Revealed – The Agreements for HMRC, the British Business Bank, Cabinet Office, Department of Trade and Price Waterhouse Coopers to Share Data to Detect Bounce Back Loan Fraud and Uncover Evidence of the Over-Egging of Turnover to Get a BBL

These are the agreements that were put in place when the Government agreed to share data to allow them to put in place, amongst other things, a “Turnover Pilot” relating to Bounce Back Loans, which led to them discovering that 35% of the 10,000 BBL applicants chosen at random for sampling appeared, on the basis of the data shared, to have over-egged their turnover to blag a Bounce Back Loan.

I did cover this topic quite some time ago (https://mrbounceback.com/since-june-2021-the-government-has-been-checking-business-turnover-figures-from-hmrc-data/), but it is good to see the actual agreements at last.

Let's just say, if you over-egged your turnover, they probably now know you did.

This is the outcome of that pilot scheme by the way…

Here are the agreements on data sharing

Data Usage Agreement – Bounce Back Loan Turnover Pilot

  1. Conditions of disclosure of information by HMRC

HMRC disclose this information to the Cabinet Office and the Department for Business, Energy and Industrial Strategy (BEIS) by virtue of the legal basis of section 56 of the Digital Economy Act Disclosure (DEA) for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that Cabinet Office and BEIS undertake the following:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement

A joint DPIA has been completed by BEIS, Cabinet Office and HMRC to go alongside this Data Usage Agreement.

1.1 Purpose

This information sharing arrangement is to provide an indicative level of fraud within the BBL (Bounce Back Loan) Scheme, by comparing a sample of existing BBL applications (specifically the turnover amount stated in each – as provided by BBL applicants to lenders whereupon they make a loan application and/or top-up request) with HMRC limited company turnover data.

1.2 Data specification

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

BBL application data for a sample (up to 10,000) of Limited Companies and Sole Traders which have applied for BBL:

  • facility reference
  • purpose of loan
  • loan amount
  • facility type
  • loan term
  • business name
  • lender code
  • lender name
  • loan state
  • annual turnover
  • Standard Industrial Classification (SIC) code
  • postcode
  • guarantee percentage
  • created date
  • scheme facility letter date
  • initial draw date
  • repaid date
  • maturity date
  • lender demand date
  • demand to Debt To Income (DTI) date
  • cumulative amount drawn
  • SIC group
  • region
  • region order
  • constituency
  • district
  • Local Economic Partnership (LEP) 1
  • LEP2
  • Nomenclature of Territorial Units for Statistics (NUTS) 2 code
  • NUTS2
  • NUTS3 code
  • NUTS3
  • region NUTS1 code
  • region NUTS1
  • trading date
  • scheme
  • legal form
  • company registration
  • trading name
  • Enterprise Finance Guarantee (EFG) interest rate
  • loan purpose
  • lender type
  • fees

This dataset may contain personal information, for example in the business trading name fields.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Cabinet Office will make a subset of the data available in the secure file transfer platform Egress. The subset of the data will only relate to Limited companies and contain only the following fields:

  • Company Registration Number (CRN)
  • company name
  • company postcode

The reduced number of fields is restricted only to what HMRC requires to carry out the data matching exercise and limits unnecessary data sharing. Cabinet Office will inform HMRC that the dataset is available in Egress. HMRC will access Egress to extract the file onto their system and perform matching. The returned file will be uploaded to Egress with the following data points for each Limited company BBL applicant, where available:

  • no match
  • match and the following data:
    • CRN or company name and postcode
    • last annual turnover data recorded by HMRC
    • accounting period (for example, 2018 to 2019)

1.3 Data security

BEIS, HMRC and Cabinet Office will undertake to:

  • move, process and destroy data securely; ie in line with the principles set out in HM government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
  • HMRC will store all data supplied by BEIS/Cabinet Office, in a secure CAF with restricted access to members of RIS who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
  • not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSC), and in particular as set out in the Annex – Security Controls Framework to the GSC

1.4 How data will be shared

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.5 Data processor and data owner

HMRC and BEIS will act as data controllers and Cabinet Office will act as a data processor on behalf of BEIS and HMRC, using definitions as set out in the Data Protection Act 2018.

1.6 Freedom of Information (FOI) and Subject Access Requests (SARs)

All parties are subject to the requirements of the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where an FOI request is received by either party to this agreement, which relates to data that has been provided by other parties, the party receiving the request will notify the other relevant parties to allow them the opportunity to make representation on the potential impact of disclosure.

  • BEIS FOI team mailbox
  • HMRC FOI team mailbox
  • Cabinet Office FOI team mailbox

Additionally, individuals can request access to their data. The following are the email contacts for an individual to contact the relevant organisation:

  • BEIS enquiries
  • HMRC SAR
  • Cabinet Office

1.7 Costs

HMRC will recharge BEIS and Cabinet Office for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.

BEIS and Cabinet Office have confirmed that they have funds available for costs incurred by HMRC for this data share.

1.8 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

 

 

Data Usage Agreement: HMRC use of Bounce Back Loan data to detect fraud 2023

  1. Conditions of disclosure of information by HMRC

British Business Financial Services Limited (BBFSL), a subsidiary of the British Business Bank plc (BBB) is appointed under a deed of authority and a services agreement as agent to the Secretary of State for the Department of Business, Energy and Industrial Strategy (BEIS) in relation to the administration of the Future Fund Scheme and various loan guarantee schemes created in response to the COVID-19 pandemic including the Bounce Back Loan Scheme.

HMRC disclose this information to the BBFSL, by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that HMRC and BBFSL undertake the following:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement (DUA)

HMRC has completed a DPIA to go alongside this DUA. BBFSL has completed its own DPIA to consider the handling of HMRC information.

1.1 Purpose

The purpose of this data share pilot is to enable the sharing of information by HMRC to BBFSL, where HMRC has reasonable concerns of likely fraudulent activity by a number of entities and associates.

The aim of this pilot is to enable BBFSL to investigate potentially fraudulent activity within the Future Fund and the Bounce Back Loan Scheme and take appropriate action.

1.2 Data specification

The information shared by HMRC will include information about individuals, businesses, and their trading and financial affairs in bank statements, financial records, business records and communications. It follows that the information will contain personal data, including director names, business addresses and email addresses.

1.3 Lawful basis

Under section 18 (1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality meaning that HMRC officers may not disclose information HMRC holds for its functions. However, HMRC information may be disclosed where one of the statutory exceptions in section 18 (2) CRCA 2005 apply or where disclosure is permitted under any other enactment pursuant to section 18 (3) CRCA 2005.

Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either sections 18 (2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005. A person found guilty of an offence may receive an unlimited fine, imprisonment of up to 2 years, or both.

In this particular case, disclosure is permitted by virtue of part 5, chapter 4 of the Digital Economy Act (DEA) 2017 and in particular section 56. This permits disclosure between specified persons for the purposes of taking action in connection with fraud against a public authority.

Specified persons for the purposes of section 56 powers are set out in schedule 8 of the DEA 2017 and include HMRC at paragraph 14, and also include a person providing services to a specified person under paragraph 41. In this case, BBB is a wholly government owned bank with oversight and direction provided by the Secretary of State for BEIS. Its subsidiary, BBFSL, is appointed as agent by BEIS to administer both the Bounce Back Loan Scheme and Future Fund Scheme on its behalf. BEIS is a specified person by virtue of paragraph 6 of schedule 8 DEA 2017.

1.4 Data security

BBFSL will undertake in relation to the information provided to BBFSL hereunder to:

  • move, process and destroy data securely i.e. in line with the principles set out in HM Government, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
  • store the data in a secure folder in a shared drive with restricted access to members of the team who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
  • not onwardly disclose HMRC information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
  • restrict access to the information by applying additional access restrictions to the designated storage point
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to the information provided to BBFSL hereunder
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSC), and in particular as set out in the Annex – Security Controls Framework to the GSC

1.5 Security incidents

In the event that BBFSL becomes aware of a suspected or actual incident affecting the confidentiality, integrity and availability of the HMRC information in its possession or control, BBFSL will report the incident through its incident procedure.

1.6 How data will be shared

HMRC will share the data using secure means, via the Secure Data Exchange Service (SDES).

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The path of data transfer is described below:

  • HMRC compiles a data file containing documentation and communications relating to specific business and individuals
  • HMRC uploads this file to SDES, a secure transfer system for BBFSL to access
  • This is a one-off data share.
  • BBFSL will save the documents to a designated folder that will have additional access controls to restrict access to designated individuals from BBB and PriceWaterhouseCoopers (PwC). PwC is contracted as a data processor, to administer the Future Fund and Bounce Back Loan Scheme under BBFSL’s instruction.
  • Information will, where appropriate, be shared with BBFSL’s external legal advisers who are advising BBFSL on the investigation.

1.7 Data retention

HMRC data that has been shared as part of the pilot will be retained in accordance with BBB’s data retention policy or as specified in the Code of Practice. Shared data will be kept separate and recognisable to enable deletion at the end of the pilot.

If the HMRC information supports any fraud concerns, BBFSL will discuss with HMRC what data needs to be retained, for how long, and regularity of review periods to confirm if data is still required to be retained. BBFSL will delete the information 6 months after the last action and confirm its deletion in writing to HMRC.

If HMRC information does not help identify fraud concerns, BBFSL will delete the information within 6 months and confirm in writing to HMRC that this has taken place.

1.8 Data Usage Agreement review

This Data Usage Agreement is anticipated to last for 6 months, where it will be reviewed to determine if the pilot needs to continue for a further period of time.

1.9 Data controllers and data processors

HMRC and BBFSL act as separate data controllers. HMRC will be data controller whilst the data is on its estate. BBFSL will be data controller once the data is received on its estate. PwC are a data processor acting on the instructions of BBFSL.

1.10 Freedom of Information (FOI) and Subject Access Requests (SAR)

HMRC and BBB/BBFSL are subject to the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where an FOI request is received by a party to this agreement, which relates to data that has been provided under this agreement, the party receiving the request will notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

  • BBB FOI mailbox

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data subjects are entitled to exercise their data subject rights when their personal data is processed. Where either party receives a data subject request, the party receiving the request will, where appropriate to do so, notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

1.11 Costs

If appropriate, HMRC will recharge BBFSL for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.

1.12 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

 

Data Usage Agreement: Bounce Back Loan fraud analytics pilot between BEIS, the Cabinet Office and HMRC

  1. Conditions of disclosure of information by HMRC

HMRC disclose this information to the Cabinet Office, the Department for Business, Energy and Industrial Strategy (BEIS), British Business Financial Services Limited (BBB) and accredited lenders by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) Disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that Cabinet Office and BEIS undertake the following:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA code of practice and complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement (DUA)

A joint DPIA has been completed by BEIS, Cabinet Office and HMRC to go alongside this DUA.

1.1 Purpose

The purpose of the Bounce Back Loan (BBL) fraud analytics programme is to prevent and detect suspected fraud committed within the BBL scheme.

  • Cabinet Office and HMRC intend to complete a pilot that will match BBL data relating to ‘limited liability’ companies against data sets held by HMRC to detect suspected fraud in the BBL. This part of the programme aims to identify BBLs that are linked to companies that have:
    • claimed for workers under the Coronavirus Job Retention Scheme (CJRS)
    • are operating as Mini Umbrella Companies (MUCs)
  • The wider programme scope includes the use of public, private, government and law enforcement data sets. But these will not be linked with data disclosed by HMRC.
  • Information disclosed to BEIS by HMRC may be used by BEIS investigators (including officers seconded to BEIS from the National Investigation Service (NATIS) acting as BEIS’ agents) for the purposes of investigation and prosecution of BBL-related fraud.
  • Cabinet Office (acting as data processor for BEIS) will use outputs disclosed by HMRC from the pilot to formulate a risk flag for onward sharing with BBB and accredited lenders. The risk flag will not indicate that it is based on any HMRC data or source material or that it originates from a MUC referral. Furthermore it will not infer or imply that a BBL borrower is a MUC.

1.2 Data Specification

BEIS will provide Cabinet Office with the following data via upload to a container in Cloud Based Analytics Service (CBAS), accessible only by BEIS and Cabinet Office:

  • successful BBL application data for all borrowers on secured loans, including limited liability companies and sole traders
  • facility reference; purpose of loan; loan amount; facility type; loan term; business name; lender code; lender name; loan state; annual turnover; standard industry classification code; postcode; guarantee percentage; created date; scheme facility letter date; initial draw date; repaid date; maturity date; lender demand date; demand to direct trader input date; cumulative amount drawn; standard industry classification group; region; region order; constituency; district; LEP1; LEP2; NUTS2 code; NUTS2; NUTS3 code; NUTS3; region NUTS1 code; region NUTS1; trading date; scheme; legal form; company registration; trading name; EFG interest rate; loan purpose; lender type; fees
  • this dataset may contain personal information, for example in the business or trading name fields
  • for more information on these fields, please see the attached web portal data fields justification document
  • Cabinet Office will enrich this with publicly available data from Companies House, namely:
    • date of creation
    • SPA (Specified Public Authority) personal data from Companies House (residential addresses and dates of birth) (this is covered by a separate legal gateway)
  • Cabinet Office will make a subset of the data available in the secure file transfer platform Egress. The subset of the data will only relate to limited liability companies and contain only the following fields:
    • facility reference, loan amount, business name, company registration, annual turnover, and initial draw date
  • The reduced number of fields is restricted only to what HMRC require to carry out the data matching exercises and limits unnecessary data sharing. The Cabinet Office will inform HMRC that the dataset is available in Egress. HMRC will access Egress to extract the file onto their system and perform matching. The returned file will be uploaded to Egress with the following data points for each limited liability company successful BBL applicant, where available:
    • MUC flag, HMRC will add a flag where they think a limited company may be a MUC but this does not mean
      • that it definitely is a MUC as this may include false positives
      • that the list is complete – there may be many more that HMRC has not managed to trace yet
    • the MUC flag would not directly indicate that the MUC would not be entitled to apply for a BBL and so this flag cannot be used in isolation to make a fraud determination
    • at this time, HMRC are unable to provide a risk classification and context around MUC flags
    • job retention scheme application flag, risk classification and risk classification context
  • Cabinet Office will extract the data from Egress, then analyse the data in a Cabinet Office-only container alongside various other datasets (supplied via additional MOUs) and provide BEIS with information on BBL applications that are flagged as a result of Cabinet Office analysis as higher risk. This data will be shared within CBAS containers (accessible via BEIS and CO only).
  • Outputs from the pilot will be used by Cabinet Office (as data processor on behalf of BEIS) to formulate a risk flag to share with BBB and accredited lenders for the purposes of investigation of BBL related fraud, which includes facilitating a determination of whether any such investigation should be initiated. The risk flag will not attribute HMRC as a source and will not infer or imply that the flag is based on a MUC referral or that a BBL borrower is a MUC.
  • Data will be shared with BEIS, which may include BEIS investigators (including seconded NATIS officers) for the purposes of investigation of BBL related fraud, which includes facilitating a determination of whether any such investigation should be initiated.

1.3 Data security

BEIS, BBB, HMRC and CO will undertake to:

  • move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
  • HMRC will store all data supplied by the BEIS, in a secure CAF with restricted access to members of RIS who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
  • not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in S56 of the Digital Economy Act
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC

1.4 How data will be shared

The path of data transfer is described below:

  • BEIS compiles a data file containing successful BBL applications for which a guarantee has been made.
  • BEIS uploads this file to a container within the Cloud Based Analytics Service (CBAS) accessible by both Cabinet Office and BEIS. This will be done on a weekly basis.
  • Cabinet Office will enrich this file with publicly available information from Companies House and SPA data (this is covered under a separate non-DEA legal gateway).
  • Cabinet Office will upload ‘limited liability companies’ data only to a secure file sharing platform (Egress) owned by BEIS which will be accessible by both Cabinet Office and HMRC. Cabinet Office will then inform HMRC when and where the data is available. This data sharing will be carried out only once.
  • HMRC will access Egress to extract the BBL data to the HMRC
  • HMRC will match ‘limited liability company’ BBL data against HMRC records, append the relevant columns and review the file.
  • HMRC will upload the resulting file to Egress and make Cabinet Office aware where the data is available. This activity will be carried out only once.
  • Cabinet Office will access Egress, move the file into a Cabinet Office-only permissioned area and conduct analysis alongside other data sets, obtained via other legal gateways or via MOUs to identify suspected fraud networks
  • Results of this analysis (which still constitute HMRC data) will be shared with the BBL counter fraud analytics programme working group and oversight board for decisions on next steps. HMRC will be closely involved in the drafting of the outputs.
  • Please note the following steps are the additional steps as a result of this variation.
  • Cabinet Office will pass information on suspected fraud applications to BEIS, which may include BEIS investigators as outlined in para 6 and 14 above.
  • Cabinet Office will prepare risk flags as outlined in para 7 and 13 for sharing with BBB, who will onward share the data with accredited lenders. HMRC data will not be available for onward sharing for purposes other than those for which it was disclosed unless with the consent of HMRC and appropriate legal gateways being in place.
  • Cabinet Office will produce interim reports based on those initial findings and suspected fraud to the DEA review board.

1.5 Data Retention

It is anticipated the data sharing agreement with BEIS, Cabinet Office and HMRC will last a period of no more than 24 months (subject to confirmation) from the date the data is sent from HMRC to Cabinet Office.

HMRC will destroy BEIS BBL data and their own data files used to conduct the matching once:

  • HMRC has conducted the matching
  • results have been returned to Cabinet Office
  • Cabinet Office can confirm receipt of the data
  • anomalies in the data have been resolved

Cabinet Office will destroy BEIS and HMRC data and their own files used to conduct the matching at the end of the 24-month period.

1.6 Data processor and data owner

HMRC is the data controller when the data is within its estate. Cabinet Office will act as a data processor on behalf of BEIS and HMRC. BEIS will act as data controller when the data is within its estate. This is using definitions as set out in the Data Protection Act 2018. BBB and accredited lenders are independent data controllers.

1.7 Freedom of information and subject access requests

All parties, who are deemed to be public authorities, are subject to the requirements of the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where a freedom of information request is received by either party to this agreement, which relates to data that has been provided by other parties, the party receiving the request will notify the other relevant parties to allow them the opportunity to make representation on the potential impact of disclosure.

  • BEIS’ FOI team mailbox is: foi.requests@beis.gov.uk
  • HMRC’s FOI team mailbox is: foi.team@hmrc.gov.uk

Additionally, individuals can request access to their data. The following are the email contacts for individuals to contact the relevant organisation:

BEIS enquiries@beis.gov.uk

HMRC via this link.

1.8 Costs

HMRC will recharge BEIS for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.

BEIS has confirmed that it has funds available for costs incurred by HMRC for this data share.

1.9 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.