Social media giants should share burden of fraud losses, say bank chiefs

The heads of the UK’s largest banks want social media and tech giants to be held accountable for losses stemming from fraudulent content appearing on their platforms. Their call comes as Ofcom, the UK media regulator, issued its first information requests under powers granted in the Online Safety Act.

Charlie Nunn, chief executive of Lloyds Bank, said the UK had become the “home of fraud”, adding that based on “my stats, 43% of all crime is now fraud”.

According to figures published this week by UK Finance, 70% of authorised push payment (APP) fraud originates on social media platforms or online marketplaces. Giving evidence to the Treasury Committee on May 20, Nunn said that large tech firms need to do more.

“As you know, 60% of the total [fraud] is with a single company, Meta,” said Nunn, adding that customers often ignored repeated warnings from the bank that were about to make a payment to a suspected fraudster after encountering them in an online marketplace or social media platform.

“If we cannot intervene upstream, or if those players are not incentivised to intervene upstream, this problem is going to get worse for the UK.”

Ian Stuart, chief executive of HSBC UK, agreed that banks were not the “root cause” of fraud.

Harm

The Online Safety Act enables Ofcom to fine social media companies up to 10% of their annual global revenue (capped at £18 million) if they fail to take reasonable steps to mitigate harm originating from their platforms.

The Act requires tech firms to carry out illegal harms risk assessments. Earlier this month, Ofcom began calling a select number of these assessments for review.

“We’ve started our work to assess platforms’ compliance with their new illegal harms obligations. This includes issuing information requests to a selection of services about the illegal harms risk assessments they are required to complete,” an Ofcom spokesperson told Compliance Corylated. Companies are legally obligated to respond to information requests from the regulator.

Stuart said he had witnessed at first-hand the harm that fraud was causing to HSBC’s customers — it left them “very disturbed” because it was “so invasive”. In the past five years, the bank had invested more than £200 million on technology designed to identify fraud, he added, which was now “helping to attack some of the known problems so we can intervene and stop them”.

Until recently, the bank could not refuse when customers that were being scammed insisted a payment must go through. Now HSBC “had the power not to make a payment”, which was really helpful, Stuart said.

Cost sharing

Richard Davies, chief executive of Allica Bank, told the committee it was time that tech firms contributed to reimbursing customers for fraud.

“There should be some sharing of this cost. I am not averse to paying a part of that as a bank; I think it encourages banks to do more, because historically not enough has been done in this space,” Davies said.

However, online fraud was now “very much an epidemic”, and with artificial intelligence (AI) tools now enabling better cloning of websites and deepfake IDs, would only accelerate unless “serious action” was taken, he added. “The tech groups need to have some share in that, because that is where it originates from.”

Under current UK mandatory reimbursement rules, only banks and payment firms bear the cost of reimbursing APP scam victims. Financial institutions have called for this cost to be shared, highlighting the approach taken by authorities in Singapore. For example, the Monetary Authority of Singapore (MAS) requires all financial institutions, telecom companies and consumers to share liabilities from phishing scams.

Data sharing

Davies said data sharing was also essential to identifying online fraud. “Even if you have good technology, you only see one side of the transaction, so it is quite hard to spot. We must put in place national collaboration and data sharing between tech groups and banks to solve this,” he said.

Paul Thwaite, chief executive of NatWest, agreed more needed to be done, and repeated his call for a coalition of the willing. “There could definitely be data sharing between all the parties, and we need to make sure that we have the right protocols and permissions around that,” he said.