Inviting attendees to consider the risks within the probate industry, we were thrilled to welcome noted speaker Dave Knowles to our Roundtable earlier this month. With over 26 years of experience at Scotland Yard, Dave has a wealth of knowledge and practical understanding of cyber threats, having consulted to many different organisations on all forms of fraud.
Dave commenced the debate with something the panel had touched upon earlier in the day – online Wills.
From a risk point of view, he asked: ‘What due diligence would you do to ensure that a person making a change to an online Will is who they say they are?’
Seb Shakh from WillSuite offered his idea for protection of wills documentation kept online, stating: ‘While passwords can become known by other entities, a fairly effective method of verifying the authenticity of the access request is to carry out two-step authentication in order to ascertain if the person trying to access the will is the owner of said will and accompanying documentation.’
Clive Ponder TEP of Countrywide Tax & Trusts Ltd. did not think that the access of online Wills would pose too much of a problem, stating: ‘Lots of people make a Will and then when they want to change it, they simply go to a different provider and just make a new one. They do not necessarily go back to their original provider. Online Wills are easy access, so won’t someone just logon and do it all again. We find that we don’t often alter a Will and that a new Will is done to replace it, as opposed to altering the original.’
Elaine Roche from JMW solicitors observed that as the younger generation has become so used to using services online at their own pace, this could present additional challenges. She said: ‘You might find that someone may well start to draft their Will by logging in and complete it in part, but then decide to then go back to it at a later stage; how would it be ensured that they are the same person when they log back in?‘
Another point of possible contention related to the nature of online Wills and the lack of interaction; as the customer merely creates their Will by following the steps required, does this pose other questions in itself? Or is it up to the online providers to be responsible for the due diligence?
Beverley Freestone, Commercial Director for DPL Professional Services/Arken pointed out: ‘You may not have done any due diligence in any case as it is all online. It is not possible to eliminate risk with online services, but risk can be managed through proper checks etc. being applied through the online process. If the person doing the online Will is not who they say they are, more people would be involved in the fraud as the signature to the Will has to have two witnesses.’
Dave Knowles went on to have the panel consider the fact that all data is out there and accessible for the fraudster. An example he gave was a possible Barclays security question, stating that this could ask for your dog’s name as part of their authentication process. However, if you as an individual are posting on social media pictures of your dog and name it ‘Bingo – there is the gap in your armour. Individuals are leaking information all of the time in the age of digital.’
He went on to point out, however, that there are always opportunities for criminals, likening it to a constant game of chess; as the fraudsters make a move, the industry try to combat it, the criminals meanwhile are moving on, making their next move by targeting the weakest points in any industry.
The next question posed was about the need to adopt different approaches when dealing with different generations. He asked: ‘How do we make sure all demographics are covered, looked after and not alienate one or another?’
Clive Ponder commented; ‘Youngsters do not want a long and drawn out process. They want it to be quick, so they don’t have to waste too much time on it.’
Dave Knowles agreed, stating: ‘Generationally, people want things more quickly and more easily. Every professional service is now split between the people who want face to face contact, and the more tech savvy younger generation.
‘For example, those over the age of 39 are more at risk of a vhishing attack then a younger person. The likelihood of a person under 39 getting a call to deceive them is much lower than that of someone over this age.
‘The question is now, how do you verify the document is real? More enhanced due diligence is happening within the larger companies. My consultancy looks to probe for weak areas, the areas most vulnerable to being targeted by fraudsters.‘
The impact that further due diligence, as well as the work that comes with it, was considered by Clive Ponder, who said: ‘Our older clients really do not like the due diligence; often they do not understand it and find it really quite upsetting.’
Biometric Tagging – the face of the future?
Dave Knowles then went on to highlight just how close we are to a near fully automated and digital future when it comes to combatting fraud.
He said: ‘I think that the Wills industry could consider the retina scan or facial recognition systems. We know that HM Land Registry has commenced its upgrade to a fully digitalised service and a potential solution could be to place some form of biometric tag on a property they already own, thereby eliminating seller fraud if the conveyancer was mandated to compare the digitally held land registry identity with that of the seller. There is no reason why this, or something similar, could not be used for Wills to confirm a person’s identity. As this could be used and referred to all the time, the need for all the paperwork would be negated, satisfying each end of the spectrum of clients. As well as being quick for the young, it would also minimise confusion for the more elderly client.’
One of the sponsors for the day, DPL Professional Services, also shared their views on the prospect of a centralising system. The owners of Arken, a technological Will writing product, had their MD Dave Newick in attendance, who stated: ‘I think we will need to be considering where the Will is kept. For example, if there was a central repository, this would then provide a clear trail which could be audited, as well as ensuring that the proper channels and processes are adhered to.’
Is Blockchain the answer to a secure future?
Knowledgeable in this particular area was Seb Shakh, who was able to shed some light on this new area of opportunity for businesses. He stated: “While I’m no expert in this field, it is something I am interested in, I believe the nature of blockchain lends itself to the will writing industry in multiple forms, though as of yet I’m still to see anyone successfully tackle the implementation. With the blockchain being in simple terms a “public revision-controlled database” would make it a perfect candidate for a will register, which I’d see working storing and distributing the hashed contents (to keep it private) of a will, allowing verification of the will, and whether it is the most recent.”
Next, the debate moved on the consider where responsibility lies when it comes to hashing the document.
In response, Seb stated: ‘This would be done at the time of registration, if a system existed it would be automated at this point. The blockchain can also be decentralised, meaning that no single entity owns or has control over it. Instead, each person who is part of the blockchain would have a copy of the whole database which is used to cross-reference each other to ensure there has been no tampering.’
Generally, the panel felt that this all sounded positive for the future, with Dave Knowles commenting;
‘Conceptually the opportunity is there, but the question is how something is built to utilise it; how do we make it work for the industry in a way which is effective?’
Elaine Roche offered an important point about how fast technology is moving all of the time, stating: ‘I used to have everything on a floppy disc. Even though this is what we used less than 20 years ago, there is now nothing I could use to access the data on that disc. Whilst the blockchain technology is not yet where it needs to be, it soon could be; as everything moves so fast, will the technology still be able to be used in the future? And, if not, would this lead to even greater problems?’
Dave agreed, and acknowledged that the speed at which at which technology was advancing was certainly a factor which needed to be taken into consideration.
Crypto currency:
This was another key point of discussion, along with considering what happens to online accounts after death.
Whilst including passwords in the physical Will may be the obvious answer, concerns were raised over security – wouldn’t anyone who was able to view the Will then be able to have access to these protected accounts? This would be a particular concern for individuals who had a large amount of cryptocurrency stored in an e-wallet online.
Whilst she claimed that it may be a very old fashioned approach, Elaine suggested: ‘Put it in a vault in a bank?’
Emma Louise -Green of Meridian agreed, stating: ‘Maybe the solution to a modern problem is an old fashioned one of a physical storage of a document with no electronic footprint.’
The benefits of this over digital storage were also highlighted amongst attendees, who suggested that this would make it much easier to identify a fraudster, as being anonymous when committing a crime physically is much harder.
Clive also expressed a preference for physical documentation, stating: ‘Now, none of us send account details by email – we have gone back to paper!’
However, Dave Newick drew attention to the generational divide, stating: ‘The younger generation hate anything to do with paper, but more and more of the wealth will be passed to them. It’s important that we establish how can we help them manage and protect their assets in a way which suits them, whilst balancing prevention of risk.’
Seb pointed out that while in many cases it is true that ‘Cryptocurrency is essentially burnt if the private key is ever lost, with some popular services used by most people dabbling in cryptocurrency -such as CoinBase – actually have the ability to provide access to the wallet for executors after jumping through a few hoops, so if dealing with this make sure you get some sound advice from both the legal and technical sides, and don’t just listen to the guy from the pub.’
Mitigating risk
In order to reduce the risk of fraud or an information breach, Dave Knowles went on to highlight the need to monitor all aspects of a business, particularly those who you may least expect.
He drew attention to cleaners for example. As they may usually work when there is no one in the office, they will be unsupervised, yet in most cases, will have access to all areas. Posing a particular risk are printer/scanner/copying machines that tend to have a hard drive, as these will retain images of any documents used by the machines. He highlighted the need to bear this in mind, reminding attendees to clear any sensitive material in its physical form e.g. a usb stick, as well as properly shutting down any computers and accompanying and monitoring visitors to a site.
Legal Eye’s Paul Saunders brought in GDPR, highlighting that adhering to the new regulation will shake up the way businesses currently think about the way they use personal data. He said: ‘All of this is linked together; after all, it is there to make us all stronger and more protected. Looking after our clients is a priority, so it makes sense that we just need to be sensible about what we do with their data. If your organisation is still on their journey to GDPR compliance you should continue with your efforts to be ready before the law takes full effect on 25 May. But remember that this date is the start and not the end of GDPR compliance. Organisations need to sustain their compliance processes over time – this is the best way to take people with you on your business journey.
