Identity theft continues to spiral upwards; VAT fraud has grown so fast that its impact is throwing doubt on the veracity of UK trade figures, and reported fraud in the UK has reached a 10 year high, with cases involving almost £1bn reaching the courts in 2005, according to a study by KPMG.
And yet the endemic confusion surrounding the right of an organisation to use or share employee, customer, or partner information to counter fraud is fundamentally undermining the ability of UK organisations - including the Government - to take even the most basic steps to detect and prevent fraudulent activity.
Why are organisations not making basic checks on payment trends, such as comparing employee address data with supplier information to pick up fake companies, as a matter of course? Or comparing senior employee shareholdings with customer and supplier names to identify conflict of interest? And why is the Government not sharing key information with organisations to support active initiatives for combating fraud?
Fraud is big business. Increasingly organised by criminal gangs, fraudulent activity - from VAT carrousel schemes, to systematic insurance and benefit fraud - is increasing year on year. According to the latest KPMG Fraud Barometer, the Government remains the biggest victim of fraud, but financial firms also lost 10 times more to fraud in 2005 than in 2004.
Then, so prevalent is the VAT scam, particularly for mobile phones and tobacco, that the Office of National Statistics has cautioned that recent trade figures may have been exaggerated by the fraud, and could eventually need to be revised.
Despite the demands increasingly placed on organisations by new anti-money-laundering legislation (AML) and the Proceeds of Crime Act, only a small percentage of companies have any confidence in the controls in place. While some have invested in hugely expensive AML software, there is little evidence that the technology is delivering any quantifiable benefit in reducing fraud.
One of the major constraints on effective fraud detection and prevention is a complete lack of understanding of information ownership within an organisation. The confusion and overlap created by the Data Protection, Employment and Human Rights Acts have made organisations terrified to use employee, customer and supplier information that can transform the fight against fraud.
Using low cost data mining tools, it is a straightforward process to compare supplier and employee addresses, picking up fraudulent supplier companies set up by employees. This process can also identify inappropriate connections between supplier or customer organisations and senior employee interests - such as share holdings or non-executive directorships.
Complex and confused
The majority of UK organisations are not taking this simple action because they believe, incorrectly, that they are prohibited from using employee data in this way by the Data Protection Act. Indeed, more often than not, the human resources department has taken over the role of employee protector, and simply will not allow any audit or finance department access to this information.
Given that the majority of fraud is employee led - and senior employee-led at that - the ability to track trends in payments is critical. And that requires the use of internal company data. This is not forbidden under any law; an organisation simply needs to make its case to the Information Commissioner that such use of employee information will reduce fraud, and than inform employees. Yet the level of misinformation and wilful misinterpretation of existing legislation means such actions are rarely undertaken.
It should be a simple process for the Government to clarify the law. Yet, despite being the primary target of fraud, the UK Government's policies continue to exacerbate the situation. For example, it would be a simple way to cut down on VAT fraud if organisations were able to put in place checks of the VAT numbers of suppliers against an approved database.
But that is not allowed. HMRC holds the entire database of VAT registered entities in the UK - an approach mirrored in every other European country - yet it is impossible for organisations to check a supplier's VAT details. As a result, it is easy either to create fake VAT numbers or commit identity theft by stealing a number. One option is to go to the European Union web site ( www.europa.eu.int/comm/taxation_customs/vies/en/vieshome.htm and type in a VAT number. This will confirm if the number is valid, but will not provide the name of the associated company, thus providing no help in combating identity theft.Why is HMRC so adamant that VAT information, which is printed on every invoice, cannot be checked, especially when VAT fraud is not only costing the Treasury so much money annually but also quite possibly skewing the trade figures?
In many ways the climate of information protection is actively aiding fraudsters. Without doubt, information transparency is key to combating fraud - a fact already demonstrated by the insurance industry. Under the auspices of the Insurance Fraud Bureau, companies are sharing claims information to identify potentially fraudulent activity from specific addresses. This information is already shared with Government to help combat benefit fraud, yet there is no return flow of information to the insurance sector from the Government's own anti-fraud activity.
Combating fraud is seen as a priority by the Government, and the introduction of the Proceeds of Crime Act and AML legislation demonstrate its commitment. But the current attitudes to information management are confusing and conflicting, and they are actively preventing organisations from undertaking straightforward measures that could significantly reduce many of the forms of fraud that are becoming endemic.
Given the ease with which data mining technology can automatically perform regular checks on payment profiles or VAT numbers, why has the Government made no effort either to clarify the obvious misunderstanding associated with data protection or provide access to the relevant VAT information?
With growing recognition of the value of sharing information to increase the chances of detecting fraudulent activity, there is a real need for the Government not only to shed light on the apparently conflicting information laws but also to introduce an era of controlled openness that will give the potential fraudster fewer places to hide.
Richard Kusnierz is director at IDS: www.ids.gb.com