Firstly, some definitions. Financial crime is generally defined as crimes such as money laundering, tax evasion and bribery, whereas fraud generally includes customer-not-present credit scams, false transfers, forgery and internal threats. The distinction matters because of the approach taken by financial institutions such as banks, which tend to treat financial crime as a compliance issue and fraud as a problem of loss.
Increasingly, however, the lines are being blurred and managers are questioning whether, in reality, there is any difference between the types of crime, all of which can result in some kind of loss to the institution, be it cash loss, diminishment of reputation or loss of customer trust.
The costs to financial institutions are staggering. In 2018 the World Economic Forum estimated that, in 2017, financial institutions spent $8.2 billion on anti-money-laundering ('AML') controls and that for every $1 lost to fraud an additional $3 is lost due to the associated costs.
Malicious operators have been aided by technology and, in particular, the massive growth of online banking, digitisation and the huge growth in transaction volumes. Increased integration of financial systems both nationally and internationally has also aided the financial fraudster as, once they crack the system, the vistas of potential fraud can be endless.
A shining example of this is the so-called Carbanak malware attacks, which began in 2014 and which, according to some reports, are still active. The group behind them uses spear-phishing emails (emails ostensibly from a known or trusted sender, designed to induce targeted individuals to reveal confidential information) to introduce malware into bank systems. The malware enables ATM systems to give out cash, which is collected by 'mules', enables fake credit card transactions, and enables bank transfers of cash by pumping up real customer balances and then transferring the excess, leaving the original customer's balance intact.
The cash is moved using online and electronic payments to offshore banks from which the funds then disappear. Several members of the group have been arrested but evidently the threat continues. Estimates of losses so far hover around the $1 billion mark.
One of the problems that financial institutions face is the need to make faster risk decisions. In the modern world of online banking, speed of transaction is seen as important, so the institution handling the payment has to make a much quicker risk decision than was previously the case. In addition, contact between customers and bank staff is now primarily digital. The days of the local bank manager knowing the customers and calmly processing paper-based transactions are long gone, replaced by speedy processing and 'digital trust'. This concept is used by potential customers as a key metric in choosing a bank – any institution with a reputation for being leaky or unreliable is not to be considered.
Because financial crime and fraud have been classified differently, combating financial crime has been dealt with in silos – those engaged in AML activities are not the same as those combating fraud. The status quo, much loved by regulators, is to have separate departments with their own rules and protocols combating different crimes in different ways.
The problem is in boundaries and interfaces, areas where it may not be clear who is to deal with a particular malicious attack, where responsibility lies, what to do if it overlaps boundaries and the problems associated with developing digital responses which stop at the border.
In combating any kind of financial crime, be it fraud or money laundering, there are three key issues:
- Identifying and authenticating the customer
- Monitoring and detecting behavioural anomalies
- Responding quickly enough to mitigate risks
Now the modern world requires more than this. It requires the ability for strategic systems to predict risk. This requires continuous assessment of instances of fraud, cybercrime and financial crime. This then enables the institution to respond by redesigning customer and internal operations in a holistic way around processes instead of delivering change based on a departmental approach. Integration is the new buzzword.
Integration of processes and systems requires a total rethink of how banks operate. Many are adopting a collaborative model where data is shared between silos in order to integrate cybersecurity and fraud, but this is a long way from complete integration of cybersecurity, fraud and AML processes.
The non-integration of these systems results in a duplication of effort and gaps where systems do not interface completely. Consequently, threat prediction and detection are impaired, and fast-moving fraudsters may have come and gone before the response mechanisms have swung into action.
Integration of financial systems will enable the use of AI and machine learning to improve predictive analytics and reduce the number of false positives in account monitoring. The use of these techniques can begin to identify correlations between attacks, methodologies and the movement of funds by criminals.
Of course, many questions have to be asked and answered. The issues to be tackled include identifying key processes; who the people are, what skills are needed to carry out defensive activities and what reporting lines they should have; what data should be shared, bearing in mind duties of confidentiality and legal requirements; and how the governance of the new approach should work.
By integrating business operations, risk analysis teams and security operations, institutions can begin to reduce the ability of the malicious operator to perpetrate successful crimes. The alternative is for institutions to continue to suffer losses and bad publicity, which can gradually undermine trust. In the long run this is unsustainable, so proactive action now is going to be a lot better than counting the losses and being forced into action reluctantly.
This is no time for half measures.
John Taylor is an author for accountingcpd.