Wednesday, 5 October 2011

AML vendors deploy raw computing power to reduce false positives

Watch list filtering is every compliance officer's worst nightmare. With a single name like Muammar Gaddafi, spelled hundreds of different ways, and multiple watch lists to manage and update, the work is time consuming, costly and onerous.

Banks have often complained about the number of false positives generated, all of which need to be investigated. Some firms have even outsourced false positives' investigations to offshore locations in order to cope with the workload.

Anti-money laundering vendors are under pressure to not only reduce the number of false positives, but to make the filtering process more intuitive. In a report on Achieving Global Sanctions Compliance, Neil Katkov, senior vice president, Asia, Celent, says, "Achieving consistency in global sanctions compliance involves standardising operations, technology systems, and perhaps most essentially the compliance data—watchlists—that drive sanctions filtering.”

The lists themselves can be onerous and difficult to manage. Dr Tony Wicks, director, AML solutions, NICE Actimize, says HM Treasury's sanctions list in the UK had 3652 changed entries this year alone. There are also other lists banks need to comply with depending on the scope of their activity, including the well-known OFAC list, there is also an EU and UN watchlist and a Japanese FSA list.

The so-called Arab Spring has also had an impact on sanctions activity with new sanctions coming out associated with Iran. Anti-money laundering (AML) vendors like NICE Actimize say they are trying to lessen the workload for banks and the number of false positives using "fourth generation computational linguistics" - throwing raw computing power at "transliterate" words .

Explaining how the technology works, Wicks of NICE Actimize, says it can understand 800 million names, the context of those names and their cultural significance and make a "probalistic match" against the source of the name, which he says is important in terms of reducing false positives.

Increased risk of money laundering using pre-paid cards

There could be a high risk of increased fraud during the 2012 Olympic Games as a result of pre-paid cards, which could also potentially be used to launder money.

Dr Tony Wicks, director, AML solutions, NICE Actimize, sounded the warning last week, having walked into a shop in a UK high street, asking if he could buy an unlimited number of pre-paid cards which contain a stored value. According to Wicks, the shopkeeper responded by saying he could buy as many pre-paid cards as he liked.

Unlike credit cards, pre-paid cards are not linked to a bank account and no ID is required to buy them over the counter. Wicks says outside of a closed loop environment where the amount that can be spent on pre-paid cards or what they can be used for is controlled, anyone can buy a pre-paid card. He says most cards have an annual spending limit of £25,000, but there are no obvious restrictions he says on someone being able to buy multiple cards, top them up and use them to potentially launder money. "There is an increased risk of fraud with pre-paid cards as you can buy them anywhere and there are no credit checks or ID required," says Wicks.

Pre-paid or stored value cards are a relatively new phenomenon in Europe. They are also being promoted as a form of payment during the 2012 Olympics by Visa. There are different pre-paid card systems throughout Europe. In Italy most pre-paid cards are "open loop" whereas in other European markets, including the UK, they are typically part of "close-looped gift card schemes." Wicks makes the distinction between closed loop and open loop debit cards schemes, saying the greatest threat in terms of fraudulent use lies in "open loop" schemes.

Laundering money using pre-paid cards? According to AML experts, as banks deploy more sophisticated technologies to detect money laundering, fraudsters are turning to other means, such as cards, as a means of laundering money. While credit cards can be traced back to a user, pre-paid cards have no user ID or credentials.

Thursday, 23 July 2009

"Double-jeopardy" threat for banks

A regulatory partner at a London law firm has labeled the £3.2million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner, Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch,” said Davies.

Given the pubic backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.
"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

Wednesday, 22 July 2009

HSBC businesses fail to protect customer information

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers goes missing. The HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidences in 2007 and 2008 regarding three of its businesses; Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports that HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.
Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough, as despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remains a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Friday, 10 July 2009

Firms fail to comply with data protection standards

In the fight against fraud, so much emphasis is placed on monitoring of individual transactions, that often firms forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen, however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.

Wednesday, 24 June 2009

Government stimulus money vulnerable to fraudsters

Governments have ploughed billions of dollars into stimulus packages to breathe new life into flagging economies, however, they could be handing fraudsters an "unintentional" meal ticket, according to the latest Kroll Global Fraud Report.

Of the $5 trillion in stimulus funding various governments have doled out, Kroll estimates that as much as $500 billion could be lost to fraudsters as the investment amount and the highly complex procurement processes involved mean these kinds of "big-budget capital projects" are often targets for corruption. 

"The unprecedented amount of financial support that governments have pledged to help stabilise their economies leaves the door wide open to fraudsters," said Richard Abbey, managing director, Kroll's Financial Investigations practice. "It’s a once-in-a-generation opportunity for those engaging in corrupt practices to cut themselves a large slice of the pie and it’s important that governments and businesses alike are aware of the risk and are prepared to counteract them.”
Kroll says focusing on the "middlemen" who are entrusted with large sums of money is essential if this type of crime is to be prevented. That means procurement processes need to be highly transparent. Resources must also be made available to "root out" corruption and Kroll advises that salaries should be appropriate to discourage employees from committing fraud. 

So can we be sure that government stimulus and taxpayers' money has ended up in the right hands? And will the processes around how this money is assigned and spent be transparent to the public?

Tuesday, 16 June 2009

FBI knew of Stanford, according to Vanity Fair

According to Vanity Fair magazine, Sir Allen Stanford, who the SEC alleges ran a Ponzi scheme, was on the FBI's radar for a number of years since he was investigated for money laundering back in 1989.

The article in the July issue of Vanity Fair, quotes a former FBI agent who claims that there were a series of interagency investigations into Stanford, but none of them resulted in any legal action.

The article also claims that there were various "red flags" within Stanford International including a 70-year-old compliance officer.