Internal Fraud Database Principles
The Internal Fraud Database is a repository of fraud risk information that can be used by your organisation to reduce exposure to fraud and other relevant conduct, and inform decisions according to your organisation’s risk appetite.
Internal Fraud Database Handbook
To use the database, a Cifas member must operate within the terms of the Internal Fraud Database Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database, and ensure that the highest possible level of fairness and transparency is observed.
The Handbook allows you and your organisation an appropriate degree of flexibility – there will be many ways for you to achieve the outcomes it describes. It also helps you maintain the quality and integrity of the data for the benefit of all members. By observing the Handbook and engaging with our compliance process, your organisation will be compliant and can enjoy the benefits of the database.
Principles of use
The Internal Fraud Database is a reciprocal data sharing arrangement where members commit to provide data and file cases of fraud and other relevant conduct. In return, members receive the benefit of searching the database.
Both Cifas and its members have equal responsibility for the quality, protection and lawful use of the data submitted to and held on the Internal Fraud Database. Every member is responsible for the accuracy of the cases filed, and for the proportionate use of the data returned from a search.
We want the data we hold on behalf of our members to be used to the maximum benefit in protecting themselves from fraud and other relevant conduct. We also have a responsibility to ensure that the rights of the citizen are balanced with the legitimate interests of our members; therefore the Internal Fraud Database Principles are closely aligned to data protection legislation.
The Principles are as follows:
Principle 1: Reciprocity
The Internal Fraud Database relies on member data – members must contribute their own cases to receive benefit from the data shared by other members.
Principle 2: Purpose Limitation (Legitimate reasons for searching)
Data can be used in a wide range of situations for the purpose of the prevention, detection and investigation of fraud and other unlawful or dishonest conduct, malpractice or other seriously improper conduct.
Principle 3: Transparency
Subjects have a right to know how data will be used and how any decisions related to them have been made.
Principle 4: Lawfulness (Searching and filing)
Subjects must only be searched and filed if they have been legally informed of how their data may be used via a Fair Processing Notice.
Principle 4: Lawfulness (Standard of Proof)
Cases filed to the Internal Fraud Database must be supported by evidence and meet the ‘four pillars’ of the Standard of Proof. The Standard of Proof is:
- There are reasonable grounds to believe that a fraud or relevant conduct has been committed or attempted;
- The evidence must be clear, relevant and rigorous such that the member could confidently report the conduct of the subject to the police, a relevant regulatory body or considers the fraud or relevant conduct as gross misconduct;
- The conduct of the subject must meet the criteria of one of the case types;
- To file a case, the member must have:
  - Declined employment; or
  - Withdrawn employment; or
  - Identified a fraud or relevant conduct after staff have left employment.
All Subjects involved that meet the Standard of Proof must be filed to the Internal Fraud Database.
Principle 5: Fairness (Proportionality)
Members must ensure that the data is interpreted in a proportional manner according to their own risk appetite.
Principle 6: Accuracy
All data that is captured must be accurate and loaded within one business day of the Standard of Proof being met.
Principle 7: Integrity (Security of the National Fraud Database)
Access to the Internal Fraud Database is restricted and all members must have adequate policies, procedures and technical measures in place to protect the data.
Principle 8: Data Minimisation
Members must be able to retrieve the evidence to support a case filed to the Internal Fraud Database but they must not hold data indefinitely – once it has served its purpose, it must be deleted securely and permanently.
Contact our Engagement team for more information.