Acting Deputy Commissioner John Ford
Keynote address at the Financial Crime Summit, 31 May 2023
(Check against delivery)
Thank you chair.
And thank you for having me here today.
I would like to acknowledge the Gadigal people of the Eora Nation, the traditional custodians of this land and pay my respects to the Elders both past and present.
Today’s summit brings together the community of Government and private enterprise organisations who each play a role in addressing financial crime.
For each of us we are also addressing financial crime at a time when most if not all transactions in both regulatory agencies and financial services are provided online to meet client expectations.
Of course, this move to a digital economy is something we should all support, champion and as the recipients of services ourselves, expect.
However, in my role as chief of Australia’s Serious Financial Crime Taskforce, the ATO Fraud Risk owner and through my engagement with my international counterparts there is increasing concern that the benefits of increased digitalisation are also offering opportunities to fraudsters to attack the same services at scale.
In effect the question many of us face is ‘have we got the balance between client service and system integrity right’.
I hope you agree though that these two poles cannot and should not be mutually exclusive, they are both important.
In fact, they are both very much grounded in how organisations like the ATO access and use data and partner with others in its use.
The partnering with others to use data is an important point for us to consider in regard to how we respond to fraud. This is because partnering means that to support a seamless client experience, we must, at times, connect our systems with trusted access rights.
At other times the systems might not be connected directly, but data is shared and then relied on to support the client’s experience as well as prevent fraud.
The seams between system connection and data sharing can be a point of vulnerability which is not always obvious when viewed through an organisational lens.
However, I am confident that the Fraudsters are well aware of the opportunities that they present.
Australia Digital Services
Australia's first Data Strategy sets a vision for Australia to become a modern data-driven society by 2030.
The strategy aims to maximize data's value, protect it to build trust, and enable its use.
It reflects the need to maintain public trust in how data is used in decision-making and how privacy is protected.
The strategy focuses on three key themes: maximizing the value of data, protecting data to build trust, and enabling the use of data.
The strategy will support the public service to respond to changes and enhance effective, safe, and secure data use.
The increased digitalisation across government brings many opportunities that are exciting, but also bring significant challenges.
The ATO aims to be fully digitalised by 2030. Tax 3.0 is the ATO’s “North Star” - where reporting, payment and real-time compliance checks coincide with the taxable event. The closer we get to real-time, event-based reporting and payment, the more certainty and less burden there is for everyone.
The ATO currently holds about 50 petabytes of actively used data and processes about 20 billion transactions each year.
On any given day our systems block an average of approximately 89,000 malicious connections – this is even higher during our peak individual’s lodgment period ‘tax time’.
However, as I alluded to at the outset of this speech, we are experiencing that with increased digitalisation of our service offerings comes increased fraud risks.
These increased risks do not always relate directly to ATO system integrity. In fact, we share fraud risks with other organisations.
The Australian Information Commissioner revealed in March this year, there were three large-scale data breaches in the second half of last year, which affected between 1 million and 10 million Australians.
In total, there were 497 data breaches in that time period, mostly in the health and finance sectors.
Almost three-quarters of those breaches are being blamed on criminal attacks.
A key challenge for the ATO is setting the guardrails for a modern data economy and ensuring we have protections for robust and modern cyber security settings at the same time as giving our clients better visibility and control of their data.
The recent Optus, Medibank and Latitude Finance data breaches have really brought home how vulnerable many businesses and organisations are to attack and the need to evolve our controls as threats arise.
Challenges
In fact, one of the biggest challenges we face as an organisation is hardening our systems and controls against what we think of as traditional ‘cyber security’ but also increasingly cyber enabled fraud.
Importantly though what we are seeing in relation to cyber enabled fraud is that it is not solely the domain of identity crime.
Whilst identity crime is an important risk that the ATO is paying great attention to, what we are also seeing are fraud attacks which have the hallmarks of identity crime but are in fact not.
Rather these are what we refer to as first person fraud, or frauds being committed by the actual person who owns the digital identity used in the attack.
As you will see as I share further insights with you, these first-person fraud attacks on the revenue system are proving to be significant, prolonged and agile at scale.
Some are DIY, often inspired by social media, but many are frauds perpetrated by individuals actively sharing their digital identities with fraudsters, on a spectrum merging into second-person fraud.
Or where the digital identity is not directly shared the owner of the identity is being supported by the promoters of fraud to use their digital identity keys to the system to undertake fraud in their own name.
It is worth stating that whilst these attacks are not traditional third person identity crime, they do share characteristics in common.
Firstly, the success of the fraud is directly linked to the strength of authentication processes – that is the strength and trust we place on the keys and the people using the keys, to our front door.
Secondly the attacks can scale up very quickly and respond agilely as we strengthen controls.
Thirdly they seek to hide in the volume of transactions we process and are skilled at having the same characteristics (or what I think of as signals) as legitimate claims, making them difficult to differentiate.
Lastly, in the same way as you can buy ‘kits’ off the dark web and there are many actors who offer ‘support packages for identity crime’, there is growing evidence this same type of support exists for people willing to run the risk of committing fraud in their own name.
We first saw an indication of a changed taxation fraud paradigm, shortly after people returned to a more normal lifestyle after the Covid pandemic.
In what has become known as Operation Protego, individuals invented fake businesses in order to claim GST refunds they weren’t entitled to.
Simply put, if you don’t operate a business, you don’t need an ABN and you shouldn’t lodge a BAS. This is fraud.
Operation Protego has now become the biggest tax revenue fraud against the community in the history of the ATO.
In particular, the ATO has taken compliance action on around 53,000 clients, stopping around $2.5 billion in fraudulent GST refunds from being paid to individuals seeking to exploit the tax system.
In addition to the fraud we stopped before a refund issued, we have raised over $1 billion in liabilities. This relates to fraudulent GST refunds that were paid to clients, most (over 80%) of which were issued before 12 April 2022.
As I have previously stated, only a relatively small number of these attacks were traditional identity crime.
A significant proportion of the fraud the ATO is experiencing is being driven by the open promotion of fraud on social media platforms.
These social media influencers, I prefer fraud promoters, actively glamourise their lifestyles and the luxury assets they buy from theft from the community.
What they are actually influencing though is exactly that, theft from health, education and defence and the broader community.
Unfortunately, though for the thousands of people who engage in these posts this is not obvious to them.
There is some engagement with these posts where civil minded members of the community voice their view that the behaviour is fraudulent.
However, their influence on this on-line community is not as pervasive as those promoting the fraud.
Of course, we are not standing by and idly watching these frauds.
We have mobilised our resources and those of our partner agencies to directly address the behaviour.
As I stated before we have taken compliance action against the 53,000 clients we have identified as being involved in this activity.
For those who committed these frauds, recovery is underway through a range of debt recovery strategies that will continue well into 2023.
In addition, the Serious Financial Crime Taskforce and state law enforcement partner agencies are pursuing a significant number of criminal investigations.
In this regard we are increasingly targeting these specialist teams at identifying and taking action against the individuals promoting the fraud on social media.
As many of you will appreciate, the identification of the individual behind the social media post is not always a straightforward activity.
Responses
However, this is where the combined powers of all the Serious Financial Crime Taskforce agencies come to the fore.
Despite the success of these efforts in addressing the GST fraud, we are continuing to see not insignificant groups of individuals not only continue to attack the GST system, but also morph their behaviour into income tax and other revenue products we administer.
This type of first-person fraud is a particularly vexing problem for a self-assessment taxation system.
We know that we can’t simply haul up the drawbridge and protect our castle, especially as we move into an integrated tax ecosystem.
We want legitimate clients and their advisers to be able to continue to interact with us digitally, and with relative ease.
However, we need to balance the ease of the service offering with the need to protect the integrity of the revenue system.
As such, we recognise that this is not a risk that can be addressed solely through the mobilisation of physical resources.
System-level prevention initiatives
We are focusing heavily on our system-level prevention initiatives and the growth in their sophistication. Using the data we have available, we continually monitor and adjust our systems to ensure that we can respond when fraudsters pivot.
I am sure you will appreciate that it is not appropriate for me to make public where we are focusing our control improvement efforts and innovation.
However, you can be assured we have a specific focus on how we can continually strengthen secure, digital-first interactions with taxpayers and third parties (such as tax agent systems or superannuation funds).
Dedicated team
In fact, we have recently established a dedicated team of approximately 500 people in a new specialised Fraud and Criminal Behaviours Unit. This investment is in addition to the SFCT and state law enforcement efforts, and our own internal response to the actual fraud matters.
Whilst this new business line will strengthen the ATO’s ability to continually identify fraud vulnerabilities and determine if our countermeasures effectively work, a significant focus of the group will be public private partnerships.
This focus is a deliberate recognition of learnings from our response to Operation Protego.
Shared risks
I made reference to the interconnectivity of our systems and data and how this can expose us to a shared fraud risk.
In this context the ATO administers the taxation system in an ecosystem which includes tax professionals, accountants, lawyers, digital service providers, the banking and finance industry and the superannuation industry amongst others.
We hold a view that a sole focus on our internal systems will, as they are strengthened against fraud, see the attack vector displace to our trusted partners’ systems.
Recognising that many of these partners are critical to the overall client experience individuals receive when interacting with the ATO, this potential for displacement is of great concern to us.
Importantly though we see the potential of industry partnerships for the ATO to harness the knowledge of industry, government and international partners, whilst also informing our partners’ response to fraud.
In this regard I thought it might be useful for me to mention three of the many steps we are currently taking to partner purposefully.
We are increasing our focus and support for the FINTEL Alliance Tax Crime and Evasion working group.
For those that are not aware the Fintel Alliance is an AUSTRAC led public-private partnership comprised of 29 Australian government and private sector organisations.
It is focused on the fight against money laundering, terrorism financing, and other serious crime including tax crime and evasion.
Within the bounds of secrecy legislation we intend to increasingly share with this group the tax fraud typologies and system level indicators of fraud we are seeing and responding to.
Secondly, recognising that a proportion of the fraud attacks we experience are instigated from outside Australia we are establishing a public private partnership with our J5 partners.
The Joint Chiefs of Tax Enforcement, the J5, of which I am Australia’s chief, is an existing partnership between the revenue agencies in the UK, USA, Canada and the Netherlands.
Under the sponsorship of the J5 countries we have commenced a Global Financial Institutions Summit.
This partnership will see J5 Chiefs work with groups such as the Wolfsburg Banks, Banking Associations and the Royal United Services Institute (RUSI) to collaborate on important issues such as intelligence sharing and influencing best practices aimed at addressing financial crime.
Finally, we have commenced through our National Taxation Liaison Group and our Tax Practitioner Steering Group open discussion on the fraud environment.
Already I am starting to see the members of these groups, which include bookkeepers, accountants and lawyers, come forward with ideas and focus points which we can work on collaboratively to address fraud as a shared risk.
These partnerships are only a few of the initiatives we are pursuing.
Conclusion
This is why I thought it was so important to come and speak with you today.
What often we think about as a risk for my organisation, is in fact often a shared risk with others outside the organisation.
Shared because inevitably at some level the connections between the systems we run or the data we share means that fraud enablers and vulnerabilities which impact on organisational fraud in part lie outside of our organisational infrastructure.
Increasingly I think this means that we must move our thinking to where could we contribute as a member of a digitally enabled community to not only protect our bits of a system, but also to gain benefits for each other’s organisations by partnering with others to protect theirs.
Of course, in identifying these opportunities it is important to recognise that we all have constraints which impact on our ability to partner.
Be those financial, legislative, commercial confidentiality or others.
I hope what you have heard today is a willingness from the ATO to start the journey with you.
I would like to thank you for giving me the opportunity to talk with you today and I look forward to partnering with many of you to address the shared risk of financial crime in the future.