British Government create Major Fraud Incident by using IT to save on human costs! 20+ million pounds lost.

Current benefit scam (Universal Credit) in the United Kingdom has yet again shown how any approval for money given out via online validation is risky. Since the money was provided quickly by the government, scammers jumped on the chance to coax personal information out of people and even to make up fake personal information so they could get access to the most money possible. Current estimates are that over 20 million pounds has been stolen by fraudsters.

To help gain people’s trust, scammers used social media heavily to sell the fraud. Scammers also did the online application so any warnings of what was being signed up for were not visible to the victims of the fraud.

If we look at the original honorable goal of the online application, it was to provide people with money until their benefits were reviewed / approved as the approval process was taking 5 weeks or more. Government thought it would be great to give people money (in a the form of a loan) that would be later paid for by the claimants benefits (if approved) or repaid by the claimant if not approved for benefits. This way, the claimant could avoid cash flow issues. Really, the problem was that the Government did not have enough staff to process the claims quicker. The IT solution along with the loan was a cheaper approach that was badly implemented.

What was completely missed by the IT department working for the British Government when setting up the solution was the implementing of all the rules that human employees would use to process an application. This was a complete failure on the part of the business analysts involved in this software development and has ended up costing the UK government millions.

Some of the functions a human employee would have done in processing the application:

  1. Is the applicant aware of what they are signing up for? – Scammers did the application on behalf of the applicant so the applicants never knew fully. Scammers also used social media to describe the money as coming from a grant and not a loan.
  2. Do I have confirmation that the applicant knows what they are signing up for? As the applicants were not on the web site, they never confirmed what was being done. Victims have found out after the case what was really done.
  3. Do I have some reliable proof that the claim is accurate? Scammers submitted whatever they wanted to state in the claim as the validation was done over the process of 5 weeks after the money had been sent.
  4. Does the applicant know the amount and fees (if any) associated with the claim? Scammers claimed a fee to fill in the application on behalf of the claimant but there were no fees in reality.
  5. Does the applicant know who is supposed to do the claim? Scammers jumped on the opportunity to do the claim as their was no biometric validation (as compared to being interviewed by the government employee) as it was done online.

Here are the functions that we should watch for in our projects that require special attention when we are providing money quickly based on online validation only:

  • We need to guarantee that the party receiving the money is who they say they are and they know exactly how much is their money. This could be done by ensuring they are using an already validated bank account. In this fraud, a lot of the victims actually received the money to their bank account but thought they were obligated to pay the scammers part of it as the scammers had completed the online application.
  • We need to guarantee that the applicant is the one completing the application online so that the applicants are aware of what they are doing. Any warning / informational messages associated with the claiming / providing of money as part of an online application, we have to be 100% sure that the party to receive the money (legally tied to the money) has seen them! A web page pop-up with click of “Yes” along with capturing of IP address is not enough to verify that the person who needed to see the warning / informational message actually saw them. We need to guarantee the person at the computer on the web site is the valid party involved. This is where biometric information or a chip style reader (as used in credit cards) for an identity card would come in handy. Some companies use validated phone numbers with text messaging to achieved this however if the phone number is hacked or changed by the scammer this does not work. With the current fraud, it is several weeks before the Government works out that the claimant never used the web site to complete the application and thus were not aware of what was being signed for.

In summary, the British Government got themselves into this position because they did not want to hire more staff to process claims quicker. It is the classic case of relying on Information Technology to speed up a process on the cheap without due considerations of the risks involved or the human functions being replaced by the computer. Whoever did the analysis and design of this payment solution was incompetent beyond belief.

Are criminals and government fines driving new requirement methods?

We all have had the business partner who never quite tells us all that we need to know when working on a project but spare a thought for those who design solutions to defeat criminals. In their case, the criminal is not sharing what he does and most design is done in reaction mode.

One area that has got recent focus is Money Laundering. Financial Institutions that end up involved with Money Laundering not only risk loss of money and reputation but fines as well imposed by their governments or even other governments. The situation of identifying money laundering has gotten so out of control that nobody really knows how to define the complete requirements to identify money laundering.

Traditional requirement methods basically do not work anymore. With traditional requirement methods, the Business Analysts identify / capture the business rule and then implement it. Unfortunately the people who make the business rules are not the ones sharing it with us.

Criminals don’t tell us that if they do X, Y & Z then they are money laundering. The criminal’s desire is to float under the radar as normal customers. Their methods for appearing as ordinary customers have gotten so good that the people trying to create the rules after the fact to identify Money Laundering can no longer keep up. This puts Financial Organizations in a bit of a pickle.

Governments have made it so that Financial Institutions cannot just ignore the problem of Money Laundering and hope for the best. After all, if a Financial Institution goes belly up, it can affect a whole country. To avoid this worst case scenario, a government may force a Financial Institution out of business if they are not confident that the institution is compliant with laws. If you want to get business owners / board members to do something about a problem, threatening their business is one solid way to go about it and the governments know this.

For Financial Institutions to get round this issue of not knowing the business rules to implement to identify Money Laundering, they are turning to Artificial Intelligence (AI) to fill in the gap of knowledge. AI will scan through large amounts of data to learn, establish, monitor and update the business rules that identify Money Laundering or Potential Money Laundering. Systems will then implement the rules on the fly to freeze accounts, recover laundered money and notify government and law enforcement agencies.

While I am not a liberty to talk about the specific data being worked with, I can discuss what this means from a Business Analyst perspective. Data scientists and AI engineers will take over the role of capturing and implementing the business rules for identification of Money Laundering into the systems. Previously this was handled by the Business Analyst. However, before you cry about the loss of another piece of work for the Business Analyst role, new opportunities will open up:

  • AI needs data and lots of it. Business Analysts will be recruited to provide data interfaces into the AI machine. At least for the next little while. Eventually, the desire is to end up with more of a Web Crawler approach where the AI establishes new sources of data with little to no human intervention.
  • While AI will be good at identifying that an action is needed it will not be good at implementing the action (at least until we build the fictional “Skynet”). Business Analysts will always be involved with ensuring that the action is communicated to where it needs to be communicated and that any automatic response within an organization is performed . With the way Companies, Governments and Law Enforcement Agencies reorganize themselves on a regular basis it is unlikely that this will ever be a static solution. Given that changing environment, this should keep Business Analysts busy for a while.

What I think will be interesting in the future will be for the Data Scientists and AI engineers to be able to explain the reasoning of the AI for its decision that a particular event is Money Laundering. Eventually it could grow beyond their understanding. I can see a future where Business Analysts will be called upon to get the AI systems to pump out human readable reasoning and maybe that will be a new job task for us all.

In summary, criminals and governments are driving the need for AI to step in and generate IT requirements on the fly. This is to ensure that the criminals are kept in check and that businesses are not shut down by governments for not keeping criminals in check. While some BA roles will be lost around business rules capturing and implementing, other new roles will open up in support of the AI infrastructure and especially the output from the AI solutions.