Ofcom's fraud risk profile — a citation provenance audit at the verification floor

Frame

This study audits a finalised regulator artefact under the Online Safety Act 2023: Section 11 of Ofcom's Register of Risks (published 16 December 2024) — the fraud and financial services offences risk profile. The audit subject is the section's empirical citation surface, not the soundness of the policy direction it informs and not the sufficiency of Ofcom's overall regulatory approach. The framework's question is forward and granular: for each empirical claim Ofcom advances, does the source Ofcom attributes the claim to actually support the claim as stated.

What the framework can audit on this artefact is bounded by an access constraint that the audit treats as a structural finding rather than a methodological failure. Section 11 carries approximately 140 footnotes across 21 pages; after deduplicating repeated self-citations, statutory references, and definitional notes, the substantive empirical citation surface is approximately 70 unique sources, of which approximately 29 carry specific quoted statistics. The audit selected a stratified sample of 15 load-bearing citations covering prevalence, cost, demographic targeting, service-specific incidence, and methodological breadth. Of those 15, four were independently primary-source verifiable within the audit's tooling envelope. The remaining eleven sit behind one of three access barriers: regulator websites returning 403 to automated retrieval (Ofcom's own self-citations and Action Fraud), industry body access controls (UK Finance), academic publisher gates (ACM Digital Library), or moved/restructured institutional URLs (Phoenix Group, FCA archived 2016 release, Money and Mental Health Policy Institute). The audit's verification floor on this artefact is therefore ~27 per cent of the stratified sample.

The frame matters because the verdict shape on a partial-verification citation provenance audit must distinguish what the audit can claim from what it cannot. The audit can claim findings on the verified subset; it cannot extrapolate to a document-level citation discipline finding from a four-citation sample. The verification floor is itself the audit's principal methodological contribution — it demonstrates that citation provenance audits of regulator-grade consultation and finalised-guidance documents, conducted with AI-augmented tooling rather than institutional research access, encounter an irreducible access constraint that prior commentary on Ofcom's evidence base has not formally surfaced. The audit's structural contribution is the explicit accounting of that constraint alongside the per-citation grading on what could be verified.

Synthesis

What the audit finds.

On the four primary-source-verified citations, two represent their cited sources cleanly and two perform identifiable representation distortions. The Office for National Statistics Crime Survey for England and Wales (year ending June 2023) supports Ofcom's claim that fewer than one in seven fraud offences are reported to police or Action Fraud; the citation is verbatim accurate. The Financial Conduct Authority's Financial Promotions Data 2022 supports Ofcom's claim that the FCA issued 1,882 alerts relating to unauthorised activity in 2022, up 34 per cent from 1,410 in 2021; the citation is verbatim accurate, including the percentage which the FCA itself calculates rather than Ofcom inferring it. The Home Office Fraud Strategy (May 2023) supports Ofcom's claim that the total economic and social cost of fraud is approximately £6.8 billion in 2019–20, but with three quiet transformations: Ofcom drops the Fraud Strategy's "at least" lower-bound qualifier, drops the Fraud Strategy's "in England and Wales" geographic specifier, and collapses a citation chain that the Fraud Strategy itself preserves to the underlying Economic and Social Costs of Crime 2022 publication. The National Crime Agency's published page on fraud supports Ofcom's claim that fraud is the most frequently experienced crime in the UK, but with a paraphrase from "most prevalent crime against individuals in England and Wales" and with a citation-chain compression that omits the NCA's own attribution to the Crime Survey for England and Wales as the underlying source. The two distortion patterns the verifiable subset surfaces are scope-narrowing dropped to scope-implied (the geographic and qualifier transformations) and citation-chain compression (Ofcom presenting institutional secondaries as the originating source where the secondaries themselves cite further upstream).

What survives charitable consideration.

Ofcom's representation of the institutional sources audited survives the strongest available charitable interpretation across most of the verified subset. The Fraud Strategy's "at least £6.8 billion" qualifier is editorially defensible to drop in a regulator-grade synthesis where the figure is presented as approximate rather than precise; charity recovers the editorial decision without recovering the loss of evidentiary nuance. The geographic-scope distortion (England and Wales to UK-wide implied) is harder to recover under charity, because Ofcom's regulatory remit covers the whole UK and the document's risk-profile framing applies UK-wide; misrepresenting an England-and-Wales figure as the basis for UK-wide regulatory reasoning is a structural concern, though one that any reasonable reader could recover by following the citation. The NCA paraphrase ("most prevalent" to "most frequently experienced") is recoverable as a stylistic choice with negligible substantive difference; the citation-chain compression is the more material issue, because it presents the NCA as the originating authority where the NCA itself defers to the Crime Survey for England and Wales.

What dissolves.

The three Fraud Strategy distortions, taken together, do not survive the audit's discipline as a single editorial choice. Each transformation is small in isolation; the cumulative effect is a regulator-grade document presenting a lower-bound regional cost figure as a UK-wide point-estimate origin claim. Charity recovers each transformation individually but not the cumulative pattern. The verdict on Citation 4 (Fraud Strategy) is partial-with-pattern: the headline number survives, the framing distortions do not, and the audit notes the pattern as the kind of finding a citation provenance audit specifically exists to surface. On the eleven citations behind the access floor, the audit declines to assert dissolution or survival; the framework's discipline does not permit verdicts on unverifiable evidence, and the audit's discipline does not permit accepting Ofcom's representation on prior-art trust where the audit's brand commitment is to per-citation primary verification.

What the discipline preserves.

Where Ofcom cites high-quality institutional sources accurately by direct quotation (ONS, FCA), the empirical foundation in those areas is sound. The audit's affirmative position is bounded to the verified subset and does not extend to the document's overall citation discipline. The four Ofcom self-citations within the stratified sample (numbers 3, 7, 12, and 14) sit behind the largest single access barrier, and the audit notes that the absence of independent verifiability of regulator self-citations is itself a structural concern for regulator-grade evidence bases — not because regulator self-citations are presumed inaccurate, but because the discipline of independent reviewability is what distinguishes regulator-grade evidence from privately-held research. The audit declines to extrapolate from the unverifiability of the self-citation surface to any claim about its accuracy.

What changes verdicts.

The verdicts in this audit reverse on access. If the eleven blocked citations become independently verifiable through subsequent institutional cooperation, archive release, or republication, the audit can extend its per-citation grading to the full stratified sample. If the verifiable subset expands and reveals further distortion patterns matching the Fraud Strategy citation, the document-level finding sharpens; if the subset expands and reveals clean citation handling across the broader surface, the Fraud Strategy finding becomes an isolated case rather than a pattern. The audit's distinctive methodological contribution — the explicit accounting of the verification floor — is reversible only by the access constraint changing.

Method note

This study uses only public-record sources. The Register of Risks PDF (Ofcom, 16 December 2024) is the focal artefact and is publicly available. The four primary-source-verified citations were retrieved through the Office for National Statistics website (ONS Crime Survey for England and Wales, year ending June 2023), the gov.uk publications archive (Home Office Fraud Strategy 2023), the Financial Conduct Authority's data publications page (Financial Promotions Data 2022), and the National Crime Agency's website (Fraud and economic crime page). Where verbatim quotations from these sources are reproduced in the contradictions register, the source attribution traces to the specific URL and page reference recorded in the entities and contradictions data.

The eleven citations behind the verification floor are listed explicitly in the contradictions register with Tier B (claim accepted on Ofcom's representation, not independently verified) and Tier C (claim cannot currently be independently verified through any tooling available to the audit) markers. The audit declines to grade source reliability or representational accuracy on Tier B or Tier C citations; the framework's brand commitment to per-citation primary verification does not permit grading at distance. The verification floor is itself documented as a structural finding under KJ-5 and is the audit's principal methodological contribution beyond the per-citation grading on the verified subset.

The kit's brand commitment to symmetric scrutiny holds in this study by treating Ofcom's institutional position as it would treat any institutional account — with per-citation grading independent of policy preference, with charitable interpretation run before verdict on each verifiable citation, and with the verification floor accounted for explicitly rather than papered over. The discipline applied here is the same the kit would apply to any regulator-grade evidence base on any subject. The audit credits the Office for Statistics Regulation, the National Audit Office, and parliamentary committees with relevant remits (the Communications and Digital Committee in the House of Lords, the DCMS Select Committee in the Commons) as the institutional bodies whose review work the audit's per-citation discipline is designed to complement rather than replace; the framework's contribution is methodological standardisation under the SAF v2.1 source-reliability rubric, not novel institutional review.