Introduction
The following is a record of the legitimate interests assessment that Cifas has carried out for the processing of personal data within the Cifas APP Victim Check scheme. It identifies the processing involved and the legitimate interests that exist in relation to the Cifas APP Victim Check, and the balance of those interests is considered in conjunction with the safeguards that exist.
What is APP fraud?
Authorised Push Payment (APP) fraud happens when someone is tricked into authorising a payment to an account that is controlled by a fraudster. There are multiple types of APP fraud; victims may be deceived about the destination account, about the reason for making a payment, or both. APP fraud often involves large sums of money, and individuals who have fallen victim once are frequently targeted again. Victims can also be coached by the fraudster into giving their bank a false story about why a payment is being made, which defeats the bank's ordinary payment checks.
What processing is there?
The details of instances of APP fraud are recorded to Cifas APP Victim Check so that other participating Cifas members can identify customers who are susceptible to APP fraud, employ enhanced safeguarding measures for those individuals, and so prevent further APP fraud.
Cifas APP Victim Check can be queried by participating Cifas members in the following circumstances:
• After an individual has opened a new account with the member;
• As part of continual customer monitoring;
• As part of assessing a transaction for APP fraud risk.
What are the legitimate interests?
The General Data Protection Regulation gives the prevention of fraud as an example of a legitimate interest (Recital 47).
It is in the legitimate interests of members to protect themselves and their customers from APP fraud, in order to protect customers' money and to be able to continue in business. Cifas has a legitimate interest in enabling members to prevent APP fraud.
It is in the interests of the customers of each member that APP fraud is prevented, and that they do not become a repeat victim. Customers do not want to lose money, nor be subject to the associated negative impacts of being a victim of crime, and want Cifas members to continue to provide products or services to them.
APP fraud prevention is in the general public interest – it is important for consumers to continue to have access to low cost or free financial products, which may otherwise be unavailable or limited in the event of widespread APP fraud losses which have to be reimbursed.
Is the processing necessary?
APP frauds and scams are increasingly sophisticated and hard for individuals to identify. Sharing data enables banks and Payment Service Providers to employ enhanced safeguarding measures for customers whom they know to be susceptible to APP fraud, in order to help those customers identify APP fraud in the future and to prevent them becoming a victim again. Individuals frequently hold accounts with several different banks or Payment Service Providers, and switch between providers, so a record held by one provider alone does not protect the customer elsewhere. Victims of APP fraud can also refuse to believe that they have been deceived, at least initially, during the critical period when they are still trying to make further payments.
Sharing instances of previous APP fraud is the only way for all relevant banks and Payment Service Providers to understand where these enhanced safeguarding measures should be employed.
APP fraud prevention is a non-competitive issue and as a not-for-profit membership organisation, Cifas is trusted by organisations public and private to ensure that the data sharing is lawful, reciprocal, and fair.
Balancing the interests
It is reasonable to expect that organisations will take steps to prevent APP fraud against themselves and against their customers. Members of Cifas using Cifas APP Victim Check and their customers face millions of pounds in APP fraud losses each year. APP Victim Check helps its members safeguard their customers from APP fraud and if those losses are not prevented or reduced, then consumers will continue to feel the emotional, psychological and financial impacts of being a victim of crime and the costs of financial products would be higher – a significant negative impact upon the wider public.
The purpose of the Cifas APP Victim Check is to alert members to an increased susceptibility to APP fraud, based on previous instance(s) of the individual being a victim, in order to enable enhanced safeguarding measures to be employed. As a result of these safeguarding measures an individual may find that they experience increased contact from their bank or Payment Service Provider regarding the risk of APP fraud, or that they are challenged about the purpose of specific payments if they are assessed to present a high risk of APP fraud. The purpose of these interventions, however, is to prevent the individual from falling victim to APP fraud again.
Cifas APP Victim Check offers an effective and efficient means for Cifas and its members to identify APP fraud susceptibility, with minimal impact upon the user experience of customers and minimal expense to members which might otherwise need to be passed on to consumers. Without effective APP fraud prevention technologies and methods that keep pace with the sophisticated techniques employed by fraudsters in an increasingly digital world, the general public may be denied proper access to a wide range of commercial and competitive financial services, or be required to pay more for access to these services.
Operational safeguards are in place to minimise any negative effects to a person of being recorded as a (potential or previous) victim of APP fraud.
What safeguards are in place?
A Cifas member must operate within the terms of the Cifas APP Victim Check Handbook, a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database and ensure that the highest possible level of fairness and transparency is observed:
• The Cifas APP Victim Check scheme can only be used for preventing fraud and financial crime, and for complying with legislation. The information recorded to APP Victim Check cannot be used as a reason to justify the withdrawal or rejection of a financial service or product. It can only be used to enhance customer safeguards and investigate APP fraud;
• The fair processing notice that all members provide states that personal information will be shared, and records of APP fraud risk retained;
• All records must be provided in a timely manner and supported by relevant evidence that APP fraud has occurred;
• Only trained staff can access the Cifas APP Victim Check, operating under suitable technical and organisational measures to prevent unauthorised use of personal data;
• Members must ensure that the data is interpreted in a proportional manner according to the circumstances of the customer and their own risk appetite.
As the data controller of Cifas APP Victim Check, Cifas is responsible for the security of the system. Cifas is certified to ISO/IEC 27001:2013, the international standard for operating an information security management system, and to Cyber Essentials, the Government-backed security certification scheme overseen by the National Cyber Security Centre. Cifas APP Victim Check runs in the Microsoft Azure UK cloud, which is itself certified to ISO/IEC 27001:2013 and many other international security standards, and benefits from the Microsoft global incident response team. Cifas commissions regular penetration testing of all systems by independent experts accredited under the CREST scheme.
Cifas operates a complaints process that provides individuals with a way to challenge, and if necessary correct or remove, information that may be recorded about them within Cifas APP Victim Check. An individual can exercise their right of access to any personal data held about them on Cifas APP Victim Check by contacting Cifas. An individual can then contact the member that recorded information to challenge it, and if an individual is not satisfied with the response then Cifas will review the complaint.
Given the importance of fraud prevention, should the review by Cifas into the complaint find that the evidence supports the record, it will be very rare that Cifas and Cifas members do not have compelling, overriding grounds to carry on processing the personal data concerned. Individuals can always approach the Financial Ombudsman Service, as well as the Information Commissioner's Office, at any stage.
Conclusion
The legitimate interests of Cifas, its members and the public, and the interests of data subjects themselves, in the processing, subject to the safeguards described above, are significant, and outweigh the limited competing interests of data subjects. Cifas therefore concludes that the processing may be undertaken on the basis of those legitimate interests. Cifas' Data Protection Officer can be contacted at dpo@cifas.org.uk or through the main Contact Us page.