Nominet FCA Domain Name Redirection Worry
Last week Nominet announced that they intend to work with the FCA to redirect domain names they suspect of being involved in scams. In our opinion, this isn't a good idea.
Quick Loans Background
We felt the need to write about this subject because we hold a Nominet tag and an FCA licence, and have been on the wrong end of such a policy in the past.
What have the FCA and Nominet Announced?
Nominet issued a press release detailing a new pilot program that they claim will reduce online harm. They've joined forces with the Financial Conduct Authority (FCA) and the Medicines and Healthcare products Regulatory Agency (MHRA).
The latest move will see Nominet redirect the domain names of suspected scam sites from the customer's own website to one owned and operated by Action Fraud or similar. We are worried.
We think it is designed to work like this: victims of scams will contact the FCA, the FCA will contact Nominet, and Nominet will then redirect the domain name(s) involved to Action Fraud. It all sounds very simple. Well, life isn't that easy.
What's the problem?
Rogue illegal websites being instantly taken offline is a good thing. Yes, of course it is!
The problem is that neither Nominet nor the FCA has announced any safeguards. It is all very well reporting that they shut down suspected illegal websites, but that's not the hard part. The tricky bit is filtering out those websites that have been falsely accused.
Let's say that the FCA receives 30 to 40 complaints today about a website called QuickLoans.co.uk. It is not far-fetched; we get around 30 complaints a day from customers who believe that we cold call them asking for an upfront payment (more details here). Now, if the FCA thinks, oh, QuickLoans.co.uk is up to no good, they contact Nominet and have their website redirected to Action Fraud.
Surely someone at the FCA would check the financial services register and see that QuickLoans.co.uk is registered, legitimate and therefore doesn't need to have their website redirected?
In 2016 the FCA put out a press statement that one of our sites was acting illegally. It wasn't. That FCA press statement made its way to the Daily Mail and other news outlets. That site was operating in accordance with their rules, but it was still subject to negative FCA statements. Those statements are still on the FCA's website today; they say they won't remove them.
In 2018 we watched as one of our trading names was almost taken offline by Nominet. Out of the blue, we received this email:
Nominet, the registry for .uk domain names, has been contacted by the Financial Conduct Authority in relation to your domain name(s). We have been informed that the domain name(s) below are in breach of UK criminal law and in addition that Nominet's terms and conditions have been breached.
Having investigated the complaint, we have found breaches of one or more of the promises and indemnity conditions set out in condition 6 and in accordance with condition 10 we will be placing the domain name(s) into a suspended status on 18th July 2018.
In this instance, we received a warning of what was about to happen and we quickly contacted Nominet (who didn't want to know), then we contacted the FCA and they dealt with the issue. We don't see any safety net of a pre-warning type in this recent statement regarding the pilot program.
The other concerning part of this was that Nominet didn't want to know our side. We had to contact the FCA and request that they withdraw the request. After a bit of bouncing around, the FCA did withdraw the notice, and Nominet ceased the suspension process. But Nominet didn't want to know; they had their request from the FCA, and that was that. Nominet was only doing what they were told, and that was worrying to us. It was an admission that they have no safeguards at their end.
As for the FCA's safeguards, the lord only knows what they were doing. Failing even to check their own Financial Services Register isn't a great look. The domain name/trading name was fully licensed and had been for the previous 12 months.
Our worry is that we get stuck between two risk-averse, virtue-signalling organisations. We don't think Nominet is that, but in our opinion the FCA certainly is. Nobody wants to take responsibility, and legitimate sites get lost in the middle.
That would also lead us to the question of liability. Who would have been liable if our website did go down? Terms and Conditions of the FCA and Nominet do not supersede the law. Falsely or negligently taking down someone's website will have consequences. As many of us will know, it is not just the initial downtime that is the problem; it's the potential SEO damage that could last years.
A website being taken down is one thing, and that in itself would be bad for SEO, but redirecting it to an anti-fraud website could be fatal for that brand. The direct damages passed on to Nominet could be severe. It could also be potentially libellous. Reputations for honesty in finance are challenging to build but incredibly simple to demolish.
Has anyone stopped and thought about where the FCA's powers start and stop? Do they even have the right to have some sites taken down?
As far as we know, the FCA only has powers over sites dealing with regulated finance products. There could be a catch-22 to all this. For the FCA to have jurisdiction, the site needs to be active in delivering loans etc. The trouble is, these scam sites don't provide loans; they only claim to offer loans so they can get upfront fees. Meaning, unless the site shows a fraudulent license number, the FCA doesn't have any powers; it's a matter for another law enforcement agency.
In our dealings with the FCA, they didn't seem to know their own rules. Sites only need to be licensed when they are selling leads to a third party. An active site with a live loan application form does not need FCA permission to operate. Only when it starts to sell those leads does it become illegal, and the FCA never chases that aspect down. It could legally give those leads away for free. Would anyone at Nominet or the FCA realise this before requesting a take-down? In our experience, they wouldn't.
Martin Lewis gives mortgage advice. Will anyone at Nominet or the FCA be shutting down his website for giving out advice on regulated products whilst not licensed to do so? He'll say he has journalistic immunity, but journalists don't sell mortgage leads like he did or does. HSBC has been fined for allowing drug cartels to run accounts. The issue is, will the rules only apply to the small people, or will bigger institutions be subject to this?
Don't be surprised
Don't be surprised when fraudsters figure out how to use a cloned version of the Action Fraud website for their own benefit. We've already seen clones of the FCA's website. Imagine if a website pops up that looks like Action Fraud, convinces a visitor that they are dealing with Action Fraud and then takes more money or details off them. It happens now; fraudsters are already five steps ahead. We've seen Indian call centres dedicated to looking like law enforcement sites. They sit right next to the fraudsters. In fact, YouTube is full of these videos.
One crucial aspect of introducing new safeguards that is often overlooked is "false negatives". By declaring that you will redirect rogue websites, the public may infer that all the websites that remain are legitimate. This could cause a significant issue, worse than the problem you had at the start. Now you've got members of the public who are starting to believe that live websites must be fine, otherwise they would have been removed.
This is important because our experience in the credit industry tells us that with the increase in regulation comes an increase in fraud. People have the habit of turning off their common sense, somehow believing that the State will do it for them.
Finally, there may also be a problem of potential reputational damage. It is not so far-fetched to think that the members of the public who have fallen victim to scams will then turn their blame on the FCA and Nominet. In our experience, victims always want someone else to blame. The very fact that Nominet and the FCA didn't shut these websites down could provide these people with the perfect excuse to blame them. Unfortunately, there is always some gimmick-hunting politician ready to jump on a bandwagon, any bandwagon.
Where would we look for a solution?
First of all, forget redirecting domain names. It will do more harm than good.
Nominet and the FCA should stay as quiet as possible; they should not make any press statements about how they're going to protect people. Don't give people a false sense of security that they are being protected when they are not. Giving people a reason not to think for themselves is very dangerous. It may be good for the FCA and Nominet, but it isn't helping the objective of keeping the public as safe as possible.
In our opinion, Nominet should try to enforce the ownership details of the registry. No fraudster is going to give accurate information to a registrar. We would implement a rapid reaction take-down if the domain registry details are false or unconfirmed. If the alleged criminal behaviour is severe enough for the FCA to contact Nominet and request a take-down, it would surely be powerful enough for the FCA to request the Police pay a visit to the people involved and make arrests?
We wouldn't expect the FCA or Nominet to do this for domain names registered to foreign individuals. In these circumstances, we could see an argument for an instant take-down. We are not 100% sure on this, more like 99%, but we seem to remember the FCA wouldn't grant FCA licenses to foreign-listed companies or individuals. Whatever the specifics, we think the answer lies in the accuracy of the FCA's whois register. Most, if not all, fraudulent sites could be taken down this way, all without impacting innocent brand owners.
Whichever way the FCA and Nominet decide to go, someone senior on both sides should have to sign off each take-down. If a take-down goes wrong, it can't just be fobbed off on to some junior techie.