With a growing number of financial institutions reporting people to a Cifas anti-fraud database, BCL's Andrew Watson explains what to do if you find yourself the innocent subject of a Cifas marker.
Cifas is an increasingly prominent feature in the battle against fraud. With a growing membership, and claiming to have prevented financial loss running to several billion pounds, it is unsurprising that many individuals and companies are finding themselves the subject of, or threatened with, a referral to Cifas. The consequences of a referral, however, can be severe; the worst-case scenario being a so-called ‘Cifas marker', lasting up to six years. But with no straightforward redress route via Cifas itself, any representations should initially be addressed to the member that made the referral in the first place. Navigating this process can be tricky, though, and pitfalls await the unwary.
What is Cifas?
Cifas is a non-profit membership organisation that aims to detect, deter, and prevent fraud. Cifas members share instances of actual or suspected fraud with Cifas, which in exchange allows its members to check their customers, applicants, or employees against its databases.
Cifas is in fact the custodian of several databases, principally the National Fraud Database and the Enhanced Internal Fraud Database. The former holds information about first and third-party fraud risk such as account takeover and identity fraud, false insurance claims and application fraud. The latter holds fraud risk data relating to internal fraud threats such as bribery and corruption, theft of personal and/or commercial data, customer account fraud and application fraud (including fake qualifications).
How does a ‘Cifas marker' work?
If a Cifas member – for example a bank – suspects a customer or employee of fraud, then it will refer that person (or company) to Cifas. Provided Cifas' principles have been complied with, Cifas will then issue a ‘marker' against that person's name. The marker is effectively a ‘red flag' alert that will show up should another Cifas member search a Cifas database for that person.
Cifas markers particularise different types of conduct. For example, one type might show that a person has been actively involved in fraud, another may show that someone submitted a bogus insurance claim. Another might record that someone's bank account has been used for a fraudulent purpose (although it may well be that the person has had their account used for the transfer of criminal property as a so-called money mule). Another type of marker may record that the person has been or is likely to be a victim of fraud.
Importantly, a Cifas marker does not constitute a criminal record, nor does it prevent a Cifas member from dealing with the individual or organisation. Rather, it serves to put the member on notice that the subject of the marker presents a potential risk of fraud. In many instances, however, a Cifas marker will create a serious impediment to participation in everyday employment and financial activities.
How do I know if I have a Cifas marker against my name?
Often, an individual will encounter a Cifas marker when trying to access and being denied financial services. Common examples include blocked bank accounts or a bank refusing to onboard you as a customer. The member will likely tell you that the issue is a Cifas marker but, in any event, and if you are unsure, you should exercise your right under the UK GDPR to make a Data Subject Access Request (DSAR) to Cifas directly. If there is a Cifas marker, the DSAR response will contain the basis for it. This information will influence your next step.
What can I do about a Cifas marker and are there any risks involved?
Of course, the best solution is to avoid a referral being made in the first place. In many instances, individuals will be put on notice, perhaps in an employment context, that their employer is considering referring them to Cifas. This is undoubtedly an alarming prospect and one that should be addressed head-on.
For example, the potential subject of a Cifas referral would want to know the exact basis for the proposed referral, have access to the evidence purporting to justify it, and its precise wording. Possible issues include accuracy, proportionality, fairness, or whether the alleged activity genuinely falls within the Cifas ‘fraud type'. A crucial issue – and a potential line of attack – is whether the referral meets the Cifas ‘standard of proof', for example that there are reasonable grounds to believe that a fraud or financial crime has been committed or attempted, and such conduct could confidently be reported to the police.
Where a Cifas marker is already in place, Cifas will not, initially at least, do anything itself to remove the marker unless the member that requested the marker in the first place instructs it to. In fact, Cifas' policy for complainants is to direct grievances about a marker to the member that made the referral and for you to request from that member a ‘Final Response'.
The grounds for convincing a Cifas member that the referral was erroneously made are many. They range from a straightforward case of mistaken identity to more complicated areas of data accuracy under the relevant provisions of the UK GDPR and the Cifas principles. Whatever the ground(s) may be, they should be carefully considered and evidenced before representations are made either to the member in anticipation of, or to Cifas as part of a complaint against, a Final Response.
If the complaint to the Cifas member is successful and the Final Response favourable, then Cifas will remove the marker. If, on the other hand, the Final Response is unfavourable (or where no Final Response is received), a complaint can at that point be lodged directly to Cifas, which will make its own enquires with its member. Cifas aims to adjudicate on complaints lodged with it within 14 days, although complex complaints may take longer for it to work through.
The Financial Ombudsman Service (FOS)
Where a Cifas member refuses to remove a marker, a complainant may take their grievance to the FOS. However, a common problem arises where banking customers have had their banking relationship terminated, or a prospective one rejected, because of a Cifas marker. That customer jumps immediately to lodging a complaint to the FOS without first challenging the Cifas member responsible for the marker and raising the dispute with Cifas. The FOS can consider both sides of a dispute and will produce a final report. Although not binding, a FOS final report in favour of the customer will go a considerable way to convincing the member to request that Cifas remove the marker. On the flip side, an unfavourable FOS report is likely to be perceived as reinforcing the basis on which a Cifas marker was made, presenting an even higher hurdle for any future representations to a bank.
While there are general time limits applicable to lodging complaints with the FOS, given the risks attendant on an unfavourable FOS final report, subjects of Cifas markers should be wary of complaining to the FOS prematurely and with poor evidence, and should consider whether they would be better served in the first instance by directing their representations to the Cifas member.
It is inevitable that as members increase their efforts to counter fraud via Cifas, innocent parties will find themselves caught out. Whilst fraudsters who are legitimately targeted will face a continuing headache for years to come, innocent individuals and companies need not endure the potentially ruinous consequences of a misplaced Cifas marker. Through a combination of careful planning and targeted representations to the right audience, it is possible to avoid or remove a Cifas marker.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.