Matthew Cox, Managing Director EMEA, Fraud, Security & Financial Crime, at the Silicon Valley analytics firm FICO looks at strategies the UK Government could consider in response to reports that ‘Bounce Back Loan’ fraud could cost the UK billions of pounds.
When the bounce back loan scheme was set up, the UK Government rushed so fast because they needed to, and they didn’t put all the normal controls on loans at the bank level. For example, to qualify a business had to have been established before March 1 — I would have thought they’d have made it a requirement that they were in business from 2019 and before. Also, there was very little proof of business health needed. As a result, the fraud is estimated at £15-26 billion. As long as a simple fraud check was completed, the government has 100 per cent liability for these loans, which means the taxpayer does.
From a fraud MO perspective, we are seeing two things:
Each business was supposed to only be able to make one bounce back application, but there are no controls to restrict a business to one application. There are businesses that have applied three, four, five times, so they are getting multipliers on the £50K or 25pc annual turnover they’re supposed to get. Some business owners may be ready to cash out and could have received five loans for 125pc turnover.
I could pretend to be a director of your company and start making applications for loans on your company. You might not even find out that this has happened until you need to start paying next spring. Fraudsters will try to put mail redirection on businesses, so that people at the company won’t get the mail confirming the loan. But in fact, as we’re in lockdown, those bounce back loan confirmations may be sitting in vacant offices. When people get back to their offices, they might find a bounce back loan letter. That means there’s a big balloon potential for fraud next spring when the payments start coming due.
The programme was a great success, but there will be a lot of clean-up to do. The Government will now have to consider having a consolidated collections process across the banks that made the loans. Initially, the Government asked the banks to pump this money out, and now that they’re realising the potential scale of fraud and bad debt, they’ll be looking to the banks to help get that money back. It will be difficult to do much about impersonation fraud — that money will be gone, siphoned off to cryptocurrency, international payments and cash.
What can be done now? If I was the government, I would look to implement network analytics used in identity fraud detection across all the applications done through the UK banks. Don’t wait until the payments are due to start — using advanced link analysis, you can find all the connections between loans, like common phone numbers or company names or addresses. Get all the data together, use the analytics to find everyone who made more than one application, put all those into a bucket, then start contacting them. The money may be gone, but no one can abscond with it; they can’t even leave their house! Then run some first-party fraud definitions on the rest, and tell the suspicious accounts, “I need to talk to you.” Banks should consider using automated notifications, like SMS and App Push, for account holders that have made an application.
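As an added illustration of the link analysis described above (not code from FICO or from the article), the sketch below pools applications from several banks, normalises company name, phone and address, and groups any applications that share one of those values, including indirect links. The field names, the normalisation rules and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample applications (not real data); field names are assumptions.
APPLICATIONS = [
    {"id": "A1", "bank": "Bank1", "company": "Acme Trading Ltd", "phone": "020 7946 0001", "address": "1 High St, Leeds"},
    {"id": "A2", "bank": "Bank2", "company": "ACME TRADING LIMITED", "phone": "+44 20 7946 0999", "address": "Unit 4, Mill Rd, Leeds"},
    {"id": "A3", "bank": "Bank3", "company": "Northside Cafe Ltd", "phone": "+44 20 7946 0999", "address": "9 Park Lane, York"},
    {"id": "A4", "bank": "Bank1", "company": "Harbour Bikes Ltd", "phone": "0161 496 0123", "address": "22 Quay St, Hull"},
    {"id": "A5", "bank": "Bank2", "company": "Bright Signs Ltd", "phone": "0113 496 0777", "address": "1 high st., leeds"},
]

def normalise(field, value):
    """Reduce a field to a comparable key so formatting differences do not hide a link."""
    v = value.lower()
    if field == "phone":
        digits = re.sub(r"\D", "", v)
        # Simplification: treat a leading 44 as the UK country code.
        return "0" + digits[2:] if digits.startswith("44") else digits
    if field == "company":
        v = re.sub(r"\blimited\b", "ltd", v)
    return re.sub(r"[^a-z0-9]", "", v)

def linked_clusters(applications, fields=("company", "phone", "address")):
    """Union-find: any shared normalised field value joins two applications."""
    parent = {a["id"]: a["id"] for a in applications}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_key = defaultdict(list)  # (field, normalised value) -> application ids
    for app in applications:
        for f in fields:
            by_key[(f, normalise(f, app[f]))].append(app["id"])
    for ids in by_key.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    clusters = defaultdict(lambda: {"applications": [], "links": set()})
    for app in applications:
        clusters[find(app["id"])]["applications"].append(app["id"])
    for (f, _), ids in by_key.items():
        if len(ids) > 1:
            clusters[find(ids[0])]["links"].add(f)
    # Only groups with more than one application go into the review bucket.
    return [c for c in clusters.values() if len(c["applications"]) > 1]

if __name__ == "__main__":
    for c in linked_clusters(APPLICATIONS):
        print(c["applications"], "linked by", sorted(c["links"]))
```

A shared attribute is a reason to review a group, not proof of fraud: serviced offices and accountants' phone numbers will link unrelated businesses, so clusters need triage before anyone is contacted.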
Payments on these loans aren’t due for the first 12 months — that means any potential fraud is just sitting there festering for 12 months. It will be harder to get the money back in 12 months. The government should start working on this problem now, rather than waiting a year.