effectively. Vetting and training should be appropriate to employees’ roles. We also emphasise that firms must take special care of their customers’ personal data.”