The new Consumer Duty rules for retail financial services, which came into force in July 2023, marked a considerable shift in the regulatory expectations on firms for consumer protection. As noted by the Financial Conduct Authority (FCA), who will supervise firms for compliance, the Consumer Duty “sets higher and clearer standards of consumer protection across financial services and requires firms to put their customers’ needs first”.
Since announcing its intentions in a 2021 consultation, there have been myriad commentaries about how this new duty – with its strong focus on consumer access to services – marries up with another of the FCA’s significant regulatory focus areas in the retail financial services sector – that of tackling financial crime. An integral part of tackling financial crime – and indeed protecting other consumers – is effectively managing customer risk, which in some instances will naturally necessitate account closures and customer exits.
While balancing these requirements has been a source of industry consternation over the past year, arguably there are areas where translating the Consumer Duty principles into financial crime compliance processes is a less complex exercise.
For example, it is easy to envisage how a firm’s anti-financial crime policy intersects with the Consumer Duty when responding to innocent and law-abiding customers who fall victim to financial fraud. In its November 2023 review of anti-fraud controls, the FCA made its expectations clear and explicit:
“Firms must put the needs of their customers first and deliver consistently good outcomes for them. This includes helping customers understand what fraud is and how to identify it, making it easy for customers to report fraud and setting out what they can expect from the firm when they do report it.”
Furthermore, the FCA already recognises that risk-based automated fraud warning messages and controls – already standard across the much of the industry – are a way in which firms can comply with the Consumer Duty requirement to ‘avoid foreseeable harm’.
Beyond this, from an anti-money laundering perspective, it is clearly important to ensure that Know Your Customer processes are not over-zealous to the point of excluding innocent parties, particularly those from groups with ‘characteristics of vulnerability’, as required by the new rules.
However, there is one area where a clear fault line has emerged between the two realms of regulatory expectation; that of how the consumer duty intersects with institutions’ responsibility to tackle first party fraudulent conduct, which includes false representations made by individuals using their own details (as opposed to impersonation or use of false or synthetic identities) to apply for new services or misuse existing accounts or other products.
Let’s be clear, this isn’t a small-scale issue of concern. Although much of the public debate on financial sector fraud over the past few years has related to organised scams (in particular, authorised push payment (APP)), fraud first party fraudulent conduct – whether an opportunistic one-off or more organised – is growing. At Cifas, we have seen year-on-year growth in reports of first party fraudulent conduct recorded to the National Fraud Database.
While the squeeze on personal finances has undoubtably been a contributing factor to this, our research with consumers shows that a large part of this problem is driven by the perception of first party fraudulent conduct as an acceptable behaviour. Our recent fraud behaviours report revealed that 1 in 8 adults admit to committing some form of first party fraudulent conduct in the last 12 months, with many common MOs, such as chargeback claims and asset conversion, not being seen as crimes in the eyes of respondents.
Despite the clear growth of the problem and the challenges of public perceptions, it is here where the Consumer Duty comes into conflict with institutions’ financial crime duties, as well as a general fiduciary duty to protect their reserves.
There is a clear expectation set out in the Consumer Duty that “firms who reject customers have to explain alternatives and provide access to appropriate products”. Indeed, beyond the strict requirements of the regulation itself, the Chief Executive of the FCA made clear in a recent speech that, while not a statutory objective, financial inclusion is a key priority for the regulator.
Furthermore, even in cases where a firm’s risk appetite is not yet at the level of off-boarding a customer for first party fraud concerns, its ability to manage the immediate risk – and linked AML responsibilities – via measures such as account freezing, put the institution into potential conflict with the new rules. For example, in the FCA’s ‘Dear CEO’ letter from February 2023 regarding compliance with the Consumer Duty, it noted that, in its view, firms “freeze a disproportionate number of accounts, for too long, and without adequate explanation”, and sets out a clear expectation that account freezing activity should happen less often and be less protracted.
These conflicting priorities have, of course, been exacerbated by the debanking debate which has been playing out in the media since the high-profile client exit of Nigel Farage by Coutts. Although an independent body, the FCA has been under pressure to use the levers available to influence the industry in this regard.
Despite there being no link between the incident and financial crime compliance – a critical point that is frequently overlooked – in the FCA’s September 2023 report on debanking, their Chief Executive noted that “the time is also right for a debate on how we balance access to bank accounts with the threat of financial crime, as well as firms’ reasonable risk and commercial appetites”.
In summary, whereas government and regulators are clearly not easing up the pressure on the industry to tackle economic crime, including account abuse and laundering which enables scams that target and harm consumers, the industry is also under pressure to prioritise consumer outcomes and financial inclusion. This leaves the industry somewhere between a rock and a hard place when it comes to managing first party fraud risk against their own business. This challenge is particularly stark where there is an obligation to retain a bank account for an individual, whatever they have done and the harm and ongoing risk to wider consumers, because the individual does not hold an account with any other institution.
At this stage there is a lack of guidance from the regulator around how firms should balance these competing priorities, and the rules are too new to have revealed specific cases which adequately highlight the flashpoints in the debate.
What is clear to us however, from our conversations with Cifas members, is that building up a multi-sector picture of customer risk – which is strongly backed up by hard data – can help firms to provide a strong evidence base for a particular course of action, whether than be closer account monitoring or, ultimately, client off-boarding.
In the end, however, with the current absence of cross-cutting guidance on the balance between these two objectives, firms will have to continue to walk the tightrope between financial crime, financial inclusion and wider Consumer Duty requirements. With multi-sector data and intelligence-sharing a firm part of controls, at least they don’t have to walk alone.