NO2ID

The Identity Documents Act 2010 will create a worrying loophole that can be exploited by criminals. Identity documents, whether they be passports, EEA national identity cards or driving licences, are commonly used to authenticate transactions. For example, it is common for bank clerks to make a record of an identity document's serial number when processing a large cash withdrawal. This is because an identity document's validity at the time of a transaction may later be verified with the document's issuing authority, which may occur in the event of a subsequent dispute about the authenticity of the transaction.

ID card data is held only in the National Identity Register. The Identity Documents Act 2010 mandates that all information recorded in the National Identity Register be destroyed by 21st February 2010. A bank customer who has previously authenticated a transaction with a UK ID card could, after 21st February 2011, fraudulently claim that he did not authorise the transaction; there is little that the bank could do to prove the transaction's authenticity, given that the Government will have destroyed all data in the National Identity Register. Likewise, until 21st January 2011, a criminally-minded bank employee could record a false UK ID card number on a fraudulent cash withdrawal in the knowledge that the authenticity of the ID card number cannot be refuted after 21st February 2011. Such potential criminal acts exploiting the impending destruction of valid identity document data are not limited only to financial transactions or to the United Kingdom. They could also include terrorism and transactions in other countries using UK ID cards.

Identity documents play an important role in the authentication of transactions. There is no precedent for destroying records petertaining to identity documents that have at one time been valid. By introducing such a precedent, the Government is diminishing the credibility of British travel documents in general, in that it cannot guarantee later verification of a travel document's authenticity.

Fortunately the loophole cannot be exploited yet and there is still time to close it. In order to eliminate the potential for criminal exploitation, the Government should take urgent action and repeal the the Identity Documents Act 2010, replacing it with another act that mandates the migration of data from the National Identity Register to the IPS's passport database. This would also avoid the need to invalidate existing ID cards and the consequent potential for claims against the Government under Article 1 of the First Protocol to the European Convention on Human Rights.

Financial institutions mostly ask to see proof-of-identity for large transactions in order to satisfy UK government money-laundering regulations. The risk they are defending against is almost entirely regulatory (the cost of fines for not complying with the regulations) not real (the monetary loss they would bear in case of fraud). Since the government won't accept liability if a fraudster uses a realistic fake UK ID card, there's little business justification for asking to see an ID card. The banks defend against actual fraud in other ways.

Provided the bank can show that they jumped through the appropriate regulatory hoop at the time of the transaction, no-one will care if the records of the ID card used are subsequently destroyed, least of all the banks.

You are right about the regulatory requirements for large transactions (>€12,500 or equivalent), and this is in fact an EU regulation, not specifically a UK one. The particular onus on banks is to ask the customer the purpose of the transaction, but the truth of the answer is not usually verified. However, back to the original topic, the requirement for proof of identity is against fraud, i.e. to prove that the customer is who he says he is. This applies to large transactions above and below €12,500 and is to protect the banks, because if they let someone who is not authorised make a withdrawal from a customer's acccount, then the bank is liable for the loss. The usual evidence of identity is a travel document, i.e. a passport or an EEA national identity card. The banks will care if their means of proving validity of a travel document is removed. Also, contrary to your comment, it is not about whether the government accepts liability (since they are not a party to the transaction anyway), but about whether the bank can use government databases to prove that it recorded the serial number of a valid identity document.

But why would the bank care whether it recorded the serial number of a valid identity document or a fake one?

I repeat - the bank is only asking for a government-issued passport or ID card to satisfy the government-issued money-laundering regulations. Provided it can prove that it's seen a passport or ID card (which it usually does by photocopying it), the bank has satisfied those regulations. No-one at the bank actually cares whether the card was actually issued to this person by a government, is a stolen card originally issued to someone else, or is a high-quality forgery. The bank has other, separate authentication systems for ensuring that only the authorised customer can withdraw money from any particular account. If you believe that showing the teller a piece of government-issued plastic with a photo on it makes any significant contribution to this authentication process, then you need to read this paper and reconsider:

APPLIED COGNITIVE PSYCHOLOGY, VOL. 11, 211-222 (1997)
When Seeing should not be Believing: Photographs, Credit Cards and Fraud
RICHARD KEMP, NICOLA TOWELL and GRAHAM PIKE
Division of Psychology, University of Westminster, London, UK

SUMMARY

Identity cards often include a photograph of the bearer in an attempt to prevent fraudulent use or personation. In the U.K. some credit card companies have recently introduced photo-credit cards and the government is currently considering the introduction of a new driving licence including the bearer's photograph. However, the widely held belief that the inclusion of photographs will reduce or prevent fraudulent use has never been tested. This paper describes a field study designed to examine the utility of photo-credit cards by assessing the accuracy with which supermarket cashiers could identify whether the photographs on credit cards depicted the person tendering them. The results demonstrate that the task of matching the photograph to the shopper is much more difficult than might be expected, and that even under optimized conditions, performance is poor. It is concluded that the introduction of photographs on credit cards would have little effect on the detection of fraud at the point of sale.

Because the serial number of a genuine identity document can be traced via the document's issuing authority to prove beyond reasonable doubt that the person who carried out the transaction was the customer. I'm not saying this is watertight, as it's not, but it's one anti-fraud measure that the banks use, even for transactions that are not regulated (<€12,500). Again, I'm not talking about regulatory checks which is a different topic entirely.

Even if true, this isn't a reason for maintaining the NIR after ID cards have been abolished, which was the argument you advanced in your original post.

If a bank does check travel document serial numbers using a service like IPS's Passport Validation Service, it does it at the time of the transaction, so that it can reject the transaction if the passport has been reported stolen. There's no point in running the check after the transaction, since the miscreant (and presumably also the money) are then long-gone. Since ID cards cease to be valid at the same time that the NIR is destroyed, checking ID card serial numbers ceases to be possible at the same time that ID cards can no longer be used.

So there's no issue, and no reason to hang on to the NIR records, which was the suggestion you originally made.

No, I said that data should be migrated from the National Identity Register to the IPS's passport database.

No, you are wrong. Read my original post. At the time of the transaction (in the absence of any dispute), the bank only records the serial number of the identity document. In some cases, they also take a photocopy (which mitigates the problem I described). However, the bank will validate the identity document's serial number only in the event of a later dispute about the transaction. I explained this in my original post, so please re-read it.

If fraud has occurred, why would the bank bother to go back and retrospectively check the serial number of an ID card presented at the time of the transaction? It won't help get the money back, because (as I noted before) the government would never accept liability for forged or stolen ID cards. Hence the banks won't care if they can't retrospectively check ID card validity, and there's no need to preserve the NIR information for this purpose.

To understand why, please refer to the first example in my original post. I've already explained this.

In that post, you wrote:


So here's the scenario you're proposing: The legitimate owner of a bank account goes into his bank to withdraw a large amount of his own cash from his own account. He presents his genuine bank-issued credential (perhaps a bank card or a passbook), which the teller verifies is valid, and also signs a slip and/or enters a PIN. Because this is a large cash withdrawal, the money-laundering regulations force the teller to ask for a government-issued credential as well. The customer hands over a UK ID card, and the teller notes the number on the face of the card, but doesn't try to verify anything with IPS. The account is debited and the customer takes his money. Then, some weeks later, after ID cards have been invalidated and the NIR destroyed, the customer goes back to the bank and claims that the he did not carry out this transaction, and that the bank should therefore refund the money to his account, since it is responsible for allowing a fraudulent withdrawal. The bank points out that it has evidence that the valid bank-issued credential (bank card or passbook) was used, and that the signatures and/or PINs match, but the customer insists that he did not make the withdrawal, and challenges the bank to show that he did in the absence of any available evidence about the ID card (and only the ID card), since the NIR has been destroyed. Because of this,and despite the evidence that the valid bank card/passbook was used, the bank caves in and "refunds" the money that that been "stolen" from the customer's account.

Here's an example of what happens when legitimate customers report real withdrawal fraud to banks:

http://www.poptel.org.uk/nuj/mike/articles/gdn-mun.htm

http://www.phantomwithdrawals.com/index ... unden_Case

Do you believe a criminal would risk this ordeal by fraudulently reporting a real, face-to-face transaction as fraud?

It's also doubtful that the bank would actually accept the ID card in the first place:

http://www.guardian.co.uk/politics/2010 ... h-ferguson

For all these reasons, this risk of financial fraud from the destruction of the NIR is non-existent.

As I've already told you (why do I have to keep repeating myself?), the money-laundering requirement is over €12,500. The bank asks for identification to protect itself against fraud. Therefore, assume that the amount is large but under €12,500. Assume that there is no plastic card or passbook associated with the account, quite common with savings accounts in which large sums may be deposited. The entire authentication of the withdrawal comes down to an ID card whose audit trail is being removed by the Government.

That seems to be a rather large assumption to me. Please could you point to examples of these common accounts where large four figure sums can be withdrawn only on the basis of the presentation of a government-issued identity document. Even if that were the case, I wonder how many transactions were authorised on the basis of a UK identity card given the relatively small numbers issued over a relatively short period of time. Again, if we take your assumption to be valid, the banks could presumably identify the small number of transactions and deal with the issue. There is no need to repeal the act. All the banks need to do is to ensure that the validity is before the NIR is destroyed.

Similarly, with respect to



the banks could simply disallow authorisation using an ID card. No need to repeal the act.

How? These are transactions that have already taken place. And how, for example, would a bank in France be aware that a UK ID card will soon be invalidated? The expiry date is in ten years' time! You haven't thought about this, and are viewing the matter from an insular UK perspective.

Again, these are transactions that have already taken place, so how could a transaction be retrospectively disallowed? And the banks cannot discriminate between valid travel documents issued by different EEA countries, as to do so would fall foul of EU regulations.

But your original post states

in other words, the fact that the transaction has already taken place doesn't prevent subsequent verification.

That's a good point. I would imagine, though, that parties that rely on an ID card would have been notified in the same way as they would if the format of the passport changed etc etc. It wouldn't be beyond the wit of man to notify banking authorities now. It doesn't require a repeal of the act.


I refer again to your original post. Plus, the whole rationale behind dispute resolution is to disallow transactions. Are you suggesting that fraudulent transactions can't be disallowed.

How is this discrimination?

I fail to see why processes can't be established to address the points you raise, which may or may not be valid (I note you didn't provide examples of these common accounts that rely solely on the basis of an ID card) without recourse to repealing the act.

Yes, because if a dispute arises after 21st February 2011, verification will be impossible. Verification will not take place in the absence of a dispute.
No, there are over 25 unique types of ID card used around the EEA, and banks and other interested parties rely on expiry dates being correct. It is without precedent that a travel document is cancelled (without being lost or stolen) when it has not reached its expiry date.
If the Government removes the apparatus to prove that a transaction was authorised, then it makes it harder for the banks to prove that it was authorised.
Because it is unlawful to treat nationals of one EU country more favourably than another. There are EU directives in this regard concerning free movement of goods and services within the EU.
Because this is the norm. A lot of savings accounts don't have an associated plastic card.

But surely for the small number of transactions that would have been verified by an identity card, those organisations that did could reconfirm that the serial number that was presented is consistent with that of the account holder before the NIR is destroyed, which would not require repeal of the identity card act. Why wouldn't that be the case?

How would the banks be able to identify which transactions were authorised using a UK ID card? In my experience, the identity document's number and type is handwritten on to the bank's copy of the withdrawal receipt. Likewise, if I pay for something in a Spanish supermarket with a credit card, the same thing is done.

The bottom line is that issuing authorities of identity documents should retain records of the identity documents that they issued, if those documents have been valid at any time. Those documents may have been used for immigration purposes, purchases in shops, cash withdrawals or other financial transactions. It is not acceptable for the Government to remove the audit trail for its own political reasons.

In my experience, for example when obtaining foreign currency at the post office, they make a note of the type of document used e.g. D/L for driving license together with the note of the number (as you pointed out in your original post - ) and surely they would have to be able to identify which transactions were authorised using a UK ID card because (as you again pointed out in your original post) . The only way that could be achieved would be if they new which transactions were authorised by which means. If they can't then they could not subsequently check the validity of the document at the time of the transaction.

A bank could easily identify the type of identity document used to authenticate a particular transaction, but it would be impossible to obtain a list of all transactions that had been authenticated using a particular type of identity document.

Do they not take the data from the paper slips and record it into a computer system? I don't know enough about the details of banking transaction management but it seems you are suggesting that if someone disputes a transaction they actually search through all of the paper slips to find out how it was verified. Or do they have a computer system where they record details of the transaction, verification type, serial number. If they can search based on the transaction then I would have thought they would be able to search on the basis of the verification type.

No, any data recorded in a computer system is entered directly and not first on to a paper slip. Handwriting the data on a paper slip keeps the record of the identity document's number together with the customer's signature. The paper slips are filed away by date so they can be easily retrieved at a later date using the original transaction date.

Thanks for the clarification. That would suggest a potential risk in the event that the only thing that was used to verify the transaction was the identity card. However, that risk rests on your earlier assumptions:

which as has already been pointed out seems very low given the customer would have provided a signature and would have to jump through hoops to prove that the transaction was fraudulent.

I wonder how many such transactions there were that fitted your assumptions?

Now we know there were approximately 13,000 cards issued since the first trial in November 2009. Let's assume that 1% of those individuals had a bank account that fit your assumptions (which I believe must be an over-estimate as I have no evidence to the contrary) and that each individual undertook 1 fraudulent transaction (which I believe must be a significant over-estimate) of £10,000 since they were issued with their identity card. So, we have
130 fraudulent transactions totalling £13,000,000 based on what I believe are two over-estimates.
According to this article: http://www.computerweekly.com/Articles/2010/03/10/240553/Online-bank-fraud-up-but-total-card-fraud-falls-for-first.htm

It seems to me that the banking industry has far bigger fraud loopholes to be concerned with than the hypothetical risk that you have outlined.

Perhaps you are able to quantify the risk with some hard facts rather than my guesstimates?