Cymraeg

Guidelines for Charities

Trustees of Registered Charities have overall responsibility for keeping the assets of the charity safe. Every kind of organisation, especially those which have an online presence, is a potential target for fraudsters. Unfortunately, charities are no exception as most fraudsters make no distinction between organisations that operate for profit and those with altruistic aims.

In general, fraud has increased with the advent and growth of the internet, which has provided criminals with the means to carry on their activities anonymously. Therefore, as more of your business is conducted online, the greater the possibility that you will fall victim to fraud.

If defrauded, your charity will not only face financial losses but could also suffer damage to its reputation, and a loss of confidence by benefactors and donors.

This page is designed to help you prevent and detect online fraud and gives you information on what you should do if you discover that a fraud has taken place. Having a clear plan of what to do if there is a suspected or actual fraud will equip you to deal with the situation more easily. You will see that taking a few straightforward steps can significantly reduce your charity’s chances of becoming a victim.

The top line responsibilities of Trustees

  • Ensuring there are appropriate internal financial controls in place to make sure all funds are accounted for and spent in line with your charity’s aims.
  • Keeping proper and adequate financial records for both the receipt and use of all funds together with a record of any decisions made.
  • Acting responsibly and in the interests of your charity if fraud occurs. This includes promptly reporting the fraud (suspected or actual) to the relevant authorities such as Action Fraud and taking steps to ensure that the charity’s funds are protected.

The risks

The risks to charities of online fraud can be from both external and internal sources. These include:

External

  • Identity fraud – for example, where a genuine charity’s details are used without authorisation, to deceive unsuspecting donors.
  • Scam or ‘phishing’ emails requesting confidential details from your charity, which is then used by fraudsters to obtain funds illegally.

Internal

  • Misuse of your charity’s credit cards.

Get the basics right

You should ensure that you have structures in place to minimise the risk of financial wrongdoing. This should include the following:

  • Implement robust financial controls and reinforce the importance of these.
  • Understand your risks. Take regular assessments of the risks your charity might be exposed to.
  • Instil a culture of ethical behaviour throughout your charity. Encourage awareness by communicating anti-fraud measures and training staff.
  • Develop an anti-fraud policy. This is a formal written document to plan out actions and responsibilities.
  • Develop a whistleblowing policy. It is important that staff know how to report concerns about fraud and to whom – and that this is encouraged.
  • Ensure there are robust recruitment procedures. Draw up a self-declaration form for staff and check references for new starters.
  • Keep records of suspected and confirmed fraud.

Use the Charity Commission’s ‘CC8 – Internal Financial Controls for Charities’ guidance and checklist for reference.

Implement banking controls

A key element in ensuring online safety is the implementation and maintenance of banking controls. Make sure you have these in place:

  • Checking statements carefully, including checking that all amounts you expect to see banked, have been banked.
  • Storing statements and other financial documents safely and securely. Shredding documents that you no longer need.
  • Signing credit or debit cards as soon as they arrive.
  • Ensuring that you know exactly which staff have access to charity accounts and that there are mechanisms in place for independent verification of transactions.

The Charity Commission recommends that all charities banking online use a dual authorisation system. This is where one user submits a transaction and another user then authorises it. Charities should ask their own banking services provider whether they offer this service.

Protect your website

An increasing number of incidences of online fraud are committed by criminals accessing your website. If your charity is hosting its own website, you have a responsibility to ensure that that your website is protected from such attacks. You should take the following precautions:

  • Ensure that the hardware and software is secure.
  • Use the latest version of any e-commerce software. Old versions may have flaws that hackers can exploit.
  • Use strong, protected passwords throughout the system. Do not leave any password set to its default value.
  • Make sure the server is protected by an effective firewall and antivirus/antispyware software.
  • Monitor log files carefully to spot any attempts at intrusion.
  • Never store donors’ private information and credit card details or beneficiaries’ information on a public commerce server.
  • Protect your SSL details and keep them confidential.
  • Consider using a professional penetration testing firm to test the defences on your e-commerce server. Penetration testing is a method of evaluating the computer security of a computer system or network
  • If you choose to use a third-party hosting company:
  • Review its security and availability policy and arrangements.
  • Consider using a professional penetration testing firm to test the defences on your hosting company’s server.

Avoid identity fraud

Charities are just as vulnerable to having their identity stolen as individuals. It is not uncommon for fraudsters to obtain money by setting up a hoax charity or fundraising appeal in the name of an authentic charity. Take the following simple steps to reduce the possibility of this occurring to your charity:

  • Ensure donor data such as names, addresses and bank details are stored securely and in accordance with data protection requirements – this information is valuable to fraudsters.
  • Check your bank accounts regularly. If they have frequent withdrawals and deposits by different people, a fraudster who has access to your bank account could operate undetected for some time.
  • Look out for any unauthorised use of your charity’s name or logo.
  • Encourage donor awareness. Ask regular supporters to look out for and report any fundraisers, fundraising literature or emails that appear suspicious.
  • If someone sets up a hoax charity in your name, it may be possible for you to seek an injunction to prevent them from fundraising.
  • Advise existing and would-be donors to read the information and advice on Get Safe Online’s page on Charitable Donations here.

When filing accounts with the Charity Commission, the Commission recommends charities send accounts to it online rather than in hard copy. The accounts you submit online must have been signed off by trustees, but they do not need to show trustees’ signatures. This is to help prevent identity fraud against charities.

Increase internal awareness

Promoting greater awareness within your charity of what steps should be taken to prevent fraud, will help the charity meet its responsibilities.

  • Ensure that all staff, volunteers and fellow trustees are fully aware of fraud policies when they join the organisation, and on an ongoing basis.
  • Give one or more staff responsibility for fraud prevention policies, including keeping them updated and conducting regular risk assessments.
  • Train employees and volunteers to ensure they are familiar with your charity’s financial controls, and know what to do if they suspect fraud has taken place.
  • Ensure fellow trustees, employees and volunteers are also aware of any best practice guidelines and legal obligations relevant to their role.
  • Ensure that fraud and risk assessment are regular agenda items for trustee board meetings.

What to do if your charity has been a victim of fraud

Report the fraud

  • Report it to Action Fraud, the UK’s national fraud reporting centre by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk
  • Depending on the nature of the fraud, you may also have to report it to an agency such as HM Revenue & Customs or the police.
  • Any actual or suspected serious incidents of fraud should also be reported to the Charity Commission.

Keep others informed

  • Keep the other members of the trustee board informed about the fraud and any subsequent investigations.
  • Notify staff and, if relevant, volunteers with the appropriate level of information.Keep others informed

Review security

  • As soon as you have identified the cause of the fraud, take steps to ensure that you have fixed this and make your systems more secure so that it does not happen again.

Recovering lost funds

  • If the fraud relates to the use of bank accounts, you may be able to recover the funds through your bank. Your bank will be able to provide more information on the likelihood of this and the steps to follow.
  • Make a claim to your insurance provider if your charity has policy that covers fraud.
  • In other cases, taking civil or other action is something for you and the other trustees to consider. However, you should be aware that pursuing an action through the civil courts can be expensive and may not be cost effective. Additionally, you may need to obtain the Charity Commission’s consent before pursuing litigation.
  • The Fraud Advisory Panel has produced a fact sheet, An Introduction to Civil Asset Recovery, for those wanting to know more about bringing formal proceedings against a fraudster. You can view and download the document by clicking here.

Other advice on preventing loss

The Charity Commission offers a range of guidance on managing your charity, including safety and security, on its website. The following may be of interest in specific circumstances:

Overseas donations

Most charities should know, at least in broad terms, where the money they are being given comes from (for example. grants, cash donations etc). Trustees should also be able to identify and be assured of substantial donations. Good due diligence will help to:

  • Assess any risks to the charity that may arise from accepting a donation or certain types of donations.
  • Ensure that it is appropriate for the charity to accept money from the particular donor, whether that is an individual or organisation.
  • Give trustees reasonable assurance that the donation is not from any illegal or inappropriate source.
  • Ensure that any conditions that may be attached are appropriate and can be accepted.

This does not mean you have to question every donation, nor must you know lots of personal and other details about every donor – apply a common-sense approach.

Prevention of money laundering

As some criminals look to legitimate organisations to facilitate money laundering or financial crime, trustees need to be aware of these risks. Charities should have clear policies and procedures in place both to ensure that its trustees, staff and volunteers are aware of this risk, and to ensure that trustees and/or senior staff are alerted to any suspicious donations.

A charity’s responsibility is not to work out if a donation is illegal or if the charity may be asked to use it for illegal purposes. However, trustees should carry out checks and report concerns and suspicious activities to the appropriate authorities, including the Charity Commission.

Money transfer services

A charity may decide to use an intermediary organisation such as an established Non-Governmental Organisation (NGO) or a local charity to transfer funds. In this case the charity should set out all arrangements in a formal agreement. This agreement should ideally include:

  • The details of the intermediary organisation and the recipient.
  • Timescales in which grants are to be paid over or returned to the charity.
  • Details of what paperwork (for example recipient’s application, report on the use of the grant etc) will be required by all parties to the agreement.

It is also important to carry out due diligence checks on the solvency and reliability of the intermediary.

This page has been compiled with the kind assistance of the Charity Commission.

In partnership with

Jargon Buster

A Glossary of terms used in this article:

Penetration testing

Legally hacking into a computer system or website with the approval of the owner, to reveal vulnerabilities and finding opportunities for improving its security.