APP Victim Check Principles
APP Victim Check helps participating banks and Payment Service Providers protect their customers from APP fraud by sharing information when someone has become a victim of APP fraud. This allows other organisations to know when a customer would benefit from additional safeguarding measures to prevent them becoming a victim again in the future.
APP Victim Check Handbook
To use the scheme, an APP Victim Check member must operate within the terms of the APP Victim Check Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data in the scheme, and ensure that the highest possible level of fairness and transparency is observed.
The Handbook allows you and your organisation an appropriate degree of flexibility – there will be many ways for you to achieve the outcomes it describes. It also helps you maintain the quality and integrity of the data for the benefit of all members. By observing the Handbook and engaging with our compliance process, your organisation will be compliant and can enjoy the benefits of the database.
Principles of use
APP Victim Check is a reciprocal data sharing arrangement where members commit to provide data and file cases of APP fraud. In return, members receive the benefit of searching the data.
Both Cifas and its members have equal responsibility for the quality, protection and lawful use of the data submitted to and held in APP Victim Check. Every member is responsible for the accuracy of the cases filed, and for the proportionate use of the data returned from a search.
We want the data we hold on behalf of our members to be used to the maximum benefit in protecting their customers and themselves from APP fraud. We also have a responsibility to ensure that the rights of individuals are balanced with the legitimate interests of our members; therefore the APP Victim Check Principles are closely aligned to data protection legislation.
The Principles are as follows:
Principle 1: Reciprocity
APP Victim Check relies on member data. Members must contribute their own cases to receive benefit from the data shared by other members.
Principle 2: Purpose Limitation (Legitimate reasons for searching)
Data from APP Victim Check can only be used for the purposes of considering whether to implement or maintain safeguarding measures, for preventing, detecting, and investigating APP Fraud and to comply with a member’s legal obligations. Data from APP Victim Check cannot be used as part of application screening to make a decision to reject an application which has been made by an individual.
Principle 3: Transparency
Subjects have a right to know how data will be used and how any decisions related to them have been made.
Principle 4: Lawfulness (Searching and filing)
Subjects must only be searched and filed if they have been legally informed of how their data may be used via a Fair Processing Notice.
Principle 4: Lawfulness (Standard of Proof)
Cases filed to APP Victim Check must meet the Filing Standard. The Filing Standard is met when either of the following statements is reasonably believed by the member to be true:
1. The individual has notified the member that they have been the victim of an APP Fraud; or
2. The member, following assessment of the circumstances surrounding a transaction or series of transactions or behaviours, has reasonable grounds to believe that the customer is or has been the target of an APP Fraud.
Principle 5: Fairness (Proportionality)
Members must ensure that the data is interpreted in a proportional manner in order to safeguard customers according to their own risk appetite. The data must not be used in isolation to justify decisions.
Principle 6: Accuracy
All data that is captured must be accurate.
Principle 7: Integrity (Security of APP Victim Check)
Access to APP Victim Check is restricted and all members must have adequate policies, procedures and technical measures in place to protect the data.
Principle 8: Data Minimisation
Members must not hold data indefinitely. Once it’s served its purpose, as dictated by APP Victim Check data retention policies, it must be deleted securely and permanently.