Transparency data

Data Usage Agreement: Bounce Back Loan fraud analytics pilot between BEIS, the Cabinet Office, HMRC and associated lenders

Published 10 January 2024

 

This Data Usage Agreement for HMRC use of Bounce Back Loan data for fraud detection was approved and put in place in 2023.  

1. Conditions of disclosure of information by HMRC

HMRC disclose this information for the purposes of the prevention, detection and investigation of fraud committed within the Bounce Back Loan Scheme (BBLS)

1.1 Participants to this agreement

• HM Revenue and Customs (HMRC)
• Cabinet Office – specifically the Public Sector Fraud Authority team (PSFA)
• Department of Business and Trade (DBT)

Following a transfer of functions order, Department for Business, Energy and Industrial Strategy (BEIS) is now known as Department for Business and Trade (DBT) from 3 May 2023. DBT provides the same functions as BEIS and is permitted to utilise the DEA.

1.2 Legal basis

Subject to approval by the relevant minister, HMRC disclose this information to the Cabinet Office by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) 2017, disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’.

HMRC is named as a ‘specified person’ in schedule 8, part 1 (14) DEA. Cabinet Office is named as a ‘specified person’ in schedule 8, part 1 (13) DEA. Secretary of State for Business and Trade is named as a ‘specified person’ in schedule 8, part 1 (6) DEA.

HMRC is the data controller when HMRC processes the data, and it is within the HMRC environment. When the data has left HMRC and is received by Cabinet Office, DBT will be the data controller and Cabinet Office will act as a data processor under DBT’s authority. Cabinet Office’s role as DBT’s data processor is covered in the DBT COVID-19 Loan Schemes Privacy Notice and an memorandum of understanding between DBT and Cabinet Office.

The lawful basis for the data processing is article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR): ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ as identified in section 8(d) of the Data Protection Act 2018.

1.3 Data sharing between DBT and HMRC

The participants to this agreement note that sections 11 and 12 of the Investigatory Powers Act 2016 respectively make it an offence to knowingly or recklessly obtain communications data from a telecommunications operator without lawful authority and restrict certain powers of public authorities to obtain such data. The participants to this agreement are satisfied that sharing data under the DEA would neither constitute an offence under section 11 nor contravene a restriction under section 12.

For the purposes of this agreement, DBT is acting as a conduit for data sharing and is not generating any data, including communications data. Furthermore, none of the data to be shared between DBT and HMRC constitutes communications data held by either party as a telecommunications operator.

1.4 Data Protection Impact Assessment (DPIA)

A DPIA is required prior to the exchange proceeding:

• DBT DPIA reference number: DEA/F/31  (20 November 2023)    

• HMRC DPIA reference number: 10227 (17 October 2023)

1.5 Records of Processing Activity (ROPA)

HMRC will update its ROPA, an inventory of all HMRC’s major processing activities involving personal data, when setting up the data exchange.

1.6 Purpose

DBT, HMRC and Cabinet Office intend to complete a pilot that will match BBLS borrower data relating to sole traders against data sets held by HMRC to detect loan application fraud. There are 2 intended stages to this pilot.

Stage 1

The current data share is outlined below. The first intended stage entails Cabinet Office, acting as DBT’s data processor, sharing BBLS borrower data relating to sole traders with HMRC. HMRC will then match that data to information it holds about those sole traders and return a dataset to Cabinet Office. Cabinet Office will use this data to create risk flags identifying high risk populations where fraud is suspected and share these with DBT.

DBT will select cases for investigation by reference to the risk flags generated and other data already held by DBT and Cabinet Office in relation to sole traders.

Information disclosed to Cabinet Office by HMRC and shared by Cabinet Office with DBT may be used by DBT’s investigators, comprising staff at the Insolvency Service, an executive agency of DBT, and officers seconded to DBT from the National Investigation Service (NATIS) acting as DBT’s agents (DBT’s investigators) for the purposes of the investigation and prosecution of BBL related fraud.

Stage 2

Forward look and future variation request (please note this stage will need to be presented to the Review Board at a later date and will require HMRC and ministerial approval)               

The second intended stage extends the pilot and entails Cabinet Office, acting as DBT’s data processor, sharing the risk flags via British Business Financial Services Limited (BBFSL) with Accredited Bounce Back Loan Scheme lenders to support lenders’ fraud investigations and recovery efforts. Where lenders suspect fraud, following their review of the risk flags, they would then update the BBL portal to reflect this. These updates would also inform the selection of cases by DBT for their investigations.

Currently DBT requires an agreement to provide the risk flags to BBFSL and lenders.  DBT will seek an agreement to allow this (the further agreement) and approval for it through the DEA board and relevant minister.

1.7 Pilot aims

The pilot aims to identify sole traders who applied for BBLs that have:

• applied for a BBL when they were not trading during the eligibility period; or
• misrepresented their actual turnover to obtain a loan

This data pilot is like the previous pilot (DEA/F/14), originally approved on 24 September 2020 and subject to a variation approved on 28 October 2021, which addressed limited companies who have fraudulently taken COVID-19 scheme loans. Analysis from the previous pilot of the limited company population suggests that risks of fraud relating to falsified income or turnover is probable in the sole trader population as well.

The pilot is performed as part of the wider fraud analytics programme in which Cabinet Office is assisting DBT to detect fraud within the Bounce Bank Loan Scheme - the programme.

The purpose of the programme is to detect fraud against the Bounce Bank Loan Scheme. The government is liable for loan defaults and fraud losses where a lender can evidence that they have met the minimum standard in respect of counter fraud checks.

The PSFA (previously Government Counter Fraud Function) within Cabinet Office, created the BBLS Fraud Analytics Programme which has used a range of analytical methods, including network analytics and entity platform to surface fraud and criminality within the £47 billion loan program. The platform brings together more than 100 million records to create a single view of risk.

To date, £9.6 billion has been lent to 475,000 sole traders through the BBLS. The scheme was designed to stimulate the economy during a crisis period and to accelerate the speed at which funds were made available, it operated without credit and affordability checks against the borrowers. The scheme operated on the principles of self-certification and sole traders were asked to self-certify and provide evidence of trading and to declare their 2018 to 2019 turnover. This presented a risk that sole traders falsely represented their trading and financial status in order to obtain bounce bank loans fraudulently.

1.8 Benefits of the exchange

• identification of potential fraud that may result in investigations and the recovery of funds, leading up to and including prosecution
• improved ability to detect and identify potential organised fraud networks

1.9 Data security

HMRC, DBT and Cabinet Office (acting under the authority of DBT as its data processor) agree to:

• move, process and destroy data securely for example in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
• only keep it for the time it is needed, and then destroy it securely
• except as set out in this agreement, not onwardly disclose that information without the prior authorisation of HMRC
• comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

• mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in  Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC

Data received by Cabinet Office from HMRC will only be used by Cabinet Office staff and contractors working at the Public Sector Fraud Authority (PSFA).

1.10 Freedom of Information requests

If an FOI request relating to this information is made to Cabinet Office, Cabinet Office’s FOI team or DBT’s FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

1.11 Procedure

The data sharing detailed in this agreement between Cabinet Office (acting under the authority of DBT as its data processor) and HMRC is a one-off pilot. 

Cabinet Office will receive a copy of the Cifas BBLS Duplicate Account Database from DBT (the database). The transfer of the database to Cabinet Office is covered in the memorandum of understanding in the sharing of COVID-19 Loan Scheme data between BBB and DBT updated January 2023. The database includes data relating to sole traders that have applied for BBLS loans and will include personal data. It includes personal data relating to sole traders (including their name, telephone numbers, email address and postal address) that are provided in their BBLS application. It does not include records held by Cifas within its fraud databases.     

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Cabinet Office will provide the following data items to HMRC RIS Government Data Exchange Team (DET). This will be referred to as dataset 1:

• unique reference
• full name
• first name (where available)
• middle name (where available)
• surname (where available)
• DOB
• trading name
• address 1
• postcode 1
• address 2 (where available)
• postcode 2 (where available)

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Where there is a confirmed match HMRC will return data for these individuals as outlined below. For any individuals where there is not a positive match, HMRC will not return any data for these individuals.

Data matching is carried out in accordance with the agreed RIS team quality assurance standards framework and only the most up to date information available to HMRC will be shared with Cabinet Office.

HMRC RIS Government DET will populate an excel spreadsheet with the data as below. This will be referred to as dataset 2:

• unique reference (as supplied by Cabinet Office in dataset 1)
• self-employment flag for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021 (Y or N)
• self-employment income for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021
• VAT registration flag for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021
• VAT registration date for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021
• VAT de-registration date for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021
• VAT turnover for tax years 2018 to 2019, 2019 to 2020 and 2020 to 2021

HMRC RIS Government DET will then supply dataset 2 identified above to Cabinet Office via SDES.

On receipt of dataset 2, Cabinet Office will create risk flags derived from the HMRC and other data sources provided to it by DBT to support the programme under an existing memorandum of understanding dated 7 January 2022 (risk flags) and will share these with DBT. The risk flags will indicate on a yes or no basis whether a fraud risk has been identified as a result of the analysis of the HMRC data and the other data sources.

DBT will conduct investigations and take recovery action up to and including prosecution. DBT’s investigators will, if necessary, request Cabinet Office provide dataset 2 fields which may be shared with them to support the recovery of funds, leading up to and including prosecution.

Cabinet Office will produce an anonymised and aggregated analysis report for the use of Cabinet Office and DBT. This will also be shared with the Digital Economy Act (DEA) Review Board, DBT, Counter Fraud Analytics Programme working group and the DBT Counter Fraud Programme Board - subject to HMRC approval.

1.12 Data retention and storage

HMRC

HMRC RIS Government DET will download the data file received from Cabinet Office via SDES.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

SDES retains the data for up to 6 days or until the data is downloaded by the RIS Government DET analyst.

The inputs and output of the matched data will be held and will be manually deleted by the Government DET analyst 6 months after delivery of the data (as per Government DET team lead’s recommendation) to address any potential data quality issues or queries on the data received by Cabinet Office. 

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

There is an auto-reminder set for the HMRC RIS analyst to delete the data 6 months after delivery. The RIS team lead also assures that this is deleted on time.

Cabinet Office

HMRC will upload a file containing the output identified as dataset 2 to SDES and make Cabinet Office aware where the data is available. Cabinet Office, acting under DBT’s authority, will access SDES and move the file into a Cabinet Office-only permissioned container within the Cloud Based Analytics Service (CBAS). Ownership of CBAS transferred from BEIS to the Department for Energy Security and Net Zero (DESNZ) under the Transfer of Functions order. DESNZ hosts data in CBAS on behalf of DBT for the purposes of delivering the Programme. DBT has confirmed that, with the exception of CBAS administrators, DESNZ staff do not have access to the containers that will be used to store data under this agreement.

Cabinet Office, acting under DBT’s authority as its data processor, will analyse dataset 2 and other data sources provided to it by DBT to support the programme under an existing memorandum of understanding dated 7 January 2022 to prepare risk flags to support DBT’s fraud investigations and recovery efforts. Cabinet Office will share the risk flags with DBT.  

All data analysis will be performed within the permissioned container. Only the risk flags generated though this analysis will be subject to onward disclosure to parties beyond the participants to this agreement, as set out below.

Cabinet Office will, within 3 months of the date the risk flags are delivered to DBT, either destroy any database records that were not successfully matched to sole traders for the purpose of preparing dataset 1 or write to the DEA board to set out the reasons why it believes they should be retained for the remainder of the 24 month period for the pilot.

Cabinet Office will destroy dataset 1, dataset 2, the risk flags and their own files used to prepare the risk flags at the conclusion of the 24 month period for the pilot.

DBT

Data will be retained by Cabinet Office and will be provided to DBT’s investigators using a secure file transfer platform (Egress) under the instruction of DBT when requested for investigation.

Data used by DBT’s investigators will be held in CBAS. The data will be accessible only to DBT staff and contractors involved in the BBLS Fraud Analytics Programme.    

DBT’s investigators seconded from NATIS will also store data in NATIS’s case management system.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

DBT is currently reviewing whether to introduce a new case management system for the purpose of holding this data and triaging it for the benefit of DBT’s investigators. If this is introduced then DBT will consult with HMRC on the data storage and retention arrangements for it prior to it holding HMRC data.

1.13 Onward disclosure

Subject to approval of this agreement by the relevant minister, personal information will be disclosed by HMRC under this agreement to Cabinet Office (acting under DBT’s authority as its data processor) under section 56 DEA 2017. By virtue of section 59 DEA 2017 however, any onward disclosure of that personal information to bodies or persons that are not a party to this agreement is prohibited without HMRC’s consent. Any person who contravenes this requirement, by disclosing personal information received under this agreement without HMRC’s consent (as set out in this section), will be committing an offence. 

HMRC’s policy is to only give its consent to onward disclosure of its information where a legal power exists for HMRC to disclose directly to any proposed recipient.

Cabinet Office will also need to disclose relevant personal information with DBT’s investigators for the purposes of investigation and prosecution of BBL related fraud. Under paragraph 6 of schedule 8 DEA 2017, the Secretary of State for DBT is a ‘specified person’ and so a legal power for HMRC to disclose directly to DBT exists. Subject to the approval of a disclosure by the appropriate DEA review board, HMRC therefore gives its consent for onward disclosure of HMRC information to DBT by Cabinet Office for the purposes of investigating and preventing fraud under section 56 DEA 2017.

For the avoidance of doubt, HMRC does not consent for any personal information received by DBT, as a result of this agreement, to be further disclosed by them, except as set out above.

1.14 Certificate of Assurance (CoRA)

In accordance with the review and assurance agreed, a Certificate of Review and Assurance (CoRA) must be completed by Cabinet Office annually, for the duration of the pilot, which is expected to be completed by the end of November 2025. That assurance should also extend to any HMRC data that has been shared by Cabinet Office with DBT (including DBT’s investigators).

1.15 Costs

HMRC will be recharging Cabinet Office for the time taken to provide the data.

Cabinet Office has confirmed that they have funds available for costs incurred by HMRC for this data share.

1.16 Disputes

• HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

• Cabinet Office and DBT

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.17 Signatures

This content has been withheld because of exemptions in the Freedom of Information Act 2000.