Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach debate -
Tuesday, 24 Oct 2023

Apologies have been received from Senator Higgins. Today’s meeting will deal with the examination of fraud. We have representatives from Meta, Google and Amazon. On behalf of the committee, I welcome from Amazon Mr. Ed Brophy, head of public policy, Ireland, and Ms Abigail Bishop, head of external relations for scam prevention; from Google Mr. Ryan Meade, director of public policy and Mr. Ollie Irwin, safety engineering centre lead; and from Meta, Mr. Dualta Ó Broin, head of public policy, Ireland, and Mr. Philip Milton, public policy manager, UK.

I will read a note on privilege. Members and those present in Leinster House will have full privilege. Those not on the campus may only have limited privilege. Members are reminded of the long-standing parliamentary practice to the effect that members should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable.

I invite Mr. Brophy from Amazon to give his opening statement.

I thank the committee for the invitation to Amazon to attend this session. I am head of public policy for Amazon in Ireland. I am joined by my colleague, Abigail Bishop, global head of external relations in Amazon’s scam prevention division. Ms Bishop leads a global team working closely with organisations and individuals to combat scams and to prevent fraud internationally.

We have been invited to speak about authorised push payment, APP, fraud. I will provide the committee with a short overview of Amazon’s approach to addressing fraudulent activity more broadly and APP fraud in particular. We are also happy to answer any questions the committee may have.

I will give a little bit of background on Amazon in Ireland. Next year, Amazon will celebrate our 20th anniversary in Ireland, having first invested here in 2004, and we look forward to many more years of investing in the country. We employ more than 6,500 people in Dublin, Cork, Drogheda and in additional regional locations in diverse roles, such as data engineers, operations managers and financial staff. Over the past three years, we opened our first fulfilment centre in Dublin on the N7 and then at Ballycoolin, which created 500 new jobs and will continue to grow. We have more than 1,200 Irish SMEs selling on Amazon, creating more than 3,500 jobs. Irish SMEs on Amazon recorded €150 million in export sales last year, which was an increase of 25% from 2021.

We also make multiple investments in skills development and community, including: establishing a programme with the Technological University Dublin to train data centre engineers; supporting establishment of the Tallaght district heating scheme - the first in Ireland; launching a start-up loft for growing companies at our Dublin office; and offering career choice to our fulfilment centre employees, which pays 95% of their course tuition in high-demand fields over four years.

Turning to fraud and APP fraud in particular, scams affect everyone. Like most people, I regularly receive scam texts and calls myself. Scammers are clever and impersonate trusted brands just enough to seem legitimate. Scams today are complex, scammers use many methods and scams are global. Scammers are innovative, creative and opportunistic, keeping up with the times. This is a significant issue in Ireland, but in Amazon we have seen to date limited evidence of APP scams across our services.

Amazon is a retail store and, as such, we generally do not see this type of fraud on our store or through our services themselves. However, as one of the world’s most trusted and recognisable brands, scammers unfortunately do seek to use our name in their scams to afford themselves further credibility.

Our focus on scam prevention at Amazon starts with our broader mission to be the world's most customer-centric company. Our mission is at the heart of everything we do and drives us to deliver an amazing customer experience. It includes a commitment to protect our customers from scammers who would take advantage of their trust in us. When a scammer attempts to take advantage of our customers using the Amazon name, we take that seriously. Amazon is committed to protecting consumers by preventing scammers from impersonating Amazon’s brand or anyone else’s.

As members will appreciate, we work proactively against the impersonation of Amazon and our brand. For example, in 2022, we invested more than €1.2 billion and employed more than 15,000 people, including machine learning scientists, software developers and expert investigators, who were dedicated to protecting customers, brands, selling partners and our store from counterfeit, fraud and other forms of abuse.

Turning to fraud prevention, in order to further combat these scams, we have a number of secure mechanisms on our store, namely, customers can view order and communication history with Amazon by logging into their account and checking the message centre; the buyer-seller messaging tool we offer provides a secure channel for customers to communicate with Amazon sellers; we implemented email verification technology across more than 20 countries to make it easier for customers to distinguish authentic communications from Amazon; and, available in 20 countries and languages, our self-service reporting tool, available at amazon.com/ReportAScam, is available online and in our app to enable simple, speedy, and standardised reporting.

Beyond the protections in place in our store, our team is working to protect customers from scammers through consumer education and enforcement actions. Amazon reinforces scam avoidance best practices in its communications, including working with consumer organisations on awareness campaigns, sending regular direct emails to hundreds of millions of customers around the world and amplifying our communications policies through our channels. We also continue to innovate with our tech solutions.

We have zero tolerance for scammers who attempt to impersonate Amazon. Last year, we initiated takedowns of more than 20,000 phishing websites and 10,000 phone numbers being used for impersonation scams. We referred hundreds of bad actors across the world to law enforcement to help them ensure that these scammers are held accountable. All of these efforts have been acknowledged by the US Department of Justice, among others.

To conclude my opening statement, Amazon strives to be the world's most customer-centric company. Maintaining the trust and safety of our customers is absolutely paramount to us. We have taken many steps to increase customer trust and to prevent fraud. We work to secure our customers’ funds and personal financial information. This is the case in Ireland as much as it is in any other country, and we will continue to work on this for our customers. We look forward to any questions the committee may have.

I thank members for inviting us to today's session to discuss the subject of APP fraud. I am head of public policy for Meta in Ireland and I joined by my colleague, Philip Milton, who is a member of our UK public policy team. Mr. Milton has been involved in the engagements with the UK Parliament and UK Government on the issue of fraud for the past few years. In this opening statement, I will focus on Meta's efforts to tackle fraud on our platforms.

The safety of our users is a priority for Meta and we therefore take a zero tolerance approach to fraud on our platforms. By its very nature, fraud is adversarial and hard to spot and the perpetrators of fraud are continually searching for ways to subvert the rules, processes and safeguards we put in place to protect our users. The perpetrators are also operating across platforms and industries to avoid disruption by any one platform, which makes this a very challenging area. Just as it is unlikely that fraud will ever be eradicated in society at large, it is unlikely we will ever be able to completely eradicate it online.

Nonetheless, Meta is committed to doing all we can to prevent fraudulent activity on our platforms wherever we can. We invest substantially in our safety and security teams to that end. All told, since 2016, we have spent about $20 billion on teams and technology in this area and that is not slowing down - $5 billion of that was in the past year alone. We have a team of highly trained experts solely focused on identifying fraud and building tools to counter this kind of activity, which are used to help catch suspicious activity at various points of interaction on the site, block accounts used for fraudulent purposes and remove bad actors.

It is directly in our interest to do all we can to combat fraud on our platforms. Failure to do so will expose our users to risk, severely degrade the experience of using our platforms for users and make them an unattractive place for brands and businesses to advertise. Meta has a set of strict advertising policies, community standards and community guidelines that govern what is and is not allowed in advertising and non-paid or organic surfaces on Facebook and Instagram.

Where we believe anyone has violated our terms, standards and policies, we take action and use a range of tools to enforce our policies, either via proactive automated systems or reactive methods or both. We deploy a combination of proactive detection and reactive action to disrupt bad actors on our platforms. This includes using our artificial intelligence systems to proactively detect suspicious activity. We focus our attention on behaviours rather than content, as while the content of these scams changes frequently, the modus operandi of the bad actor typically remains the same.

Where our systems are near certain that content or profiles are violating because they possess the signals we associate with a scam to a high degree of confidence, they will immediately be automatically removed. Where less certain, content may be prioritised for our moderation teams to review. Our aim is to catch these bad actors proactively, as early as possible, before they have a chance to engage with users.

APP is, of course, concerned with inauthentic behaviour. When someone looks to create a page or profile, we will use our artificial intelligence, Al, to check for signs they are being created by real people and not automated bots. This is because scammers can use bots to help them commit fraud. Accordingly, one of the tools we use to combat APP is taking down fake accounts, and in half 1 of 2023, we removed 1.1 billion.

We also use a mixture of nudge behaviour and proactive warnings via Messenger to let users know when they are messaging an account demonstrating behaviour similar to that we have previously seen from scammers. These accounts have not breached the levels we would need to suspend or disable an account but are suspicious enough to warn users about.

For fraudulent activity advertising on our platforms, we also focus on behaviours rather than content, given the ever changing nature of these scams. These efforts are geared toward building more proactive tools to automatically take down this content before it goes live, using a combination of Al and human review.

Our systems incorporate signals such as user feedback, fake or compromised account signals and ad content signals and tactics which go into building our proactive detection technology. We have also invested in ensuring our specialised reviewers can understand and identify this content which, by its very nature, is hard to spot. Relative to other harms on Facebook, the scams space is more complex and difficult for reviewers to accurately classify, so we have sought to build a more holistic understanding of the abuse over time.

While our aim is to catch content proactively, where users do come across such content, we want to make the process of reporting it to us and getting it taken down as easy as possible. Our in-app reporting function is available via the three dots that appear in every piece of posted content. Users can report organic content they consider harmful in some way or advertising content they no longer want to see or think is irrelevant or inappropriate. These reports are an integral part of training our systems to better spot fraudulent activity.

We also have the ability to onboard regulators to our consumer policy channel, CPC. The CPC enables us to work with consumer protection bodies, government departments, regulators and law enforcement around the world to help us better detect and remove content that violates our policies or local law by taking action on content reported to us by agencies that have the appropriate authority to make determinations in relation to the commercial content or activity they are reporting. We have several of these relationships in Ireland, covering a wide range of regulatory issues and harms.

Where we see a trend towards a particular type of activity that is not captured by our policies, we review those policies with the input of experts to ensure they remain fit for purpose as the landscape evolves.

Our priority is always to act against a bad actor as quickly as possible for any violation, but we are operating in a particularly adversarial space with bad actors who use increasingly sophisticated means to avoid detection. This is a complex issue that requires a joined-up multi-stakeholder approach.

I hope this provides members with an overview of how seriously Meta takes the issue of APP fraud and fraud more generally, and the various methods we employ to combat it. We look forward to the committee's questions on this important subject.

I thank members for inviting us to speak on the topic of APP fraud. I work with Google as government affairs and public policy manager in Ireland. I am joined by Mr. Ollie Irwin from our trust and safety team, who leads our Google safety engineering centre in Dublin.

The core of Google’s mission is helping users find reliable and authoritative information. This applies across our products, whether it is helping users navigate the open web through Search, find local business in Maps or access learning and entertainment on YouTube.

Protecting users of our products is central to this mission. We recognise that our products can only be as helpful as they are safe. That is why we take our responsibility seriously to provide access to trustworthy information and content and we are committed to combating fraudulent activity on our platforms.

We invest heavily in the development of systems, detection methods and enforcement measures to stay ahead of new abuse behaviours and patterns. Our teams use a mix of technology - including sophisticated machine learning - and human review to enforce our policies. This combination of technology and human talent means policy violations can be spotted and swift action can be taken to remove violative content and ads.

Our products and services have multiple layers of built-in protections. When operating at scale, it is important to have a structured approach powered by technology. We think of reducing risk of abuse under three pillars: prevent, detect and respond.

We primarily want to prevent abuse from occurring. We embed safety-by-design principles across our products to proactively assess risks and engineer solutions. For example, Google safe browsing will warn users when they attempt to navigate to a dangerous website or download dangerous files. We are also currently piloting new policies that limit ad views for advertisers we are less familiar with in categories that may be prone to abuse, giving them an opportunity to build up user trust before their campaigns have full reach. You can think of it as a get to know you period for advertisers. Second is detect, where AI powered classifiers help us to quickly flag potentially harmful content for removal or escalation. Last year we removed 5.2 billion ads that violate our policies and restricted 4.3 billion. Most of these actions took place before the ad was seen by a user. Content moderation at this scale is only possible with AI. In 2022, classifiers ensured that 99% of Google searches were spam free. Over the past two years, we also launched several algorithm updates specifically focused on reducing the appearance of scammy results in Google search. These efforts also include the reduction of sites appearing in search results that are seeking to trick people into thinking they are visiting an official or authoritative site. Our dedicated intel teams track emerging global trends and third-party reports to understand how we can get ahead of the curve on detection of new abuse methods, and the building of new and sophisticated protections to help keep users safe. The final pillar is respond. We are often up against sophisticated bad actors, who are evolving new modus operandi and changing tactics. Sometimes new malicious behaviour may temporarily evade our systems, but we are constantly improving our technology and detection methods. These are supplemented by human review and both user and trusted flagger reporting to ensure enforcement against bad actors can be taken in an expeditious manner. As mentioned, as a backstop, users can report or flag questionable content they encounter, and that signal informs our systems. We also partner with trusted organisations, including government agencies and NGOs, through our priority flagger programme, providing priority tools for them to quickly flag problematic content appearing on our services. When a piece of content is flagged we rely on both humans and AI-driven technology to determine whether it has violated our policies and respond appropriately. At Google, we proactively look for ways to ensure a safe user experience on all of our platforms, including the advertising they see. When we make decisions about ads and other monetised content on our platforms, user safety is at the top of our list. In fact, thousands of Google employees work around the clock to prevent malicious use of our advertising network and make it safer for people, businesses and publishers. We do this important work because an ad-supported Internet allows everyone to access essential information and diverse content free of charge. As the digital world evolves, our policy development and enforcement strategies evolve with it. These help to prevent abuse while allowing businesses to reach new customers and grow. Online scams are a growing concern for people everywhere and as technology progresses, bad actors are finding new ways to defraud people and businesses. APP fraud is just one aspect of a scam and fraud landscape that is constantly evolving. We have continued to invest in our policies, teams of experts and enforcement technology to stay ahead of potential threats, including launching new policies and updating existing ones. In 2022, we added or updated 29 policies for advertisers and publishers. Our continued investment in policy development and enforcement enabled us to block or remove more than 5.2 billion ads, restrict more than 4.3 billion ads and suspend more than 6.7 million advertiser accounts. We also blocked or restricted ads from serving on more than 1.57 billion publisher pages and across more than 143,000 publisher sites. That is up from 63,000 in 2021.

The recent increase in scams is not exclusive to Internet advertising. Criminal gangs are using multiple malicious methods, including phishing emails, spoof phone calls and texts, shopping scams and impersonation scams. Half of adults in Ireland reportedly received a fraudulent text message in 2022, so online advertising leading to scams is one part of a bigger societal problem. However, we take our responsibility in this space seriously, and have not waited to act. We know that people and businesses put enormous trust in Google when they use our products. It is very much in Google’s business interest to do the right thing. Our business is heavily dependent on the proper functioning of a healthy ad-supported open Internet, and the continued trust of users in that ecosystem. If consumers abandon bad web experiences, the long-term viability of Google’s core business is at stake. That is why we have thousands of people working round the clock to create and enforce effective advertiser and publisher policies to prevent abuse while enabling publishers and businesses of all sizes to thrive.

Fraud is a cross-industry issue that requires strong and sustained co-operation from a range of actors. Tackling scams should be a priority, and in our view all of the parties involved should work individually and collectively to find the best ways of tackling a problem which involves sophisticated bad actors seeking out routes to scam consumers. We know from experience that organised criminals are adaptable. They will evolve their approach in response to whatever counter measures we implement and will target any weak spots in the wider system. This underlines the importance of an effective and co-ordinated response across the industry and from government and law enforcement working together to address the issue. I thank the committee for its time and look forward to the discussion.

I welcome all of the witnesses. I am aware that there are many methods by which fraud can be perpetrated, not just on the witnesses' platforms but elsewhere. However, I want to focus on scams being co-ordinated by advertisers or sellers on those platforms. I will start with Mr. Brophy with respect to Amazon. It obviously has its own products but attracts a lot of sellers onto its platform. What steps or methods does Amazon have to vet anyone who wishes to sell goods through Amazon, to ensure they are legitimate.

I will give the short answer here, but I will be happy to follow up with more detail on the extensive process we have in place for seller vetting. We have quite an elaborate protocol in place to evaluate our sellers, including actually meeting with the sellers face-to-face. Everybody who sells on the Amazon store has to verify their identification in multiple ways, one of which is by showing their face to us and confirming a mailing address among other verification protocols. It is quite extensive, and we can share more on the ins and outs.

We have in place our A to Z guarantee, where any customer can file a claim about a transaction that did not go as anticipated. They can seek recourse that way. I will also underscore to the Deputy, that the types of scams we talked about in our remarks, and which were cited by others, are happening outside of our store and outside of the Amazon protocols and processes. That also makes them difficult to mitigate and even know they are happening, because we rely so much on self-reported data from victims of these crimes. Many of the cases we are talking about today are not happening on our store or with our sellers. In many cases they are not happening to Amazon customers. I want to underscore that point.

I have similar questions for Mr. Ó Broin.

I suspect that one of the big issues Meta has to deal with is people who are advertising on Meta and then subsequently it is discovered that the product they are selling or claims they are making are scams. That would be the minority of cases but that is an issue. What protocols does Meta have in place before it accepts an advertisement from somebody who wants to promote their product on Meta?

It is important to distinguish Meta from Amazon. The purchase would happen off our platform. The ad would be on our platform but it would guide you off the platform to another website to conduct the purchase. The ads are subject to stringent policies. They are not only subject to those policies but they go through an ad review system before they can be placed on our platforms. That review covers a range of different elements of the ad, including the text and images, for certain violations. If any violation is detected we will reject the ad. That review can happen before the ad is placed but it can also happen afterwards if we receive a signal that there is something of concern with that particular advertisement. We also have strong policies in place about anyone who tries to purposely get around our policies, for example, by seeking to obscure images to get through the ad review system or by seeking to camouflage text in a way that our systems will not pick up on it. We have very strong enforcement on that and we have taken action against individuals on it.

I want to build on the points Mr. Ó Broin was making about the identity verification we have for advertisers. We take a risk-based approach to verification for advertisers. Depending on what kind of category you are advertising in there will be different levels of verification that apply. A good example is political ads. There are particularly high levels of verification for political ads because of the consequences that can come from that, such as influencing elections, misinformation and things like that. There are also different levels of verification in place for things like regulated goods. Things like gambling and alcohol might require a licence from a regulator or something along those lines. We do not verify all advertisers, however. We do not ask the local coffee shop or yoga studio to provide ID verification, for example, because we find those categories to be lower risk. Where we assess the risk to be particularly high we will require some level of verification. It is worth saying that if that local yoga studio or coffee shop starts engaging in behaviour that we think might be fraudulent, then we can checkpoint that account and ask it to provide identification and verification. Where we think a risk is developing, we can suspend that account and ask for verification quickly.

I thank Mr. Milton and I want to ask Mr. Meade a similar question. What measures does Google have in place to vet advertisers? What happens if Google is subsequently informed of the fact that the advertiser about whom it did not know what it was doing is engaged in fraudulent activity on users of Google?

We are rolling out a global advertiser verification process. We are verifying all advertisers across our products and services in that they will have to verify who they are and do business operations verification. We have also released a new policy, which Mr. Meade mentioned in the opening statement, whereby there will be limited ad surveying for some new advertisers. During that get-to-know-you period we would be able to limit the reach of the serving of those ads until we get further information on the advertiser.

For example, if an ad is put on Google, Google's verification process is not effective and the ad is advertising something that is a scam, a fraudulent sale or something like that, and if Google subsequently becomes aware of that, presumably Google removes the ad if it is satisfied that it is a scam. Is that correct?

Once that has been reviewed our trust and safety teams will review the ad against our policy. In this case, if it is a scam, we will review it against our misrepresentation policy and then there can be further reviews on the account itself. I will share some of the numbers Mr. Meade mentioned earlier. Some 5.2 billion ads were removed in the last year but about 6 million accounts were also removed in that time. We take action in those scenarios. As far as reporting it further, in some instances we may not have full awareness of the fraud or scam that can happen off our services or platforms.

I might jump in there to reinforce what Mr. Irwin said. We gave an idea in the opening statement of the scale of policy enforcement we take in respect of ads. A large volume of ads get disapproved for different policy reasons. In some cases that is because of misrepresentation, so that might indicate that the ad is potentially trying to lead someone into a fraud or scam, but it is important to note that in those cases we do not know that that will be a fraud or scam. The only visibility of that part of the chain is where it is taking place on a Google surface. Given the scale of policy action we have taken and the priority we put on trying to ensure this material does not appear to users in the first place, it is not a routine matter to report each of those instances because that would flood any agency with information that would be of limited use.

I thank the witnesses. I will conclude by making a comment and I do not need anyone to answer it. My assessment of this issue is as follows. I am conscious that the organisations present are all enormous platforms that have global reach but I would have thought it would be preferable, from the point of view of the protection of the consumer, if it was possible that there was a universally high level of verification for all their sellers, advertisers and persons who they are entering some form of contractual relationship with.

In the long term, it would not eliminate all fraud but it would certainly reduce it. I thank all the guests for attending.

I thank the delegates for their presentations, which I appreciated very much. I wish to follow on from Deputy Jim O'Callaghan. How many cases have the delegates' organisations reported to the Garda? How many complaints have they passed on where they have seen that a crime has been committed? Do they have any numbers?

In different ways, it is directed at all three organisations. By times, they will come across what are obviously crimes involving the total defrauding of people. People have filmed crimes live at various times, including on Meta. On Amazon, people may be selling fraudulent things, although this is not done by Amazon itself. Have the three companies data on when they might have liaised with the Garda on what they regarded as crimes during any given year?

I am happy to give the Meta perspective. The numbers we have are global numbers. They are published in our transparency report. The report has been evolving. It started off with just a very small number of categories. It has broadened but has not reached the granular level in terms of fraud. Again, the numbers are global. I am referring to the 1.1 billion fake accounts in the first half of 2023 and 2.7 billion instances of spam in the same period.

We have a law enforcement outreach team that works very closely with the authorities in the Phoenix Park, and we have a portal through which law enforcement authorities can request data from us when investigating crime. Part of the problem, as mentioned by Mr. Meade, is that we see only one sliver and do not see the scam taking place. We can take action against the advertisement itself and remove it, but we do not necessarily see the fraud itself, which is further on down the chain.

I understand the question. What I am trying to say is that where there is child sexual abuse material, for example, or a child safety concern, we contact law enforcement straight away because it is clear there is something happening and somebody at risk. In the space we are talking about, it is not clear to us-----

Our transparency report on that will be coming out shortly. An interesting data point is that, proportionately, given the size of our business and the size of Ireland's market, there have been far more regulatory contacts between us and Irish authorities than between us and authorities across larger EU countries. We are in very regular contact with regulators and they reach out to us on an ongoing basis. It is a very effective channel in Ireland. There will be more details coming out on this that we would love to share with the members when our Digital Services Act transparency report comes out. We will be happy to meet the Senator and other committee members on it because there are some interesting data on Ireland and the EU more broadly.

On the broader trends, I might defer to Ms Bishop.

Last year, we referred over 100 bad actors to law enforcement authorities across the world. We are pleased to share publicly that we recently worked in partnership with Microsoft to put together a joint referral to Indian authorities that resulted last week in raids of 78 locations associated with technical support impersonation scams that had affected, it has been confirmed, thousands of Amazon and Microsoft customers. That serves as an anecdote on some of the most recent successes we have had. We are working very closely with law enforcement across the globe.

I do not know that we have any in Ireland. We do not disaggregate publicly all the various cases we have live and pending, but we have referred to the number in question worldwide. The figure relates only to law enforcement referrals. We also engage in business disruption, legal actions, take-downs and such activities.

To answer the Senator's question directly, I do not have figures available to me on reports we may have made. In general, and referring to my previous answer, it would not be typical for us to know a fraud has been committed because it will have been committed off our site. However, we have very well established practices for engaging with law enforcement. We get law enforcement requests routinely right across Europe and we preserve advertiser data so they can be produced for law enforcement authorities on foot of valid legal processes. Generally, the report would come in the other direction because the fraud occurs further down the stream.

That is fair enough. The point I am making, bearing in mind that we hear comments about the wild west, is that what are obviously crimes are committed on all three websites at different times. I am curious about where the reports go and whether they are made to the relevant authorities. I received a very mixed answer. We will move on. The delegates have all given an answer in some shape or form.

I am worried about something the three companies have been raising for a while and that was mentioned by the Chairman of the Committee on Budgetary Oversight, Deputy Barry Cowen, at a meeting of that committee today. The proposed global minimum corporation tax rate of 15% was recently rejected by the US Congress. The Secretary of the Treasury of the United States, Ms Janet Yellen, was asked whether it would take quite a while for it to be accepted and she said that was quite conceivable. She has asked other countries to sign up to the new rate, and 130 have done so thus far. She is promising that if everybody else is made sign up, the Republicans will come on board. It is very much a "Live, horse, and you'll eat grass" attitude.

I am the Seanad spokesperson on public expenditure. What is the witnesses' opinion of the United States being one of the biggest pushers of this 15% global corporation tax rate? Evidently there are complications with the Republicans and the Democrats and the power in the different Houses. They have not been able to pony up themselves to be able to back this. I am curious about the bigger picture. Will this be a problem for Ireland if we sign up to this? I think we are going in very blind into this. I know it is a priority for some people, but in general it has not been. It has been one of the staple blocks to making Ireland such an important and attractive country to do business in. It has made Ireland so successful and is probably why all these prestigious, well-educated and successful people are here today. What are the witnesses thoughts on what is going on in America in relation to corporation tax and what knock-on effect it will have in Ireland?

I am hesitant to get in deep into the dealings in the US Congress. It is probably an even more complicated matter than online fraud and scams. In general terms, there is broad support for reform on a multilateral basis. This involves all parties working together and is being pursued through the OECD process. Anything that can be done to ensure this process succeeds will be positive for Ireland and economies generally. As I said, I would not like to make any comments on how things are playing out in the US Congress

I would echo that. Obviously it is hard to speculate on the course of US politics at the moment because it changes from week to week. We have always been highly supportive of the OECD BEPS reform process and of a global minimum tax, and the various other aspects of that. We would love to see that deal get across the line, having been agreed internationally, domestically within the US and elsewhere. We have been working quite hard on this, but it is very hard to see how it will play out politically in the US. We are very keen to see it get to a resolution to create the kind of certainty that would provide for countries across the world, including Ireland, to have a new global minimum rate. I am very supportive of that, but is hard to see what is going to happen in US politics.

The OECD BEPS process is based on a global agreement. If everyone signed up to it, then obviously there is less opportunity for one country to benefit ahead of the others. That is the nature of the agreement, that it is global. That is why it is so hard to get it agreed. Global agreements, by their nature, create domestic issues. That is the difficulty. The process itself is very sound. If it is agreed globally and implemented across the globe, then I do not think that is an issue. However, there is a way to go yet and we have to see what happens

Similarly to the other two companies, Meta is very supportive of the efforts being made. Regarding Ireland, I do not want to sound like an ad for the IDA, there is far more to the offering that Ireland provides to industry than tax. Possibly the most important one which is not immediately appreciated is the industrial ecosystem. Ireland has been attracting investment of this type for 70 years. The industrial ecosystem and the talent pool here simply cannot be found in many other locations around the world. Tax is one aspect, but I would emphasise that Ireland has much more going for it than simply the tax rate.

I appreciate that. The fact that there is only a handful of us in the room and many of the witnesses are elsewhere in the world means that it is quite a fluid and changed position form where we were when all these conglomerates came here a while ago. I would probably have bigger concerns around that.

I do not have the figure for the amount of money that we receive from fraudulent ads which get through our systems and appear on the platforms. I would push back against the idea that we are a net beneficiary of this. I outlined the amount we are investing in our safety and security teams to combat a whole range of harms, including fraud . There is also the-----

Yes, but people have told me that if someone puts up a post saying "free Palestine" it is withdrawn by Facebook, yet ads that scam people are still up on the site, so the company does benefit. Is it not a fact that the company benefits financially from fraudulent activity, scamming citizens across the State? Does the company have a number for how much revenue was taken in 2022 from fraudulent ads on the site?

Regarding those potential scam ads, I would encourage people to report them through the app functionality. I do not have a figure for the Deputy but the amount of investment on the other side to combat it far outweighs any small amount that would be received for the ad. In addition, it creates a bad user experience. Other brands and advertisers do not want to have that near their material. There is also reputational damage. While there may be a financial payment which is as a result of the ad, it would be minimal compared to the investment and the other damage done on the other side.

The first thing to say about those kinds of statistics is that it is incredibly sobering to see that kind of bullying associated with the Meta platform. We take those statistics really seriously. It is important to work in collaboration with banks to try to get underneath the bonnet of the statistics because what we see here is a real opportunity to work collaboratively with banks. If they are collecting those kinds of statistics, presumably they can collect the details from the customers as to where they have seen that scam and then report the information to us. We can use that information to take action on the specific piece of content and to train our systems accordingly so they can better respond to that kind of scam in the next case. The statistics are sobering, although I would point out that they are a little out of date. I believe they are from last year and there have been quite a lot of changes on our platform since then, both in the UK and Ireland and globally. We would hope to see quite a lot of change in that regard. We would be keen to get underneath the bonnet of those statistics to try to see if there are opportunities to develop a working relationship with banks so we can take action on this on a more regular basis.

They can report it to the legal team. They can write to us at our headquarters. They can write to me. We are part of the same trade associations as the banks. There would be no issue in making contact with the company at any stage. The first line of defence, as we always say, is to report it using the three dots.

I have reported stuff using the three dots and I get a message back saying it does not violate blah, blah, blah. This is what Bank of Ireland told this committee:

Like most users, when the bank identifies malicious content, we report this to the social media companies through the standard reporting mechanisms such as their online reporting forms or the report button on social media posts, with the exception of LinkedIn. There is no specific mechanism or process in place to share information or intelligence with social media companies aside from these standard reporting processes.

Let us not take Bank of Ireland's word for it. Let us look and see what AIB told us. It stated:

In line with other industry peers, we have been unable to establish direct contact with the various companies to discuss the challenges. It should also be noted that social media companies receive income from the aforementioned fraud education and awareness programmes and from the criminals for paid ads hosting fraudulent websites. Establishing direct contact with social media companies has proved to be difficult as social media companies do not engage at industry level or publish their fraud team members' contact details. They utilise general email boxes. The report ad function that is in place for individuals is the same process that is utilised by organisations, including AIB and other financial institutions.

It went on to say:

When the bank proactively reports cases, it is normal to receive a standard acknowledgement saying 'The report does not breach our community safety standards'. No feedback is ever received from the companies on the background to or progress on their investigations, if any.

That is two of Ireland's biggest financial institutions. Mr. Milton is just after telling me he is alarmed at the figure in Britain of 61% and he would like to get under the bonnet and have a better understanding from the financial institutions, yet the two biggest banks in the country have no more access to the witnesses' platforms than me or any other person in this State, despite the fact that they are getting dozens and dozens of customers contacting them on a daily basis about being scammed. I just find that incredible. I am not challenging them personally or anything. I am talking about a company, a company that is very profitable.

Nobody wants to see people getting scammed - we will start at that point - but this is just unbelievable. I asked for this committee hearing to take place to try to at least get this outcome, so that there is direct communication and understanding between social media companies and the banks and so that when a bank recognises or identifies fraudulent activity, there is somebody to talk to, an email can be sent, not to a general email inbox, and that action will be taken. Is that too much to ask?

Certainly not but I do not have access to the documents the Deputy has in front of him. We have been established in Ireland for 15 years. If somebody wants to contact us in Ireland, they are able to do so. It is not the case that we are uncontactable. I would slightly question that. As I say, we are members of some of the same trade associations as these banks and go to the same events as them.

There is no understanding between social media companies and the banks on reporting fraudulent activity. Mr. Ó Broin could make the same point about me or my mother, who is 80 years of age. He could say that my mum should know how to contact the company because she can look it up on Google and find the address and send a letter. Surely to God, when we are trying to deal with scamming that is ripping off customers, to the tune of tens of thousands of euro in some cases, there should be an understanding between social media companies and financial institutions about a prompt way to report.

I will just give an example from another area. Let us take child safety, for example. We would have built up over time, because of contact with us, relationships with child safety organisations. They are onboarded to our trusted flagger system, which means that if they report something, for example, in relation to bullying or harassment, it goes directly to the team that deals with bullying and harassment. There is no blocker to establishing that. As we said at the end of the opening statement, a multistakeholder forum would possibly help to bust some of these issues that the banks seem to have. There is certainly no blocker from our point of view to engaging with the banks, through BPFI or anything like that.

I welcome that. Like the social media platforms, BPFI is in the country for quite a long time and so is Bank of Ireland, for a couple of hundred years, and AIB. I am sure the witnesses know their addresses as well. The CEOs came before us. This is word for word what they told us. This does not need a multistakeholder forum at this stage. BPFI represents the financial industry here in this State. I am not just dealing with Mr. Ó Broin's company. Google is exactly the same. Surely to God someone in those companies can pick up the phone to Brian Hayes and say "Maybe we should just chat about this" and figure out how to set up a pathway for financial institutions to report fraud. The platforms could then give feedback on that because there is no feedback either.

I did read the comments the Deputy is quoting from the previous witnesses. Like Mr. Ó Broin, I am a little puzzled by the idea that there is no way of contacting us. I am not sure what attempts have been made. We have very well-developed priority flagger programmes that allow for NGOs and other industry bodies, and Government bodies, to access our reporting tools on a priority basis. We would be very happy to have that discussion with BPFI or anyone else. We do that with a number of organisations. In general terms, there can be a reluctance to use reporting tools on the basis that you do not know where it goes and so on. We always encourage, in all circumstances, people to use those tools because it goes directly to our teams and to our systems. It is in all cases the most direct way of bringing something to our attention. Obviously, there is no issue with other contacts. I am available and others are available here in Ireland. However, I would not deprecate the usefulness of the reporting tools. As I said my opening statement, we treat this sort of reporting as a backstop when other prevention and detection methods that we proactively deploy for whatever reason are not-----

I cannot for Meta because I am given a drop-down list containing options. If I wanted to say that a customer of mine had reported that he or she had been defrauded by a fake website advertising on Meta, I could not. I could only pick from a drop-down list of options. Could I give such information to Google?

It should not have to take this meeting to recognise that the financial industry, which is at the coalface of this because its customers are the ones discovering that payments have been being taken out, should not have to select a violation from a drop-down menu, which is the same level of access my mum has. That is not acceptable. Financial institutions have information that they should provide to the companies.

Let us turn to Google. In fairness, we would be lost without it. Mr. Meade stated: "The core of Google’s mission is helping users find reliable and authoritative information" and "we take our responsibility seriously to provide access to trustworthy information and content". Let us go back a couple of months. One of the largest retail companies in Ireland is Dunnes Stores. If we typed “Dunnes Stores” into Google’s search engine because we wanted to buy something there, the No. 1 hit was a sponsored ad for “Dunnes Stores Ireland Online”, telling us we could save up to 70%, with the latest fashion in women’s, men’s and kids’ clothes on clearance sale for as low as €9. That was a fraudulent account. I know that to be the case because I looked at the web address and saw it was spelled “Dunie”. How many people were scammed by it while it was up? This was a paid advertisement for which Google accepted money and put as its No. 1 hit when peopled googled “Dunnes Stores”. The algorithm should throw up the official Dunnes Stores website. Obviously, this fraudulent account paid a fortune to beat the algorithm and come up as the No. 1 hit. How long did it take Google to take it down?

I would not be able to give details on a specific advertiser or ad. I am aware that there has been interaction on that particular case and that enforcement action has been taken but I do not have any details on the length of time or anything like that. At this meeting, we can only speak in more general terms about how such eventualities would be handled. Does Mr. Irwin wish to discuss how that type of advertisement would have been dealt with in our systems?

And how Google allowed it to pass all of its checks when “Dunnes Stores” was spelled wrong. The most basic thing we ask customers to look at is the name of the website. The site may have all of the relevant branding, but a letter could be missing from the name. Where this example is concerned, though, Google accepted the money, put the money into its bank account and posted the add as the No. 1 hit. How did Google’s checks miss a basic thing like that?

In this instance, it would have gone through our automated checks and manual reviews. It fell under our misrepresentation policy, as it tried to appear to be a site it was not. Unfortunately, it was not caught by preventative actions. When a misrepresentation is flagged to us, it is prioritised for human review, where I would hope the redirection in the URL would be noticed.

It was not picked up by human review. It was reported to Google.

How many fraudulent ads has Google been made aware of by financial institutions in the past 12 months in Ireland?

I am not sure that is the case, but the figure for reports by financial institutions is not something we track on an ongoing basis. If there is any useful information of that nature that we can share, we would be happy to look at doing so. I have probably given the committee an idea of the scale of the issue and the enforcement action we take. The number of sectors that report ads for different policy violations, be those misrepresentations or anything else, is large.

That is a fair point and I can provide information to the committee after the meeting. Our ad transparency report lists the various reasons for which we take action on ads. There are a wide variety of reasons, including trademarks and misrepresentations. We provide figures on how many ads we have removed for various reasons. Sometimes, the advertiser is legitimate and is attempting to advertise his or her business but just happens to be in violation of a policy because he or she has not framed the ad in the right way. That is part of the normal business of enforcing our policies.

Time and again, I hear that it takes forever. It only takes a minute to scam someone, so if something is up for a couple of weeks, a great deal of damage could be done to many households.

There are different types of scam. Interestingly, investment scams hit people the heaviest. People could be €100,000 or more out of pocket. If I googled, “Best savings rate Ireland”, are the top three sponsored ads all legitimate?

It is a common thing. Many of these ads are fake websites. When I googled the phrase today, it came up with a website called compare-deposits.com. It had exactly the same web address as one that was shared with us on 30 June by the CEO of Bank of Ireland. He told us that this website was fraudulent but was sponsored on Google’s platform. I do not know whether that ad was taken down and this one, which was only established a couple of months ago, just happens to have the same name. When I put its name into a search engine to check its authenticity, its score was 1%. How could that happen?

That website was reported to Google by Bank of Ireland. The witnesses say it may have been taken down but be back up again. Forgive my ignorance, but not-for-profit groups I have been involved with placed ads on Google, Facebook, etc.

It costs a lot of money to get to No. 1. I do not mean if it is a broad issue. We were talking about best interest rates. To get one's website to No. 1 on Google is not a €10 advertisement, is it?

These fraudsters are really sophisticated. I gave the statistics earlier from Britain, where 61% of all British payment frauds originated from Meta sites. There are advertisements on Meta's social media platforms from Elon Musk and Tesla, stating how people can just click a link and make €250,000 in the next couple of months. It does not take a wizard to figure out that that is a fraudulent advertisement, yet it runs. If we google Tesla on Facebook, it comes up over and over again. Meta has had these advertisements and the point is that it has accepted money for them. As I said, I know community groups which have put Facebook advertisements up and are not allowed to because the background music they used was from Beyoncé or whoever is up in the charts these days or, as I said, there might be an image with branding of Nike or such. Yet, we have these companies operating investment scams, using AI to put words in the mouth of Channel 4 presenters sitting at a news desk, and telling people that if they click the link and invest, they will not have to work ever again. Facebook is taking money from these advertisements. How the hell are they slipping through the checks that Meta has?

Unfortunately, some do. One thing which is potentially helpful in this regard is that the advertisement library, which we originally set up for social issue, electoral and political advertisements, has now been broadened, so all advertisements will now be in the library. Anything that is targeting Irish users and EU users more broadly will be cached in that ad library. Targeting information will be in there, as will information on the payer and beneficiary. There is potentially a repository for when ads do slip through. There is an open and transparent database that can be searched for the purposes of pursuing individuals who are engaged in this activity. I would make the point that while there may be payment for the ad, the cost to Meta far outweighs any sort of financial benefit we receive from those ads.

Or Mr. Ó Broin's company does not have the figure.

The purpose of this session is not just to discuss the social media companies. It is to look at what we need to do about authorised push payment fraud. There is no doubt, in my view, that the social media companies have a role to play. The culprits are the people who are scamming, swindling and so on, but companies cannot financially benefit from this. It would not be acceptable if the Irish Independent contained fraudulent ads that are very obviously fraudulent. If it ran the Dunnes Stores advertisement with the fake website, it would not be acceptable. It would not be tolerated, nor should it be for social media companies.

I appeal to the witnesses, and I will come to Amazon next, to have their company reach out to the financial institutions and representative body to try to have a pathway where this reporting can be more speedily dealt with and also have feedback. They commented that stakeholders need to work together, which I think is important, and it is clear that is not happening. Working in silos only benefits the criminals who are trying to rip off people. I encourage them to do that.

There are proposals in Britain. I would like both Meta and Google's views on it. Do they believe that social media companies which have received payment for fraudulent ads should be in some way held partially accountable for the fraud that takes place? I understand there are proposals like this in Britain and would like the companies' views on that.

I will hand over to Mr. Milton to address the particulars regarding the UK. The focus should be on solving the issue. We are happy to follow up with BPFI to raise the issue. If we do that and we establish good working practices, that would lead to a reduction in fraud across the platform. That is where the focus should be. Mr. Milton might address the UK element and where those proposals are.

I am not aware of those specific proposals but, to echo what Mr. Ó Broin said, our money is best spent to try to prevent this stuff from happening and working in collaboration with the banks to do that. Rather than focusing on who should pay for what, we should focus on solving the problem and working together to do that. Mr. Ó Broin has outlined the level of investment that we already put in place to prevent this kind of thing from happening. As he said in his opening statement, that is only increasing over time, not decreasing. That question is legitimate if there is a sense that there is not a financial incentive for organisations like ours to engage in this and try to fix the problem. It is clear, however, that there is a significant financial incentive for us because, as Mr. Ó Broin outlined, the risk to us is substantial. Our users and advertisers that advertise on our platforms are the lifeblood of our platforms. Fraud on our platforms, even if one does not fall victim to it, makes people not want to use our platforms, whether advertisers or users. That is the death knell for a platform like ours, so there is a huge motivation for a company like ours to solve this as an issue.

Things get through our protections and always will because this is an adversarial space and we are talking about highly organised criminal gangs which are incentivised to do all they can to get under the bars of our standards and policies so they can run ads or post content on our platforms. Our focus is on trying to invest to stay one step ahead of those criminals. That is where our focus has been over the last few years.

I thank the witnesses. I note from both Google and Meta's opening statements that the number of fraudulent websites and ads that have been taken down is massive. I note the work that is going on there.

Regarding Amazon, Mr. Brophy was nearly back in his old role, giving a bit of financial advice to the committee, slipping into his old jacket too comfortably. I hear his opening statement about Amazon. Where the fraud takes place in Amazon, in the main, is others replicating Amazon sites. It is not solely that. Mr. Brophy gave an outline of the checks that are done for selling on Amazon.

Is it not the case that one of the most popular types of Amazon frauds is where somebody sets up selling an item on Amazon and then cons the person into making the payment outside of Amazon? Therefore they are not protected by the A to Z. They are left high and dry. Could Mr. Brophy or Ms Bishop speak to that? How many of those cases have happened in Ireland if there are any statistics for them?

No. What I am asking about is where sellers on Amazon are selling an item, and when it goes to the purchase point, they are contacting the buyer and asking them to make payments off-platform using other types of apps like Venmo and so on, where the scam actually happens, although it is originating on the Amazon site.

Great. In terms of our service, we do not allow sellers to go off-platform to ask for payments. Our policy is that payments are not conducted off of our store. While I do not have any specific figures on this particular modus operandi, it is not an MO that I am familiar with in terms of prevalence in our fraud programme.

Okay, so Amazon does not track that. Amazon warns customers not to make payments off-platform, through Western Union or whatever, but to go onto the site. It is the right warning because if it is fraudulent, they will get their money back. It is a great service that is operated if people stay on the platform. It appears over and over that this is one of the scams that are attempted. A purchase is attempted but the individual is then contacted and requested to send the money through Western Union, which dupes the person into believing it is a credible way to pay. Given that they are on the Amazon platform and the trust that is in that platform, people fall for it.

The Deputy's understanding is correct that our policy is to not allow sellers to accept payments off our platform. If that does happen, we would rely on some of our self-reported mechanisms from our customers to let us know that it had happened. Our ability to track or monitor that is as capable as any other type of impersonation or off-store scam. It is not actually an MO which has hit the peak of prevalence. Some other MOs are-----

Sorry, it is the first item on the website in respect of avoiding payment scams. There is a number of items about how to avoid them and the first is "do not do business with a seller who directs you off the Amazon website." How are they getting on to the Amazon website in the first place and do the witnesses have any figures on how many people have been put off as a result of this?

The payment services directive 3, or PSD3, proposals that the EU is currently looking at will not deal with the receiving side of that. However, they deal very well with a number of the other aspects. That would be very much our focus. As I think the Deputy has said previously, and as his colleague Chris MacManus, MEP, has said, it is not something the Irish Government could not do itself. However, at the moment the focus is very much on PSD3, and ensuring it gets through and the protections for APP fraud contained in PSD3 are dealt with. That would be very much our focus within Amazon in Ireland and looking at that EU legislation.

I thank the witnesses for attending. Many of the questions have already been asked at this stage but there are a couple of things I want to develop on. The first is the acknowledgement than an economic crime is being committed here in terms of extracting money from people fraudulently. The companies represented are obviously performing services on behalf of the person or organisation that is committing that crime. Is that right? Would the witnesses agree with that, that there is economic crime and that they are facilitating or enabling it? People would not be able to do it without these platforms.

I am not sure that is the case. As we discussed, these are pretty determined networks of actors and organised criminals so they do try to find different ways. In all cases, if there is an advertisement or some other piece of online content such as a phishing email that goes through, it is one part of a very long chain that may ultimately result in somebody being defrauded. The fraudsters will make use of tools that are available, particularly any tools where they are not likely to be subject to enforcement action. That is why we spend a huge amount of investment in technology and humans to ensure that our tools are not seen as attractive to fraudsters to form part of a system they may put together to defraud people ultimately.

They obviously are when we look at the figures showing that 61% of the reported authorised push payments and 87% of scams come through social media platforms, or we look at the backup TSB data which showed that 80% of that company's fraud cases came through Meta-owned companies. They obviously are and it is obviously a big problem. It is shocking what is being revealed here this evening. When the banks told us there were no pathways, nobody for them to talk to and nothing arranged, it was quite unbelievable. The witnesses have verified this evening in respect of the banks and institutions where the money is being taken from and that for the end user there is nobody to talk to. If one thing is to come out of this evening's meeting, that pathway has to be there. People need a human being to speak to as well. They do not need drop-down menus. All of the companies before us can afford to at least have somebody available so the banks know who to speak to and can have a conversation with that person.

Once there is a suspicion of fraudulent activity, what happens then? How does Meta, Facebook or Instagram engage with the appropriate authorities in this State and abroad to ensure the fraudsters face more than the inconvenience of having to set up a new account or switching over to a fake account? Will the witnesses talk me through what happens in terms of their reporting?

Certainly. Our enforcement is against our policies and standards. As I explained earlier, we see that part of it. We are not necessarily aware a crime or fraud has been committed further down the chain. We have reporting channels in place for law enforcement where they are pursuing investigations and we publish the figures in that regard. As I just said to Deputy Doherty, one of the developments in the past year is the ads library. That repository will be there for regulators and stakeholders to go to to find the ads they are particularly concerned about. They can follow that up with us or they may choose to bring it to law enforcement themselves.

Okay, so Meta takes no responsibility for that other than placing the ad there for somebody to report it. That is the interaction people have with the mechanism for scamming them. Does Mr. Ó Broin think that if social media platforms were held financially responsible for fraud, they would be forced to reform the approval process?

As we discussed with Deputy Doherty, the financial incentives for us to solve this are extremely clear. That is clear from the investment we have made and from the risk to the user experience, the brand experience and the legitimate advertiser experience on our platforms. The incentive for us to solve our element of this is therefore extremely clear and very high, as per our earlier discussion with Deputy Doherty.

No, but on that point, I think there is a suggestion that we are somehow uncontactable or that there is no way for the banks to reach us and to raise their concerns with us. I would query that slightly because it is certainly not the case for any other area of online harm. We have strong relationships with Irish stakeholders in those spaces.

I do not mean Mr. Ó Broin's personal relationship, but he must know what the relationship is between his own company and the banks. Do they meet? Do they ever discuss anything? Is APP fraud important enough for Meta to discuss it with any of the financial institutions, the regulator in this State, the Government, a Department or anybody else?

Does Mr. Ó Broin see what I mean, though? There is a discrepancy there because if Meta were focused on it and focused on finding solutions to it, it would be engaged regularly with all these stakeholders to try to find a collective solution, rather than people working in silos and ordinary people being the victims of crime, which, at the end of the day, is what they are here.

The point I was trying to make is that we are extremely focused on addressing those elements that are within our control. There is a need for a broader, multistate, sectoral conversation and for online platforms beyond our own, beyond the companies represented here, to be involved in those conversations. Yes, we are very focused on this, we are focused on our own element of it and we are happy to engage with the BPFI going forward.

Okay, but Meta has not until now.

What is the difference between how APP fraud is handled here and how it is handled in the UK, from a social media perspective, or from the perspective of the witnesses' platforms?

I will allow my colleague, Mr. Milton, to come in on this, but one of the great strengths in the UK has been the establishment of a multi-stakeholder forum. Mr. Milton can elaborate, but essentially it is jointly led by the Government, regulators and trade associations, and a lot of the benefits of those contacts have come out of those meetings. Mr. Milton might come in-----

The short answer to that question is "No". There is no compelling need for us to be there, simply because I think we all want to be there. This is a massive societal issue that we and other companies are extremely focused on trying, if not to help solve, to at least to help mitigate.

I will break down the things that are happening in the UK which might be a useful model to follow here. There are two different forums we are engaged in - two main ones, at least. One is called the online fraud group and is co-chaired by three different groups: UK Finance, which is the banking trade body, techUK, which is the tech trade body, and the National Economic Crime Centre, which is what it sounds like. They hold quarterly meetings at which they send us off in different working groups, task-and-finish groups, to focus on particular areas. There is a purchase scam group that is just about to launch. We have just finished up one working on money mules, which is a type of money-laundering that can happen in various places. Those have been really effective because they have allowed us to bring together law enforcement, banks, regulators and tech companies in one forum to talk about the information we all have. As Mr. Ó Broin said a couple of times, we have a very small piece of the puzzle. It is basically the initial hook or trap fraudsters put in place on our platforms, be it through-----

As part of the Online Safety Act just recently passed, we will be regulated by Ofcom. Advertising is a self-regulatory model in the UK, but the advertising regulator is the Advertising Standards Authority. Then there is a financial services regulator through the Financial Conduct Authority, FCA, with which we also engage as part of this. All those regulators are brought together in this forum - as they were, I should say, before we were formally regulated by them. The point I made at the beginning is that the reason we are engaging with those regulators, even though before now we were formally regulated by them, is that we have a real incentive to talk to them and to learn from their experiences-----

The legislation that regulates this at an EU level and in Ireland is the payment services directive, PSD, under the Central Bank. Sometimes the directive is called PSD2 and it will now become PSD3. The directive will have strong provisions on APP fraud, which I mentioned to the Deputy's colleague, Deputy Doherty. There is definitely a role for the Central Bank here and it is the de facto or the euro regulator for the payment services directive. In the UK, things are split up. In the UK, there is the Payment Systems Regulator which specifically looks at payment systems in that country. In Ireland, we have the Central Bank and it is the regulator around this matter. We would be delighted to deal with any forum that the Central Bank sets up in terms of this or any work that it wants to carry out specifically in regard to this AAP fraud activity, but also broader online fraud activities because the legislation exists in Ireland by way of PSD2 and PSD3. Officials from the Department of Finance appeared before this committee before the summer break and I think they confirmed this as well. Some of the tools are definitely there and we are very happy to work with the Central Bank of Ireland to advance that.

My colleague, Ms Bishop, will reflect on some of the broader activities at a global and more international level.

To underscore the cross co-ordination that is under way, it gives me a lot of hope, personally and professionally, that there are channels for co-ordination across all the different stakeholders, including the people who are facilitating communication, whether they are social media or telecommunication providers, they are financial institutions and finance tool providers, they are peer-to-peer payments, or traditional banks, bitcoin and otherwise, as well as those trusted brands that are being taken advantage of and manipulated. There are many forums and there are ones that we are increasingly engaged with at Amazon, and are sharing information and best practices, and gleaning insights from them, including the folks at the Council of Anti-Phishing in Japan, the Global Anti-Scam Alliance based in Amsterdam and consumer organisations all over the world. It really does take a concerted co-ordinated effort. Conversations are being had which we are both facilitating in round-table conversations ourselves but also engaging with some of these organisations across the globe. I reiterate that there are some promising trends, thankfully.

I will push back on that a little. Amazon is a member of the Fintech and Payments Association of Ireland, which is part of the Banking & Payments Federation Ireland. We are a member, have conversations with them all the time and we discuss this the time. It is not that we are not aware of these discussions and not aware of these debates. We engage with them. We are paid up members. There is a lot of connection between a lot of the work that we do and the banks do, so I do not think that it is the case there is nothing happening. There is a lot happening. There is a lot of discussion and ongoing engagement, certainly between ourselves and all the members of the association.

The main message from tonight is that that needs to be done. I appreciate there is a willingness to do that but it must be driven by Government. Passing the buck from the Central Bank to ComReg does not help us solve the problem before us and the problems that will exist in the future, particularly as AI advances and exposes more people to fraud.

I want to address the point made about interaction with regulators and whether there is a regulator in this space. We deal with multiple regulators, including the Central Bank. We have a dedicated priority web forum for State bodies to report issues to us. The Central Bank use that. ComReg also uses it to report issues. We engage with the Advertising Standards Authority for Ireland on advertising issues. It has been mentioned that the UK has a specific regulator to deal with this issue. Increasingly, these complex issues involve multiple regulators nowadays of necessity because they include multiple industry sectors, multiple disciplines and so on. It is not that unusual there is no one regulator covering this entire space. That type of regulatory co-operation between regulators and across industry is more common and more necessary. Coimisiún na Meán will be Ireland's digital services co-ordinator under the Digital Services Act and will have a role in bringing together the regulation more generally. Already there is informal networks of regulators, such as the Economic Regulators Network, to discuss cross-cutting issues and so on. It is probably not unexpected that there might be no one regulator to point to but, increasingly, it is normal practice for multiple regulators to have different parts of the issue.

The most relevant law in that instance would be the Digital Services Act, which has only just come into force. The Act is already in force in respect of many of our platforms. We have produced our risk-assessment report, under that legislation, and provided it to our regulator, which is the European Commission. There is going to be audits and requirements for transparency reports and a whole series of other steps. That is all in train. Obviously, it is too early to talk about enforcement. We will certainly do our best to ensure that we are compliant.

Deputies Doherty and Conway-Walsh have asked all of the questions that I had in mind but I would like Mr. Ó Broin to clarify one matter. People access an advertisement or offer, attempt to purchase a product, leave the online site believing that they have purchased, but the product never arrives because the advertisement is a scam. Yet those advertisement continue to appear on Facebook. In fact, these advertisements are quite numerous on Facebook and state things like, "Store closing 90% off", "Outlet store 80% off", and "Flagship store 80% off", and then for particular brands of footwear, they state, "90% off". I fail to understand the explanation given to me as to why these advertisements cannot be tracked down and stopped.

They can be tracked down and stopped but the question is identifying the ad. The way an ad can be identified most readily, separate from the in-APP reporting, is the URL which allows our teams to instantly locate, review and take action against the ad. For example, we are unable to take action against details, which may happen off platforms regarding payments that happen off the platform.

We are also unable to take action in relation to screenshots. The URL is essentially key. The URL is easily locatable, whether you are on the ad or not. You can go through your account history and see any ad that you have been engaging with. On top of that, there is the ad library as well, where all of those ads will be located, and reports can be produced from that. If law enforcement is interested in pursuing a matter, the information will be available.

They rely on the fact that the ad appears on a reputable platform and then they get comfortable with it. I think a lot more needs to be done. Deputy Doherty covered a range of questions that I had, so I am not going to indulge any further, except to thank all of the witnesses for attending the meeting. We have had a good exchange and we will follow up with the witnesses in due course. I thank the witnesses for their time.