2025020

Request referring to investigative systems.

Published: 1 September 2025

Information requested

Investigative Systems

Do you have dedicated systems, databases, or platforms in place for fraud and financial crime investigations?

If so, please specify what systems are currently used (e.g. Companies House, credit reference agencies, internal databases, third-party platforms).

Data Sources & Access

Do you have a consolidated platform that brings together company, director, and financial intelligence from multiple verified UK sources?

Or do investigative staff currently access this information manually across multiple, disconnected systems?

Evidence Standards

Do you have processes in place to ensure that intelligence gathered for fraud investigations is disclosure-ready (i.e. date-stamped, unaltered, and admissible in court)?

If not, how is continuity of evidence assured?

Director & Network Mapping

Do you have tools to map cross-company directorships, disqualified directors, and hidden associations across multiple firms?

If not, how is this analysis currently carried out?

Monitoring & Alerts

Do you have live monitoring or watchlist capabilities to track suspect companies, directors, or entities in real time?

Or is monitoring carried out through periodic manual checks?

Financial Risk Profiling

Do you have the ability to automatically profile the financial resilience of companies (e.g. through balance sheets, P&L, cashflow, CCJs, or charges)?

If not, how is financial risk typically assessed during investigations?

Casework Efficiency

Do you have audit trails and secure collaboration tools in place for investigative teams working across cases?

Or are cases typically reliant on manual collation and file sharing?

Security & Compliance

Do you have systems accredited to ISO 27001 or equivalent for handling sensitive investigative data?

If not, what measures are currently in place to ensure security and GDPR compliance?

Fraud on the Corporate Risk Register

Do you have fraud, financial crime, or corruption risks recorded on your corporate risk register?

If so, please provide:

The specific risks listed (e.g. procurement fraud, payroll fraud, supplier collusion, grant misappropriation, etc.).

The current risk ratings (likelihood, impact, or equivalent scoring used).

Details of any mitigating controls identified.

If fraud is not explicitly recorded on the corporate risk register, please confirm how the organisation records and monitors fraud-related risks.

Please provide your answers in as much detail as possible, including whether the tools, systems, or processes are internal, outsourced, or provided via third-party suppliers.

NHSCFA response

Investigative Systems

Do you have dedicated systems, databases, or platforms in place for fraud and financial crime investigations?

If so, please specify what systems are currently used (e.g. Companies House, credit reference agencies, internal databases, third-party platforms).

The NHS Counter Fraud Authority uses the CLUE case management system and the iBase Intelligence system for fraud and financial crime investigation.

More information on the systems can be accessed here:

NHSCFA-DPIA_CLUE-Case_Management-and-Intelligence-System.pdf

NHS-Protect_PIA-iBase.pdf

The Authority undertakes open source checks for services such as Companies House and other publicly available data.

Open but paywalled, and closed sources of data are accessed via the National Anti-Fraud Network (NAFN).

Data Sources & Access

Do you have a consolidated platform that brings together company, director, and financial intelligence from multiple verified UK sources?

Or do investigative staff currently access this information manually across multiple, disconnected systems?

Information is accessed manually on a case-by-case basis depending on the nature of the allegation.

Evidence Standards

Do you have processes in place to ensure that intelligence gathered for fraud investigations is disclosure-ready (i.e. date-stamped, unaltered, and admissible in court)?

If not, how is continuity of evidence assured?

Information is time stamped when added to the application and areas such as progress logs have a time stamp when they are appended.

As an intelligence application there are fields that:

  • Can be altered, such as adding a date of incorporation to an organisation. In these instances, the source of the information for this change will be referenced both in the progress logs and in the supporting evidence uploaded.
  • Can only be appended to. This includes the progress log: an officer can add to it, but they cannot edit something previously written.
  • Are read only. These are fields that cannot be updated by officers.

All additions and changes are auditable.

Director & Network Mapping

Do you have tools to map cross-company directorships, disqualified directors, and hidden associations across multiple firms?

If not, how is this analysis currently carried out?

The organisation uses Companies House.

Analysis is carried out manually on a case-by-case basis.

Monitoring & Alerts

Do you have live monitoring or watchlist capabilities to track suspect companies, directors, or entities in real time?

Or is monitoring carried out through periodic manual checks?

NHS Counter Fraud Authority do not monitor in real time or periodically in intelligence.

Real time tracking is not a requirement.

Financial Risk Profiling

Do you have the ability to automatically profile the financial resilience of companies (e.g. through balance sheets, P&L, cashflow, CCJs, or charges)?

If not, how is financial risk typically assessed during investigations?

NHSCFA does not have the ability to automatically profile financial resilience. This is not a requirement of the Authority.

Casework Efficiency

Do you have audit trails and secure collaboration tools in place for investigative teams working across cases?

Or are cases typically reliant on manual collation and file sharing?

Intelligence officers will share information through the intelligence application. Information shared with internal investigation teams will be disseminated on the NHSCFA’s case management system (CLUE).

Information received by the NHSCFA for external organisations will be shared using the College of Policing’s Intelligence Report.

Security & Compliance

Do you have systems accredited to ISO 27001 or equivalent for handling sensitive investigative data?

If not, what measures are currently in place to ensure security and GDPR compliance?

The NHSCFA is certified to ISO27001 with the scope including all people, information systems and sites.

The NHSCFA complete the NHS Data Security and Protection Toolkit, which is CAF-aligned. The mandated audit this year returned a result of “Low” risk and “High” confidence in our response.

There are also IG and Data Protection policies available on the website:

Government Security Classifications | NHS Counter Fraud Authority | NHSCFA

Information Governance Policy

Fraud on the Corporate Risk Register

Do you have fraud, financial crime, or corruption risks recorded on your corporate risk register?

If so, please provide:

The specific risks listed (e.g. procurement fraud, payroll fraud, supplier collusion, grant misappropriation, etc.).

The current risk ratings (likelihood, impact, or equivalent scoring used).

Details of any mitigating controls identified.

If fraud is not explicitly recorded on the corporate risk register, please confirm how the organisation records and monitors fraud-related risks.

The Authority has fraud related risks recorded on the corporate fraud risk register.

Fraud risks are included in the Enterprise Fraud Risk Assessment (EFRA) in line with Government Functional Standard 013. Government Functional Standard GovS 013: Counter Fraud - GOV.UK

The Authority is unable to provide the specific risks listed or the current risk ratings.

This information falls under the exemption specified in Section 31(1)(g) and 31(2)(a). In applying this exemption we have had to balance the public interest in withholding the information against the public interest in disclosing the information. The attached annex to this letter sets out the exemption in full, as well as the factors the Authority considered when deciding that in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.
