The latest positive scheme to be hijacked by criminals is the UK government's bounce back loan scheme for businesses. Bounce back loan fraud is being forecast at £15-26 billion. And unfortunately, as long as a simple fraud check was performed, the government has 100% liability for these loans, which means the UK taxpayer does.
When the bounce back loan programme was set up, the government rushed it through because they needed to, and they didn’t put all the normal controls on loans at the bank level. For example, to qualify a business had to have been established before 1 March 2020 — I would have thought they’d have made it a requirement that they were in business from 2019 and before. Also, there was very little proof of business health needed.
From a fraud perspective, we are seeing two things:
- First-party fraud. Each business was supposed to only be able to make one bounce back application, but there are no controls to restrict a business to one application. There are businesses that have applied 3, 4, 5 times, so they are getting multipliers on the £50K or 25% of annual turnover they’re supposed to get. Some business owners may be ready to cash out and could have received 5 loans for 125% turnover.
- Impersonations. I could pretend to be a director of your company and start making applications for loans on your company. You might not even find out that this has happened until you need to start paying next spring. Fraudsters will try to put mail redirection on businesses, so that people at the company won’t get the mail confirming the loan. But in fact, as we’re in lockdown, those bounce back loan confirmations may be sitting in vacant offices. When people get back to their offices, they might find a bounce back loan letter. That means there’s a big balloon potential for fraud next spring when the payments start coming due.
The program was a great success, but there will be a lot of clean-up to do. The government will now have to consider having a consolidated collections process across the banks that made the loans. Initially, the government asked the banks to pump this money out, and now that they’re realizing the potential scale of fraud and bad debt, they’ll be looking to the banks to help get that money back. It will be difficult to do much about impersonation fraud — that money will be gone, siphoned off to cryptocurrency, international payments and cash.
Confronting the Bounce Back Loan Fraud Problem
What can be done now? If I was the government, I would look to implement network analytics used in identity fraud detection across all the applications done through the UK banks. Don’t wait until the payments are due to start — using advanced link analysis, you can find all the connections between loans, like common phone numbers or company names or addresses.
Get all the data together, use the analytics to find everyone who made more than one application, put all those into a bucket, then start contacting them. The money may be gone, but no one can abscond with it, they can’t even leave their house! Then run some first-party fraud definitions on the rest, and tell the suspicious accounts, “I need to talk to you.” Banks should consider using automated notifications, like SMS and App Push for account holders that have made an application.
Payments on these loans aren’t due for the first 12 months — that means any potential fraud is just sitting there festering for 12 months. It will be harder to get the money back in 12 months. The government should start working on this problem now, rather than waiting a year.