The National Fraud Database (NFD) is the UK’s largest repository of fraud risk information. It operates under strict rules known as the CIFAS Principles, which are set out in the National Fraud Database Handbook.
These Principles ensure that data is shared lawfully, fairly, and proportionately, in line with the UK GDPR and the Data Protection Act 2018. CIFAS and its members share equal responsibility for ensuring that all information in the database is accurate, secure, and used only for legitimate purposes.
Understanding these Principles is vital, because they are the foundation for challenging an unfair marker. If a bank or other member has not followed them properly, the marker may be unlawful.
The Eight CIFAS Principles
Principle 1: Reciprocity
The NFD is a reciprocal data-sharing system. Members must contribute fraud cases in order to benefit from the database. This ensures fairness and balance across the network.
Principle 2: Purpose Limitation (Legitimate Reasons for Searching)
NFD data can only be used for the prevention, detection, and investigation of fraud and financial crime. Members cannot use CIFAS data for unrelated purposes, in line with the purpose limitation principle of GDPR.
Principle 3: Transparency
Individuals have a right to know how their data will be used and how decisions about them have been made. This reflects the transparency obligations in GDPR, requiring clear and accessible Fair Processing Notices.
Principle 4: Lawfulness
Members must only search or file an individual’s data if that individual has been legally informed of how their data may be used. Any marker must also meet the Standard of Proof, which has four requirements:
- Reasonable grounds to believe fraud or financial crime has been committed or attempted.
- Evidence must be clear, relevant, and rigorous.
- Conduct must fit one of the recognised CIFAS case types.
- The organisation must have withdrawn, rejected, or terminated a product as a result of fraud, unless obliged to provide it or the benefit has already been received.
This mirrors GDPR’s requirement that all processing of personal data must have a lawful basis.
Principle 5: Fairness (Proportionality and Protection)
Members must use data proportionately and not penalise innocent parties. CIFAS requires that innocent individuals (for example, victims of impersonation) are protected and clearly distinguished from fraudsters. This links to the GDPR principle of fairness and the requirement that data processing must not have unjust or excessive consequences.
Principle 6: Accuracy
All data filed to the NFD must be accurate and kept up to date. If information changes, the record must be amended. This reflects GDPR’s principle of accuracy in Article 5.
Principle 7: Integrity (Security)
Members must protect the database with appropriate security, policies, and controls. Access is restricted to authorised staff only. This aligns with GDPR’s integrity and confidentiality principle.
Principle 8: Data Minimisation
Data must not be kept indefinitely. Once it has served its purpose, it must be securely and permanently deleted. This reflects GDPR’s storage limitation and data minimisation principles.
Why These Principles Matter
These Principles are not optional — they are binding rules for all CIFAS members. If an organisation files a case without clear, relevant, and rigorous evidence, or fails to act proportionately, they may be in breach of both the CIFAS Handbook and data protection law.
For individuals, this provides a clear basis to challenge unfair or inaccurate markers. A CIFAS marker can only be justified if it meets the Standard of Proof and complies with these Principles.