Transparency data

Data usage agreement: pilot to prevent and detect fraud for DWP

Published 22 July 2025

This Data Usage Agreement (DUA) for Department for Work and Pensions (DWP) and HMRC sharing of data for fraud detection was approved and put in place in 2023.

1. Conditions of disclosure of information by HMRC

HMRC disclose this information to the Department for Work and Pensions (DWP) by virtue of the legal basis of Section 56 of the Digital Economy Act (DEA) - Disclosure for the purpose of “taking of action in connection with fraud against a public authority” on the condition that HMRC is permitted to undertake to:

  • complete a Data Protection Impact Assessment (DPIA)

  • adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval

  • adhere to this DUA

A DPIA has been completed by DWP. A DPIA has been completed by HMRC to go alongside this DUA.

1.1 Purpose

This is a pilot project building on the 2019 Transaction Protection discovery. The discovery identified the potential to reduce cross-government fraud and data theft by enabling the sharing of access to and data resulting from the use of ‘attribute validation’ and ‘risk scoring’ services.

Transaction analysis (TrX) is a capability that has many potential applications. The financial sector has invested significantly in TrX to counter fraud and other financial crime. Large UK government departments like HMRC, Department for Education (DfE), DWP, Driving Vehicle License Agency (DVLA), National Health Service (NHS) and Ministry of Justice (MOJ) are investigating and applying TrX to their online services to:

  •  more effectively detect and prevent fraud and other crime

  •  encourage digital adoption of services

  •  deliver a better, more consistent end user experience

  •  build confidence that the user is who they say they are

  •  build confidence that the user is who we think they are

  •  gain economy of scale through third party relationships

The DWP have agreed to take part in a proof of concept in order to determine whether the sharing of data and insights leads to an improved ability to detect and prevent fraud.

1.2 Data Specification

Validation Services such as Bank Account Reputation allow the calling service to check the validity of a sort code, whether the account number maps back to it, whether the name provided matches the name on the account, and the types of transactions accepted by the account. This is done via a Confirmation of Payee (CoP) service from a third party provider, SurePay, on behalf of NatWest, and via another third party provider, Vocalink, who provide the Extended Industry Sort Code Directory (EISCD).

Risking Services such as a risking Application Programming Interface (API) will generate a risk score for an attribute bank account based on the associated data that we hold. We will then provide the score alongside an explanation of how it was generated without revealing the actual data used.

Outcome (API) will be for users of the risking (API) to provide the outcome of any investigations where a risk score was provided, as well as providing an explanation of how they reached that outcome. This should help us to establish how they are investigating fraud, whether there are hints and tips we can gain, understand alternative methods of investigation and understand the weight carried by our risk score.

1.3 Data Security

The DWP will undertake to:

  • move, process and destroy data securely, in line with the principles set out in HM Government Security Policy Framework issued by the DWP when handling, transferring, storing, accessing or destroying information

  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need linked to purpose to access, handle, transfer, use or see the information will have access to it

  • not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 48 of the Digital Economy Act

  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information as soon as possible and always within 48 hours of discovery of the incident

  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the Government Security Classifications

1.4 Freedom of Information

If a Freedom of Information (FOI) request relating to this information is made to the DWP, their (FOI) team will engage with HMRC’s (FOI) team regarding the potential impact of disclosure.

 

This content has been withheld because of exemptions in the Freedom of Information Act 2000. 

1.5 Costs

HMRC will cover its own costs in relation to supporting the integration with its (API) and the DWP will cover its own costs.

There are no third party costs involved in the use of the Risking (API) and the Outcomes (API); no further costs will be incurred on a per request basis.

The Bank Account Verification (API) calls out to a third party service in order to validate the account details, and therefore there is a per request charge incurred of 6 pence per transaction.

HMRC will pass through the third-party Bank Account Reputation Service (BARS) transaction charges of 6 pence per transaction to the DWP and the DWP have agreed to reimburse these charges.

Based on expected volumes of 45,000 checks per year, transaction costs for the pilot will be £1,350. More checks may be conducted as required.

1.6 Disputes 

 

This content has been withheld because of exemptions in the Freedom of Information Act 2000. 

1.7 Signatures 

 

This content has been withheld because of exemptions in the Freedom of Information Act 2000.