The NHS Counter Fraud Authority (NHS CFA) has been alerted to a new fraud trend within salary sacrifice schemes. Many NHS organisations offer a salary sacrifice scheme to their employees and are partnered with various providers who supply benefits such as car leasing or cycle to work schemes.
Under such a scheme the employee agrees with their employer to give up part of their pre-tax salary in return for a benefit, with the cost of the item spread over multiple deductions from pay. The arrangement is frequently set up directly between the employee and the provider, with Payroll only giving the final authorisation.
The NHS CFA is aware that multiple salary sacrifice agreements have been entered into by fraudsters using stolen details of NHS staff. Enrolment can often be completed with nothing more than an nhs.net email address or another NHS identifier such as an ESR assignment number, neither of which proves that the request came from the employee. The NHS employer's involvement and oversight is therefore minimal, and little verification is undertaken to ensure the purchase has actually been made by the employee.
This newly identified fraud trend hits NHS employees' salaries first; however, it is ultimately the NHS organisation that bears the loss when it reimburses the employee.
How salary sacrifice schemes are operated, and how purchases are approved, vary widely between NHS organisations. The NHS CFA is aware of many cases where verification checks were lacking and/or no approval process was in place at all. In those cases the employee only becomes aware of the fraud when a salary sacrifice deduction appears on their payslip.
Prevention advice
Ensure there is a robust policy in place to support the salary sacrifice scheme, with an approval process and a request form used to verify the authenticity of every salary sacrifice application. This could involve the employee's line manager as well as Human Resources and/or the Payroll team authorising each purchase.
On receipt of a salary sacrifice request, Payroll should independently verify the request directly with the employee. They should do this using the employee's contact details held within the organisation's secure internal systems (for example ESR), not the contact details supplied in the request, since a fraudster who submitted the request controls the latter and will simply confirm their own application.
Employees should not share ESR/assignment numbers or email login credentials – keep them confidential.
Organisations should consider running a local proactive exercise to raise awareness and to test that these controls actually operate as intended, for example by reconciling the provider's enrolment records against the approvals held internally.
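The following is an added example of the kind of control test described above; it is not NHS CFA or TIAA material and does not reflect any real scheme's data formats. It reconciles a benefit provider's enrolment export against an internal approval register and the staff record, flags enrolments with no or incomplete approval, contact details that differ from the system of record, or several enrolments against one assignment number, and produces a call-back list that deliberately uses the phone number held in the staff record rather than the one supplied in the request. All field names, the provider names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaffRecord:
    """Employee details as held in the organisation's own system (e.g. ESR). Constructed layout."""
    assignment_number: str
    nhs_email: str
    phone: str            # the number Payroll should call back on
    line_manager: str


@dataclass(frozen=True)
class Enrolment:
    """One row of a provider's enrolment export. Constructed layout."""
    enrolment_id: str
    provider: str
    assignment_number: str
    email: str
    contact_phone: str    # number the requester asked to be contacted on
    monthly_deduction: float


@dataclass(frozen=True)
class Approval:
    """One row of the internal approval register. Constructed layout."""
    assignment_number: str
    provider: str
    manager_signed: bool
    payroll_signed: bool


def normalise_phone(number: str) -> str:
    """Keep digits only so '0114 555 0101' and '01145550101' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def reconcile(enrolments: List[Enrolment], approvals: List[Approval],
              staff: Dict[str, StaffRecord]) -> Dict[str, List[str]]:
    """Return enrolment_id -> list of findings; an empty list means the enrolment passed."""
    approvals_by_key = {(a.assignment_number, a.provider): a for a in approvals}
    per_assignment: Dict[str, int] = {}
    for e in enrolments:
        per_assignment[e.assignment_number] = per_assignment.get(e.assignment_number, 0) + 1

    findings: Dict[str, List[str]] = {}
    for e in enrolments:
        issues: List[str] = []
        record = staff.get(e.assignment_number)
        if record is None:
            issues.append("assignment number not in ESR")
        else:
            # Compare the request against the system of record, not against itself.
            if e.email.lower() != record.nhs_email.lower():
                issues.append("email differs from ESR")
            if normalise_phone(e.contact_phone) != normalise_phone(record.phone):
                issues.append("contact phone differs from ESR")
        approval = approvals_by_key.get((e.assignment_number, e.provider))
        if approval is None:
            issues.append("no approval on file")
        elif not (approval.manager_signed and approval.payroll_signed):
            issues.append("approval incomplete")
        # Several agreements against one assignment number in the period is worth a look.
        if per_assignment[e.assignment_number] > 1:
            issues.append("multiple enrolments for this assignment number")
        findings[e.enrolment_id] = issues
    return findings


def callback_list(findings: Dict[str, List[str]], enrolments: List[Enrolment],
                  staff: Dict[str, StaffRecord]) -> Dict[str, Optional[str]]:
    """Enrolments needing a call-back, keyed to the ESR phone number (None if no record exists)."""
    by_id = {e.enrolment_id: e for e in enrolments}
    out: Dict[str, Optional[str]] = {}
    for enrolment_id, issues in findings.items():
        if not issues:
            continue
        record = staff.get(by_id[enrolment_id].assignment_number)
        out[enrolment_id] = record.phone if record else None
    return out


# Constructed sample data: two genuine staff members, one clean enrolment and three suspect ones.
STAFF = {
    "10012345": StaffRecord("10012345", "alice.example@nhs.net", "0114 555 0101", "J. Manager"),
    "10067890": StaffRecord("10067890", "bob.example@nhs.net", "0114 555 0202", "K. Manager"),
}
ENROLMENTS = [
    Enrolment("ENR-1", "CarLeaseCo", "10012345", "alice.example@nhs.net", "01145550101", 310.00),
    Enrolment("ENR-2", "CycleCo", "10067890", "Bob.Example@nhs.net", "07700 900123", 95.00),
    Enrolment("ENR-3", "CarLeaseCo", "10067890", "bob.example@nhs.net", "07700 900123", 420.00),
    Enrolment("ENR-4", "CycleCo", "10099999", "someone@nhs.net", "07700 900999", 80.00),
]
APPROVALS = [
    Approval("10012345", "CarLeaseCo", manager_signed=True, payroll_signed=True),
    Approval("10067890", "CarLeaseCo", manager_signed=True, payroll_signed=False),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ENROLMENTS, APPROVALS, STAFF)


if __name__ == "__main__":
    results = run_sample()
    for enrolment_id, issues in results.items():
        print(enrolment_id, "OK" if not issues else "; ".join(issues))
    print("call back:", callback_list(results, ENROLMENTS, STAFF))
```

The structure of the check matters more than the particular fields: every comparison is made against data the organisation already holds, and the call-back number comes from the staff record, so a request that supplies a fraudster's own email and phone number still fails. Run against a real export, the "multiple enrolments" rule will also catch legitimate staff with both a car and a cycle agreement, so it is a prompt for a call-back rather than a verdict.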
For further discussion and support please contact us, or Melanie Alflatt, Director - Risk and Advisory, email: fraud@tiaa.co.uk