Oireachtas Joint and Select Committees

Wednesday, 24 May 2023

Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach

Authorised Push Payments Fraud: Banking and Payments Federation Ireland

Photo of John McGuinnessJohn McGuinness (Carlow-Kilkenny, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I note that the minutes of our meeting on Wednesday, 17 May 2023 were agreed at an earlier private meeting.

In today's session, we will hear from representatives of Banking & Payments Federation Ireland, BPFI, namely Ms Niamh Davenport and Mr. Richard Walsh. Both are very welcome.

Witnesses who are physically present or who give evidence from within the parliamentary precincts are protected pursuant to the constitutional statute by absolute privilege. They are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the person or the entity's good name.

I invite our guests to make their opening statements.

Ms Niamh Davenport:

I am joined by Mr. Richard Walsh, BPFI's director of industry collaboration and innovation. We welcome the opportunity to appear before the committee.

In recent years, the fraud landscape in Ireland has evolved significantly. Fraud previously consisted of criminals hacking into bank systems, online scams and even some in-person attempts. Nowadays, fraudsters have found that it is easier to manipulate customers into making transfers than to impersonate them directly. This type of fraud is known as authorised push payment, APP, fraud, and it is what we are here to discuss today.

In an APP scam, a criminal will trick the consumer or business into sending money directly from their account to an account the criminal controls. In most cases, the customer fully believes they are making a legitimate payment, even when it has been flagged to them by their banking provider that it is high risk. Examples include investment scams such as fake cryptocurrency schemes, romance scams, accommodation scams and, for business customers, invoice redirection and CEO impersonation scams.

Financial institutions have a clear role to play in preventing fraud, a commitment that the industry takes very seriously through a range of measures both at industry level and within each institution. However, it is important to note the first sight a financial provider will have of an APP fraud is when the transaction has already taken place. The payment occurs at the end of what can often be a long engagement between the criminal and the victim. Therefore, the banks cannot combat this crime alone.

APP fraud losses are driven by the fraudsters abusing online platforms to scam victims. This can include investment scams advertised on search engines and social media, romance scams committed via online dating platforms, and purchase scams promoted through auction websites. Once the victim has authorised the payment and the money has reached the criminal's account, the criminal will quickly transfer the money to numerous other accounts, often abroad, where it is cashed out. We know that in the UK almost 80% of these types of scams originate through online advertisements. Therefore, critical to tackling and ultimately reducing losses and the impact on consumers is a greater understanding of where and how these frauds and scams originate and blocking these channels to criminals.

Simply focusing on the payment and reimbursement of payments will fail to reverse the increasing number of incidents of fraud and to protect consumers and businesses. It will only reward criminals and enable them to fund more serious and lucrative crime. As An Garda Síochána will verify, money stolen through APP scams is used to fund drug trafficking, human trafficking, sexual exploitation and terrorism.

To combat APP fraud effectively, Ireland needs a centrally led, whole-of-system response whereby social media companies, telecommunications companies, financial services, the State and An Garda Síochána can collaborate to devise appropriate strategies to better share intelligence, implement protections for consumers and develop barriers to criminals. Close, cross-sectoral collaboration on intelligence-sharing would be a significant game-changer in fraud prevention in Ireland. There is currently a very siloed approach among the various industry sectors and agencies in identifying and combating financial crime. Our European and UK colleagues have benefited from national collaboration projects, particularly shared fraud databases, as a key resource in effectively combating fraud. The UK database, for example, has been operational for over 30 years.

This sentiment was also echoed in the Hamilton report, published by the Department of Justice in December 2020. This report encourages greater inter-agency co-ordination, collaboration, and information-sharing and also recommends a clear cross-government financial crime strategy. As the report's summary of recommendations notes:

Ireland has at present, no national strategy for combating economic crime and corruption. Given the range of agencies involved, the Review Group recommends the development of a multi-annual strategy to combat economic crime and corruption and an accompanying action plan. This will facilitate a joined-up and cohesive approach to combating economic crime and corruption in this jurisdiction and provide a basis for measuring progress.

This collaborative approach is not happening in any significant way in Ireland. Financial institutions have had some good successes in combating the wave of fraudulent SMS text messages that impersonate genuine bank messages; however, to keep pace with the changing landscape, we believe a national strategy should be built on three pillars of defence: cross-sector collaboration, education and awareness, and information sharing. These are pillars on which we have built our own industry strategy.

I shall now address cross-sector collaboration. To effectively combat fraud, it is crucial to address the source and prevent scams from reaching consumers in the first place. Cross-sector collaboration will allow us to target the channels currently used by criminals to contact victims and disrupt fraud at the source. BPFI is participating in a ComReg-led project to reduce the number of spoof callers. The project has successfully blocked almost 10 million phishing calls since September 2022. BPFI also co-ordinates the bimonthly joint intelligence group, which brings together financial institutions and An Garda Síochána and facilitates the sharing of fraud trends and typologies. BPFI has worked closely with An Garda Síochána on the banking protocol project, which trains bank branch staff to identify and assist customers who may, on presenting at a bank, be under coercion or the influence of a fraudster.

Further cross-collaboration work is needed with Internet providers and social media companies. They have a significant role to play in blocking fraudulent websites, monitoring network traffic and taking down fake advertisements. Collaboration creates a united front against fraud, and by leveraging the expertise and resources from across all stakeholders it becomes possible to disrupt the fraud ecosystem and protect consumers from falling victim to scams.

I shall now address the second pillar. In 2017, BPFI launched its FraudSMART programme, which was developed in conjunction with its members. It aims to raise consumer and business awareness of the latest financial fraud activity and trends and provide simple and impartial advice on how best to protect themselves and their resources from fraud. FraudSMART regularly raises awareness about the APP fraud scams we are discussing, among many others. Through a variety of channels, including national media, social media, radio advertising, email alerts and in-person events, the programme provides information on the tactics fraudsters use and highlights key warning signs and red flags to help consumers to become more vigilant and protect themselves from fraud. Over the past six months, for example, we have focused on raising awareness of investment scams, online scams and invoice redirection and have partnered with Age Friendly Ireland and the Small Firms Association as part of this work. Ultimately, empowering consumers and businesses through education helps to close the gap that fraudsters exploit when manipulating customers, and this is what our FraudSMART programme sets out to achieve.

The final pillar is information-sharing, which involves shared fraud databases. Shared fraud database schemes seen across Europe and the UK, which schemes support the sharing of information across financial institutions and law enforcement, are critical in the fight against financial crime. Enabling collaboration and the sharing of information about known fraudsters, fraud schemes and emerging trends allows the industry to act in real time and prevent the fraud from taking place. The benefit of a shared fraud database extends beyond prevention. It assists law enforcement to investigate and prosecute more effectively and it also protects customers who believe their identities may have been compromised.

By pooling resources and information through a shared fraud database, banks and law enforcement bodies can enhance fraud-prevention efforts and endeavour to stay ahead of evolving fraud techniques. BPFI has worked with members to develop an industry-shared fraud database that is ready to stand up once legislative amendments currently with the Department of Justice are approved.

The three pillars – collaboration, education and awareness, and information-sharing – provide a solid foundation on which to further build a fraud-prevention ecosystem in Ireland. However, more work is required. With potential regulation changes making a significant difference and the development of a national economic crime strategy that brings key stakeholders together, we can ensure that Ireland is not a prospective destination for fraudsters.

BPFI and its members will continue to seek insights and best practice from other jurisdictions along with having our own initiatives to prevent fraud. Adopting and improving upon successful strategies employed elsewhere can contribute to the development of a robust anti-fraud framework in Ireland. The key difference we note in other jurisdictions concerns their level of intelligence-sharing, cross-sector collaboration and national strategies. By working together, it becomes possible to gather and share intelligence, identify patterns and proactively address emerging fraud trends.

However, we must look at other jurisdictions as a whole rather than adopting individual pieces of their fraud strategies in isolation. Each jurisdiction has its unique fraud landscape and challenges. By examining their fraud ecosystem comprehensively, including the regulatory framework, technology infrastructure, industry collaboration and consumer education initiatives, it becomes possible to understand the holistic approach they have taken to combat fraud. By studying successful fraud prevention models, we can gain insights into the most effective strategies for identification and prosecution.

Photo of John McGuinnessJohn McGuinness (Carlow-Kilkenny, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank Ms Davenport for her comprehensive opening statement. I would like to acknowledge Eamonn Doran in the Public Gallery. A student from UCC studying politics and international affairs, Mr. Doran is welcome. I wish him well in his studies and in his future employment. I call Deputy Jim O'Callaghan.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses for attending and, like the Chairman, I thank Ms Davenport for the extensive and thorough opening statement.

When it comes to fraud, there are some parts that we are aware of and others that we are not. I know from talking to constituents that many of the issues now are that they may get a text message from a service provider that is not, in fact, from the service provider but purports or pretends to be, and which requires them to click on a link to pay for an eFlow bill or whatever. Is that the most common form of fraud that we are experiencing at present?

Ms Niamh Davenport:

It is the most common form we are seeing. We are due to have more figures come out in approximately two weeks. If we look at the second half of 2021, H2 2021, the latest period for which we have figures, the type of fraud the Deputy is referring to is unauthorised fraud. The cases we were discussing in our statement are authorised frauds. In the latest figures we have, unauthorised accounts for €37.1 million for a half a year compared with €7.6 million for authorised, which is what we are talking about today. That is roughly four times higher based on the latest figures for the types of scams the Deputy is referring to. eFlow is the most common one we are seeing at present.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

eFlow.

Ms Niamh Davenport:

Yes.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thought so. It is a difficult task for the Garda but are people ever apprehended for perpetrating these crimes?

Ms Niamh Davenport:

It comes down to the evidence the Garda has. The Garda is obviously working extensively in this area and would like to get more prosecutions but it is hard to do that without the evidence.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Is Ms Davenport aware of any convictions that have been given to date?

Ms Niamh Davenport:

There has been a number of convictions over the past year. There was a particularly large conviction last year. I cannot remember the exact figures but there was a large case last year where a number of people were arrested and the number of fake text messages we receive decreased. However, fraudsters will always evolve and adapt to new scams.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

If somebody makes the mistake of, for instance, clicking on to the eFlow text message or whichever fraudulent one it is, am I correct that the purpose presumably is to give details of his or her bank account to the fraudsters?

Ms Niamh Davenport:

Yes. In that case, the fraudsters are not looking for, say, the €2 eFlow payment. They are looking for the financial details and they will use them then to make other payments, either online or elsewhere.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Let us say someone did not realise it was a fraud at the time. How long does it take the victim to become aware that they have been defrauded?

Ms Niamh Davenport:

Sometimes it is a matter of minutes. They realise something did not seem right or they investigate further. Our advice, which we push through our education and awareness programme, is that, no matter what type of scam people should always take their time. Whether it is a text message scam or an email scam, there are always common themes. It is obviously how they are presented. There is a sense of urgency and the scammers try to make people rush. The key advice is to take your time and do not be rushed.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

If the fraudster is successful and money is unlawfully taken out of the customer's account, who picks up the tab for that?

Ms Niamh Davenport:

It depends. In the unauthorised cases, it is on cards most of the time. That would be on someone's Mastercard or Visa card. They are dealt with, obviously, through the chargeback scheme with Mastercard or Visa card. The ones we are looking at today are investigated case by case. A thorough investigation is done on all authorised push-payment scams and it would depend on how much money the banks can recall. That is why we always say time is of the essence. The Deputy asked about timing. It is important to report a fraud as soon as possible.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Is there no consistent approach across the board? Does it depend on the circumstances of each fraud?

Ms Niamh Davenport:

With the authorised push payment, it depends on the circumstances, the level of control and if the banks have intervened. We often have cases where the bank has called the customer before a payment is made or, for example, in branch, they will question it, but if the consumer still wants to make that payment, the payment will be made.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

What is a romance scam?

Ms Niamh Davenport:

Unfortunately, romance scams are quite long scams. They might take place over a number of months. People tend to meet online and the fraudster builds up a fake profile. They will contact someone through a dating website and then they will maybe move off and have WhatsApp chats, etc. They will eventually ask for help or have an issue where they need help with something. They might say a family member is ill and ask the person to transfer money. They might not even ask that money be transferred. It would be something along those lines. It could be that the person is coming over to visit but needs to pay for baggage or something like that. There is a range of different excuses that they will use.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Are these people who have only met online and have not met face to face?

Ms Niamh Davenport:

They have not met face to face. Something important to note with the romance scams is there is a huge level of trust already built up. These can take anywhere from a number of weeks to six or seven months or even up to a year. The fraudster engages with the person over time and builds up trust. The person thinks he or she is in a relationship with this person and wants to help in a situation, for example, involving a family member. There is a good level of trust built up. The scams have generally taken place before the payment is even made.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Is it correct that Banking and Payments Federation Ireland would like to see the establishment of a shared fraud database in Ireland?

Ms Niamh Davenport:

That is correct. We have been working on this for a number of years. There is a secondary piece of legislation with the Department of Justice. We are waiting and hoping that will get approval as soon as possible. It is something that has been useful in preventing fraud in other jurisdictions, particularly the UK. As I said, we have the project ready to go. We are ready to stand up the database as soon as that legislation goes through.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

How would it operate in practical terms?

Ms Niamh Davenport:

To clarify, it relates to confirmed fraud. Something that we suspect would not be added to this database. If, for example, a bank received fake documentation on account opening, it could add it to the database and another bank member could see that and prevent an account being opened in that institution with the same fake documents. At the moment, someone can open a bank account and go down the road and open another one.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Is it a database of alleged fraudsters or a database of attempted fraud, if Ms Davenport knows what I mean?

Ms Niamh Davenport:

It would have to be confirmed fraud. There are rules and controls around what can be put up. There are quite detailed controls around what can and cannot be added to it. There could be samples of fake IDs and fake utility bills. That kind of thing is going into it.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

When Ms Davenport says "confirmed fraud", do I take it she does not mean somebody has been convicted for it?

Ms Niamh Davenport:

Not convicted but it has been confirmed, for example, that a document is fake.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Ms Davenport referred to secondary legislation going through the Department of Justice. I should know this. What is the legislation that would deal with this? Is there legislation in place at present that provides statutory protection?

Ms Niamh Davenport:

At the moment, under the general data protection regulation, GDPR, there are concerns around the sharing of information. We want to make sure that information is treated with the respect it deserves but from a financial crime point of view, if there is a legitimate interest, we would like to be able to share that information. The statutory legislation is to allow that within the controlled environment.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

In effect, the data regulation Act does not currently permit the sharing of this information among financial institutions.

Ms Niamh Davenport:

It is unclear. Some jurisdictions will interpret it. For example, the UK, which is under GDPR, will share the data. Other jurisdictions have concerns as well. It is to make sure we are doing this in a lawful manner.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The BPFI is seeking an amendment of the data regulation Act to ensure there is no doubt that financial institutions are permitted to share this information in respect of confirmed fraud. Is that correct?

Ms Niamh Davenport:

Mr. Walsh was closer to the drafting than I was.

Mr. Richard Walsh:

The Deputy is correct. We can get the specific areas of address and send that information to the Deputy afterwards.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Obviously, this is for the benefit of the public and also for the sharing of information among financial institutions. What institutions would have access to this information?

Mr. Richard Walsh:

The intention would be to have it open to anyone who has a legitimate interest, particularly in account opening. I refer to anyone who is opening accounts and needs to register a customer. They would often use documentation in a process that we call "KYC", know your customer. People would be familiar with the process whereby if they are opening a bank account, they have to present documentation such as a passport, utility bills and proof of address. What we are seeing with the shared fraud database is fraudsters will often either steal identities or forge these documents.

When they do that, they will then bring that set of forged or compromised credentials around to many banks and credit unions and An Post. They may even bring these credentials into mobile operators so they can get high-end phones on monthly repayments. The purpose of the shared fraud database is that if one of these institutions has a strong suspicion that such credentials are either compromised or forged, it can then register it on the central database. Any other institution will then be able to see this as a red flag. The instruction is to treat this with extra caution if an account is being opened.

I might add that there is a second-use case in this. It is quite common to hear stories of people who have been on calls with fraudsters for up to 40 minutes. The fraudsters will present themselves as being from a bank or financial institution. They will get copies of the customer's passport, utility bills and security questions and it is only after such a call ends that the customer will often realise something was off about it. He or she will then ring the bank and discover it was a call from a fraudster and not from that institution. In that case, the bank would be able to offer to place this customer and his or her details on the central database for protection against someone else opening an account in that name. The customer would be clearly marked as a victim and would not be treated in any negative way by any other institution. This is just for the customer's protection.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

If the Oireachtas is thinking of changing the law, generally at the forefront of our minds will be the interests of the public and consumers. Since so many people are the innocent victims of this type of fraud, would it be a good idea for the Oireachtas to introduce legislation that would provide for a mandatory redress scheme to allow people to reveal they were the victims of this type of fraud and place an obligation on the financial institution concerned to provide redress?

Ms Niamh Davenport:

We spoke about this in preparing for this meeting. Taking as an example unauthorised payments, such as text message scams, these would all be refunded through the chargeback scheme. We have full refunds in most of those cases. They are still investigated. We take this approach rather than just doing a mandatory refund because we do get false claims and first-party fraud as well. Every case, whether unauthorised or authorised, is investigated on a case-by-case basis.

When it comes to the authorised push payments fraud, every case is also investigated. We know there is a similar scheme in the UK. Even though it is a redress scheme - it is called the reimbursement code - only about 66% of those cases get refunded in the UK. We are at similar levels here without having that redress scheme and, as I said, we are already refunding in the cases of unauthorised payments.

We are not against bringing in any protections for the consumer. These are very important to us. We must also be careful, however, that we do not introduce a culture of fraud and become a destination for fraudsters. The UK has many more attempts at fraud and many more of them are successful. As I said, for half a year, our figure was €7.6 million. For authorised push payments fraud in the UK, the equivalent figure was £538 million. We are, therefore, in a significantly different place. This is partly because the UK is a destination for fraudsters because it is known to be refunding.

Additionally, the UK also put many other preventative measures in place before bringing out its code. It is important to remember that the UK had shared fraud databases and other prevention measures in place as well as the ability to share information on the preventative side before implementing the refunds. It is important not to take must one aspect of the legislation in the UK. The House of Lords also recommended several months ago to examine the telecommunications and Internet companies as well because that is where the advertisements are being placed. There are several things we would have to do in conjunction with any change before bringing out the code here.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Can I take it that the BPFI is not opposed to this proposal but thinks it needs to be carefully considered?

Ms Niamh Davenport:

It needs to be very carefully considered.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses for coming before the committee and I thank the committee for agreeing to our proposal to host this module. There are very few people in the State who have not been victims of fraudsters or whom fraudsters have attempted to make victims of. We are all inundated with these text messages, whether these purport to come from eFlow or An Post. These days, we do not really know if we have to pay a customs charge or not because it is quite confusing for many people.

We are discussing authorised push payments and we touched on unauthorised push payments earlier. To clarify, it was stated that the value of unauthorised push payments, such as phishing and eFlow and An Post fraud attempts, in the six months for which we have data, amounted to €37 million. Is that correct?

Ms Niamh Davenport:

Yes, those are the data we have for 2021.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Regarding authorised push payments for the year for which we have data, that is 2021-----

Ms Niamh Davenport:

For the same period, it was €7.6 million.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

For the entire year, we are talking about close to €17 million. Is that correct?

Ms Niamh Davenport:

Roughly, yes.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

This was an increase of 35% in that year. Even though we do not have data for 2022 or the first part of 2023, we can all reasonably expect this level has gone up significantly.

Ms Niamh Davenport:

It is the route that fraudsters have decided is the easiest and most profitable way to go about things.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Yes.

Ms Niamh Davenport:

We must remember that fraudsters are professionals. This is their daytime job and they have decided this is the most profitable route to pursue

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Yes. Work was done on this by the banks. I am sure many of us here and those watching would have got calls from the bank to say there had been an attempt made to buy an 85-inch television or a trip to the Bahamas, and the response would have been that this was nothing to do with us and those payments have been stopped. For unauthorised payments, a rule of thumb is that they are all reimbursed, unless the people concerned confirmed they had gone to the Bahamas and had then turned around and said it was not them. In that case, there would be no reimbursement. The rule of thumb, however, is that all such instances are reimbursed. Is that correct?

Ms Niamh Davenport:

Correct. It is done through the chargeback schemes.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Okay. What we are looking at here is the issue of customers being defrauded and ending up substantially out of pocket. Regarding authorised push payments, which is what we are discussing, the value of these types of payment is significantly higher than the most common types of unauthorised push payments. Is that correct?

Ms Niamh Davenport:

Yes, on average, per case, that is correct.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

We could be talking about someone being out by €4,000 as compared to someone being out by perhaps €90 in a credit card scam.

Ms Niamh Davenport:

Yes. We did some research earlier in the year on credit cards, and I think the average loss was about €1,700 for credit card scams. It is still obviously much lower than €4,000.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Yes, it is a lot lower. I was looking at the report from the BPFI which stated the average card payment fraud was only €90.

Ms Niamh Davenport:

Yes. That is just for cards in general.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I am sorry. That is across all cards.

Ms Niamh Davenport:

Yes. I agree there is a significant difference.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

We touched on some of the types of scams out there. We have the romance scam, which is a difficult one because in some cases a vulnerability is being preyed on. In some cases, there may be an issue of shame because people were defrauded in this way and a reluctance to come forward and explain they were this type of victim. It is good that some people are now coming forward and speaking publicly because it helps others to do that too. We also have other types of scams where people are seeing sponsored advertisements on social media. We will have representatives of Facebook, Twitter, Amazon and all those companies before the committee as well. A sponsored ad on Facebook, for example, could be advertising a weekend away or a holiday for a family in the Canaries for €4,000. People think this is great. They make the payment and then find out they have been scammed. These are termed authorised payments because the people have authorised the payment.

Ms Niamh Davenport:

Yes.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

That is why the levels of scamming are much higher. Given the trend in this regard, is it fair to say we are losing the fight against the scammers? They are steps ahead of us. There has been a 35% increase in authorised push payments and there are significant levels of unauthorised push payments. The number of people defrauded and the value of the amount of money pocketed by the fraudsters has also increased.

Ms Niamh Davenport:

Those figures are for 2021. The impact of Covid-19 did change the fraud landscape over several years. Everything has moved online. As we said in our opening statement, we have seen that 80% of these types of fraud originate online and this was because we all shifted online overnight. The fraudsters are always going to be one step ahead. They are always evolving and adapting. The fact that we even moved this landscape of the authorised push payment is evidence of that. Five, six and even seven years ago, we would have seen people impersonating the bank all the time. We do not see those types of attempted frauds as much now, which is why the fraudsters have moved to try to manipulate customers into making the payments themselves.

The banks, on an individual basis, and we, on an industry basis, are doing a lot within the current regulatory framework. We are doing what we can. As I said, we have the joint intelligence group with the Garda. We have our education and awareness and we are working with ComReg cross-sector. We definitely need to do more. The biggest players we need to more with are the likes of the online companies that we are dealing with. That is where it is originating and where the advertisements are. It is on social media and the Internet. We do not have figures for this year yet but I expect that investment scams are one of the highest ones over the past number of months. We have done much education and awareness on this, working particularly with Age Friendly Ireland because the fraudsters look at the 55-plus age group of people about to retire. We are trying to keep everyone aware of what is going on. As prevention is better than cure in this regard, we need to prevent it in the first place.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I agree 100%. To go into that with my next line of questioning, we see that the trends are increasing. More people are being scammed and the value of the scams is increasing. When we get the 2020 and 2023 results, it is likely to have gone in the same direction. In the meantime, we do not have a national strategy for combating economic crime. It is just batshit crazy that 4,000 people were scammed out of €16.8 million in 2021 - which they did not get back from the banks - and we do not have a national strategy for combating economic crime, despite the fact that the Department of Justice told us that quarter 1 of 2021 would be its target for submitting such a multi-annual strategy and action plan. Does Ms Davenport have any understanding of why there is such a delay in the Department of Justice - which, again, we are calling before this committee - developing a strategy on an issue that is out of control? I looked at the strategy in Britain, which is on its second strategy, and it is running to more than 100 pages. I know that strategy is not based on pages, but the Department is two years late. Does Ms Davenport have any understanding when we are likely to see this? Why have we not had urgency from the Government regarding the existing and growing threat of fraud and, in particular, APP fraud?

Ms Niamh Davenport:

We welcomed the comments from the Hamilton report in 2022 and we would like the national strategy on this. We believe the only way is by everybody coming together to play their piece in it. By letting the fraudsters into the online space and into customers’ lives, we are only rewarding the fraudsters at the end of the day, because they are the ones walking away with the cash at the moment. If one talks to An Garda Síochána, it is funnelling much more serious crimes, such as drug trafficking and human trafficking, which we are also doing much work on. What is the delay? I do not think I can comment on what the Department of Justice is saying. We are eager and in regular communication with its officials. We have the statutory instrument, that secondary legislation, and we hope it gets brought in as soon as possible. As I said, we are ready to act as soon as it is brought in.

Mr. Richard Walsh:

I wish to add something. Certainly, the Deputy’s observation that the underlying trend is growing is absolutely true and it is a global phenomenon; it is growing. Compared with the UK, Ireland has done quite well in respect of APP. I will not say it is at a low level but if you average the APP losses across the Irish population versus the UK population, Irish citizens are probably suffering about half or just less than half of what the UK is suffering. Our concern is that the UK is now bringing in measures that will see it tightening up and fraudsters finding greater difficulty to operate in the UK. We will certainly see them start to now focus on Ireland. It most important that we do not end up being the most vulnerable country, because we will draw attention. That is why we are very keen to see that multiyear strategy be driven by the Government.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

There are two ends to this. First, we want a strategy where we are all pointing in the same direction. This is online fraud. As I said, 4,000 people lost €17 million. Some 4,000 people were, on average, robbed of more than €4,000 each that year. The same probably happened last year and it is likely to be more this year, yet we do not have a national strategy. The second issue that I cannot get my head around, which was touched on, is that we do not have a sharing of information. Mr. Walsh talked about Britain and how Britain is closing down. Britain has information sharing in respect of a fraud database and has for quite a while. The Netherlands has the Dutch transaction monitoring initiative that maps out networks of linked fraudulent accounts. I know the banking industry has been looking for this ability to share information. Can the witnesses explain to this committee why the Department or Government are not allowing banks to share information to try to stamp this down? We are talking about APP frauds, where the victims are the customers. However, in terms of unauthorised frauds, it is the banks that are taking a hit. Obviously, resources have to be put in. Why is the Department not moving with urgency to allow for a shared fraud database across the sector?

Mr. Richard Walsh:

We have been asking for this for quite a number of years. It took quite a while for the office of the data commissioner to reach a point where it was comfortable with what was being proposed. Incidentally, we are looking to replicate the model that the UK has and bring in the same not-for-profit vendor that runs the UK database. I think it is well understood. However, that secondary legislation is required. That went over to the Department of Justice about a year ago. We are in regular contact with its officials. They had hoped to have it in place, I think, in the first half of the year but they are now signalling that there are delays. As of now, unfortunately, we do not have a date. The Department of Justice was very supportive over those years and it wants to see this database coming in as well.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

In the absence of that, BPFI is chairing a kind of intelligence group that includes the Garda, the banks and other agencies to share fraud trends and typologies. Is that correct? However, they obviously cannot share the core information because their hands are restrained in respect of that.

Ms Niamh Davenport:

Exactly. To note, that would not be real time either; there is a lag. As the shared fraud database would allow real-time prevention of fraud, it is really beneficial to preventing fraud.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Regarding the group the BPFI set up, I commend its work on that but I note the restrictions. It is looking after the fact. The horse has well bolted down the fields and the customers and banks have been left short-changed as a result of this. If we had the shared information fraud database and our national strategy, is it still the banking industry that should be chairing that type of group or should it be more agency-led?

Mr. Richard Walsh:

It should be a Government strategy. The banks definitely have an important role within that. We see telecoms being able to play a positive part. Regarding social media companies, it is important to be able to prevent upfront these advertisements going in front of customers and they should look to see how they can rapidly take these down. There is an all-sector approach to this. With regard to the banks, I imagine we would be an active participant though I do not know if we need to be the people who are leading out on it.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

In respect of the banking industry's awareness campaign, is paid advertisement being taken out on social media platforms to get that message across?

Ms Niamh Davenport:

Yes. We do paid advertisements on a regular basis with the social media platforms. We also run large campaigns. We will do regular alerts on social media and we also do email alerts through our own website as well. Consumers can sign up to email alerts. I always take an opportunity to urge anybody listening to sign up to those alerts. Yes, we are doing regular campaigns. We are also doing large campaigns with them later in the year to get to the younger generation and to get the youth demographic aware of the frauds around.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

How do the witnesses feel about the social media companies being in a win-win situation? They are taking money from the fraudsters in terms of paid advertisement to scam us and then they are taking money from the industry to try to prevent the scammers. Do social media companies and telecommunication companies that are accepting paid advertisement on their platforms have a responsibility to compensate victims?

Ms Niamh Davenport:

That has been suggested in the UK, for example. That is the approach it will take going forward. I keep coming back to the 80% but that is where the scams originate.

There should be some accountability and responsibility. As we have not had much engagement with those companies here, I cannot really say what they are or are not doing. I know they are proactive in trying to take down websites and fake advertisements if they are alerted to it. At the moment, from what I understand it is consumers and banks alerting them to these fake websites and fake advertisements.

Mr. Richard Walsh:

The Minister of State, Deputy Ossian Smyth, set up a nuisance communications task force to challenge the mobile operators to see what they can do to help reduce the number of fraudulent calls and SMS messages that have been distributed. On the back of that we have started a good engagement with ComReg. We have worked on one or two initiatives together, which have shown very positive results. To me, that is a taster of what we could do in Ireland if we can get this cross-sectoral approach going.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Let me go back to the victim in this, and the 4,000 people scammed in 2021. They did not get any compensation. They were out of pocket and that was it. They are changing the laws in Britain. The voluntary code between the ten large banks was mentioned and that is now moving to a statutory code. The consultation is finished. A policy statement has been issued by the British Government, stating that victims would be reimbursed by the industry. Online platforms and telecommunications have a responsibility there as well. There is a clear cost-benefit analysis in this. The regulator has looked at this in detail. It has suggested this would push down the level of approved push payment fraud in Britain. The view of the industry is that this obviously puts cost on its members. The members are the banks. What is the view of the industry on introducing similar legislation here? From reading the British cost-benefit analysis, I believe it has a lot of benefits. I acknowledge I raised this privately with BPFI. I have encountered a case where somebody who lives in the North was a victim of an authorised push payment fraud. Both bank accounts were used - one in the North and one in the South. We will pretend it is a romance scam in this case. Somebody is conned into believing they are in a romance scam. The person supposedly falls ill. Transactions are being made to help them. One bank account in the North has no money left in it. The one in the South starts making payments to it. In the North, all of that money is reimbursed. In the future, when this legislation passes in Britain, it is guaranteed to be reimbursed. There are set minimums, it has to be over a certain level, there can be an excess of £35 and so on. These romance scams are not €90 or £90. They are €9,000, €19,000 and €90,000 in some cases. They are huge amounts of money. In the South, she was told she has to paddle her own canoe because there is no support there. The legislation in Britain will make it mandatory on industry to reimburse those types of authorised push payment frauds. Should we not have the same here?

Ms Niamh Davenport:

Every case here is investigated individually. To clarify, the €7.6 million for the second half of 2022 was for gross losses. It was not necessarily the full loss to the customer. On average, we are reimbursing 50% and 60% through recalling the funds. We have to err on the side of caution. Investigating each case is necessary. I am not saying no funds will be returned, but investigating assists with identifying the source of the fraud in the first instance. Second, it is very important to identify that if there is a vulnerable customer there, we can assist him or her in other ways. Automatic refunds do not allow for investigations. Moreover, the level of fraud in the UK is far higher than it is here and makes it a destination for fraud. While we are saying controls are good, we have to look at all avenues when it comes to fraud prevention. I would suggest that we should focus on fraud prevention and stop it happening in the first place.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Of course you have to but-----

Photo of John McGuinnessJohn McGuinness (Carlow-Kilkenny, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The Deputy should conclude..

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I will finish on this point. I do not believe that defence stacks up. I understand the industry does not want the cost placed on the banks. However, there is an automatic reimbursement when it comes to the largest volume of fraud. If Ms Davenport genuinely believed what she said, she would say we should stop all that as well. There is nothing to prevent investigation even if there is reimbursement. While Britain is compared with Ireland in terms of what is happening at the moment, Britain is operating under a voluntary code. That voluntary code is about to go to a statutory basis where it will be a lot stricter. As has been mentioned, we will be focused on this area and therefore, there is going to be a change. The cost-benefit analysis is clear. The cost-benefit analysis carried out by the regulator in Britain is very detailed. It states the regulator's belief that the main benefit will be that approved push payment fraud will reduce dramatically in Britain as a result of this measure. Banks will invest significantly in deterring this because they will be on the hook. The regulator there also identified that some banks are worse than others. I would like to hear if that is the case here but I know I am out of time.

Ms Niamh Davenport:

We are closely watching the UK voluntary code becoming mandatory. It is something we need to look at but we need to look at their ecosystem as a whole, rather than at that one piece of legislation. They are also dealing with the social media companies and online companies and looking to them for compensation too. It is a whole model we have to look at, rather than just simply saying we need to reimburse the consumer. The model in the UK is appropriate for their ecosystem, the level of fraud they have and the cost benefit for the level and number of attempts at fraud they have on their population. While we have to do the same here, I urge that the whole ecosystem be looked at, including the intelligence and information sharing, education and awareness and bringing the telecommunications providers and online companies into the fold too.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Has BPFI done any investigations into the role of artificial intelligence, AI, in this regard?

Ms Niamh Davenport:

We have not done any investigations specifically at industry level. However, we have obviously seen that AI is beneficial in preventing fraud. It can identify patterns and typologies quite quickly. From the point of view of technology, it is obviously expensive to bring in but it can also go to the other side as well. We have seen the first case of fraud with AI in the UK. Someone was able to impersonate a voice. It is one of those things. There needs to be balance to it but there are definitely benefits to using AI to prevent fraud.

Mr. Richard Walsh:

To add to that, there is then the detection of fraud using AI. We have just come to the end of a trial that BPFI did with the University of Galway, Bank of Ireland, IBM and a UK not-for-profit called Stop the Traffik. It looked to identify evidence of human trafficking in transaction histories. The trial has just concluded. The AI was successfully able to identify 20 new different ways, or collections of red flags, that banks can now look for in real time as transactions occur. That is something Bank of Ireland is looking to put into its real-time monitoring. AIB is looking at it too, and we want to see which other banks we can do that with. AI could be a powerful tool for real-time detection of behaviours a human eye might not pick up.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

It could also escalate. In the absence of having a national strategy, a co-ordinated approach and all of those things, AI could work the other way. My concern is that, as other jurisdictions are ahead of the curve in combating all this, then the fraudsters will obviously move to more vulnerable jurisdictions. That leaves us more vulnerable all of the time.

Ms Niamh Davenport:

We are always conscious of trends. We liaise with colleagues in the EU on a regular basis to find out what trends they are seeing. It generally moves across to us. We try to stay ahead of it in terms of knowing what is coming, but it is hard when we do not have the ability. The roadblock for us at the moment when it comes to anti-money laundering, AML, or fraud is information sharing. It is where we have become stuck at this point. We are doing everything we can within the regulatory framework. We are trying to improve on processes we already have, but it is typologies and patterns we are sharing. It is not the live, real-time prevention of fraud that information sharing could provide.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Therefore it continues to get worse. I have been dealing with a case of an authorised push payment where a confirmation text from Apple Pay came in at the same time they were attempting to make an online purchase. It was essentially attaching their bank account to the fraudster's Apple Pay account.

Assuming that the text was to confirm the purchase the person had approved, this allowed the fraudsters to make a transfer out of the bank account without being prompted by the banking app for approval each time. In the space of one minute, they had made payments of €50, €200 and €400. The transfers only stopped when the bank account was empty.

Ms Davenport stated that the first sight the bank or financial provider has of the authorised push-payment fraud is when the transaction has already taken place. The same could be said for unauthorised transactions. However, it is long-standing practice that banks monitor suspicious activity, especially that relating to credit cards. In the case I outlined, after Apple Pay was opened for the first time, fraudsters immediately began making transfers that were clearly suspicious and, yet, the bank took no action. Do banks have a responsibility to monitor suspicious activity and protect customers, where possible, from authorised fraud? How is that suspicious activity monitored? What protections can the customers expect from their banks? What are the statutory rights of customers who are impacted by app fraud? How does credit card security compare with debit card security? What is the justification for the disparity between them?

Ms Niamh Davenport:

I will start with the final point on debit cards and credit cards. There is no difference because the card is either a Mastercard or a Visa. The cards are covered equally under the Mastercard or Visa schemes. Whether the card is debit or credit does not make any difference. Each bank takes its own preventative measures, which include transaction monitoring. A bank would have its own risk assessments and set different limits. Not every transaction can get picked up, especially the lower ones. Fraudsters will often test. It would depend on the banks own controls and risk assessments. Banks try to prevent such transactions. I cannot comment on that case because it has to do with Apple as well. An improvement was made in that regard. The transaction going through Apple can add a layer of complication. I do not know if there was a takeover on the phone or handset, or what may have happened in that incident. This is where telcos come into play. They can identify messages appearing on screens.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

What are the statutory rights of the customers in the case of app fraud?

Ms Niamh Davenport:

What does the Deputy mean by app fraud?

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I refer to when people use the authorisation app.

Ms Niamh Davenport:

It depends. From a bank's point of view, it would be more about how the transaction is made. It is not necessarily about the channel or app, but whether a person has used his or her debit or credit card. It is more about how the transaction takes place, as opposed to whether it takes place on an app or online. That does not make a difference.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

That is a bit of a problem because there is ambiguity as to where the fault lies. It is important that we recognise it is not always clear when an authorised or an unauthorised payment is made. I have dealt with another case where the individual was confident of having not approved the payments, but the bank told the individual it would have to investigate, to determine where the fault lay. In that case, thousands were taken and the family in question needed that money just to get by. They were left with no money. However, the bank told them it would take six weeks to determine who was at fault. The payments situation was suspicious from the beginning. Gucci handbags were bought from retailers in London, when the family lived a very modest life in Mayo. What is the average time taken to determine whether a payment was authorised or unauthorised?

Ms Niamh Davenport:

I do not have that information to hand. I can definitely come back to the Deputy on it. It depends on the level of investigation. We will be giving key information under the education-and-awareness pillar we talked about earlier, later in the year. We have seen apps downloaded from the Apple or Google stores, that is, from the authorised store. The apps are available through Google and Apple. We will advise people to be careful of what they allow these apps access to on their phones, because they can trace and monitor a person's keystroke movements and copy them. They can see a person logging into his or her online banking and have access to it. Depending on the case, it may take longer to investigate, but this is another reason we need to get everybody in the room together. These apps are in the stores on Apple, Google or Android phones. A recent example I heard of was a torch app somebody downloaded that was monitoring the person's keystrokes and passwords. There is reason for caution. We will be giving an alert, but we have only heard of these cases recently. We will be engaging in education and awareness around the issue. It was news even to me that phones could do that.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

What co-ordination does the BPFI have with the app stores in trying to prevent it?

Ms Niamh Davenport:

We do not have anything. We are just looking at what we can do for our own education and awareness and to get the message out there. We use our FraudSMART programme to do so. This is why everything here is silent at present. We would welcome any cross-sector collaboration.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Is it safe for people to use their banking apps?

Ms Niamh Davenport:

The banking apps are safe. This has nothing to do with them; it is what people are downloading. It is the same as clicking on a link online, such as a business email compromise. Education and awareness is needed for everyone on what they are downloading to their phones. Photo apps are one example. All of these apps are available through the Apple store. Whether it is a link in a text message, something one clicks on online or an app, one should be careful about what one is downloading and allowing access to. The terms and conditions are there.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Should those apps be available through the Apple store if they can be used to do what we are taking about?

Ms Niamh Davenport:

I assume the app goes through the Apple process. I could not comment on that. I am not technology based in terms of IT. We would have to put it to the companies.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Would the BPFI have contacted Apple to say it has concerns?

Ms Niamh Davenport:

I believe members have contacted Apple, but I could not answer that question.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

It is important Apple is asked for a response, because people are left vulnerable.

Ms Niamh Davenport:

We are seeing a new type of fraud emerge. It is has emerged in the past two months. Nothing has come through to us yet, but, as the Deputy said, methods of fraud keep emerging and being adapted. There will always be new fraud trends. We all need to be in the room together to discuss the issue.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

The BPFI would have a responsibility to get a response from Apple. When will data for 2022 be released?

Ms Niamh Davenport:

In a matter of weeks. We are finalising the data.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

How is that work resourced and conducted?

Ms Niamh Davenport:

How are the data gathered?

Ms Niamh Davenport:

I ask the Deputy to bear in mind they are BPFI members' data, rather than any data outside of BPFI members. A programme of work was conducted within our organisation whereby members were contacted during a long process of getting the information and making sure it is consistent and tested. The purpose of this was to make sure we are reporting accurately.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Fraud involving authorised payments is reported less than that involving unauthorised payments. In the first example I gave, an individual contacted a bank and by going through the individual's transactions, it was determined how the fraud was conducted. The individual did not report it to the Garda, because the individual knew he or she was not entitled to get his or her money back. Is that information recorded anywhere by the industry, or is it lost, because it is not reported to the authorities?

Ms Niamh Davenport:

Banks will have an obligation to report suspicious transactions or any information they have to An Garda Síochána by means of suspicious transaction reports, STRs. An Garda Síochána will be able to speak to this and provide more numbers, but more than 60,000 STRs have been registered so far this year. A significant number of suspicious transactions go to An Garda Síochána for investigation. What I would say to anybody is to report what has happened to the bank and to An Garda Síochána. The latter is looking for that information. Regardless of whether one fell victim, it could be a piece of the jigsaw An Garda Síochána needs in order to prosecute. It is very important, first, to get the information to the bank to try to get that recall in. The sooner one acts, the easier it is to get money back. Second, it should be reported to An Garda Síochána, for it to put the picture together as well. Much of the money goes overseas. An Garda Síochána would have the ability to contact investigators overseas, share the information and do the recalls. People should always report it to both their bank and An Garda Síochána.

Photo of Rose Conway-WalshRose Conway-Walsh (Mayo, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Would the Garda have the resources? Perhaps we can speak to the Garda when it comes before the committee. I am concerned, particularly in light of the recent reports from the Director of Public Prosecutions, DPP, that it is severely short of staff in there.

Ms Niamh Davenport:

We liaise with An Garda Síochána. I spoke to Detective Chief Superintendent Pat Lordan yesterday. He would send the same message about reporting as much information as possible. He regularly speaks to our members on this and also speaks at some of our events. It is very important to get as much information to try to prosecute. It is key.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I apologise for arriving late. I was otherwise engaged. I welcome our guests this afternoon. To what extent is technology being developed that would be triggered by an attempted scam of the nature that has been discussed? What exists at present? I know about this to my cost from getting money at the hole in the wall. I put in my usual PIN, and I always check it, to be told that it is wrong. Obviously a check was being done. I then put in a different PIN, assuming I had made a mistake the first time. This means I have made two attempts and only one remains. More careful use of this particular technique would be better. I compare it with a situation that used to happen whereby people who were making a withdrawal or a payment got a telephone call. Perhaps that was in the old days when more people were employed in banks. How might this be utilised in future, given the existence of continued attempts at scamming?

Ms Niamh Davenport:

Technology plays a key role in identifying transactions that may be suspicious or concerns. Particularly in these types of authorised push payment frauds, the banks call someone if they identify it. However, the consumers may believe it is a legitimate payment that they want to make and will proceed, despite warnings from the bank. This is the case particularly with romance scams and some of the investment scams that we have seen with regard to cryptocurrency. There is a lot of work. Technology is key to identifying these transactions as early as possible.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Is it possible to highlight a situation, perhaps with a red alert, to the effect that an attempt has been made? I know the banks have the technology to see that several attempts have been made to put in a PIN and shut down a card. In the case of a debit card this can be quite an inconvenience if someone needs cash. We will not speak about cash in the context of the machine in Leinster House at present but we will talk about it again in the very near future. It would be a help to have a red alert system so people know they need to watch what is happening.

Ms Niamh Davenport:

We can take back this suggestion. There are some things that various banks do at present. For example, if there is a transaction on an account that they feel is suspicious they will text and people get a real-time text message. We have done a lot of education and awareness on this to make sure people know that if there is a link in a text they get from their bank, utility company or from wherever the text comes, it could be a fake text message. Banks will never ask someone to click on a link in a text message. It is a very effective tool and it has proved very successful. If there is a suspicious transaction, people can reply as to whether it was or was not them with "Y" or "N". No link will ever be sent. It is very secure and very successful. I do not have the rates on it. There are different tools but I can take back that more red flags could be used for customers, along with education and awareness.

Mr. Richard Walsh:

Where the technology can really become effective is where two sectors are working together, such as mobile operators with banks. Banks can work with mobile operators to be able to define what to look out for and what to block. Working through ComReg, our ambition is to see how many of these messages we can block from going out in the first instance to prevent people being presented with a text that has a link in it, for example.

Deputy Durkan spoke about how people might inadvertently get caught up by security checks and get locked out. There is a trade-off between protecting an account from repeated attempts to access it versus the inconvenience of someone being locked out. This discussion has been going on for as long as the ATMs have been out there.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I appreciate it but I do not always appreciate it at the time. It happens once every six or seven months, especially when people are tired and it is late in the evening. There is a pattern whereby the banks question a number put in late in the evening on the basis it could be a scammer. More than likely it is not a scammer but they want to be sure and I realise this.

A particular service that I note has been useful is with regard to people being charged twice. They get a note that something has been paid. It could be large or small but there are two identical amounts. I saw one where the two amounts were not identical. One was an add-on on the part of a customer. I realise that it is protection and that we must be ready to avail of it all the time but-----

Mr. Richard Walsh:

Duplicate payments could be the website or the merchant's site accidentally sending through two payments. Every payment has a unique identifier and the banks check to see whether a unique identifier has not been used before. If two transactions came in that were absolutely identical it would raise a red flag. Of course it is possible that if something is being bought online the website might have reprocessed a payment with a different identity number. This may not necessarily be deliberate or fraudulent. It could be an accident. They would be seen as two separate payments, albeit coming from the one website.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I realise that measures have to be taken to protect the customer and I am glad to see it but I want to come back to the original question. Much more needs to be done with regard to technology. Social media has been mentioned. It has many advantages but it also has disadvantages. I am not inclined to believe everything I see or hear on social media and I would not want anybody else to do so either. Companies have to advertise on social media. Let us not forget there could be fake advertisements and I am sure there are such things. If there are, how prevalent are they?

Ms Niamh Davenport:

We do not have figures for Ireland but we know that in the UK, 80% of the authorised push payment frauds we are discussing today originated online. These are advertisements and investment scams. They are the most common ones we have seen here recently. We have done a lot of media alerts, email alerts and in-person events specifically on investment scams. What we see in these particular cases is the age group of those aged over 55 who are about to retire and take out their pension lump sums. They are tempted into believable websites. Given the cost-of-living crisis, they might be investigating how to increase the fund for a better retirement. There are advertisements online and the websites are very believable. There is follow-up. People might put in their details for a call-back. A brochure might be emailed replicating well-known Government funds or bonds. Customers are being lured into these. They are all being advertised online. This is the source of it.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Is there a possibility that because the advertiser is a person of high repute, the online advertisement could lose some of its value?

Ms Niamh Davenport:

I apologise, I have missed the question.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I will say it another way. If something has been advertised on television and radio, when a customer sees something of that nature online, the immediate reaction might well be that something is a scam because it is on social media.

Ms Niamh Davenport:

Apologies, I understand now. We can be trusting sometimes that if it is advertised on a certain platform over another we may believe that it is true. I would urge caution and say that everybody should be suspicious of any type of investments or advertisements where they are handing over money. This can be whether it is to pay for a handbag or a much bigger sum for an investment scheme. People should always be cautious about what they are clicking on online and what channel they are using. Scams are literally everywhere around us, unfortunately.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Would it be beyond possibility that in Irish banks, a particular branch might be contactable by a customer directly as opposed to going through a call centre?

Ms Niamh Davenport:

I will bring that back to the banks. I did contact my own branch directly recently so I think it is possible.

Photo of Bernard DurkanBernard Durkan (Kildare North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I accidentally got through on one occasion. Unfortunately, on more than one occasion I had to go through the whole "press button one, then press button two, then sorry the line is broken down, goodbye" rigmarole.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I have a lot of sympathy for that last point, and the desire to torture a human being in person.

I thank the witness for the very informative, educational contributions because it is all new to me. There is so much jargon that my head is spinning already. I will try to understand a little bit more with a few questions.

For the authorised push payments, do people get reimbursed currently?

Ms Niamh Davenport:

Yes, they do. It is not automatic and an investigation takes place. On average, between 50% and 65% would get reimbursed.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

For the idiot's guide, as it were, why would a person not get reimbursed? What are the circumstances that determine whether a person gets reimbursed or not?

Ms Niamh Davenport:

Under the current process, the case will be investigated. This is why I always say that time is of the essence in reporting the fraud as quickly as possible. The bank will do a recall on the transaction and it will try to get the funds back. Also, an Garda Síochána can investigate if the funds have gone. The fraudster is literally sitting waiting for that money to come in to his bank account. As soon as it comes in the fraudster disburses it among a number of other bank accounts. The quicker a person acts and the quicker we can recall the payments, the more money we can attempt to get back. If there is no money to come back, there is no money to come back, so that is the difference.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

That is the difference? Okay.

Ms Niamh Davenport:

That is why we always say, time is of the essence.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

In the unauthorised push payments, regardless of whether the money is gone at the other end, the bank reimburses. Is that the case?

Ms Niamh Davenport:

Yes. It is generally different types of payments. In the case of the unauthorised payments, it is generally a card payment on a person's debit or credit card. With the authorised push payments in terms of the romance scams or investment scams, a person is going into their bank and making an online transfer from one bank account to another. It is a transfer as opposed to a card payment.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Okay. I will catch up with a full understanding of it. The reason, in authorised versus unauthorised payments, banks do not automatically make the reimbursement is because they are in a way saying that there is a bit of culpability on the part of the person because they did authorise the payment, even if the person was defrauded and they did it believing this, that or the other. Is that the case?

Ms Niamh Davenport:

Yes, if the person did authorise the payment. There are certain levels of controls in place. This is why it is important that it is looked at on a case by case basis. In some of those cases that we are talking about, customers have received a phone call from the bank telling them that they should not make this payment. However, the customers will sometimes still go ahead and make the payment. We have to make that payment under a PSD regulation if the customer wants to do so. Even though we have tried to stop them, some people will still want to make the payment.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Just so I understand, I gather from Deputy Doherty's earlier contribution that in the UK, it happens in either case. Is that correct?

Ms Niamh Davenport:

We will still investigate so it is not fully the case. Figures released two weeks ago for UK finance for this year show that they are refunding about 66%. We are at similar levels despite us not bringing a code in. I feel that level could go much higher if we had the other pieces, like the sharing of information. We feel that would drive up the levels of returning of funds. If that was the case, we could act more quickly and share information with other banks to get the money back.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Is the sharing of the information purely just slowness on the part of this institution in changing the law?

Ms Niamh Davenport:

We are just waiting on that piece of legislation. As soon as we have that approved, we can stand up that project.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Is there any resistance to bringing this legislation in?

Ms Niamh Davenport:

As far as we are aware, there is no resistance.

Mr. Richard Walsh:

The Department of Justice has been supportive. It consulted with the Attorney General who is happy with the proposed change, I think. It is just now a matter of getting it scheduled.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Okay, so it is going to happen. In terms of the international comparisons, is any place doing well on all of this stuff? Deputy Doherty made reference earlier to other places having strategies in place and being more advanced. Are there any examples of people who are clamping down successfully and effectively on this stuff?

Ms Niamh Davenport:

We are actually doing well. We are probably ahead of our European counterparts on this. The UK has the code in place for reimbursements but it also has a lot in the preventative space, like the sharing of information, which I keep repeating, but it is a key element. We align ourselves with our EU counterparts and we are very proactive. Our education and awareness programme, FraudSMART, was recently used as an example across Europe of what should be done. We would like to do more in that space. It is a very limited programme but hopefully we can do more. I would like to stress that we are not behind by any stretch of the imagination. We are doing what we can within our remit.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Okay, I get that, but is there anywhere that is really good?

Mr. Richard Walsh:

The technology and fraudster behaviour is changing constantly. It is very hard to say any one country has defeated this. As Ms Davenport has said, we are quite good. However, our concern is that we have probably done as well as we can yet the landscape is still evolving. We do see a situation where things could get worse for Ireland if we do not start putting these bigger projects in place. In the UK, the Royal United Service Institution, RUSI, is a very well regarded security think tank. It has been consulted about the situation in Ukraine, etc. It produced a very interesting report for us, looking at Ireland and comparing it to other countries. The summation was that Ireland is doing well, given the limited capabilities that it has. We have taken that as an alert that we are now possibly entering into a new situation where if we do not get these other strategies and information sharing in place, we will find ourselves slipping down the ranks.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I was struck by the figure of 80% originating online. My very limited experience of this is seeing stuff in my emails that immediately looks like a scam, something pretending to be from the Bank of Ireland or some other institution offering an attractive investment. I do not even open those types of emails. The witnesses also made reference to advertisements for holidays. Is that the sort of thing we are seeing? People think it is a great deal, push a payment for it and then discover the money is gone to a scammer.

Could the social media and IT companies be stopping a lot of that stuff even getting onto their platforms? If a company is advertising then presumably it has to pay to advertise a holiday in Bermuda that is a fake holiday in Bermuda. It has to pay the social media company to get that on. Surely there has to be some sort of vetting, for want of a better word. Surely the social media companies have to gather information on their customers who are advertising with them and check that it is a legitimate advertisement. Should or could they be doing more? Are they being helpful?

Ms Niamh Davenport:

I do not know specifically what they are and are not doing. As Deputy Doherty said, they will be appearing here in a few weeks.

It would be good to hear what those companies have to say on the matter. They are definitely trying to find it but these websites are going up very quickly. As soon as one site is taken down, the fraudster is setting up a new one. I would like to know more about what those companies do around that process but I am not close enough to answer the Deputy's question in detail. We would like to see more collaboration. I know, for example, that if members see a fake website, they will report it straightway. Perhaps there is a better way and a means by which we can improve things.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Given how profitable these companies are, they should be contributing some of their resources to preventing this happening.

Ms Niamh Davenport:

That is definitely the recommendation in the UK.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

Ms Davenport said that defrauded moneys are being disbursed across multiple bank accounts. In most countries in the world, it is hard, and getting harder, to set up a bank account. I discovered that to my cost when I had to move from Ulster Bank. It was an absolute nightmare. Is it the case that the bank accounts to which Ms Davenport has referred are in jurisdictions where there is much less control over the setting up of bank accounts? Why is it not easy enough to trace the fraudsters when there is so much control around the setting up of bank accounts?

Ms Niamh Davenport:

This is why it is important to look at the wider ecosystem. These accounts are not necessarily opened by the fraudsters. They are controlled by the fraudsters, and that is the difference. There is an enormous problem that the Garda would be able to speak about in more detail and with far more knowledge than we have. That problem is around money mule accounts. We will be doing a campaign with Snapchat on the issue later in the year as part of our FraudSMART programme. Students, in particular, are approached. It is, unfortunately, very common in this country for students to be approached and asked for their bank accounts to be used. They may get a fee of €50 or €200 for allowing a transaction to go through their account or the may be allowed to keep part of the transaction. They then forward on the money. Those are mule accounts. It is important to look at the full loop that is going around. When these frauds are taking place, fraudsters are using mule accounts and using that money to fund the drug-trafficking and human-trafficking we are seeing. That is happening throughout this country. It is not just something that happens abroad. People can forget it is happening here too.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

I thank Ms Davenport for her presentation. During the previous contributions, and after what Ms Davenport raised about the torch app, I deleted 20 apps from my phone. I have had the phone a couple of years and do not remember installing many of those apps. There are four or five pages of apps and I do not know what some of them do. I have deleted some of them.

Ms Niamh Davenport:

Not all apps are bad, to clarify.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

I know but if I have not used an app in the past year, I do not need it. It is gone now. If you delete an app that can trace and monitor your finger strokes or keyboard strokes, is it gone or is it embedded on the phone?

Mr. Richard Walsh:

I do not want to be too alarmist. The mobile banking apps use a very high level of security when interacting. It would be very unusual for one of those apps to be able to eavesdrop when a person is in his or her banking app. They can eavesdrop and find it more easy to observe when someone is entering his or her credit card details onto a general website. It is those kinds of key strokes that they can monitor. If representatives of Apple and Google are coming before the committee, they can give more detail as to their protections in that regard. There are some key loggers out there. They will record absolutely everything until they hit one of these secure apps. There will be a gap then and they will pick up again thereafter.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

We are only scraping the surface of the issue. As our guests said, the technology that fraudsters use moves at a fast rate. It is a highly technological area because there is obviously money to be made. We spoke earlier about the number of text messages involved. I think eFlow was mentioned. I recently received a message from the Revenue to tell me there was some cash waiting for me, which is great.

Ms Niamh Davenport:

Lucky you.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

I cannot wait to engage with Revenue and get that money. I also won the Spanish lottery last year. Another person contacted me to ask could they put a couple of million in my bank account. Most of us are able to look at that sort of correspondence and think if it is too good to be true then it is. There are others ones, however. Revenue and eFlow are reputable organisations. I also have a text message from Virgin Media, which is legitimate, but comes in as 089 number. The message from eFlow came in as an 085 number and I do not know what was the case in respect of the message from Revenue. In terms of analysis, it is simple to send out 500,000 text messages and hope to catch out one person who is tired or not informed enough and who will click on a link. Is there data around how many messages are being sent out, who is clicking on them and who is going all the way? Are we identifying a cohort of people who are more vulnerable and susceptible to this than others? Is that sort of research being done?

Ms Niamh Davenport:

We do not have all the data to which the Deputy has referred. We conducted a research survey in 2021 and 98% of those surveyed said they could identify one of the fake text messages. As I said, and I am sorry to sound like a broken record, education and awareness are important. We do a lot of work on text message scams in particular and trying to make people understand what a text message should look like. If there is a link in a text message, it is more than likely a fake message. That is our key piece of advice. Unfortunately, I can only say that about the inclusion of a link where the banks are concerned. Some companies put links in their text messages and there is nothing we can do to stop that.

We are working on a number of projects and hope that as time passes, we will be able to collate more of the information to which the Deputy has referred. We also hope to provide further protection around preventing the messages in the first place. Anecdotally, members have told us that only 10% of people will click on the links in text messages and continue on. That is a low percentage.

In terms of how easy it is to send the text messages, we know that people can buy the relevant equipment online. Some 50,000 text messages could be sent out in a matter of hours. That equipment is, unfortunately, readily available online. It is an easy scam to commit. The more education we do and awareness we create around what text messages look like and what to look out for, the better. We regularly send alerts to let people know if we see a new scam. The Deputy mentioned eFlow and we have done plenty of alerts about that scam. We will continue to do that.

Scammers use scenarios that are in the news. During the pandemic, we saw messages informing people they were close contacts of someone who had been infected and asking them to click on a link. We do a lot of education and awareness around the different scams and try to keep people alert to what is going on but it is an ongoing battle.

Mr. Richard Walsh:

To give the committee a sense of the scale of the problem, text messages are often followed up with phone calls to landlines. We have started engaging with ComReg and its nuisance communication task force. ComReg has led on a pilot that the banks took part in. It was intended to block any calls that appeared to come from bank call centres. Bank call centres generally will not make outbound calls but spoofers were able to make the call identifier appear as if it were coming from a bank. The trial started in September. ComReg has said that at this stage, mobile operators have blocked approximately 10 million calls. Those are 10 million calls that have not connected. That is only dealing with the one area, that is, the banking sector. There is a big problem. With Internet calls, there is almost no cost to a fraudster to repeatedly make a vast volume of calls.

Ms Niamh Davenport:

That project is also open to non-banks. It is open to all sectors to put numbers onto the "do not originate" list. ComReg is running that project.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

There is generally a link in these fraudulent messages but some legitimate companies also put links in their text messages. It is obviously in companies' interests not to include links. That would be a very easy way to differentiate between a fraudulent message and a genuine one. There would be no link in a non-fraudulent message.

Ms Niamh Davenport:

Our education and awareness drive has been successful in moving fraudsters from impersonating the bank text messages. That is why 80% of the text messages are now impersonating what we refer to as non-banks. They are impersonating parcel delivery companies and those kinds of thing. Companies not from our sector have come to ask us what they are doing wrong. We tell them not to include a link and to change their communications. We need to make life as easy as possible for people so we should use text messages but we tell companies to get people to open their app. We tell them not to include links in messages. We feel strongly that education and awareness are important to understand how communications are sent and how people are contacted.

It is very important to understand how communications go out there and how people will be contacted. If people can understand what those communications should look like, they will be better armed to protect themselves.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

An Internet service provider, ISP, recently had to send me a new modem to put in. That was followed up by a text message that came from an ordinary mobile number. It did not come up under the name of the ISP. There was no link in the message, but it contained a request to respond with a number if help was needed with the installation. Is that what Ms Davenport is talking about? Is that a way for the legitimate companies to do it?

Ms Niamh Davenport:

That is a safer way of doing it.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

Where a fraudulent message has been sent, is there anybody at the receiving end if the customer responds by text? This is all computer- and mass-generated stuff. Even when the message comes from a mobile number, it is just purporting to be an Irish mobile number. Is that the case, or is it coming from an international number?

Mr. Richard Walsh:

It can be international. Fraudsters can map onto local numbers so that they appear to be local, when in fact they could have originated nearly anywhere on the planet.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

How do they map them? You can still purchase a non-bill paying mobile phone number in Ireland. There is just a number, and the account is not associated with any address. I do not know what information a customer needs to go and buy one of these phones now. How are the fraudsters acquiring those mobile numbers?

Mr. Richard Walsh:

I am not sure how they are acquiring the mobile numbers, but as regards impersonating SMSs, I think any of us here could bulk-buy SMSs online. Part of that is choosing the name that you want to send the texts under. Fraudsters are sending texts under the name of Revenue, for example. In the past, they were putting in the names of the banks. We have since run a project that has reserved the names of the banks, and they cannot be used. We have seen a dramatic drop in the number that are mimicking the banks. Again, we are engaging with ComReg to see how we can tighten that up much further. I am not sure how fraudsters represent the actual mobile numbers , but I suspect that it is something similar to being able to choose, in a text, who you want the message to appear to come from. The service is not necessarily there to be fraudulent; it is there perhaps to be helpful, but a customer may have used the fraudulent one.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

I get that.

Ms Niamh Davenport:

If I am correct, the fraudster is not necessarily purchasing the number. Like an email account, the account holder chooses the display name, as opposed to the number.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

So it is displaying as 085 or 087 numbers or whatever.

Ms Niamh Davenport:

That is my understanding of it anyway.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

That is grand. I was interested in that. On the reporting of fraud, does the federation advise people who have received a fraudulent text message - and we have all received them - to report it to the Garda first?

Ms Niamh Davenport:

I would say it should be reported to the bank.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

We should report it to the bank.

Ms Niamh Davenport:

It depends on whether the customer has fallen victim to the fraud. If you think you have given a fraudster your credit card details or if you have handed over information, you should report it to your bank straightaway, then to An Garda Síochána.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

Okay. That is where the customer has fallen through the first hole and has actually clicked on the message and is half way through the process. Some people probably pull back when they realise it is a fraudulent message, and others will go all the way with it. All of us are receiving text message on a weekly basis. Who is collating that information? Who knows that I have received five text messages in the last three months from various different companies, asking me to click on a link?

Ms Niamh Davenport:

I am not sure.

Mr. Richard Walsh:

I think that as part of their billing, the old mobile operators may have that data, but I do not know if they are collecting it for the ends that the Deputy is describing.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

So, essentially, we do not know how wide the net is or how fine the mesh in that net is. Everybody in this room could have received a text message this week, and nobody knows that, except the recipient?

Ms Niamh Davenport:

That is why I say that we do not have figures and we only have anecdotal evidence. It is based on what we think is going on out there. Our members will have customers saying that they received a text message and they did not click on it. Our members are basing it on that kind of information that is coming in. However, there are also customers who tell them that they did click on the link. Unfortunately, we do not have that level of information to see how extensive the text messages are out there, but we are fully aware that everyone is getting them.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

We also do not know if there is a failure rate or mistake rate, as it were, of 1%, 0.5% or 0.1% of people who receive these message and click on them. We do not know the extent of the messages that have gone out, therefore we do not know that there is a very small number of people who click on these emails.

Mr. Richard Walsh:

The banking sector only really becomes aware when money starts to move in a transaction. We do not know whether that 1% figure relates to people who have gone the whole way through the process, have fallen victim and made a payment, or whether it is smaller. All we know is when the money moving is taking place and when the customers realise.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

That is when the banks are interested. It is like a bunch of burglars hanging around outside your door, and it is only when one breaks the door down that we record it and know that it is happening. It is about how to deal with the prevalence of it.

Ms Niamh Davenport:

That is something that we have been looking at, particularly with smishing. We have started a piece of work where we are documenting the start to finish, and that is before it gets to the member banks. We are looking at what controls are in place. We are already engaging with ComReg as part of this piece of work as well. Hopefully, we will have a better view of the ecosystem, as it were, specifically, of text message scams.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

This is my last question. At the moment, for any of us who resist the temptation to click on the message, do not fall for it or realise that it is a scam, there is no one entity that it should be reported to. It is only when it becomes an actual fraudulent unauthorised payment or mistake that it is reported to the bank. Aside from receiving the message, we do not have a reporting strategy on this.

Mr. Richard Walsh:

The Deputy has raised a very interesting point. While we do not want to go too far into the detail of some of the tools that we are looking to develop, one of them involve using the 98% or 99% of people who can recognise a fraudulent text. They could be very valuable in reporting. If they were able to forward on a fraudulent text, it may give a sense that there is now an active campaign in place that has started up. If we are seeing a lot of them in a short amount of time, we could look to block those to domains.

Photo of Steven MatthewsSteven Matthews (Wicklow, Green Party)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses for their work on this and for their time.

Photo of John McGuinnessJohn McGuinness (Carlow-Kilkenny, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

That was a very informative and comprehensive session. I thank the witnesses for coming in. Sorry, Deputy Doherty has a question. I nearly had the witnesses out the door there.

Ms Niamh Davenport:

We nearly got there.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Just briefly, I want to raise the issue of instant payments and non-instant payments in the State. We are very low in relation to instant payments compared to other European countries, which are up at 90% and so on. The issue here is that the new directive that is coming from Europe will require us to identify the individual to whom the money is being transferred, but that will only apply to instant payments across Europe. It will not apply to non-instant payments.

Ms Niamh Davenport:

There has actually been an update on that. I think it is going to apply to all payments, but I will have to verify that. We can come back to the Deputy on it. I believe that the update that was issued two days ago included all credit transfers.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

All credit transfers.

Ms Niamh Davenport:

I would have to verify that and I can come back to the Deputy. I believe there is an update on it.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

When does Ms Davenport believe that will be operational?

Ms Niamh Davenport:

The guidelines of the regulation are for six and 18 months from the time of approval. I believe it will be approved by the end of the year.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

It will be approved by the end of the year.

Ms Niamh Davenport:

At an EU level.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

So, it will be another two and a half years.

Ms Niamh Davenport:

I understand it is going through the European Parliament at the moment and is at discussion level. We do not have exact dates as it is going through the process.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

On the issue of progressing the European directive, a number of countries have taken steps to confirm payee in the past, such as Britain and the Netherlands. Instant payments in the Netherlands are up at 99.5%. If people are transferring money, the bank will ensure that the IBAN directs to whatever store it should be, such as Homestore and More, as opposed to somebody who has set up an account that is pretending to be Homestore and More. Why can the banks here not move ahead, given that some other European countries are already operating under confirmation of payee and it would be of great benefit?

Ms Niamh Davenport:

In line with the instant payments regulation that is coming out, they have started looking at that process. They want to align to an EU model. At the moment there is no cross-border confirmation of payee, which the regulation will call for. It has not existed to date. Just the UK and Netherlands have the confirmation of payee, as far as I am aware. They are not without their faults in some cases. We can learn lessons from that, which we can take on board as we go forward. We will be implementing it. The projects are under way. As we all know, the legislation for the instant payments regulation is coming. The project has already been set up to look at the capabilities relating to that.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

So there is no appetite to move quicker than they are mandated to at a European level.

Ms Niamh Davenport:

I think they want to make sure they are in line with the cross-border one rather than trying to set up one that would not then align in future. It makes sense to set up one that would work cross-border.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Ms Davenport mentioned that the initial step in the fraud is usually online. We talked about social media operators taking paid advertisement. We have some of those advertisements for investment scams, which the Banking and Payments Federation of Ireland has been alerting the public to recently. Regarding those types of investment scams, does the Central Bank have a role in authorising investment products? This is an investment product which is supposed to be authorised by the Central Bank. Does it have a role here? People are going onto Google and Facebook and getting stung by these scams.

Ms Niamh Davenport:

The Central Bank has a list of all authorised companies on its website. I do not think it is product level but more company level. It has issued alerts in recent weeks and months on the investment scams but they are just notifications on its website about being alert to this type of investment scam. That is why we would always say to anybody who wants to invest in any situation that they should do their research, go onto the Central Bank's website, see if there is an alert on it and to do their research and homework. The Central Bank has a role to play, for sure.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

What about the Competition and Consumer Protection Commission? The problem is that there is no liability here. These forums can take the paid advertisement and not have to worry whether it is a scam or not. If a newspaper or the Yellow Pages advertised an investment scam that was fraudulent, surely there would be some comeback for that business or entity? There is no culpability or liability, even under the Digital Services Act. There is no liability for these online platforms. Some of these checks are surely easy to do, particularly for investment scams, given that the organisation has to be approved and authorised by the Central Bank.

Ms Niamh Davenport:

I do not know what level of checks the companies are doing before the advertisements go up. If they are coming in, it would be a question for them. As we have seen in the UK, as I said earlier, that is definitely the way it is going. Those companies are being brought in to take some accountability. I do not know what level is being done here.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

That comes to my last question. It was interesting to hear what Ms Davenport said about the gardaí. The benefit of the module we are doing is that it will hopefully inform public awareness about some types of fraud. We have not even touched on the one which intercepts legitimate businesses paying invoices. There are major issues where fraudulent entities are pretending to be a supplier that businesses are already engaged with.

Regarding reporting to the gardaí, do the banks report every crime and fraud to the gardaí?

Ms Niamh Davenport:

They would, yes.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

They would. I ask because I know a family member who was involved in a fraudulent scam. When that person phoned the bank, the bank said there was no need to tell the gardaí because it tells the gardaí. Is that advice universal across the sector or not?

Ms Niamh Davenport:

The advice that I would always give from an industry point of view, through our awareness programme, is to report to your bank and local Garda station. The banks will report it to An Garda Síochána in the Garda National Economic Crime Bureau, GNECB, through the suspicious transaction report, STR, and section 19 processes.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

When the Banking and Payments Federation of Ireland reports it, does it report, for example, that Pearse Doherty is the victim of an approved push payment scam and what his address is? Do the gardaí have the details? If I do not report it myself but have phoned the bank to say €5,000 or €500 is missing from the bank, and the bank has then reported it, do the gardaí have the details to come to knock on my door and know that I am a victim? I would say that most people are not getting that knock on the door.

Ms Niamh Davenport:

I would say banks report all relevant information. I would not know specifically what they would report for each case but I suspect all relevant information is reported. If the gardaí require more information, they will come back to the bank and ask it for additional information. To clarify, a number of years ago, a couple of thousand of cases were reported to An Garda Síochána. It is not just fraud but money laundering and the suspicion of money laundering too. More than 60,000 cases have now been reported to An Garda Síochána for it to analyse and go through.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Is that per year?

Ms Niamh Davenport:

I think that is the year to date.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Is that the year to date?

Ms Niamh Davenport:

I would have to check. I do not know the statistics.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

There would be roughly 200,000 transactions.

Ms Niamh Davenport:

Exactly. A number of years ago, there would have been 10,000.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I commend the banks on doing that. We will have the gardaí here. Could the witnesses supply the committee with anonymised detail of what they would provide in a report to the gardaí?

Ms Niamh Davenport:

Sure.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

We talked about authorised and unauthorised push payments. I refer to a case that where somebody hijacks or gains access to someone's account through a PIN and so on, then goes into it and makes the payment. We have broadly discussed authorised push payments in this committee where people have made payments themselves. They have been scammed but they have actually made the payments. There are other authorised push payments which the account holders never authorised in the first instance but somebody has got control of their bank accounts through, for example, access to 365 online, to an app and so on, through some of the mechanisms discussed earlier. Would that type of transaction be an authorised transaction?

Ms Niamh Davenport:

It would depend on the case. Whether it is unauthorised or authorised, it would still be investigated. Every case is investigated. If somebody else made that transaction, I would have to verify this but I think it would go in as an unauthorised transaction. I would have to check the specifics of the case. It depends on the intricacies.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I said a family member was involved in this. When the family member contacted the bank, in fairness, the bank's reaction was to return the money because it was still in the account and it was noticed very quickly. Thankfully the bank operated very swiftly. The point was that the view of the bank was that, in some way, the person gave access to their bank account to a fraudster and therefore the bank is not liable. That was the view of the bank.

Mr. Richard Walsh:

In that particular case, where the authorisation used the correct credentials and appeared in the correct manner, I imagine the bank would view that as authorised. In the discussion that takes place, I imagine the banks would be sympathetic if people could show that it was genuinely not them but a fraudster who gained access, but they would have to explain how they could have happened.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

In this case, what happened is that the fraudsters gained access to the banking online, go in and set themselves up as a beneficiary, wait for the period that allows for larger transactions, which is usually two days, and then transfer money to another account that they control.

Mr. Richard Walsh:

One sometimes sees this with account takeover, where fraudsters report a person's phone as having been stolen, request a new PIN which comes, and then set up a bank account on the new phone. I think the banks would regard that as unauthorised.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

In that case, will the banks honour all the money that was taken in that scenario?

Mr. Richard Walsh:

If the banks are satisfied that it has, in fact, been stolen, even though they have the correct credentials, then they would see that as unauthorised, and that fall under the automatic refunds.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Do the witnesses have levels for bank takeovers? I know it is not in their fraud smart data but do they have any detail for that type of fraud? How common is it to hijack somebody's account?

Mr. Richard Walsh:

We could probably get something on that. It is not particularly common but there is a constant low level. The operators take pains to see how they can help to block it, as do the banks.

Ms Niamh Davenport:

It might actually be categorised in one of the unauthorised categories that we have but I would have to check which it is and we can look at those figures.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Do the gardaí give the Banking and Payments Federation of Ireland any updates on prosecutions? If they do, can the witnesses provide any detail of that nature to the committee?

Ms Niamh Davenport:

There is no detail on specifics. If gardaí run operations, such as the operation last year which I cannot remember the name of, they would provide updates on general operations that they have run.

They do that through the joint intelligence working group which we have with them, but not specifically on cases. If there is a specific case to a specific bank, they might provide the update and say that has been prosecuted, or we see it in the media.

Photo of Pearse DohertyPearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I thank Ms Davenport.

Photo of John McGuinnessJohn McGuinness (Carlow-Kilkenny, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses once again. It was a very interesting topic.

The joint committee adjourned at 3.30 p.m. until 1.30 p.m. on Wednesday, 31 May 2023.