Blacklisted: Removing a marker from a fraud database
Fraud databases effectively act as blacklists for financial institutions. An individual with a fraud marker against their name on a fraud database will normally only discover its existence after they have had to deal with the adverse effects that it can cause, such as being refused credit, or an abrupt (and often unexplained) closure of a bank account. It is not uncommon for fraud markers to be applied incorrectly or overzealously. In such circumstances, action can be taken to seek their removal and limit their damage. In certain situations, where a fraud marker has been applied inappropriately, it may also be possible to bring a claim for damages (compensation).
What is a fraud marker?
A fraud marker is recorded on a fraud database and acts as a warning to financial institutions that a particular individual (or business) has in some way been involved in suspected fraud (even as a victim). The three main fraud databases are run by CIFAS, National Hunter and National Sira.
How do I know if there is a fraud marker against me on any particular database?
You can make data subject access requests under the UK General Data Protection Regulation ('the UK GDPR') to the various databases. We can assist you with this.
Is it lawful for a fraud database to process my personal data?
Pursuant to Article 5(1)(a) of the UK GDPR, any data controller must process an individual’s personal data lawfully, fairly and in a transparent manner. Processing will be lawful if it is, for instance, necessary for the purposes of the legitimate interests pursued by the data controller, provided that such interests are not overridden by the interests or fundamental rights of the individual concerned (Article 6(1)(f) of the UK GDPR). Recital 47 to the UK GDPR states that “processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest”.
A fraud marker against a person’s name also constitutes ‘criminal offence data’ and must, pursuant to section 10(5) of the Data Protection Act 2018 (“DPA 2018”), comply with one of the conditions in Part 1, 2 or 3 of Schedule 1 to the DPA 2018. The condition most likely to be relevant in this context is found in paragraph 14 in Part 2 of Schedule 1 which stipulates:-
“This condition is met if the processing—
(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).”
While the UK GDPR / DPA 2018 permits processing of personal data for the purpose of preventing fraud, this is subject to such processing being necessary. Accordingly, where it can be shown that the processing is not necessary (within the sense this term is understood in a data protection context), the data processing is unlikely to be lawful, and can be challenged on this ground. In addition, a data controller must demonstrate a lawful basis for processing under Article 6 of the UK GDPR which is likely to see the fraud database seeking to rely on the legitimate interest condition under Article 6(1)(f). This condition clearly calls for the conduct of a balancing exercise between the data controller’s legitimate interest (in preventing fraud) on the one hand, and the data subject’s rights and interests on the other. If the latter trumps the former, then a data controller will not be able to be able to justify its processing on this basis.
In respect of CIFAs, it requires cases filed to its National Fraud Database to be supported by evidence and meet its standard of proof, which states:-
- “That there are reasonable grounds to believe that a Fraud or Financial Crime has been committed or attempted;
- That the evidence must be clear, relevant and rigorous such that the member could confidently report the conduct of the Subject to the police;
- The conduct of the Subject must meet the criteria of one of the Case Types;
- In order to file the member must have rejected, withdrawn or terminated a Product on the basis of Fraud unless the member has an obligation to provide the Product or the Subject has already received the full benefit of the Product.”
These criteria provide a further basis on which a challenge can be made. The second condition – that evidence must be clear, relevant and rigorous – precludes reports being made based on mere suspicion and/or tenuous evidence.
What can be done to remove a fraud marker?
Where a marker has been unlawfully placed on a fraud database, it can be removed. This can often be achieved by solicitors sending a Letter of Claim to the fraud database and, if they fail to comply with a legitimate request for removal, a claim can be issued in which a data subject can seek, amongst other things, a Court Order under section 167 of the DPA 2018, requiring the fraud database to remove the marker. A claim may also arise for libel (both against the database and any institution that supplied information). We have had considerable success in removing fraud markers for clients at a pre-action stage.
Each case against a fraud database will be fact specific and the legal arguments outlined above are complex and would need to be properly developed, and applied to the specific facts, before they are likely to succeed. If you are seeking to have a fraud marker removed, we would recommend that you instruct specialist solicitors, to give you the best possible chance of success.
Articles are intended as an introduction to the topic and do not constitute legal advice.