Protecting savers from financial crime
Today’s pension providers have an unprecedented opportunity to rethink how people save for retirement. The increasing demand for more digital services and significant industry changes, like Freedom and Choice, have created a new normal for pension provision in the UK. Pension access has seen the starkest change, with HMRC recently reporting that savers withdrew £2.2bn in Q4 2019, an 18 per cent increase on 2018. But such opportunities mean a growing financial crime threat.
Some of the key risks facing the industry today include account takeover, insider theft, fraudulent claims and scams. In fact, research by audit and risk firm Crowe and the University of Portsmouth has found the annual cost of fraud to the UK pensions sector to be around £6bn.
Risks like money laundering can also apply to pension funds. But as the industry accepts these risks are low, the sector’s recommended standard for preventing financial crime is to conduct due diligence on the customer and beneficiary at the point of making a retirement claim.
However, as pension providers start to consider offering more digital access to their systems and more flexible access to funds, they should consider what they can learn from other financial institutions. Banks, for example, have extensive measures in place to protect relatively small sums of money compared to pension funds.
Having worked with financial institutions to mitigate risk and conducted extensive research into the fight against financial crime, we’ve identified three key tools pension providers need if they’re to protect their savers:
Robust user authentication controls
Having robust mechanisms to control access to a user’s account is vital, and these need to be in place across all channels. This starts with account registration and strong account credentials, including passwords, security questions, memorable words and even biometrics like voice or facial recognition. In an age where SIM cloning and swapping continue to rise, firms need to do more than simple two-factor authentication – including validating multiple data points.
Research by Aon found financial institutions typically hold false confidence in the security of retirement data. Tougher authentication controls, combined with good general security, will enable stronger defences, particularly around changing personal details and making a retirement claim. Workplace schemes should also ensure they can monitor access to accounts, and help employers and members remove rights from delegates who no longer require access or certain privileges.
Enhanced Know Your Customer (‘KYC’)
Pension providers should have processes and procedures for gaining as much information as possible about the saver, beneficiary or employer they’re dealing with. The more you know, the more likely you are to detect suspicious activity, a sanctioned organisation or a fraudulent claim. Example KYC activities include:
- Companies House checks
- postal address verification
- requiring evidence of a source of an employer’s funds or to support the validity of a Life Event, such as a death certificate or court order
- HMRC and FCA checks of schemes and annuity providers.
A robust Identity and Verification (ID&V) process is also critical. As the financial services industry shifts to making ID&V as ‘self-service’ as possible, firms are increasingly looking to automated solutions that draw on internal and external databases to confirm authenticity. Conducting these KYC activities early builds a robust initial profile that you can monitor and build on over time, including through transaction monitoring. Increasingly, third parties hold rich data that can also help build better profiles. This has the potential to be particularly useful for confirming the existence of an individual as well as checking against known fraudsters or known stolen documents.
Pension savers typically don’t engage with their investments, and the FCA estimates five million could be at risk of scams. So, there’s a lot for providers to do to educate their members and help them spot fraudsters.
Key initiatives, like the SCAMSMART campaign, the Pension Scams Industry Group’s (PSIG) Code of Practice for Combatting Scams and the FCA’s warning list, emphasise the importance of engaging members. And we see three key points in the retirement journey for that engagement:
- post-enrolment to help them claim their retirement accounts
- transfer requests to find out more about the receiving scheme and how the member decided to make the request
- at retirement to help them make sensible decisions, including highlighting typical techniques used by scammers and get-rich-quick schemes.
This is particularly relevant today, as people worry about what the COVID-19 outbreak means for their savings. Acknowledging this, The Pensions Regulator (TPR) has contacted 35,000 pension trustees, warning them about scams and the need to caution members who seek access to their funds or to transfer pension entitlements, particularly out of a defined-benefit scheme.
To maximise effectiveness, providers should design help, guidance and other information for the pension savers themselves, and not just advisors or pension experts.
In applying these tools, trustees and pension providers must take a risk-based approach and be aware of the importance of balancing control with a good user experience. There’s a real opportunity to make retirement simple for savers while improving protections for their investments.