Fighting Fraud

AML vendors deploy raw computing power to reduce false positives

2011-10-05T13:49:00.004+01:00

Watch list filtering is every compliance officer's worst nightmare. With a single name like Muammar Gaddafi, spelled hundreds of different ways, and multiple watch lists to manage and update, the work is time consuming, costly and onerous.

Banks have often complained about the number of false positives generated, all of which need to be investigated. Some firms have even outsourced false positives' investigations to offshore locations in order to cope with the workload.

Anti-money laundering vendors are under pressure to not only reduce the number of false positives, but to make the filtering process more intuitive. In a report on Achieving Global Sanctions Compliance, Neil Katkov, senior vice president, Asia, Celent, says, "Achieving consistency in global sanctions compliance involves standardising operations, technology systems, and perhaps most essentially the compliance data—watchlists—that drive sanctions filtering.”

The lists themselves can be onerous and difficult to manage. Dr Tony Wicks, director, AML solutions, NICE Actimize, says HM Treasury's sanctions list in the UK had 3652 changed entries this year alone. There are also other lists banks need to comply with depending on the scope of their activity, including the well-known OFAC list, there is also an EU and UN watchlist and a Japanese FSA list.

The so-called Arab Spring has also had an impact on sanctions activity with new sanctions coming out associated with Iran. Anti-money laundering (AML) vendors like NICE Actimize say they are trying to lessen the workload for banks and the number of false positives using "fourth generation computational linguistics" - throwing raw computing power at "transliterate" words .

Explaining how the technology works, Wicks of NICE Actimize, says it can understand 800 million names, the context of those names and their cultural significance and make a "probalistic match" against the source of the name, which he says is important in terms of reducing false positives.

Increased risk of money laundering using pre-paid cards

2011-10-05T12:32:00.001+01:00

There could be a high risk of increased fraud during the 2012 Olympic Games as a result of pre-paid cards, which could also potentially be used to launder money.

Dr Tony Wicks, director, AML solutions, NICE Actimize, sounded the warning last week, having walked into a shop in a UK high street, asking if he could buy an unlimited number of pre-paid cards which contain a stored value. According to Wicks, the shopkeeper responded by saying he could buy as many pre-paid cards as he liked.

Unlike credit cards, pre-paid cards are not linked to a bank account and no ID is required to buy them over the counter. Wicks says outside of a closed loop environment where the amount that can be spent on pre-paid cards or what they can be used for is controlled, anyone can buy a pre-paid card. He says most cards have an annual spending limit of £25,000, but there are no obvious restrictions he says on someone being able to buy multiple cards, top them up and use them to potentially launder money. "There is an increased risk of fraud with pre-paid cards as you can buy them anywhere and there are no credit checks or ID required," says Wicks.

Pre-paid or stored value cards are a relatively new phenomenon in Europe. They are also being promoted as a form of payment during the 2012 Olympics by Visa. There are different pre-paid card systems throughout Europe. In Italy most pre-paid cards are "open loop" whereas in other European markets, including the UK, they are typically part of "close-looped gift card schemes." Wicks makes the distinction between closed loop and open loop debit cards schemes, saying the greatest threat in terms of fraudulent use lies in "open loop" schemes.

Laundering money using pre-paid cards? According to AML experts, as banks deploy more sophisticated technologies to detect money laundering, fraudsters are turning to other means, such as cards, as a means of laundering money. While credit cards can be traced back to a user, pre-paid cards have no user ID or credentials.

"Double-jeopardy" threat for banks

2009-07-23T15:17:00.003+01:00

A regulatory partner at a London law firm has labeled the £3.2million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner, Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch,” said Davies.

Given the pubic backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.

"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

HSBC businesses fail to protect customer information

2009-07-22T14:18:00.003+01:00

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers goes missing. The HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidences in 2007 and 2008 regarding three of its businesses; Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports that HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.

Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough, as despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remains a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Firms fail to comply with data protection standards

2009-07-10T09:50:00.004+01:00

In the fight against fraud, so much emphasis is placed on monitoring of individual transactions, that often firms forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen, however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.

Government stimulus money vulnerable to fraudsters

2009-06-24T13:37:00.005+01:00

Governments have ploughed billions of dollars into stimulus packages to breathe new life into flagging economies, however, they could be handing fraudsters an "unintentional" meal ticket, according to the latest Kroll Global Fraud Report.

Of the $5 trillion in stimulus funding various governments have doled out, Kroll estimates that as much as $500 billion could be lost to fraudsters as the investment amount and the highly complex procurement processes involved mean these kinds of "big-budget capital projects" are often targets for corruption.

"The unprecedented amount of financial support that governments have pledged to help stabilise their economies leaves the door wide open to fraudsters," said Richard Abbey, managing director, Kroll's Financial Investigations practice. "It’s a once-in-a-generation opportunity for those engaging in corrupt practices to cut themselves a large slice of the pie and it’s important that governments and businesses alike are aware of the risk and are prepared to counteract them.”

Kroll says focusing on the "middlemen" who are entrusted with large sums of money is essential if this type of crime is to be prevented. That means procurement processes need to be highly transparent. Resources must also be made available to "root out" corruption and Kroll advises that salaries should be appropriate to discourage employees from committing fraud.

So can we be sure that government stimulus and taxpayers' money has ended up in the right hands? And will the processes around how this money is assigned and spent be transparent to the public?

FBI knew of Stanford, according to Vanity Fair

2009-06-16T21:39:00.005+01:00

According to Vanity Fair magazine, Sir Allen Stanford, who the SEC alleges ran a Ponzi scheme, was on the FBI's radar for a number of years since he was investigated for money laundering back in 1989.

The article in the July issue of Vanity Fair, quotes a former FBI agent who claims that there were a series of interagency investigations into Stanford, but none of them resulted in any legal action.

The article also claims that there were various "red flags" within Stanford International including a 70-year-old compliance officer.

First-party fraud largely goes unreported

2009-06-10T11:35:00.002+01:00

Losses from first-party credit card fraud are bigger than those from third-party fraud, and although it represents 10% to 20% of bad debt, first-party fraud often goes unreported.

First-party fraud is a new threat to the banking industry and is more difficult to detect than third-party fraud as banks often write it off as bad debt, when in fact fraudsters have given inaccurate financial and personal details in order to obtain a credit card or loan without ever intending to pay it off.

At a recent webinar held by analyst firm Lafferty Group, Martin Warwick, principal consultant, solutions management, at decision-management software vendor, FICO, said first-party fraud is different from third-party fraud in that the account for a loan or credit card is set up using a "synthetic" or false identity. The application also contains false or "misrepresented" financial information. Banks continue to write it off as bad debt, he says, because of challenges around proving intent.

Warwick says first-party card fraud can be detected during the application process and the "transactional life" of the account. Things to look out for are:

First payment defaults on cards
Cases where the customer is massively over their credit limit
Customer ends up as a no trace
Or if less than 5% of the loan is repaid.

Stand-alone scorecards and customer profiling applications can be used at the time of applying for a card or loan to detect whether an individual is likely to commit first-party fraud. However, Warwick says a holistic approach needs to be taken as first-party fraud can start with current accounts and quickly spread to other banking accounts and channels such as loans, mortgages and insurance. Both qualitative and quantitative measures need to be used to distinguish first-party fraud from bad debt.

SEC on the war path?

2009-06-05T09:37:00.004+01:00

When the tide goes out, it is amazing what you can find washed up on the beach. The latest jetsam to be found on US shores is Countrywide Financial's former chief executive officer, Angelo R. Mozilo who has been charged by the Securities & Exchange Commission (SEC) with securities fraud and insider trading.

Countrywide Financial, a mortgage provider in the US, was one of the victims of the recent credit crisis and was eventually bought by Bank of America. The Federal Bureau of Investigation has launched investigations into the collapse of a number of high profile credit crunch victims including AIG, Lehman's and Fannie Mae and Freddie Mac.

Focusing on cases it says are at the "root of the financial crisis", the SEC alleges that Mozilo misled investors about its "high-risk" lending practices, and claims he described Countrywide's loan products as "toxic" and "poison". The SEC is also querying profits Mozilo earned on selling shares in Countrywide.

Lawyers believe this is the first of many such suits the SEC is likely to bring in the wake of the financial crisis as it looks to restore its reputation which was tarnished by its failure to uncover the Bernard Madoff Ponzi scheme.

Bank sues auditor over losses resulting from card data breach

2009-06-03T11:48:00.003+01:00

An interesting test case involving a US bank suing an auditor, which it claims was negligent in certifying a payment processing company, is believed to be the first case of its kind and could set a precedent for other cases to follow.

Merchant acquiring bank, Merrick Bank, based in Utah is suing auditor, Savvis Inc., claiming that it lost $16 million as a result of fraud, fines and other costs related to a 2004 data breach at payments processing provider, CardSystems, which resulted in hackers stealing 263,000 card numbers.

Merrick says its losses stemmed from having to pay Visa and MasterCard to reimburse their issuers from the breach-related fraud, as well as other costs including legal fees. Prior to the data breach, Savvis, had carried out an audit of CardSystems. Merchant Bank now claims that report was "false and misleading" and that Savvis "failed to use reasonable care and competence in representing that CardSystems was CISP-compliant when it fact it was not.”

The Cardholder Information Security Program (CISP) preceded the PCI-DSS standard for securely storing card data. One of the basic requirements of card data security is that the data should be encrypted.

A new form of credit card fraud

2009-05-28T15:25:00.003+01:00

CHIP and PIN, Visa and MasterCard SecureCode and PCI-DSS for the safe storage of customer credit card data, are just some of the tactics deployed in the ongoing battle against credit card fraud.

All of these measures have had mixed success and while they may have helped reduce card present fraud, card-not-present fraud is on the increase particularly in online shopping and cross-border transactions.

A new form of credit card fraud called "first-party fraud" is also emerging and experts say it could cost banks and other card issuers up to $21 billion in losses this year. Instead of fraudsters stealing customer credit card details or trading credit card numbers in underground communities, "first-party fraud" involves people using false income and financial declarations to apply for a credit card, which they intend to use and never repay.

Banks typically treat these applications as bad debts and only discover much further down the line that instead they may be dealing with fraud. Lafferty Group estimates that "first-party fraud" losses this year were $15 billion for the US, $2.5 billion for Asia-Pacific, and $2.2 billion for Western Europe.

Increased focus on AML as banks look to recoup losses

2009-05-28T14:51:00.003+01:00

Financial crime is likely to dominate banks' IT spending in the months to come, experts say, as banks look to recoup millions lost to fraud every year.

I was at an event recently held by business process management vendor, Pegasystems, on the topic of financial crime and the message from most speakers at the event was that financial crime and anti-money laundering (AML) had moved up the banking agenda. According to Daniel Mayo of analyst firm, Datamonitor, 37% of banks expect anti-money laundering (AML) will drive IT project spending in 2009.

Yet, questions remain about the effectiveness of AML in detecting terrorist financing and the quality of Suspicious Activity Reports generated by banks pertaining to proceeds from crime, including fraud, AML and terror financing.

Like it or not, banks are at the coalface of fighting fraud and while the Serious Fraud Office in the UK says it is going to rely more on market intelligence and whistle blowers to unearth fraud, a lot of the onus for detection of fraud is still on the banks.

Reetu Khosla, director of financial crime solutions at Pegasystems, says the regulators want to see banks take a more enterprise-wide, multiple-siloed view of fraud across all lines of business. "Regulators are saying not only should firms be looking at fraud, anti-money laundering and KYC, they should also be looking at these aspects across all lines of business," says Khosla. Banks will also need to be able to gather information from disparate systems and analyse it in such a way that links can be made between seemingly unrelated events.

Banks attending Pega's breakfast briefing on financial crime were interested in learning whether banks could follow the example of the insurance industry which has collaborated on setting up a database enabling insurers to share claim information. The database has helped insurers successfully reduce fraud. However, banks sharing customer information may open up a can of worms in terms of data privacy issues, and banks still see financial crime as a competitive issue, particularly in terms of how long it takes them to resolve alerts and transactions held up by false positives.

False positives remains a major issue for banks, given that banks are required to demonstrate sufficient due diligence around investigating alerts. "When it comes to financial crime alerts, most firms are faced with a high volume of false positives and a low volume of true hits," says Khosla. "However, the regulators point out that the risk of not evaluating each alert at some level is extremely high.

Regulators are taking fraud more seriously

2009-05-22T11:43:00.002+01:00

The Financial Services Authority (FSA) appears to be upping the ante when it comes to insider trading by seeking to prosecute two City lawyers who are accused of illegally trading shares based on non-public information.

A corporate partner of US law firm Dorsey & Whitney and a former partner at Will & Emery are both being prosecuted for trading shares related to the takeover of Neutec Pharma by Swiss conglomerate Novartis.

Police have also arrested two men over a suspected fund management fraud worth more than £50 million after the FSA earlier froze the operations of three firms - Business Consulting International, John Anderson Consulting and Kenneth Peacock Consulting - which are alleged to have mishandled millions in investors' money.

Criminal lawyers have also warned that the Serious Fraud Office is also taking the issue of corporate bribery and corruption more seriously and we understand that legislation is pending regarding the seizing of corporate assets in bribery and corruption cases.

Disrupting fraud as it happens

2009-05-08T16:06:00.005+01:00

When the director of the UK's Serious Fraud Office (SFO) Richard Alderman comes out all guns blazing saying that his office is becoming more proactive, intelligence-led and plans on making better use of powers at its disposal, one cannot help but think, shouldn't you haven't been doing that all along anyway?

Much of the burden for detecting, policing and enforcing anti-fraud measures has historically fallen on the shoulders of banks, other financial service providers and individual victims. But with the Securities & Exchange Commission (SEC) in the US and many other regulatory bodies and government agencies caught napping in the wake of the $50 billion Madoff scandal, they are eager to challenge the publicly held notion that they are essentially 'toothless tigers'.

At the Sweet & Maxwell conference on the changing face of fraud trials, Alderman stated that the SFO was moving towards becoming an "intelligence-led organisation", assessing where the fraud risks are during this economic downturn and working with other agencies to disrupt fraud as it happens. That means the SFO is going to have to capture reliable and sophisticated intelligence if it is to stop fraud before it even happens and I am curious to know how they are going to do that.

The SFO has extended an olive branch to so-called City whistle blowers and says it is going to look more closely at hedge funds, but is that going to be enough to uncover major frauds? Take the alleged Bernard Madoff Ponzi scheme for example. There were plenty of whistle blowers warning the SEC that something was amiss, but on the whole they chose to ignore this information or did not investigate it thoroughly.

"We intend to take full advantage of all the powers that are available to us and that have been neglected by the SFO over the past years, but we also need to consider what further powers we need to make the SFO a more efficient organisation,” said Alderman. It begs the question why has the SFO neglected to use its powers and what has so fundamentally changed within the organisation that it is going to seize those powers now to keep fraudsters at bay?

Is this recognition finally that the powers that be are finally taking fraud more seriously and that the onus for detecting, policing and preventing fraud is no longer the onus of banks and individuals but intelligence-led policing? I'm not sure we can all breathe a collective sigh of relief just yet.

Banks in the firing line for misleading investors

2009-04-30T14:27:00.005+01:00

In the wake of the credit crunch a number of banks are in the firing line as investors allege that they were misled concerning the purchase of particular financial instruments or the true state of the bank's financial situation.

A class-action lawsuit was launched against the Royal Bank of Scotland (RBS) in the US earlier this year based on allegations that the bank misled investors by failing to disclose the damage caused by debt securities on its balance sheet, as well as the damage caused by the acquisition of ABN-AMRO, and its inadequate capital buffer to safeguard it against subprime losses.

RBS, which is now majority owned by UK taxpayers, suffered the biggest loss (in excess of £24 billion) in corporate history back in February, has been a high profile victim of the subprime meltdown. But it is not the only bank in the firing line over misleading investors.

Italian police are also reported to have seized $630 million worth of assets belonging to Deutsche Bank, UBS, Depfa Bank and JP Morgan as part of an investigation into an alleged fraud against Milan's city authority.

The alleged fraud dates back to 2005 when Milan's city authority was sold derivatives contracts linked to a bond issue. According to the allegations the banks failed to adequately inform the authority of the risks linked to the derivatives and "falsely claimed" the authority would save money.

Losses for the authority are estimated to be in the region of €300 million , although it could be more. The banks however pocketed more than €100 million in" illicit profits", according to the allegations.

It will be interesting to see if the authorities can prove that the banks deliberately misled the city authority, as the lack of suitable reference data surrounding some derivatives contracts and the subsequent emergence of a less favourable interest rate environment, may make it difficult to establish whether the banks intentionally set out to defraud the authority.

Due diligence in a post-Madoff world

2009-04-28T09:22:00.002+01:00

Following the exposure of the $50 billion Bernard Madoff Ponzi scheme, investors and fund managers are under increasing pressure to perform more rigorous due diligence of hedge funds. But is that easier said than done?

If you look at some of the facts surrounding the Madoff scheme; lack of clear separation of duties, an unregistered auditor and the promise of high returns; then it is clear that feeder funds and other investors in Madoff's scheme failed to perform sufficient due diligence. In fact it seems as if their only rationale for putting money into Madoff's fund was his previously untarnished reputation (he was a former Nasdaq chairman) and the spectre of high returns.

Corgentum Consulting, a hedge fund operational risk consultancy based in New Jersey, has some interesting insights into how the exposure of Madoff's $50 billion Ponzi scheme is likely to change the world of hedge fund due diligence.

"Successful operational risk management in the post-Madoff world will require hedge funds to walk a tightrope of continually boosting investor confidence in a fund’s operational risk management capabilities, while not destroying and competitive advantages or informational edges through the dissemination of this information," says Corgentum.

Instead of outsourcing operational due diligence to "hedge fund allocators", Corgentum's believes that investors will want to exert greater control over the process and that the scope and depth of operational issues covered in a due diligence review will be more exhaustive. The frequency of hedge fund reviews will also be increased, says Corgentum.

"No longer will it be sufficient for investors to rely on generic due diligence questionnaires or to be granted a meeting with a hedge fund’s senior operational professionals for a few hours once a year for an annual review," says Corgentum. "Investors will likely request much greater detail on a host of different operational issues ranging from legal and compliance issues, information technology, cash management and valuation."

The upshot of all this is that hedge fund's "already strained" resources are likely to come under further pressure, resulting in lower profit margins, says Corgentum. Only those funds that make the due diligence process run as smoothly as possible for investors are likely to attract capital.

But that does not account for the age-old problem of human greed - investors and fund managers are driven to seek high returns. So despite all this talk of more rigorous due diligence of hedge funds, will it still be easy for a Madoff-type character to pull the wool over investors' and fund managers' eyes purely by promising market-beating returns?

Cultural impediments to AML in Middle East

2009-04-24T12:38:00.007+01:00

The UK's Independent newspaper was the first to report that ransom money paid to Somali pirates was being laundered via the Middle East. The newspaper quoted shipping industry investigators who claim that approximately $80 million (£56 million) had been paid out in the past year alone in ransom money to Somali pirates, with millions being laundered through bank accounts in the United Arab Emirates and other parts of the Middle East.

Dubai's deputy police commander general has since denied any involvement by the UAE saying it has strict anti-money laundering (AML) legislation that requires all transactions above 40,000 dirhams ($10,889) to be reported.

Yet, a common laundering technique is to split large sums of money up into smaller amounts so that it cannot be detected by AML controls. I also stumbled across an interesting article posted on the web by Hany Abou-El-Fotouh, director of Policy & Corporate Affairs at CI Capital, the investment banking arm of Egypt's Commercial International Bank (CIB).

He points to cultural factors, which he says makes the strict enforcement of AML procedures in the Middle East difficult. Abou-El-Fotouh says that in some Middle Eastern countries setting up proper controls and strictly enforcing them in order to detect suspicious transactions or activities, conflicts with customer relationships and cultural customs.

He says many Middle Eastern financial institutions are adopting corporate cultures that weaken AML and anti-terrorist financing efforts. "One of the biggest problems for AML initiatives in the Middle East is cultural customs that accept deference to customers and anonymity. Accounts lacking full identification details or with misleading information are not unusual in the region," he said.

Abou-El-Fotouh says Know Your Customer (KYC) requirements are lacking at many Middle Eastern financial institutions as customers may view banks' requests for additional information as intrusive or offensive. "For example, it can be difficult for a bank to refuse to enter into or to exit a relationship with a politically connected person," Abou-El-Fotouh explained. "Doing so could mean trouble for the staffer involved."

Is mobile banking really secure?

2009-04-24T11:39:00.004+01:00

With mobile banking transactions tipped to rise from 2.7 billion annually in 2007 to 37 billion by 2011, security experts are warning of the security risks associated with new mobile banking and payment channels.

Every time a bank opens up a new channel to customers, it presents new opportunities for fraudsters. Anti-fraud software provider, 41st Parameter, claims that users have good reason to be sceptical about the security of mobile banking transactions.

Ori Eisen, founder and chief innovation officer at 41st Parameter, says transactions between a mobile device and the bank are not as well-guarded as internet transactions as they only use basic identification and verification checkpoints.

According to Eisen, mobile banking systems are not able to determine whether a device accessing its mobile banking site is a mobile device, PC or laptop.

"Mobile banking touch points are easier to gain access to as they don’t have the security layers that internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or laptop, they are capable of infiltrating an unsuspecting bystander’s mobile banking account," writes Eisen in a white paper entitled: Mobile Banking - An Easy Target for fraud?

Eisen maintains that a multi-layered approach to security incorporating a firewall, password and encryption barriers and real-time tracking that identifies devices that were initially refused admission to a site and have changed their identity to try and gain access, is the best way of securing mobile banking transactions.

In addition to the information (credit credentials and personal identity) that is typically used to authenticate an individual, Eisen says Client Device Identification (CDI) goes beyond simple user names and passwords to detect suspect mobiles at device level. CDI can differentiate a device visiting a site regardless of the credentials presented or the IP address.

Insurers struggle to keep up with fraudsters

2009-04-20T12:22:00.006+01:00

Last week, the Association of British Insurers (ABI) warned against the rise of insurance fraud in a recession and published figures demonstrating a 17% increase in insurance fraud from 2007 to 2008, with the total value of fraudulent claims (£730 million) rising by 30%.

Dishonest claims on home insurance were the most common accounting for 55,000 false or exaggerated claims. By value, however, fraudulent motor insurance claims were the highest. The rising cost of fraud adds an additional £40 a year to insurance premiums, the ABI stated.

Bart Patrick, head of insurance at risk management and business intelligence firm, SAS UK, made the following comments regarding the latest ABI figures:

"It is hardly surprising that in the current economic conditions that fraud is rising. A sophisticated approach is required to overcome the increasingly savvy fraudsters out there, and sadly insurers will always struggle to keep up with their activities while they adopt a piecemeal approach to fraud detection, using a range of disjointed systems, and unsophisticated methods.

A link analysis tool and a bunch of rules does not a fraud strategy make. An integrated system, which uses the widest range of techniques (rules, advanced analytics, profiling, visualisation and experience) is the answer when implemented in an environment which has the people and process to action the frauds discovered. You can lead an SIU (Special Investigation Unit) to the fraud trough, but without the people and process to action this, you cannot make it drink.

Accuracy is key in being effective. The SIU must focus on the biggest frauds first, however if they are chasing shadows with a high false positive rate, then much of their effort is wasted. Only an integrated set of techniques can achieve this. If you have a simple, single approach to fraud, you are almost certainly wasting your company's time and money.

While fraud is viewed as an after the claim event, insurers will always play catch up. Most realise that some insurance policies are written just for the purpose of committing fraud. However they have no way of stopping this at policy inception. More importantly is the rising spectre of claims abuse, whereby people inflate their claims by a "reasonable" amount. This type of activity lives in the thin layer between acceptable behaviour and fraud, and this is where much of the insurance industry's real problems lay.

We are reaching the stage where a vicious circle is emerging. The SIU's are undermanned and over burdened as the numbers of potential frauds increase. Without a concerted, co-ordinated and sophisticated approach to fraud, using good old fashioned investigation and the latest technology in harmony, companies will struggle.

Let's flip this argument around to something policyholders will understand - the longer the insurers ignore fraud, the longer they will persist in charging a higher than necessary premium to cover the cost of fraud. In this increasingly competitive and fickle market with policyholders buying on price, it's actually impacting on competitiveness, so combating claims abuse and fraud is now a critical commercial consideration for all insurers. Ultimately, better Fraud and claims abuse detection reduces claims expenditure, reduces combined ratios, protects market share and increases profits."

Data security standards - A toothless tiger?

2009-04-17T11:47:00.006+01:00

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and banks were the worst culprits for compromising records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008 and that 90% of the records breached were reportedly targeted by groups involved in organised crime.

Interestingly, most (74%) of the data breaches were from external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from external hackers hacking into servers and applications online. Financial service providers are doing nowhere near enough to secure customer data, including implementing basic forms of protection such as data encryption.

The credit card companies introduced the PCI-DSS (Payment Card Industry Data Security Standard) standard which includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for securing credit card data. The standard includes basic requirements such as implementing a firewall, and encrypting the transmission of cardholder data across open networks.

However, according to Verizon's report, 81% of affected organisations subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and could be subject to fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered the largest known data breach to date when hackers stole 45.7 million credit and debit card numbers, as well as personal data, including driver's license numbers of another 455,000 customers.

TJX did not comply with PCI-DSS as cardholder data was unencrypted. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or losing the ability to process credit card transactions. But if Verizon's stats are anything to go by, PCI-DSS appears to be somewhat of a 'toothless tiger' in terms of forcing companies to implement even the most basic of data security measures.

It begs the question, why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use) or just plain ignorance? Certainly the reputational implications, as evidenced by TJX, outweigh the upfront costs of securing and encrypting customer data.

"Mini-Madoffs"

2009-04-14T15:30:00.004+01:00

In the wake of the Bernard Madoff revelations, Ponzi schemes, on a much smaller scale than Madoff's $50 billion scam, are being unearthed.

Eager to be seen to be proactive rather than reactive, the US Securities & Exchange Commission (SEC) is charging funds left right and centre with running Ponzi schemes. Some of the latest victims on the SEC's watch list include Shawn R. Merriman, who according to reports, is accused of fraudulently obtaining between $17 million and $20 million from investors in three US states through his company Market Street Advisors. Similar to Madoff, Merriman is alleged to have promised investors "impressive" returns.

Other reports claim that "mini-Madoffs" are you using the video-sharing web site, YouTube, to promote "cash gifting" programs. According to a Los Angeles Times report, the Better Business Bureau claims to have uncovered 23,000 clips promoting these so-called 'gifting' schemes. Viewers are reportedly directed to a web site where they are asked to sign up at a cost of between $150 and $5000. A spokesperson from the Better Business Bureau is quoted as saying, "They make it seem like it's legal and an easy way to make money, but it's nothing more than a pyramid scheme."

A "smart computer" to detect insider trading

2009-04-08T10:22:00.004+01:00

Increasingly fraudsters are devising more sophisticated means of committing fraud, and for the technology companies charged with combating fraud, it always seems like they are playing catch-up. But when the nature of the fraud is more insidious, the challenge is greater, as is the case with insider fraud.

Fraud committed from the inside is more difficult to contend with than external threats. As a company how do you identify who is likely to commit fraud within your organisation? How do you give employees access to applications and systems they need to do their job, without locking everything down or introducing a 'Big Brother' culture?

At the University of Sunderland, they are working on a new "smart computer" that uses artificial intelligence and "headline analysis techniques" to try and detect suspicious share dealing. Insider trading or rogue trades have long plagued the capital markets and some stats suggest that upwards of 20% of deals in the UK, and 40% in the US, may be tainted.

The "smart computer" project at Sunderland is entitled CASSANDRA (Computerised Analysis of Stocks and Shares for Novelty Detection of Radical Activities) and it has been awarded £90,000 by Northstar Funding to investigate the merits of combining artificial intelligence and analysis techniques to combat financial fraud.

Dr Dale Addison, project manager, CASSANDRA, says the problem with current anti-fraud systems is that they generate too many 'false positives'. "As many as 75% false positive flagging has been observed by some systems," he says.

CASSANDRA on the other hand looks at news stories affecting a particular company. So for example if two companies are in the process of merging and someone finds out the merger is not going ahead, they may go out and buy and or sell that company's stock based on that inside knowledge.

According to Addison, CASSANDRA would be able to detect that based on its analysis of news events from Reuters, Bloomberg and other sources, as well as the movement of stocks and shares of a specific company. "This system will have the ability to allow users to look at news information and rank it according to how significant an impact it has had on share dealing." But how do you know which piece of news or information has altered trading in a particular stock?

Information on US and UK stock markets is being provided to the Sunderland team by Canadian company, Measured Markets,which provides an "early warning" analysis service alerting investors when a stock's trading pattern changes.

Dr Addison plans to build a bigger computer that can be used to detect market abuse or false and exaggerated news that helps traders earn more money.

Madoff "feeder" funds in spotlight

2009-04-03T13:45:00.004+01:00

Civil law suits pertaining to "feeder funds" in the Bernard Madoff Ponzi scheme continue to play out with Connecticut-based hedge fund, Fairfield Greenwich the subject of allegations that it failed to carry out adequate due diligence on Madoff.

According to newspaper reports, the fund, whose manager reportedly worked with Madoff for 18 years, is accused of being "blinded" by the hefty performance fees it earned for funneling funds into the alleged Ponzi scheme. The fund funnelled a reported $7.2 billion into Mr Madoff's company. Fairfield Greenwich is believed to be contesting the charges brought by Massachusetts authorities.

Combating AML and terrorist financing

2009-04-03T13:28:00.003+01:00

The International Monetary Fund (IMF) is reported to have announced a "donor-supported fund" that will provide $31 million over the next five years in the fight against anti-money laundering (AML) and terrorist financing. Fund donors include the United Kingdom, Switzerland, Norway, Luxembourg, France, South Korea, Saudi Arabia and Japan.

The fund will commence operations in May and is geared towards providing "technical expertise" to those countries that want to strengthen their national AML and counter-terrorist financing strategies. Currently, at least in countries such as the UK and the US, a lot of the onus for detecting money laundering and terrorist financing falls on banks, however, not all funds are laundered through banks. The diamond trade is also a conduit for laundering.

The figures speak for themselves in terms of how successful governments have been in seizing terrorist funds. Since 2001 in the UK there were £400,000 worth of cash seized under the Anti-Terrorism, Crime and Security Act, £475,000 seized under the Proceeds of Crime Act, and £477,000 frozen by HM Treasury.

One of the challenges for banks is that some of them have been unwittingly caught out by US terror financing legislation for transferring money to organisations in Palestine, for example, that the US recognises as terrorist organisations, but which other countries don't necessarily.

Online fraud is flourishing

2009-04-03T13:21:00.004+01:00

A report in the Wall Street Journal features remarks made by Katherine Hutchinson, senior director of global risk management at PayPal. She reportedly told the Web 2.0 Expo in San Francisco that the online fraud industry was so lucrative that an "underground community" existed where fraudsters offered their specialist skills to others.

She also warned that the use of IP addresses for determining a customer's location were no longer a suitable method of combating online fraud - IPs addresses can be easily masked for one thing, and fraudsters often use "zombie" computers. She also warned that all the confusion in the banking sector caused by the current economic crisis left the door open for phishing attacks by fraudsters asking customers for bank account details.

Companies plagued by cheque fraud

2009-03-30T13:45:00.004+01:00

Payments fraud is on the increase, including old fashioned forms of fraud such as cheque fraud according to the findings of the 2009 Association of Finance Professionals' (AFP) Payments and Fraud Control Survey.

More than 70% of companies surveyed experienced actual or attempted payments fraud in 2008, with 40% experiencing increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S. Overall 30% of respondents said incidents of fraud increased in 2008 compared to 2007.

The pickings appeared to be richer for fraudsters from larger companies, with 80% of companies with annual revenues in excess of $1 billion falling victim to payments fraud in 2008, compared with just 63% of companies with annual revenues under $1 billion.

Also old fashioned payment methods such as cheque appeared to be more susceptible to fraud with nine out of 10 companies that experienced attempted or actual payments fraud in 2008 being victims of cheque fraud. Other common forms of fraud were ACH debit (28%); consumer credit/debit cards (18%); corporate/commercial cards (14%t); ACH credits (7%); and wire transfers (6%).

US companies are being encouraged to write less cheques with solutions such as ACH and commercial cards being offered as an alternative, but it seems there is still some way to go before all payments migrate to electronic channels, which are still susceptible to fraud, but perhaps not to the same extent as fraudulent cheques.

Government stimulus funds could increase fraud

2009-03-30T10:04:00.006+01:00

Ponzi schemes and other old fashioned forms of fraud are growing, and efforts by governments to combat the credit freeze are presenting new opportunities for fraudsters. That is the conclusion drawn in the latest Kroll Global Fraud Report. According to Kroll the greatest threat is misuse of government stimulus funds, particularly in areas such as infrastructure funding.

"Those impacted by the economic instability who are inclined to engage in fraudulent business practices will work to secure stimulus funds by any means possible,” said Blake Coppotelli, senior managing director in Kroll’s Business Intelligence and Investigations practice. “One prime area is infrastructure projects. With the near collapse of the real estate and construction markets, traditional fraud and rackets, such as bribery, kickbacks and bid-rigging, will find a wealth of opportunity in the stimulus funds. In our experience, without extensive anti-fraud policies, oversight and enforcement, 10% of these funds will be lost to fraud and criminal activity.”

Fraudsters will also be provided with new opportunities, says Kroll such as preying on companies as they move into "riskier geographies" in search of growth, to cheating to obtain a piece of the huge government stimulus pies. In its latest fraud report, Kroll says Ponzi schemes and other "old classics" are growing –for example, various financial scams and straight-forward corruption. According to Kroll, " smaller scale" pyramid schemes are multiplying in Latin American countries and elsewhere.

Often some of the most difficult frauds to predict are those committed by so-called "corporate saviours", as they "cook the books" not so much for personal gain but out of the misguided belief that they are acting in the best interests of the company or its employees. "They do not even realize that their actions would be considered fraudulent, or the damage that they might cause to others," says Kroll.

Kroll also says that the risks for companies that look to do more business in other geographies are also more acute in developing regions. Its survey found that the incidence of the top 10 major
frauds is generally higher in the Middle East and African countries, and lower, except for IP (intellectual property) fraud, in Europe and North America.

Despite the proliferation of fraud, Kroll says more regulation may not be the answer. After the Enron and WorldCom scandals at the beginning of the millennium, the US government introduced Sarbanes-Oxley legislation, but Kroll says despite such legislation fraudsters continue to penetrate and defraud companies in any industry, in any country around the world.

Chip and PIN no 'panacea'

2009-03-27T08:52:00.004Z

Chip and PIN has forced fraudsters away from the high street, Shopsafe.co.uk director Simon Crisp was quoted as saying recently. While that may be true, what it has done is resulted in higher levels of card-not-present fraud and cross-border card fraud.

Crisp is quoted as saying stopping card fraud is about staying "one step ahead" of the fraudsters and that Chip and PIN is helping deter criminals. Well most so-called fraud experts would argue that Chip and PIN is not the 'panacea' some thought it would be and that it has merely forced fraudsters to become more sophisticated in their efforts to use cards for criminal purposes.

While it may have helped reduce the amount of card present fraud committed on the high street, online shopping presents numerous opportunities for fraudsters as the card is not presented. Malicious software and phishing attacks can also be used to capture personal banking as well as PIN and password details. I don't think Chip and PIN can really be classed as staying one step ahead of the fraudsters, as they have already jumped that 'hurdle'.

Banks still spending on fraud prevention

2009-03-24T09:54:00.002Z

A new report on US banks' fraud management strategies concludes that funding for addressing fraud is unlikely to be scaled back despite the economic downturn,

"The good news is that funding for addressing fraud management is seen as mission-critical by financial institutions," says Nick Holland, senior analyst with Aite Group and author of the report. Holland says bank fraud management departments are centralising, investing in monitoring technology and continuing to place a strong emphasis on the "human element" as the most critical component of fraud mitigation.

The report, which is based on interviews with fraud managers at 23 of the top 150 US financial institutions, also sheds some interesting light on the drivers for banks' fraud management strategies, both now and in three years time. Supporting law enforcement efforts and recouping fraud losses are not necessarily high on banks' agenda. Instead more than 80% said preventing fraud losses and meeting compliance requirements was important now, increasing to 90% or more in three years.

While banks spend a lot of time, money and effort in trying to meet regulatory requirements, preventing fraud should be a priority of the bank regardless of compliance, as not only does it cost the banks millions ever year, but it also tarnishes their relationship with customers and impacts brand loyalty. Will there come a day when people shop for banks based not only on interest rates but also their track record in preventing fraud?

Banks could do more to protect customer data

2009-03-24T09:33:00.003Z

As more fraudsters take over customer bank accounts, a company that shreds confidential information says banks need to do more in terms of safeguarding confidential material and educating customers about the risks of fraud.

According to CIFAS, the UK’s fraud prevention service, in 2008 there was a 207% rise in facility takeover fraud, whereby "scammers" intercept bank statements, credit card bills, receipts and account slips so that they can take over bank accounts that belong to other people.

Interestingly, while banks appear to have done considerable work in terms of implementing internal systems to detect fraud, sending credit card or account statements and PIN numbers by post to customers is hardly state-of-the-art fraud prevention.

Shred Easy, which collects, destroys and recycles materials including paper and IT equipment, believes more could be done to educate bank customers about fraud and that banks should provide free advice on fraud and identity theft.

There is something to be said for greater customer awareness of what indicators to look out for in order to help prevent and detect fraud earlier. When you open an account with a bank it would be good to receive a pamphlet/brochure on bank account and credit card fraud and tips as to what telltale signs or behaviours customers should look for.

But also banks need to rethink their approach to safeguarding customer data. If they are still sending out paper account statements that can easily be intercepted (instead of say a digitally signed encrypted electronic file) then customer education will only go so far in helping reduce fraud.

Detecting suspicious activity sooner rather than later

2009-03-20T14:56:00.002Z

This is what Michelle Weatherhead, manager, EMEA, Risk Solutions for payments software provider, ACI Worldwide, had to say recently about the rise in UK card fraud in 2008.

The APACS annual statistics finding that UK card fraud in 2008 increased by 14% is, unfortunately, relatively unsurprising. The one statistic that was immediately notable was the increase in card ID theft, which was up 39%.

Card ID theft, which is when someone gets hold of your card details and PIN and starts to use them on an ongoing basis, is a real problem. There is the issue of consumer education - encouraging members of the public to shred card statements when they dispose of them, change PINs regularly and carefully check statements to make sure they are accurate, is a first step. However, there are techniques that the bank can use to help prevent this type of fraud.

One step that many banks are turning to is monitoring all activity on an account, both financial and non-financial transactions, as well as combining intelligence about how a customer uses all their cards and accounts, not just an individual one.

This helps the banks build up a complete profile of that individual - how often they travel, where they tend to shop, how much they usually spend - so that as soon as a transaction occurs that is outside that customer's usual spending patterns, alarm bells start to ring and that transaction can be flagged as suspicious. What is important is that the banks detect suspicious activity as soon as the account is taken over, otherwise the fraudster will build up their own 'profile' so activity may appear genuine.

This leads to tools such as SMS alerting, which banks are starting to implement to help them stop fraud early. SMS alerting means that if suspicious activity occurs, such as a transaction that is overseas, over a certain value, or in a type of outlet the customer hasn't used before, the bank can send a text message to the customer immediately, informing them of the transaction and asking them to respond if it isn't genuine.

This can also be used to confirm with customers that they have changed their address or requested a new PIN for example, which can be a first sign of account takeover.This combination of activity can enable the banks to block compromised cards quickly, protecting themselves from losses, and also building confidence with members of the public that they are protected too.

Fraud is always changing and moving - the APACS’ statistics for 2009 when they come out in 12 months’ will show similar trends to those we have seen in this announcement - but as banks embrace the latest technology, just maybe some of these numbers will start to come down.

The battle against fraud steps up a gear

2009-03-19T08:45:00.002Z

For some time now I have been drawing links between the economic crisis and the increased discovery of fraud. It is not rocket science really, as economic hardship can make people that may not normally commit fraud, find themselves suddenly fiddling the books or altering accounts in order to cover up losses or poor performance.

Of course, there is always the more criminal element that looks for vulnerabilities to commit new and varied forms of fraud. Most of the fraud experts I have spoken to have said that the crisis is not likely to lead to a greater incidence of fraud, but greater discovery of frauds that may have been going on for some time. The Madoff Ponzi scheme is a case in point.

However, a survey conducted by Vanson Bourne on behalf of predictive analytics software provider, SPSS Inc., has found that one in four (26%) financial companies reported increased levels of fraud, which it claims is double the UK average of 12%.

But it is not necessarily a lack of preparation that is exposing financial service providers to fraud, as 82% of respondents said they were very or well prepared to combat fraud, compared to 73% across all industry sectors. Now this is obviously where SPSS comes in and says predictive analytics is one tool that financial service providers should have in their anti-fraud armoury.

Yet, having the latest whizz bang anti-fraud solutions in place does not necessarily mean you are less exposed to fraud. Firstly it depends what solutions you have in place, whether they are joined up enterprise-wide or operate in silos, how well educated and trained your staff are to uncover various types of fraud and to interpret various data inputs and analytics that could suggest fraud.

We have all heard the stories of fraud technologies that generate "false positives", which means staff spend more time responding to false alerts or red flags than they do to real incidences of fraud. Professional fraudsters are also fairly adaptable and can change certain behaviours in order to circumvent technologies, which may only be programmed to look for past known behaviours of fraudsters, not new permutations.

While the bulk of the responsibility and liability for fraud has historically been with the companies that are the victims, increasingly the government appears to be assuming more responsibility with the setting up of a National Fraud Reporting Centre (NFRC) where people and businesses will be able to report suspected cases of fraud.

The UK National Fraud Strategic Authority has also given the Crown Courts extended powers to bar solicitors and estate agents from working if they are convicted of fraud. It is all part of the Government's efforts to change the perception that fraud is a "victimless" crime, but while businesses take fraud seriously, will this get the police to treat fraud more seriously?

There was an interesting report on the BBC's Panorama program recently about the government's inability to successfully recover the assets of organised crime or money earned through illicit means. While a reporting centre is a step up as information sharing can often uncover patterns of fraud across various enterprises, the authorities need to make the evidence stick and the information needs to be adequately followed up by the police, which to date have not made significant inroads when it comes to catching fraudsters.

FSA faces multimillion pound compensation claim

2009-03-05T09:09:00.001Z

The Securities & Exchange Commission in the US has copped serious flack over its handling of the alleged Madoff Ponzi scheme and it looks like it is the turn of the UK's Financial Services Authority (FSA) to cop some flak - in fact it is facing a multimillion pound compensation claim from investors in collapsed fund, GFX Capital Markets.

According to a report in The Times, the FSA knew about concerns pertaining to GFX's business practices and that its boss Terry Freeman had changed his name after earlier being disqualified until 2012 as a company director.

Lawyers for investors in GFX which collapsed with estimated losses of £44 million, claim that the FSA could have acted sooner based on the knowledge it possessed. Is this the first of many such claims that we are likely to see against the FSA as angry investors seek retribution for their losses?

While it is all to easy to use the regulators as a scape goat for a lack of due diligence by investor or investment funds, this crisis raises serious questions about the regulatory oversight and due diligence conducted by the FSA and perhaps suggests that more regulation or granting more powers to the FSA is not going to be the panacea some hope it might.

What to look for in a web-based fraud detection system

2009-02-27T17:38:00.005Z

For online retailers the growth of online shopping is a double-edged sword. While the recession is driving more shoppers online to search for bargains, the more people that shop online the greater the risk of fraud, which makes the cost of acquiring online customers a bit of a tricky biscuit.

As an online retailer you may spend considerable sums not only on customer acquisition but also on automated anti-fraud monitoring technologies, but do the benefits outweigh the costs?

Some online retailers would probably say no, yet as the recession continues to bite, anti-fraud software vendors are eager to tout their automated fraud monitoring solutions, however with so much choice out there and with vendors prescribing different solutions for different operational silos and levels of fraud, how can retailers be sure that they are choosing the right solution?

Gartner recently published its Magic Quadrant for Web Fraud Detection, which describes the market as "still maturing" and consisting of vendors that have "a lot of work to do to round out their product lines". In other words this is a rapidly evolving market and vendors are having to keep up with the rapidly changing =nature of online fraud, which means that solutions with built in flexibility and the ability to quickly introduce new functionality as and when needed without a major overhaul of the existing installation, is key.

Gartner says most web fraud detection systems can be broken down into two types: rules-based software and predictive software that uses artificial intelligence to detect potentially fraudulent behaviours. According to Gartner, predictive software is more effective at catching fraud as rules-based systems tend to be based on past known events that have already occurred, therefore it is not good at detecting new or unknown types of fraud. The more rules you have, the more difficult it is to manage, so Gartner suggests that rules-based systems are only suitable for those companies with minimum levels of fraud.

When selecting a fraud detection system Gartner advises firms to opt for those solutions with a 70% fraud detection rate and a "false-positive" rate of one in five in order to minimise the time spent unnecessarily investigating legitimate transactions. Some anti-fraud solutions such as "geolocation" and "client device identification" have a short shelf life and can be spoofed or fail to keep up with increasingly sophisticated attacks.

Gartner also advises firms to buy solutions that provide value-added services such as authentication in conjunction with fraud detection as well as solutions that work across multiple channels and accounts. Those vendors whose web detection solutions can easily "plub and play" with different authentication technologies score highly.

Prioritising alerts is also key. "Enterprises want and need to be able to prioritise alerts based on their severity and urgency," writes Gartner. "Unless the system returns a score that ranks the severity, it is difficult to know which alerts demand priority attention."

Ease of use may sound like a no-brainer but Gartner says most web fraud detection vendors fall short in terms of providing consoles that enable alerts to be investigated easily. Sufficient levels of reporting also tends to be a downfall. More advanced fraud detection solutions, says Gartner, not only look at log on details or web site access, but also transaction information and user navigation.

Online retailers fight "recession fraud"

2009-02-24T10:23:00.002Z

A survey conducted by Vanson Bourne indicates that online retailers are fighting back against the increased threat of "recession fraud".

The research conducted on behalf of SPSS, a predictive analytics software provider, shows that 37% of online businesses had implemented new measures such as customer behaviour analysis, restricting purchases from "high risk" locations or countries and reducing the number of payment methods available, to help reduce online payment fraud.

The 2009 UK Online Fraud Report estimates that UK online retailers lost up to 5% of total revenues to fraud in 2008, however, while retail sales on the high street are declining, online sales are increasing (up 14% in December 2008 compared to the previous year), so retailers cannot afford to be complacent about fraud.

One in four retailers surveyed by Vanson Bourne indicated they are using customer analytics, which focus on unusual behaviour patterns, to detect fraud. Eighteen percent said they had also reduced the number of payment methods in the belief that it reduced the opportunities for fraudsters.

Learning the lessons of due diligence

2009-02-19T08:35:00.010Z

A few months back when the alleged Bernard Madoff Ponzi scheme was first exposed, I remember writing on this blog that the alleged $50 billion fraud was only the tip of the iceberg, and that the recession would result in other scams or alleged frauds being exposed.

Not that I want to beat my own drum, but it doesn't take much to realise that a deep economic recession and tightened credit availability are all it takes to bring suspected frauds that have gone undetected, to light. When banks don't want to lend and investors panic and want to withdraw funds, things start to unravel.

I don't think we can say that the credit crisis is causing fraud to spiral out of control, however, it is resulting in greater levels of discovery. Since Madoff, there has been the $1.5 billion fraud at Indian IT firm Satyam Computers, other Ponzi schemes and dodgy investor scams are being uncovered on a regular basis and now the SEC alleges that Allen Stanford duped investors who bought bonds from his Stanford International Bank in Antigua and claim that he also lied about the performance of their savings and the extent of investors' exposure to Bernard Madoff's alleged Ponzi scheme.

Not only is more fraud likely to be uncovered in trying economic times, but also financial regulators are on the war path, eager to redress the perception that they failed to adequately supervise financial firms when times were good. Now that times are not so good we can expect to see the heavy hand of regulation come down on banks.

In the UK the Financial Services Authority is calling for a sea change in the way commercial banks, investment banks and building societies manage their liquidity. The new liquidity standards, which are scheduled to come into force in October, will also impact US banks with branches in the UK and are designed to try and prevent an event like the Lehman's collapse in the US, spilling over into the UK by forcing bank branches to become self-sustaining when it comes to liquidity.

While managing liquidity is not directly related to fraud, what is perhaps more interesting is that observers believe the FSA is likely to not only make an example of those banks that fail to comply with its new liquidity standards, but they may also "disbar" those company chairman and executive directors of banks that don't measure up.

Corporate governance is back on the agenda again and it is the guys at the top that are likely to take the heat, however one has to question how serious the regulators really are when you read reports that a former disqualified company director was able to foil the FSA merely by changing his name and becoming a director of three companies.

We have all heard the corporate governance rant before - isn't that what Sarbanes-Oxley was all about? Yet financial accounting scandals are still very much with us and some suggest it is only going to get worse as company executives resort to fiddling the books in order to preserve banking covenants, meet analyts' expectations or avoid bankruptcy.

But heightened levels of corporate governance in the form of greater regulatory oversight is not the panacea some think it is. If anything is to be learned from the Madoff and Stanford cases it is the lack of due diligence by investors and investment funds. All the warning signs were there; fly-by-night accountants and a lack of separation of duties; and if anyone had bothered to do their due diligence they would have uncovered enough to raise alarm bells.

However, it seems everyone wanted to believe the unbelievable; market beating returns; and it seems we all want to believe that some of the gold dust will rub off on us, which means a lot of financiers are not subjected to the level of scrutiny that they should be.

Corporate bribery

2009-02-13T10:01:00.003Z

Former investment banks are in the spotlight again, this time relating to allegations of corporate bribery.

According to a report in the Financial Times, Morgan Stanley's global head of real estate investing has been suspended following disclosure of a Securities & Exchange Commission (SEC) filing that indicates a China-based employee violated the foreign corrupt practices act.

Morgan Stanley was a major investor in Chinese real estate, a sector which is believed to be plagued by bribery and corruption. A number of fraud and risk specialists I have spoken to in recent weeks have highlighted increasing reports of corporate bribery and corruption where business contracts are awarded on the basis of financial rewards.

In the US and the UK corporate bribery can attract substantial fines, which often exceed the initial bribe. According to Kroll's 2008-2009 Global Fraud Report, regulatory and compliance breaches increased from 19% to 25%.

Balancing fraud and profit

2009-02-11T10:39:00.002Z

I received an interesting email from an Amsterdam-based company, Directness, which is running a Risk v Reward: Balancing Fraud and Profit conference for retailers in Amsterdam tomorrow.

Organiser, Adam Dorrell, said that the event was triggered by retailers such as Nike, Philips and Sony getting fed up with the cost of fraud. The problem for many retailers is that they have to invest considerable sums in automated solutions for combating credit card fraud, but the return on investment is uncertain in that they may be spending more to acquire customers, only to lose them to fraud or "charge-backs".

Do the risks outweigh the rewards? Well if you believe what you read in the newspapers and various surveys that are published, the risks, particularly in the online shopping world appear to be significant. This appears to have convinced a significantly large proportion (41%) of the UK population not to shop online, according to CyberSource's latest annual survey of more than 150 merchants and 1000 consumers.

Security was an issue for the 41% of UK consumers that said they did not shop online. Out of the total sample, including those that did shop online, 66% said they were concerned about the level of risk. Given that most online shopping sites now carry a secure padlock icon or the green VeriSign bar which demonstrates that the web site has met more stringent standards around web site integrity, this is still a surprisingly high number.

Some of the other basic precautions online shoppers can take is signing up to the MasterCard SecureCode or Verified by Visa programmes, which adds an additional authentication layer by asking for a password, but not all shopping sites carry this and arguably it is still open to abuse if the password is easy to guess or replicate.

CHIP and PIN while reducing fraud when the card is presented, has only served to increase the incidence of fraud in card-not-present transactions (online or over the telephone). Some security vendors suggest that one-time passwords are more secure, but there has been no uptake of this by the card companies.

Another problem is that the cost of fraud is borne by the poor retailer who has to foot the cost of charge backs and fraud in general, as well as investing in anti-fraud measures. It will be interesting to hear what comes out of the event in Amsterdam tomorrow and whether retailers can come up with a joint industry solution to combat fraud. We hope to provide you with coverage after the event.

Lloyds warns against phishing attacks

2009-02-10T15:52:00.004Z

Newly-merged UK-banking group Lloyds TSB and HBOS have taken the unusual step of warning customers that fraudsters may take advantage of their merger to launch phishing attacks.

In recent years, phishing scams which typically involve the sending of "official-looking" emails asking customers to confirm bank password, security and account details, have been steadily rising. Banks and other security providers have cautioned customers not to respond or open emails sent to them asking for such information.

However, in an effort to head off a potential attack as it goes through a long and protracted merger with HBOS, Lloyds TSB said customers should be on their guard and that it would not email them requesting account, PIN or security information.

More Ponzi schemes

2009-02-06T09:39:00.003Z

While the alleged Bernard Madoff Ponzi scheme is capturing most of the headlines, other Ponzi schemes are also coming to light.

According to newspaper reports, Japanese police have arrested a 75-year-old bedding company executive on suspicion of running a "pyramid scheme" that promised investors high returns.

According to some experts, Ponzi schemes are increasing and are recurrent. Estimates suggest that in 2002, US citizens lost $9.6 billion to Ponzi schemes. Some suggest that Ponzi schemes are happening with increasing frequency and point the finger at unregulated hedge funds or alternative investments put together by investment advisors.

Madoff - who is to blame?

2009-02-06T09:10:00.006Z

The US Securities & Exchange Commission (SEC) continues to cop flak over its handling of tip offs regarding the alleged Bernard Madoff Ponzi scheme.

According to a report in the UK's Financial Times newspaper, Lord Jacobs a peer who lost money in the alleged $50 billion scheme, is pointing the finger at the SEC for "the grossest negligence it is possible to conceive" for not fully investigating a whistleblower’s detailed exposé.

He is not alone in his condemnation of the US regulator. Members of the US Senate Committee on Banking, Housing and Urban Affairs also expressed disbelief and amazement at how regulators did not uncover the alleged Madoff Investment Securities Ponzi scheme, citing numerous "red flags" such as the fact that he did not use a separate custodian for his investment advisory business, and that his accountant was not registered with The Public Company Accounting Oversight Board (PCAOB).

However, as a privately held broker-dealer, the Senate hearing heard how Madoff was able to avoid adhering to these requirements. At the same Senate hearing, senior representatives from the SEC defended their investigations of Madoff saying their examinations which were limited to the scope of his broker/dealer business, not his investment advisory business, did not find fraud.

Madoff registered as an investment advisor in 2006. The SEC said it could not examine every investment advisor and that 10% of registered advisors were examined every three years, but that these examinations were limited in their scope and targeted specific activities. The SEC also pointed towards resource constraints.

Nevertheless it seems that the SEC is going to cop a lot more flak over its handling of the alleged Ponzi scheme as a number of investors that have lost money question how detailed tip offs from a reliable source failed to uncover anything. The truth perhaps lies somewhere in the fact that the SEC said it only examined Madoff's broker/dealer activities, not his investment advisory business. Regulatory loopholes appeared to have allowed Madoff's investment advisory activities to escape rigorous scrutiny.

AIG in the spotlight again

2009-01-30T12:19:00.004Z

US insurance company, AIG, one of the high profile victims of the credit crunch, is in the spotlight again with one of its former vice presidents being jailed for four years for falsely inflating the company's share price and reserves.

According to reports, Christian Milton, who was convicted back in 2008 of conspiracy, mail fraud, securities fraud and making false statements to the Securities and Exchange Commission, participated in a scheme whereby AIG "secretly paid" General Reinsurance to take out reinsurance policies with the company in 2000 and 2001. The scheme reportedly cost investors up to $597 million.

It is not the first time that AIG has been implicated in fraud. According to Wikipedia, an accounting scandal resulted in former CEO Maurice R. Greenberg being ousted in 2005. The allegations made at the time included fraudulent business practice, securities fraud, common law fraud, and other violations of insurance and securities laws. All criminal charges were later dropped however and Greenberg was not held responsible.

AIG, and other victims of the credit crunch are also being investigated by the FBI. The investigation is believed to be looking at whether these firms unduly influenced agencies to "inflate" their ratings and misled investors about the true state of their assets.

Card fraud stats - who do you believe?

2009-01-30T12:00:00.004Z

Various organisations produce statistics on the incidence of credit card fraud, but the UK payments association, APACS, has hit back at a recent survey published by "life assistance" group CPP, which claims that 12 million people were victims of card fraud in 2008 and that the average loss was £650.

APACS says CPP's stats are "spurious" and that according to its own data, which is drawn from stats provided by its member banks, 2007 figures indicate there were just over a million reported cases of card fraud; and although card fraud increased in 2008 (APACS will publish figures in March), APACS says CPP’s suggestion that there were 12 million victims in 2008 is "wildly out of line".

Is it a case of CPP, which provides protection and insurance against identity theft and card fraud, talking up the incidence of card fraud in order to scare consumers into thinking the problem is much bigger than it really is? There is no question that some organisations may be talking up fraud to benefit their own cause, which is not helpful as card fraud remains a persistent problem for online merchants and exaggerating the levels of fraud, only serves to suggest that none of the solutions deployed so far to combat it are actually working.

Having said that more certainly needs to be done, as CHIP and PIN may have reduced "over-the-counter" fraud, but most reports indicate card-not-present fraud is on the increase, particularly online. Some providers have suggested the use of one-time PINs and passwords to "toughen up" existing security.

Regulatory loopholes may have helped Madoff

2009-01-29T16:24:00.008Z

Members of the US Senate Committee on Banking, Housing and Urban Affairs expressed disbelief and amazement at how regulators did not uncover the alleged Madoff Investment Securities Ponzi scheme. On Tuesday the committee listened to witnesses' testimony regarding regulatory and oversight concerns and the need for reform in light of the alleged Ponzi scheme.

Senators expressed disbelief that securities regulators, the Securities & Exchange Commission (SEC) and the Financial Industry Regulatory Authority (Finra), missed numerous "red flags" pertaining to Madoff, including the fact that he did not use a separate custodian for his investment advisory business, and that his accountant was not registered with The Public Company Accounting Oversight Board (PCAOB).

During the hearing one senator remarked: "... it is inexplicable how the SEC missed it (Madoff's alleged Ponzi scheme). It is as if there was a giant elephant standing next to the SEC in a rather small room for 25 years and the SEC never noticed the elephant or even smelt the peanuts on its breath. And it is not as if the SEC were not looking around the room."

The SEC is conducting its own investigation into its handling of the alleged Madoff Ponzi scheme. During Tuesday's testimony senior SEC officials stressed that their past examinations of Madoff were restricted to his broker dealer activities and did not include his investment advisory business which was registered in 2006.

The SEC said 10% of registered investment advisors were examined every three years, and that these examinations were limited in their scope and targeted specific activities. The other regulator in the spotlight regarding the alleged Ponzi scheme, Finra, said its jurisdiction was limited to Madoff's broker dealer operations and that this meant it could not be an "extra set of eyes".

However, during Tuesday's hearing, Professor John Coffee, Professor of Law at Columbia University, said Finra did have jurisdiction over Madoff Investment Securities. He also stated that registered investment advisors are required to use a "qualified" custodian. However, he said Madoff used himself and that he was able to do this because the SEC gave us an "illusory" rule which allows investment advisors, where it has a broker dealer affiliate, to use its own broker dealer to be its custodian.

Following the implementation of Sarbanes-Oxley, Coffee said broker dealers were supposed to use accountants registered with the PCAOB. However, he said on three occasions, the SEC adopted and extended an exemptive rule that said privately-held broker dealers did not have to use such a PCAOB registered accountant.

Coffee said Ponzi schemes were increasing in regulatory and frequency and tended to occur in unregulated hedge funds or alternative investments put together by investment advisors.

Online fraud continues to rise despite countermeasures

2009-01-29T08:34:00.004Z

Despite ongoing investment in tackling fraud, online merchants continue to see their losses from fraud increase, according to a survey of 150 online retailers conducted by Cybersource Ltd.

The overall rate of fraud increased 2.6%, which does not sound like much, however, Cybersource says for approximately 13% of merchants, the rate of fraud increased by more than 20% and 37% of merchants experience losses due to fraud of 1% or more. These increases are in spite of the fact that in the UK at least, approximately 60% of merchants now deploy Verified by Visa and MasterCard SecureCard schemes, which require the purchaser to type in a private code known only to them and their bank.

But it is perhaps the indirect costs of fraud that are more telling. According to the survey, 20% of merchants reject more than 5% of orders because they suspect fraud, although some of these orders may be authentic.

Despite the increasing sophistication of automated fraud screening software, Cybersource's survey indicates that 10% of merchants still reviewed every order manually, which is deemed costly and inefficient. It begs the question, do merchants see automated fraud screening as too costly or difficult to implement?

How did "India's Enron" come about?

2009-01-29T08:03:00.007Z

"We will see a significant increase in
[ financial accounting scandals], however the jurisdiction is shifting from the more regulated markets where Sarbanes-Oxley, independent audit committees and the significant level of oversight make it more difficult to get away with, to emerging markets where supervision and broad oversight is not as advanced," said Richard Abbey, managing director, Financial Investigations for risk consulting company, Kroll.

I have reported these comments from Abbey before in an earlier posting, but I wanted to highlight them again in light of the Financial Times publishing its account of B. Ramalinga Raju, the former chairman of Indian IT firm, Satyam Computers and how "India's Enron" unfolded.

According to the newspaper report, Mr Raju became "obsessed with market capitalisation", which is what Abbey is alluding to in his statement above.

The report goes on to say that Mr Raju also appeared to benefit from the silliness that prevailed during the dot.com boom when the market cap of companies was wildly overinflated and no one, including those financing dot.com companies, really paid any attention to a company's earnings or P&L .

According to the FT, Mr Raju listed Satyam Infoway on the Nasdaq in 1999, and was able to immediately raise money despite the fact that the company had lost money. But once the dot.com bubble burst, according to the police the accounting fraud began in 2001 when the share price deflated.

Fund heaped praise on Madoff

2009-01-23T09:58:00.003Z

As more details come to light about the alleged Madoff Ponzi scheme, lawyers representing those investors that lost millions are pointing the finger at the apparent lack of due diligence conducted by the banks and the funds that invested money with Madoff.

According to a report in the Financial Times, Santander's Swiss-based alternative investment arm, Optimal, "heaped praise" on Madoff before his arrest, for his ability “to find great entry and exit points to benefit investors”.

With parent bank, Banco Santander admitting losses of up to €2.33 billion as a result of the alleged Ponzi scheme, lawyers will be clambering all over this latest revelation.

Another Ponzi scheme?

2009-01-22T16:53:00.003Z

Bloomberg is carrying news of the latest alleged Ponzi scheme coming out of Japan. Japanese housewives have reportedly been hit by the alleged currency trading scam.

Recession - the mother of invention

2009-01-22T13:43:00.005Z

A recession is the mother of invention, and never one to miss an opportunity, fraudsters are reportedly targeting investors whose money is trapped in Icelandic bank, Kaupthing Singer & Friedlander.

According to Citywire, depositors with money trapped in Kaupthing Singer & Friedlander, on the Isle of Man, which went into administration late last year, have been approached by a company calling itself Kristen Heather Investments (Isle of Man). The company claimed it could return depositors' funds in Kaupthing Singer & Friedlander for a fee.

The Isle of Man Financial Services Commission says the firm has a fake address and had copied the real bank’s website. PricewaterhouseCoopers, which is liquidating Kaupthing, says it appeared to be "an entirely fraudulent endeavour".

As I mentioned in my previous post, Madoff - who is culpable?, with irate investors and shareholders having lost substantial sums of money, there is likely to be a raft of legal action in the wake of the credit crisis. Some of the big class action suits may be some time in coming, but meanwhile, according to The Press & Journal, an 83-year-old QC is suing Royal Bank of Scotland claiming that the bank was "insolvent" when it "fraudulently" sold him shares in a rights issue.

As part of his small claims action, the QC is trying to prove that the bank was "technically insolvent" when it sold him stock valued at £1,282 as part of a rights issue. If the case is successful, it could lead to similar action being taken by other bank shareholders.

Madoff - Who is culpable?

2009-01-21T10:48:00.005Z

Given the amount of corporate fraud cases and lack of due diligence that has been brought to light as as a result of the current financial crisis, litigators will be clambering all over it trying to find some means of recourse for their clients who have suffered substantial financial losses.

In the case of the alleged Madoff $50 billion Ponzi scheme, there could be a number of potential targets in the firing line for litigators to take action against. Investors whose money ended up in Madoff's scheme are likely to turn to the managers of the "feeder funds" who earned commissions from feeding funds into the alleged Ponzi scheme. Questions also remain over the due diligence conducted further down the line by those banks that have revealed exposure to the Ponzi scheme.

Some experts also question whether the US securities regulator, the Securities Exchange Commission (SEC) is culpable. According to the latest newspaper reports, the SEC missed "red flags" regarding Madoff's alleged Ponzi scheme when it investigated an accountancy firm with ties to Madoff back in 1992. The New York Times claims that the SEC's probe found that the accountancy firm kept "almost no records", and that one of the partners told investigators that the $441 million it controlled was managed by Mr Madoff.

Forensic accountants currently working on the Madoff case in New York and London, say there appeared to be a “patent lack of segregation of duties” as the management, administration and custody of the fund in question was conducted either by Madoff or associated parties. However, standards of due diligence in this area are still developing and there was no apparent legal onus on Madoff to separate these duties.

One source I spoke to involved in the Madoff investigation recalled the BCCI scandal in the UK in 1991 when the Middle Eastern bank collapsed with £7 billion of undeclared debts. The financial regulator at the time was the Bank of England and victims of BCCI, led by the liquidator Deloitte & Touche, later brought a lawsuit against the Bank of England claiming up to £1 billion in damages. The victims alleged the Bank of England was "guilty of negligence amounting to 'misfeasance', or wilful misconduct." The case later collapsed.

Questions now remain about whether the SEC could have done more to uncover the alleged Madoff Ponzi scheme. As to whether it could face its day in court is debatable as the SEC may be able to declare immunity from being sued. As the BCCI lawsuit also demonstrated it may also be difficult to prove that the SEC "deliberately" failed in its duties.

Learning old lessons about fraud

2009-01-20T07:46:00.006Z

With "Ponzi" schemes and "rocketing levels of discovery" of insider fraud that has gone undetected for years finally being exposed by the credit crisis, corporate fraud will be an area of renewed focus this year as companies go back to basics to defend themselves against malicious and non-malicious attacks perpetrated by insiders.

With so much press and industry focus on the multitude of threats looming outside the corporate firewall, until recently insider fraud attracted few column inches. Given the impact exposure of corporate fraud has on a company's brand and reputation, it is not surprising perhaps that most incidences of insider fraud (50% in the case of insider fraud in banks, according to Celent) goes unreported.

Yet, with figures published by analyst firm Celent indicating that insider fraud accounts for 60% of all bank fraud cases involving a data breach or theft of funds, corporate fraud is an endemic problem and fraud experts anticipate it will be ratcheted up a notch or two by the recession.

Richard Abbey, managing director, Financial Investigations, for risk consulting company, Kroll, says the recession could give rise to the "non-malicious" corporate fraudster - those that commit fraud not for personal gain, but to save their company and employees' jobs. "It's misplaced loyalty if you like as they do not really think they are committing fraud," says Abbey. While anti-fraud measures tend to be focused on new employees, Abbey says the typical fraudster is the long-serving, loyal employee that knows their way around a company's systems.

Despite the introduction of Sarbanes-Oxley in the US, which placed more rigorous reporting requirements on a company's financials in the wake of the Enron and WorldCom corporate accounting scandals, Abbey expects to see more financial accounting scandals in the wake of the recession as corporate executives falsely inflate profits and cover up debts in an effort to maintain core ratios or to protect themselves from breaching banking covenants.

"We will see a significant increase in that type of fraud, however the jurisdiction is shifting from the more regulated markets where Sarbanes-Oxley, independent audit committees and the significant level of oversight make it more difficult to get away with, to emerging markets where supervision and broad oversight is not as advanced," says Abbey.

No surprises then that the latest accounting scandal has rocked Indian IT outsourcing firm, Satyam Computers, where the company's chairman has admitted to a $1 billion fraud, which is being billed as "India's Enron". Kroll is also seeing more companies reporting allegations of corporate bribery and corruption, which if proved true can attract hefty fines far in excess of the original bribe.

Given the threat landscape, it may be tempting for corporate executives and chief risk officers to reach for the latest gadgets: biometrics; enterprise anti-fraud systems; software that detects the potential for fraud in emails; however, fraud experts caution that brandishing the sword of technology is not necessarily the answer.

According to Abbey most corporate fraud is detected not as a result of controls companies put in place, but by accident or whistle blowers. There are, however, more immediate measures firms can put in place to protect themselves against insider fraud, segregation of duties being the main one, to ensure that no single person, regardless of how long they have been with the company, has "end-to-end" control over a business processes or processes.

In its latest Global Fraud Report, Kroll concludes that the financial crisis will lead to more fraud claims, legal disputes and regulatory action. Greater due diligence and levels of corporate governance will also be required and cross-border transactions are likely to increase exposure to "complex fraud and corruption".

“There are some wonderful technologies that can help solve fraud,” says David Porter, head of security and risk at consultancy, Detica, “but it is not just about wielding the sword of technology. It is about con artists scamming people. There is a soft human element to combating fraud. This year, companies are going to be learning a lot of old lessons about fraud.”

Corporate fraud - The revelations keep coming

2009-01-12T16:33:00.012Z

As I mentioned in my previous post with the tide well and truly out as the credit crisis deepens, some unsightly corporate 'flotsam' is being washed up on our shores. But can we extrapolate from the increased disclosure of high profile corporate fraud cases in recent weeks and months that corporate fraud and the credit crunch go hand in hand?

Well the answer to that is yes and no. David Porter, head of security and risk at consultancy, Detica says corporate fraud was a major problem before the credit crisis began and that we are unlikely to see rocketing levels of fraud as a result of the crisis. "But we will see rocketing levels of discovery," he says. "When things are going well, people don't bother looking at fraud. Now that times are hard, what was previously non-pressing has become more pressing.”

In other words the scarcity of capital and renewed focus on corporate governance is helping shine the light on incidences of fraud that were less likely to be uncovered when everyone was drowning in liquidity and economic conditions were perhaps more conducive to inflating profits in financial statements.

Kroll's 2008-2009 Global Fraud Report says that 85% of companies were affected by at least one fraud in the past three years, up from 80% in its previous survey. The most common forms of corporate fraud according to Kroll's survey were theft of physical assets, which impacted 37% of companies, compared to 34% in the previous survey. Information theft also increased from 22% to 27%; and regulatory and compliance breaches from 19% to 25%.

In its 2008 Financial Risk Outlook, UK financial services regulator, the Financial Services Authority (FSA) identified financial crime as one of the key priority risks stating that “tighter economic conditions may lead to an increase in the incidence or discovery of some types of financial crime.”

Kroll anticipates that as a result of the credit crunch there is likely to be an increase in "non-malicious" corporate fraud committed by those "misguided" employers or employees who are not out for personal gain, but to save their company and employee's jobs. It also expects to see an increase in false accounting practices as companies look to inflate profits in order to maintain their core ratios or protect themselves from breaching banking covenants. We also understand that corporate bribery and corruption where business contracts are awarded on the basis of financial rewards and employees being coerced into collusion with outside gangs are also on the rise.

Below I have compiled a rough list of frauds or alleged frauds that have come to light since the credit crisis began 18 months ago. While these frauds are not necessarily the direct result of the credit crisis, the scarceness of capital has perhaps helped bring them to light or resulted in more exposure and heftier fines or closer regulatory scrutiny:

January 2008: Trader Jerome Kerviel incurred $7 billion in losses as a result of "rogue trades" at French bank Société Générale.

March 2008: Swiss investment bank Credit Suisse announced $2.65 billion of write downs on asset-backed securities after discovering "intentional mismarkings" by a group of traders.

Also in March 2008, the now defunct Lehman Brothers suspended two London equity traders after "issues" were discovered on share valuations.

May 2008: Merrill Lynch suspends a trader for "overstating the value" of some equity derivatives.

June 2008: Morgan Stanley suspends a credit trader for "mismarking" trading positions to the tune of $120 million.

Also in June 2008: Two former Bear Stearns hedge fund managers were arrested on charges of securities fraud pertaining to allegations of misleading investors regarding two funds they ran that were exposed to subprime mortgages.

October 2008: The US Federal Bureau of Investigation launches an investigation into Lehman Brothers, insurer AIG and mortgage providers Fannie Mae and Freddie Mac as they fall victim to the credit crisis. The investigation is believed to be looking at whether these firms unduly influenced agencies to "inflate" their ratings and misled investors about the true state of their assets.

December 2008: European banks reveal their exposure to ex-Nasdaq chairman Bernard Madoff's alleged $50 billion Ponzi scheme

January 2009: B.Ramalinga Raju chairman of Indian IT outsourcing firm, Satyam Computers, admits fiddling the books to the tune of $1 billion. It has since been described as "India's Enron".

8, January, 2009: In the largest financial crime related fine, the FSA in the UK fines Aon Ltd, £5.25 million for failing to take reasonable care to establish and maintain effective systems and controls to counter the risks of bribery and corruption associated with making payments to overseas firms and individuals.

Also in January of this year: Police reveal they have arrested Kabir Mulchandani, the chairman of Dynasty Zarooni, a Dubai real estate company, on allegations of fraud.

This is by no means an exhaustive list and does not take into account the myriad of fines imposed against individuals and firms for fraudulent activity such as insider trading and mortgage-related fraud.

However, the list does appear to support Kroll's view that in worsening economic conditions, employees or company executives, particularly in beleaguered industry sectors such as the financial services industry, may be tempted to falsely inflate profits, mismark the value of securities, or attempt to cover up substantial losses.

These incidences also appear to highlight a range of motivational factors ranging from personal gain in the form of seeking generous end of year bonuses by falsely inflating figures to making more money for the company concerned, or in the case of the alleged Madoff Ponzi scheme, the attainment of personal kudos through the accumulation of wealth.

Who has been swimming naked?

2009-01-07T09:14:00.006Z

As celebrated financier Warren Buffett once said, "Only when the tide goes out, do you discover who has been swimming naked." Thanks to the so-called credit crunch, a handful of high-flying financiers, traders and company executives have been caught with their pants down.

There were the former Bear Stearns hedge fund managers arrested on securities fraud, the exposure of Bernard Madoff's alleged Ponzi scheme, and now the chairman of Indian IT outsourcing firm, Satyam Computer Services has admitted to "fixing the books" for the past several years.

While these frauds are not the direct result of the credit crunch; as capital has become scarcer, frauds perpetrated some years ago have become more difficult to cover up. Quoted in the Financial Times explaining how the fraud had spiraled out of control, Satyam's chairman, B. Ramalinga Raju said: "It was like riding a tiger, not knowing when to get off without being eaten."

While corporate fraud is not a new phenomenon, it is difficult to determine how endemic it is as it can go undetected for years. However, according to analyst firm Celent, internal fraud accounts for 60% of bank fraud cases involving a data breach or theft of funds. While malicious insider fraud, as opposed to accidental fraud caused through employee negligence or error, accounts for a much smaller percentage(9%)of all data breaches in financial services, Celent estimates that up to 50% of all insider fraud incidents go unreported.

With capital scarce and a high number of employee redundancies on the cards, most fraud experts anticipate the credit crunch will provide the perfect breeding ground for some employees to try and defraud the company they work for. But what is more likely to emerge is that tight availability of credit will expose those frauds that have been going on for some time. Madoff and Satyam Computers are only the tip of the iceberg.

"The general rule of thumb is that 20% of fraud companies know about, the other 40% they are aware of but don't know how to deal with and the remaining 40% they know is happening, but they are unsure where it is happening," says Bart Patrick, head of risk at business intelligence firm, SAS UK.

According to Patrick in the wake of the credit crunch, more and more companies are waking up to the threat corporate and insider fraud poses, and with capital scarcer than ever before, no company can afford to let criminal gangs or employees walk off with a few million.

More importantly perhaps, customers are likely to take an even dimmer view of those firms that do nothing to prevent internal fraud, as it is ultimately the customer that ends up paying for the higher incidence of fraud in the form of increased margins on insurance policies, for example.

AML programs should be tailored to business models

2009-01-06T09:23:00.003Z

"Brokerage firms' AML programs must be tailored to their business models," said Susan L. Merrill, executive vice president and chief of enforcement at US-based regulatory agency, FINRA (Financial Industry Regulatory Authority). Merrill was commenting on the $1 million fine it recently imposed against E*Trade Securities, LLC and E*Trade Clearing, LLC, collectively, for failing to establish and implement anti-money laundering (AML) policies and procedures that could reasonably be expected to detect and cause the reporting of suspicious securities transactions.

While E*Trade provided trading customers with online electronic access to the securities markets, according to FINRA, it did not apply the same levels of automation when it came to monitoring trading acccounts for suspicious or "manipulative" trading activity.

According to FINRA, E*Trade relied on its analysts and other employees to manually monitor for and detect suspicious trading activity without providing them with sufficient automated tools, which was deemed to be insufficient given E*Trade's online business model, which requires "computerized surveillance of account activity to detect suspicious transactions and activity."

Financial service providers have invested millions in automated solutions for detecting suspicious account activity, but AML is still largely viewed as a 'box ticking' exercise, with some academics questioning the large number of Suspicious Activity Reports that have been generated, with few resulting in actual prosecutions.

The British Bankers Association has previously said that law enforcement officials need to take AML more seriously by following up on reports and information gathered by banks whilst monitoring account activity.

Banks reveal exposure to alleged fraud

2008-12-15T11:04:00.008Z

The financial papers are abuzz with the news of leading European banks' exposure to the alleged fraud committed by Bernard Madoff of Bernard L. Madoff Investment Securities, headquartered in the US.

HSBC, RBS, Spain's Santander and France's BNP Paribas reportedly have varying levels of exposure to Mr Madoff's "alleged $50 billion pyramid scheme", which according to the Financial Times, prosecutors allege operated on the basis of paying old investors with money raised from new investors.

RBS, a recipient of the UK government's bail out package in October, reported a potential exposure of £400 million to the alleged pyramid vehicle. According to the Financial Times report, HSBC's potential exposure may be considerably higher (approximately $1 billion). Not good news at a time when banks are already experiencing a significant reversal of fortunes thanks to their exposure to subprime assets. And with counterparty risk high on everyone's agenda, this revelation will come as yet another blow for an already beleaguered banking industry which is likely to face some pointed questions from investors regarding the due diligence they undertook before placing money with Bernard L. Madoff.

It appears that the regulators (in this case the US Securities and Exchange Commission) have also come under fire for ignoring early warning signs pertaining to Bernard L. Madoff Investment Securities. If there had been no credit crisis, then perhaps Madoff's alleged "pyramid scheme" would never have come to light. It also highlights the increasing number of links being made between fraud and the credit crisis.

Before the Madoff incident, a couple of Bear Stearns hedge fund managers were arrested on securities fraud charges and since the subprime meltdown, the US Federal Bureau of Investigation has launched investigations into the collapse of Lehman Brothers, the insurer AIG, and mortgage providers Fannie Mae and Freddie Mac.

According to newspaper reports, the FBI is investigating whether these firms unduly influenced agencies to "inflate" their ratings. It is also looking at whether these firms misled investors about the true state of their assets. The FBI is also believed to be investigating a number of firms over what it terms "subprime lending practices".

The following is taken from a Financial Crimes Report published in 2007 by the FBI and alludes to the potential for fraud in light of the subprime meltdown:

"As publicly traded subprime lenders have suffered financial difficulties due to rising defaults, analyses of company financials have identified instances of false accounting entries, and fraudulently inflated assets and revenues. Investigations have determined that many of these bankrupt subprime lenders manipulated their reported loan portfolio risks and used various accounting schemes to inflate their financial reports. In addition, before these sub prime lenders' stocks rapidly declined in value, executives with insider information sold their equity positions and profited illegally."

The FBI's 2007 Financial Crimes Report shows that the incidence of pending cases related to corporate and securities and commodities fraud has been steadily increasing every year since 2003. The Serious Fraud Office in the UK is also reported to be targeting corporate fraud in the wake of the crisis, calling on bankers and City "whistle blowers" to come forward with any information.

Anti-fraud technologies get smarter

2008-12-11T17:56:00.007Z

With card fraud and other forms of fraud reportedly on the rise during the economic downturn, anti-fraud management software vendors are having to up their game to play catch-up to the fraudsters.

Business intelligence and analytics vendors such as SAS, focus on not just looking at fraud in terms of monitoring card transactions, but the ability to match seemingly unrelated events across different parts of the business. Its real-time card fraud detection system which is used by banks such as HSBC, reviews card transactions alongside other changes in customer behaviour and then based on that analysis advises in real time as to whether a card transaction should proceed or be flagged for further investigation. Using such a system, HSBC claims to have reduced false positive rates, which is one of the biggest bug bears of any fraud detection system.

But while banks may deploy a system to try and combat the different forms of fraud that are prevalent today, it needs to be flexible enough to predict and detect changes in fraudsters' behaviour patterns in order to avoid detection. Analytics and decision management vendor, Fair Isaac Corporation, is trying to do this in the debit and credit card space with version 6.0 of its Falcon Fraud Manager scoring server, which uses recent advances in fraud analytics and profiling to help banks more quickly identify changing fraud patterns.

Using what it calls, "adaptive analytics", Fair Isaac provides "dynamic, real-time self-calibration of fraud detection models" to help firms more quickly identify changing fraud behavior patterns and improve fraud detection performance.

Another software provider, Actimize has incorporated IBM InfoSphere's Global Name Recognition (GNR) technology into its risk management platform. GNR is designed to help firms overcome challenges in matching names across different cultural and language barriers as part of their financial crime fighting efforts and works by analysing the order of a name, cultural spelling variations, nicknames and different spelling variations.

"[Global Name Analytics] ... can help to identify and correct names that may have been presented in non-standard or incorrect sequential order." It can also identify the "cultural classification" of a person's name using linguistic and statistical tools, which can be useful for Know Your Customer regulations and anti-fraud projects that entail matching names against lists or databases of suspected terrorists or Politically Exposed Persons.

Risk management in your Xmas stocking

2008-12-11T17:49:00.004Z

This post first appeared on FinancialTech Insider

Go to a Christmas lunch these days and most people will be talking about what they are filling their Christmas stockings with or how they are looking forward to eating turkey yet again for the fourth time in a week. While the conversation at business intelligence and analytics vendor, SAS's Christmas press lunch may have been peppered with such conversational tid bits, the real subject of today's lunch was for SAS to publicise its recent foray into the capital markets space.

Building on its already strong base in the retail banking sector, particularly in the areas of operational risk, credit risk, market risk and financial crime, SAS has put together a team based in the UK that is wholly focused on selling its analytics and risk management solutions to capital markets firms.

2009 is likely to see increased regulatory oversight, particularly when it comes to the overlooked areas of liquidity and counterparty risk; and not one too miss an opportunity, SAS is eager to sell its solutions to a business that is drowning in information, but not quite sure what to do with it or how to make sense of it in order to determine risk, fraud liability etc.

It seems the poor old trader is likely to come under increasing surveillance with intelligent software algorithms monitoring their every move and looking for unusual patterns of behaviour (the ability to match seemingly unrelated events across different parts of the business). The technology certainly exists to provide such surveillance, but the cynic in me says most banks are only likely to embrace these technologies as a 'box ticking' exercise in order to comply with regulation, rather than seeing it as good business per se.

Risk management is suddenly the business to be in, but one has to wonder where was all this wonderful bells and whistles technology when things started going wrong in capital markets? And at the end of the day technology can only do so much.

If the people in charge still view "betting on the bank" as a necessary part of making money, or don't want to listen to those 'little voices' in their risk department warning them that something bad is about to happen; then no amount of technology can account for the fact that the culture within firms has to fundamentally change if risk management is to be viewed as a strategic asset and not something that is ferreted away in a back office somewhere filing reports to regulators that no one really concerns themselves with.

Interestingly, while we only get to hear about the multi-billion dollar losses racked up by rogue traders like Jerome Kerviel, there are plenty of other million dollar losses within banks, which occur on an almost daily basis (be they the result of human error or internal fraud) that we don't get to hear about.

Mark Hudson, industry consultant, Capital Markets, SAS, believes if firms can start minimising those million dollar losses we don't get to hear about via market or trader surveillance technologies then perhaps the industry will have achieved something.

Surely saving the bank a few 'mill' from combating accidental or internal fraud is going to make a CFO's ears prick up in this challenging business climate? And even if it doesn't, then Hudson believes the banks' customers and may be even their shareholders (which lets face it is the government these days) may insist on more risk management oversight.
Posted by Anita Hawser

"Underground" online economy is flourishing

2008-11-26T10:27:00.004Z

While growth in the real economy is being hit hard by the global credit crisis, there appear to be no signs of a recession in the "underground" online economy, which is flourishing with millions of pounds being exchanged to buy stolen goods and "fraud-related services".

These are the findings of online security firm, Symantec's Report on the Underground Economy, which it compiled based on data gathered by its Security Technology and Response (STAR) organisation, from underground economy servers between July 1, 2007 and June 30, 2008.

According to Symantec, the potential value of total goods advertised in the "underground" online world was more than £184 million ($276 million). No prizes for guessing what was the most popular item for sale, and no it was not a Nintendo Wii or an iPhone but stolen credit card details.

Symantec said that credit card information accounted for 31% of the total goods for sale and that the potential worth of all credit cards advertised during the reporting period was £3.53 billion ($5.3 billion).

"The popularity of credit card information is likely due to the many ways this information can be obtained and used for fraud; credit cards are easy to use for online shopping and it’s often difficult for merchants or credit providers to identify and address fraudulent transactions before fraudsters complete these transactions and receive their goods," said Symantec. "Also, credit card information is often sold to fraudsters in bulk, with discounts or free numbers provided with larger purchases."

Stolen bank account information (20% of total goods advertised) was the second most popular item for sale with prices ranging from £6.50 ($10) to £650 ($1,000). According to Symantec's report, most of the underground activity was hosted by North American (45% of the total) servers, followed by EMEA on 38%. Asia Pacific was only 12% and Latin America 5%. "The geographical locations of underground economy servers are constantly changing to evade detection," said Symantec.

Tips for avoiding mortgage fraud

2008-11-21T18:27:00.004Z

In the third part of our series on mortgage fraud, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, outlines the warning signs brokers should look for to detect mortgage fraud.

Some of the more obvious warning signs include the following:

Documents provided in support of an application such as bank statements, utility bills and passports that appear to be forgeries.

Income or employment details which are not supported by documentation supplied by the customer.

Inconsistent information provided by the same customer, i.e. various applications made with different incomes/details either to the same lender or lenders within a group.

Links with other applicants where fraud is suspected, for example shared addresses, purchases on same development, identical loan amounts etc.

Links between different mortgage applicants, for example shared bank accounts, and addresses.

Applications cancelled when further information/verification is requested.

The Law Society’s Practice Note on Mortgage Fraud also suggests the following warning signs:

The customer or the property being purchased is located a long distance from your firm. If bulk long distance instructions are not in your normal work, you may ask why they chose your firm, especially if they are a new customer.

The customer seems unusually uninterested in their purchase. You should look for other warning signs suggesting they are not the real purchaser

The seller is a private company or they have recently purchased the property from a private company. You should consider whether the office holders or shareholders of the private company are otherwise connected with the transaction you are undertaking, and whether this is an arms length commercial transaction.

The customer does not usually engage in property investment of this scale. You should ask why they are undertaking this new venture and where they are getting the financial backing from.

The current owner has owned the property for less than six months. You should ask them to explain why they are selling so quickly.

The customer's credit history is shorter than you would expect for their age, when you run a credit check. Fraudsters will often run a fake identity for a few months to give it legitimacy. You should ask your customer about this.

There are plans for a sub-sale or back-to-back transactions. You should ask your customer why they are structuring the transaction this way and seek information on the identities of the second purchaser, their solicitor and the lender.

The property value has significantly increased in a short period of time out of line with the market in the area.

The mortgage is for the full property value. While this is less likely in tighter credit conditions, you should consider it in light of the other warning signs.

The seller or developer has provided incentives, allowances or discounts. These may include cash back, free holidays, household fittings, payment of legal fees, help with mortgage repayments or rental guarantees, among others. You should consider whether this information has been properly disclosed to the lender.

The deposit is being paid by someone other than the purchaser. You should ask why, where the money is coming from, and whether this information has been properly disclosed to the lender.

The purchaser has paid the deposit directly to the seller. You should ask for evidence of the payment and consider whether this information has been properly disclosed to the lender.

There is money left over from the mortgage after the purchase price has been paid, and you are asked to pay this money to the account of someone you do not know, or to the introducer. You should ask why, and remember that you must not use your customer account as a mere banking facility.

You are asked to enter a price on the title that is greater than you know was paid for the property. You should ask why the prices are different.

What else can a Broker do?

The first and perhaps most important step in combating mortgage fraud is to ensure that you verify the identity of your customers in accordance with the Money Laundering Regulations 2007. This is particularly important in relation to applications received over the internet. Brokers should not act for customers who are unable or unwilling to produce sufficient proof of identity.

The implications of mortgage fraud for brokers

2008-11-20T18:13:00.005Z

In the second of our third-part series on mortgage fraud, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, outlines the implications for brokers who can easily get caught up in fraudulent applications.

An individual who intends to commit a mortgage fraud will generally seek to involve one or more professionals in the fraud to provide the transaction with an air of legitimacy in the eyes of the lender. Brokers may therefore find themselves targets of the fraudster.

Fraud is defined in the UK Fraud Act 2006 as including fraud by false representation and by failure to disclose information where there is a legal duty to disclose. A broker who makes representations to a lender on behalf of a customer may therefore find himself unwittingly committing a criminal offence if he has reason to believe that the representations being made might be misleading or untrue.

Proceeds of mortgage fraud are criminal property. Under Section 328 of the Proceeds of Crime Act 2002, a broker may commit a money laundering offence by being involved in an arrangement that facilitates the acquisition of criminal property. Where a broker has knowledge or suspicion that a customer intends to use him to perpetrate a mortgage fraud on a lender he may avoid liability by refusing to undertake the work.

Alternatively, if the broker decides to proceed with the application in such circumstances, his only defence to a money laundering offence (under s.338) would be to make the appropriate disclosure to the Serious Organised Crime Agency (‘SOCA’). If nothing further is heard from SOCA within seven days of making the disclosure then the broker may proceed with the transaction safe in the knowledge that he has a defence to any possible money laundering offence.

If, however, consent is withheld within the initial seven day period, then the authorities will have a further 31 days in which to take further action. No further steps may be taken by the broker during this period. If upon the expiry of the 31 day period nothing further has been heard, then the broker may proceed with the transaction once again safe in the knowledge that he has a defence to any possible money laundering offence.

The broker must not tell the customer (or any other person for that matter) that a disclosure concerning them has been made to SOCA. This may be difficult whilst applications are delayed pending SOCA’s consent, but to do otherwise will result in the broker committing a ‘tipping off’ offence under Section 333.

The Financial Services Authority operates a system with lenders under which they can confidentially pass to a Mortgage Intelligence helpline at the FSA details of loan applications received from brokers which they suspect to be fraudulent. The information received may be the catalyst for an investigation by the FSA. This is turn may result in proceedings of the nature of those brought against Mr Fawole and Oasis.

Finally, a broker may face the prospect of civil proceedings being brought against him by a defrauded lender.

In our next installment on mortgage fraud we will tackle the warning signs brokers should look out for.

Regulators clamp down on mortgage fraud

2008-11-19T10:05:00.005Z

In the first of a three part series, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, lifts the lid on mortgage fraud, a common problem that the regulators are increasingly taking a dim view of.

On 11 August 2008, the Financial Services Authority (FSA) banned a mortgage broker and fined him £100,000 for submitting false mortgage applications. Omotayo Fawole was an FSA approved broker and the sole controller of Oasis Mortgage and Financial Services Limited (Oasis).

He had obtained a mortgage after submitting an application which significantly overstated the profits of Oasis and his own income; and had submitted another mortgage application on behalf of an Oasis employee which significantly overstated their earnings.

Mr Fawole was the eighteenth broker to be banned by the FSA this year as a result of involvement in submitting false mortgage applications. Although he had been the central figure in the fraud, the severity of the penalty nonetheless serves as a timely reminder of the seriousness with which mortgage fraud is viewed by law enforcement agencies and regulators.

What is Mortgage Fraud?
Mortgage fraud occurs where a borrower defrauds a financial institution or private lender through the mortgage process. Such frauds are typically perpetrated in one of two ways:

The borrower provides untrue or misleading information (as in the above case) or fails to disclose relevant information that bears upon his ability to repay the loan. For instance, the borrower may provide false information about his level of income, employment or other liabilities. He may also provide misleading information about the source of funds to be used in the purchase other than the mortgage or not disclose the fact that more than one lender is financing the purchase price; or

The borrower misrepresents the true value of the property. To give the proposed transaction an air of legitimacy he may conspire with a corrupt surveyor in order to obtain a false valuation. Another typical scam used is known as ‘flipping’. Flipping usually involves back to back sales in which the property is to be sold on to an often fictitious sub-purchaser so as to give the appearance of the property being sold very quickly for a substantially increased price. The fraudster then absconds with the difference between the mortgage advance and the initial purchase price, leaving the lender with inadequate security.

In the next installment we will look at the implications of mortgage fraud for brokers.

Personal data loss an "alarming" problem

2008-11-14T11:13:00.004Z

High profile instances of accidental leakages of sensitive customer information show no signs of abating. This time last year the media was having a field day with the revelation that the UK's HM Revenue & Customs (HMRC) had lost two discs containing the personal details of 25 million people. According to Symantec, not much has improved since then.

Symantec says an additional nine million personal records have been lost since the HMRC incident by private companies and third party data handlers. The total loss of 34 million people's records means that more than half of the UK's 61 million population have had their data lost in the last year, which when you put it like that sounds alarming.

While UK Prime Minister Gordon Brown has made it abundantly clear that the government cannot guarantee the protection of personal data by bumbling bureaucrats who appear to have a penchant for leaving laptops and USB sticks lying around on trains or in pubs, Symantec's Data Loss Prevention survey, does not show much hope for the private sector either.

Almost half of UK companies surveyed admitted that one or more incidents of data loss had taken place, and another 25% had no strategy for dealing with data loss, which is concerning given the reputational risks and increasingly hefty fines.

Symantec's survey suggests that companies are not taking data protection seriously enough or that they don't know where to start.

It has provided companies with some useful pointers as to measures that can be taken to prevent data loss:

One of the big ones is to educate employees about the importance of data loss avoidance and procedures

Secondly, Symantec recommends "locking down" computers, mobile devices and other removable media using either software or physical locks. The big problem seems to be stopping employees from taking personal information outside the corporate firewall.)

Network access controls should mean that employees can only access "relevant" systems and information.

Data should also be monitored to prevent leakages (although with so much data residing in firms, data classification in terms of which data needs to be secured or classified 'top secret' is an essential first step).

AML on-demand search facility targets smaller firms

2008-11-14T10:36:00.005Z

With anti-money laundering regulatory compliance costing firms millions to implement, smaller companies are at risk of non-compliance because of the upfront costs and investment typically required to implement the correct assessment and risk management procedures.

“Many firms have responded to the new anti-money laundering regulations but there are still some – particularly smaller firms - that, due to financial constraints, are failing to do so. The outcome could be very serious for those who choose to ignore these regulations resulting in heavy fines and as we have seen recently, prison sentences,” says James Sherwood-Rogers, managing director of Landmark Legal and Financial.

ASP solutions for AML are slowly starting to gain traction in the market and are more likely to appeal to smaller firms that don't want to make the upfront and ongoing investment required to implement and maintain a dedicated AML solution.

Landmark has just announced a new electronic on-demand AML search facility www.landmarkaml.co.uk, for solicitors, which provides a pay-as-you-go type model for undertaking due diligence checks on new clients (companies or individuals). The electronic information service scans data sources such as government databases, databases of Politically Exposed Persons and terrorist sanction files.

Insurers fight fraud by sharing information

2008-11-12T08:35:00.004Z

Any fraud officer is only too familiar with the challenges of detecting and reducing fraud; whether it is online banking fraud, identity theft or anti-money laundering. However, one industry appears to be having some success in fighting fraudsters, and it puts its achievements down to good old-fashioned information sharing.

By sharing claims data, the Association of British Insurers says that in the last three years, motor insurers alone have identified 70% more fraud equating to £5 million worth of claims per week. The Insurance Fraud Bureau (IFB) was established in July 2006 and uses a central computer system containing claims data from a number of insurers across the UK. Details of insurance policies and claims records are analyzed to identify suspicious activity.

Bogus and inflated insurance claims cost the UK insurance industry more than £1.6 billion a year. Insurance fraud ranges from policyholders exaggerating claims to organized criminal gangs inducing “innocent” motorists to crash into the backs of fraudsters’ vehicles. In a number of cases criminal gangs may have submitted bogus insurance claims to a number of insurers at the same time, so by sharing claims data, the hope is that it can be more easily detected.

While the insurance industry has enjoyed some success in combating fraud, Simon Evans, a partner at Cardiff-based law firm, Dolmans, warns that "fraudulent" insurance claims are still excessive.

"We have previously dealt with a case where a lady accidentally scratched a car door in a car park and, motivated by honesty, left her details to be contacted in order to arrange a repair of the minimal damage," says Evans. "However, when the claim came through it was for thousands of pounds of repairs. The lady has been dragged through the court system as a result, but without photographic evidence taken at the time, she has had little ability to defend her case.

“On the other side of the coin, I have been told about a recent occurrence when an intermediary tried to create a personal injury case to pass on to a solicitor. The intermediary had tried to encourage the victim of a car crash to make a claim for whiplash, even though no injury was suffered."

Evans said that charges, including perjury, contempt of court and obtaining monies by deception, were being used to deal with contrived and induced accidents. He pointed to the example of a claimant that was awarded £9,200 in compensation from a local Council after claiming he broke his ankle in a pothole. Further investigation found the claimant was injured playing football. The claimant was jailed for nine months after pleading guilty to obtaining property by deception and perjury.

The courts are also discarding evidence of a claimant if it is "tainted" by fraud and Evans said witnesses who give fraudulent supporting evidence are also likely to have any claim dismissed by the courts. However, the challenge for most firms is detecting fraud in the first place, and trying to prevent it before it even gets to the courts.

Individuals in the firing line for AML

2008-11-04T10:00:00.016Z

A landmark case which saw the UK's financial regulator, the Financial Services Authority (FSA) fine a money laundering reporting officer for the first time, is a sign regulators are taking a no-nonsense approach towards AML.

The FSA fined Sindicatum Holdings Limited, a corporate advisory firm, £49,000 for failing to implement effective systems and controls for verifying client identities. It also fined the company's Money Laundering Reporting Officer (Mr Michael Wheelhouse) £17,500. The fines imposed would have been 30% higher if Sindicatum had not agreed to an early settlement with the FSA.

"This fine is a warning to firms and individuals about the importance of complying with our rules in this area and we will not hesitate to clamp down on failures, where necessary," said William Amos, head of retail enforcement at the FSA.

Mark Dunn, manager, Risk & Compliance Services at LexisNexis said, “This is the latest indicator that the FSA is toughening up its approach to anti-money laundering compliance. Firms have had almost a year to update their systems and controls since the Money Laundering Regulations 2007 came into force last December. Dunn said that record keeping in particular was important in order to demonstrate that the MLRO has taken reasonable steps to verify the identity of all clients.

Tim Dolan, a financial services partner in Pinsent Masons' Corporate Group and a former member of the FSA's Enforcement Division remarked that:

"This case is significant as it is the first time that the FSA has fined an individual Money Laundering Reporting Officer ("MLRO"). It serves as a timely reminder that individuals who hold the MLRO function have responsibilities and can be personally liable for their firm's failings."

Dolan said the case was also significant as it demonstrated that the FSA is prepared to take action in the case of corporate advisory firms' anti-money laundering systems failing. In Sindicatum's case, Dolan said a number of shortfalls in their AML measures were highlighted:

- clients were not being identified at the time of take-on by the firm
- no attempt was made to verify which particular individuals were directors or controllers of clients;
- documents were in foreign languages, but the documents and their translations were not reviewed by the MLRO;
- photocopies of documents were not properly certified;
- relevant documents (including in one case copies of passports) were lost;
- client acceptance checklists were not complete or had not been reviewed by the account executives and the MLRO.

Phishing attacks rise as banks are distracted

2008-10-22T12:53:00.006+01:00

With banks focused on shoring up liquidity and preventing runs on their shares, it seems online fraudsters are taking advantage of this opportunity to launch an ever increasing number of phishing attacks.

Brand monitoring specialists, Envisional identified almost half a million (460,000) separate phishing emails sent to bank customers in the six month period from April to September, with more than 170,000 in June alone (up 117% on June 2007).

According to Envisional, overall volumes of phishing emails sent to bank and insurance company customers were up 40% compared to 2007. It reports that one bank was hit by 350 separate attacks in one day.

Phishing emails which try to trick customers into giving away passwords and PINs, also demonstrated different targeting strategies, with 135,000 phishing emails targeting one specific bank in June. Phishers then changed tactics in July targeting two banks.

Who should be liable for online fraud?

2008-10-22T11:30:00.004+01:00

Posted by Anita Hawser

Who should be liable/responsible for personal internet security? It is a subject that has stimulated much debate in the UK Houses of Parliament with the House of Lords Science and Technology Committee publishing its damning Personal Internet Security report last year.

Highlighting the increasing incidence of online fraud, ID theft and phishing, the report recommended establishing a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. The latest APACS figures show that online banking fraud losses increased 185% to £21.4 million in the six months to June.

It also talked about deployment of security software at ISP level, the need for a dedicated regulator for the online world, and for Government to increase banks' fraud liability. In essence the report said that instead of the weight of responsibility for online security falling on individuals, responsibility should be "distributed".

More than a year since the committee published its report, there is talk of a specialised e-crime police unit being established. Other recommendations such as the passing of legislation to ensure banks take responsibility for losses incurred by electronic fraud and rules forcing software companies to accept culpability for damage caused by security flaws, which would allow individuals to report online fraud to the police rather than to their bank, have not been implemented.

With banks already having to receive a lifeline from the government just to finance their normal operations, it seems unlikely that the government (who is now a shareholder in UK banks) will pressure them into incurring liability for losses resulting from online fraud.

It comes back to that all important question I asked at the beginning - who should be culpable? And as responsibility for online fraud is distributed - amongst banks, ISP providers and hardware and software vendors - who is the most liable or culpable at any given point in time?

Phil Hickman, chairman of ValidSoft – internet security and transaction verification experts – argues that service providers should take responsibility for the security of users:

“Traditional security provisions employed online have been shown time and time again to be ineffective at protecting users from the threats presented by advanced fraudulent techniques. Authentication techniques used by financial institutions, for example, have so far proved unsuccessful at preventing identity theft and electronic fraud. Defence techniques currently used are simply not sophisticated enough to counter Man-in-the-Middle/Man-in-the-Browser attacks or information stealing techniques like phishing.”

The Parliamentary Committee has debated the idea of a "code of conduct" or "kite mark" for ISPs, this may be difficult to enforce and could increase costs for internet access. And given the "layered" nature of the internet, attribution of liability is problematic.

With the banks already focused on anti-money laundering and issuing customers with one time only password generators for online banking,it seems that UK politicians favour raising "the bar of expectation" on software vendors, either voluntarily or at the EU level.

Surely more needs to be done around giving the Data Protection Act more teeth, and in the case of government leakages or breaches of personal customer data imposing hefty fines equivalent to those imposed on private companies?

This is likely to become more of an issue given that the UK government wants to compile a huge centralised database containing personal details of people's communications in order to supposedly combat terrorism.

Securing laptops remotely

2008-10-22T10:42:00.008+01:00

Posted by Anita Hawser

Mobile security is one of the biggest problems companies face. Employees taking laptops out of the company firewall and securing remote workers can be challenging to say the least.

And one does not need to point out that increasingly regulators are taking a dim view of customer data that is loss through company or employee negligence. Last year, the Financial Services Authority in the UK fined Nationwide Building Society £980,000 for the loss of a laptop which contained "confidential customer data" on 11 million customers.

Telecoms/network provider Alcatel-Lucent Bell believes it has the answer to securing remote workers and lap tops with its OmniAccess 3500 Nonstop Laptop Guardian. Invented in Bell Labs, the solution is an "always-on mobile security solution card that remotely secures, monitors, manages and locates a mobile computer and protects laptops and the data that resides on them".

"The mobile blind spot is defined as a condition where enterprises have no visibility or control over the location, use or configuration of employee laptops, increasing the risk of government fines, company reputation and hampering day-to-day operations of organisations. With this technology, enterprises have 24/7 access to employee laptops – enabling them to automatically enforce policies for compliance and deliver software patches and upgrades to their increasingly mobile workforce even if the laptop is turned off."

Forty-five percent of respondents in a recent study of 255 executive level IT, security and compliance decision makers from the US and Germany, admitted they have to deal with mobile blind spots. “The study shows nearly three out of four IT security managers have had to help their company deal with the consequences of a lost or stolen company laptop,” explained Tom Burns, head of Alcatel-Lucent enterprise activities.

An additional 76% said a lost or stolen laptop needed to be protected with more than encryption – for example, having the ability to locate the device using GPS and remotely revoking access to data. This is particularly useful if the laptop has been stolen, although looking at the picture of the mobile security card, a question that springs to mind is what happens if someone removes the device from the lap top?

According to the survey, 50% of companies state they would switch their wireless service to a provider with a security solution that protects lost or stolen laptops used remotely. No surprises then that SingTel of Singapore, Magyar Telekom of Hungary, and broadband carrier IIJ (Internet Initiative Japan Inc.) of Japan have announced they plan to offer the Laptop Guardian as a value-added service over their high-speed HSPA mobile data communications network.

The Laptop Guardian has its own processor, power supply and operating system, and it leverages wireless broadband networks, including next-generation, high-speed 3G GSM/HSPA networks. It has also been integrated with McAfee's Endpoint Encryption software.

Getting serious about money laundering

2008-10-20T17:33:00.009+01:00

Posted by Anita Hawser

With banks' IT budgets stretched to breaking point and likely to come under increasing strain in the wake of the credit crunch, where does this leave current efforts around combating financial crime and money laundering?

In a webinar on AML trends 2008-2010, Neil Katkov, managing director, Asia research, Celent, says increasingly, banks are looking too "kill two birds with one stone" by seeking solutions that help solve multiple financial crime and compliance issues. Global spend on anti-money laundering was estimated to be $3.6 billion in 2006, with the bulk of the cost tied up in personnel training and reporting.

According to Katkov, some firms, particularly in Europe, are consolidating their financial crime efforts under one umbrella - a “Group Integrity” department that combines anti-money laundering (AML), fraud and, in some cases, security. US banks tend to lead their European and Asian counterparts in terms of AML technology spend - this may have something to do with strict enforcement and interpretation of the US Patriot Act, which places considerable focus on uncovering sources of terrorist financing.

Katkov says Asian banks have "only recently got serious about AML" (although their spending on AML is likely to grow at a faster pace) and that small banks in all regions are grappling with "manual approaches" to AML. At the lower end of the scale firms may prefer to implement an outsourced or ASP AML solution, which is slowly starting to gain traction. According to Katkov, at least one major bank in the US has outsourced its AML compliance operations

While various channels such as the diamond and arms trades are sometimes used to launder money, Katkov maintains that 82% of all money laundering activity goes through banks and brokerages. Insurance companies account for an estimated 10% of activity.

One of the biggest challenges Katkov identifies is applying existing anti-money laundering strategies and techniques to brokerage money laundering, which he says is typically part of the "layering" process - banks are the front line for money laundering. "You can’t just transfer bank AML techniques to brokerage," says Katkov, adding that trading behaviours are different.

For example, transaction peaks may not have the same significance on the brokerage side as they do on the banking side. It is also more difficult to profile customers as "execution only brokerages" may be executing trades on behalf of other firms.

A rogue trader's view on the credit crunch

2008-10-17T16:20:00.008+01:00

Posted by Anita Hawser

Ex-rogue traders have a habit of crawling out of the woodwork in the midst of one of the worst collapses of the global financial system. Former rogue trader, Nick Leeson whose "unsupervised speculative trading" resulted in the collapse of the UK's Barings Bank in 1995, was speaking at a conference of European corporate treasurers in Barcelona recently.

Reminiscing about the good old days as an unsupervised derivatives trader in Singapore, Leeson leveled significant blame for the global credit crisis at central banks and the regulators, who he says don't understand the markets or risks they are supposed to be regulating.

"There is plenty of risk, but no one managing it," said Leeson. "After Barings there were new regulations by the Bank of England and they spoke about responsible lending, but it clearly hasn't happened."

As the financial system now has to grapple with the concept of heightened global regulation, Leeson suggests that central banks may not be the best candidates for enforcing these regulations. "Central bank understanding is very poor," he said. In his days as a derivative trader for Barings in Singapore, Leeson said the Singapore Monetary Exchange did not have people that understood the business.

"The monetary exchange knew my position. They had a process of non-disclosure but all they had to do is look up the rates on Bloomberg and see what my [total] position was. If they had done that they would have seen that I risked the capital of the bank." In 1994 Barings was capitalised at $250 million and Leeson had $500 million in Singapore.

Although the subprime crisis, which triggered the credit crunch has been attributed to the lack of transparency and complexity of mortgage-backed collateralised debt obligations, Leeson says it is not the instruments that are the problem. "It is the people operating them. Some of the biggest banks employ the best mathematicians, but their risk calculations haven't worked."

Leeson said he got away with so much during his time at Barings because management of the bank did not deem themselves to be in a position to challenge him - in other words they did not understand the markets he was investing in so he was pretty much given free reign as long as he was bringing in profits for the bank.

While rogue traders have not been directly linked to the credit crunch, the exposure of the $7 billion in losses Jerome Kerviel racked up at Societe Generale came at a time when the crunch was starting to bite and highlighted the precarious risk-taking counterculture within investment banks - some traders were literally betting the bank and getting away with it if those bets paid off. " Jerome Kerviel was a shock to me," said Leeson. "He was given far too much autonomy for a junior trader."

Chip and PIN is failing banking customers

2008-10-14T08:41:00.005+01:00

Posted by Anita Hawser

With banks around the world distracted by the global credit crunch, plunging share prices and government bail-outs, this can be a time when fraudsters up the ante hoping that banks will be too distracted to notice the rising incidence of fraud.

According to risk management software provider, Actimize, the number of mass data breaches, particularly those involving ATM and debit fraud, has accelerated, and a at time when banks' balance sheets look compromised, the reputational and direct costs of replacing lost or compromised cards, is an unwelcome additional cost for any bank to have to deal with.

Just as banks need to restore confidence in one another so interbank lending can resume, so too do they need to restore customer's confidence in debit and credit cards. But in a heightened threat landscape where the threat level is becoming increasingly sophisticated and insidious, banks appear to be on the back foot.

Fighting card fraud is not just about compromised ATMs or phishing emails anymore, as recent incidents have borne out. For example, according to Actimize, in Ireland recently fraudsters posing as bank workers, replaced credit card readers in a number of retail stores with fake readers that captured the data on 10,000 credit and debit cards.

In Calgary, Canada, local businesses were defrauded of approximately CAN $2 million by fraudsters that broke into company databases and inflated the value of pre-paid debit cards. They then withdrew money at ATMs with "cloned" cards.

Authentication specialists, GrIDsure, highlight a recent incident where MasterCard users were the victims of sophisticated Chip and PIN fraud involving up to 40 stores across Britain including Asda, Tesco and Sainsbury’s. It has called for affirmative action to avoid "further embarrassment" for the UK banking industry.

"While Chip and PIN scams are becoming more and more frequent, it seems that nobody is willing to address the issue head on," says Jonathan Craymer, chairman of GrIDsure. "It is blatantly obvious that Chip and PIN’s reliance on a fixed PIN number is leaving the system vulnerable to attack through sophisticated scams such as this recent one involving MasterCard customers. I wonder how many more people will fall victim to scams like this before the industry stands up and takes action."

Recent incidents highlight the vulnerabilities of Chip and PIN, which were introduced to try and prevent fraud, but Craymer seems to be saying that the industry needs to improve the security of the Chip and PIN system with the introduction of one-time PINs.

UK banks have sent smart card readers that generate one-time PINs to online banking customers, however, Craymer says it is time to find a solution that effectively addresses transaction authentication, not just on the UK high street, but also online and abroad. “Chip and PIN was introduced to put a stop to high street fraud, but as fraudsters begin to find their way around the system we have seen total card fraud losses increase by 14% in the first half of this year alone.”

Fraud not on the agenda at banking conference

2008-09-24T18:21:00.013+01:00

Posted by Anita Hawser

As investment banks and mortgage providers were dropping like flies last week as the credit crunch increased the pace of market consolidation, I was attending one of the world's largest international banking conferences, Sibos, in Vienna.

Hosted by SWIFT, the Society for Worldwide Interbank Financial Telecommunication, Sibos 2008 attracted approximately 8,000 bankers, however some conference speakers dropped out at the last minute as investment banks and mortgage lenders fell victim to market speculation and takeovers.

SWIFT as you may or may not know, is a bank-owned messaging network, which prides itself on never being hacked into or compromised by an external or internal threat. However, it did get into hot water a couple of years back with data privacy zealots when it allowed US intelligence agencies to look at messages being sent on its network as part of the US government's efforts to combat terrorism and money laundering.

While I can understand that banks probably have a lot more on their minds in today's difficult climate than combating fraud, I was surprised to see that identity fraud and banking fraud in general was not featured on the Sibos conference agenda.

Fraud only appeared to be up for discussion on the exhibition floor where a handful of dedicated information security vendors (SafeNet, NetEconomy) and AML solution providers were exhibiting their anti-fraud technologies and strategies.

"There is a lot of interest from banks around service-oriented architectures and designing security in from the get go rather than an afterthought," said Rene Bastien, product manager, payment products, SafeNet. Bastian says Basel II is also forcing banks to address operational risk.

SafeNet says that the current business climate is good for security vendors as it is forcing banks who were "caught with their pants down" to address their risk management and operational practices. And it seems security vendors are trying to make it easier for banks to embed security natively within applications using common standards such as XML, which means application developers do not need to be "crytographic geeks" in order to understand security.

Of course, banks en masse don't like to talk about fraud, particularly in this climate where banking failures in general are dominating newspaper headlines. Yet, fraud is an area banks cannot afford to ignore, not only because of the hefty fines likely to be imposed by regulators, but also the reputational risk and the impact on banks' balance sheets.

According to a survey conducted by Kroll on behalf of the Economist Intelligence Unit, financial services providers lost an average of $12.9 million to fraud in the last three years, although this figure is probably higher if one takes into account the reputational costs and the costs of fraud that banks are not even aware of or that remains undetected.

Kroll says the most common types of fraud financial service providers are exposed to include; regulatory or compliance breach (35%), financial mismanagement (29%), theft of physical assets or stock (27%), management conflict of interest (25%), information theft, loss or attack (24%) and internal financial fraud or theft (24%).

While it is difficult to put a precise figure on the reputational costs and brand damage caused by fraud, research by security software vendor, Symantec, suggests that consumers take a dim view of companies that do not do enough to protect their private data. Approximately 90% of consumers surveyed by Symantec stated that "reckless or repeated" data breaches should be punishable by imprisonment.

Seventy-six percent of companies polled by Symantec expected to lose customers if a data loss or breach occurred and 50% expected customer loyalty to fall off immediately. “These statistics are very concerning for business, particularly in the current unstable market conditions,” said John Brigden, senior vice president for Europe, the Middle East and Africa at Symantec. “Not only do they risk losing large numbers of customers following an incident of data loss, but almost 60% of companies said it would be a lot harder to attract new customers once the reputation had been tarnished.”

Fraud is so pervasive now that it is not just something CTOs or chief risk officers need to be concerned about. CFOs and CEOs should also be more attuned to the impact of fraud on their businesses.

"We expect to see fraud increase as conditions become tougher for business and the full impact of the credit crunch unfolds. Financial services companies need to focus their efforts, especially against regulatory and compliance breaches as the loss involved is far too much to justify," says Blake Coppotelli, senior managing director in Kroll's business intelligence and investigations division.

It is no longer acceptable for banking CEOs to say they do not understand the instruments their investment banking divisions are trading, nor should it be excusable for them to say they are not aware of the impact fraud is having on their business.

Browder unable to return to Russia

2008-09-13T10:50:00.005+01:00

Posted by Nick Kochan

The Russian lawyers to Hermitage fund management company have been raided and key documents removed, Bill Browder, chairman of Hermitage Capital alleges. He claims that these documents have been used to steal the firm’s identity to perpetrate two frauds against it.

The first fraud, Hermitage alleges, involved obtaining court orders against the firm to perpetrate a massive theft. However, the alleged thieves found that the kitty was bare as Browder had sold out its Russian investments.

The thieves took another tack. Browder purports that they used the claims against the company in a book-keeping exercise to offset Hermitage profits. This allowed them to claim back the corporation tax Hermitage had paid in 2006. This amounted to $230 million. The Russian Tax Ministry believed the crooks’ tale, and paid it back, Hermitage claims.

Now Browder needs to protect his Russian companies and lawyers who he claims were raided and physically attacked.“They have raided and are trying to arrest the lawyers who are fighting the liquidation of the Russian companies. We filed a criminal complaint at the end of July,” he says.

Browder claims the Russian law enforcement and legal system has been incompetent at best. “We tipped off the law enforcement community in Russia. We filed [complaints] about the fraud and fake claims. It gave the police three weeks to freeze the companies’ accounts to make sure the tax crime never got committed. But they didn’t act.”

The alleged attack on Hermitage has persuaded Browder to revise his trenchant views on Russia’s Prime Minister and former President Vladimir Putin. “Between 2002 and 2004, Putin was fighting with the same guys who were stealing money from me. The oligarchs were stealing power from him and they were stealing money from me as a shareholder. When I complained to the government about the oligarchs stealing money, they responded favourably and cracked down on the stealing. How could I not think that was a good thing?”

Browder has equally revised his views of the oligarchs, whom he criticised for their mistreatment of shareholders. “I was critical of Mikhail Khodorkovsky (he was convicted for fraud and tax evasion and received an eight-year sentence) because he mistreated minority shareholders when he controlled Yukos and we were a shareholder in his subsidiaries. I now have huge sympathy for him. I think he has had a bum deal. He has paid any dues he could ever possibly pay for anything that he did to us as minority shareholders a long time ago.”

Browder has little hope of returning to Russia, where he is the subject of an arrest warrant. He now travels regularly to the Gulf region to manage an investment portfolio of some $2.8 billion. “It is an absolute delight to do business outside Russia. The UAE is my favourite location for doing business today,” he says.

End of part three

Hermitage cries foul in Russia

2008-09-12T10:27:00.006+01:00

Posted by Nick Kochan

Bill Browder, the boss of Hermitage Capital had his visa to enter Russia refused. He claims Hermitage was persecuted as part of an alleged scam to defraud the Russian Tax Ministry of $230 million.

Browder claims that Hermitage’s lawyers were raided by police from the Russian Interior Ministry. He alleges that their computers, servers and files containing information were removed. The homes of other lawyers also working for Hermitage were raided at around the same time, he claims.

Browder alleged that one of the lawyers was seriously beaten and hospitalised for two weeks. “It wasn’t good to be a lawyer for us at that time,” he says. “All four of our law firms were raided again by the police. They invited all of the lawyers for questioning as witnesses.”

Hermitage alleges that these raids gave members of the Interior Ministry the means to steal its identity. So when a company unknown to Browder said that Hermitage had reneged on a sale of Gazprom shares and owed millions, Browder said he was helpless to resist it. Using the lawyers’ documents, Hermitage alleges that people from the Interior Ministry removed the legitimate managers and replaced them with their own cronies.

Hermitage alleges that liabilities were created by this scam to extract from the Russian Government $230 million worth of tax paid a year earlier by Hermitage. Browder claims that the scam’s perpetrators created “fake losses” exactly equal to that to create a new net profit of zero. “We paid $230 million of taxes and they filed amended tax returns and asked for the money back,” he said. Browder claims that the $230 million has been pocketed by the crooks.

The scam has yet to run its course. Browder says a package, packed with sensitive documents, was sent by DHL from London to the offices of Hermitage’s Moscow lawyers. The return address on the back of the envelope was given as Hermitage’s offices in Soho and the name attached to the address had been made up.

According to Browder, an investigation of the name found that it belonged to someone whose passport had been stolen. “We didn’t send the package,” he claims. “Two Eastern European-looking gentlemen paid cash to DHL at the Lambeth depot. We have them on close circuit television.”

Two hours after the package arrived at the lawyer’s office, Browder claims Russian police raided it and took away the package. Mere coincidence? Not so, alleges Browder, for whom this was merely another piece of evidence that he was targeted by a well-organised gang. “The obvious intention,” Browder claims, “is to create a trail from us to our lawyers. This stuff was going to be used to blame us and our lawyers.”

End of part two

Russian Mafia exposed - The Browder Story

2008-09-11T16:14:00.010+01:00

Posted by Nick Kochan

This is the first in a three part series on Bill Browder, the multi-millionaire chairman of Hermitage Capital who quit Russia following allegations of fraud at the highest levels.

The deeds of the Russian mafia may be murky, but they rarely get exposure. The members of organised crime are often hidden behind political and judicial structures. However, those that have done business in Russia are no longer shocked. They have seen it all, they claim. One such man is Bill Browder, the multi-millionaire chairman of Hermitage Capital. His $4 billion portfolio of Russian stocks made him the largest foreign investor in the country.

Now that he has quit Russia, he presents a document which he alleges shows the involvement of “a group of criminals at a reasonably high level in the Russian government” in the theft of $230 million from the Russian Tax Ministry. The document is entitled, Persecution of Hermitage in Russia in order to steal $230 million from the Russian People.

Browder is on a mission to cleanse Russia of its criminal class. He speaks with a zeal rarely found among financiers. He cannot overstate the “dire state” of business practices and ethics in Russia. “It is bent at every turn,” he claims. The alleged scam confirms Browder’s view that business conditions in Russia have retreated to the state he found them in when he set up his firm in Russia in 1992, with the assistance of money from the banker, Edmund Safra.

The key to Browder’s success was attacking Russian companies with poor corporate governance and seeing their stock prices rise as they improved their management and ethics. According to Browder, this approach upset senior members of the country’s political and economic elite and in 2005, his entry visa was withdrawn.

He mounted a crusade at the highest levels to re-instate his visa, even approaching Dmitry Medvedev, the man destined to be the president of Russia, at Davos last year. “I saw him tucking in to his dessert,” said Browder. “He was sitting on his own. I saw this as an interesting opportunity to have a chat with him and so I went to talk to him. He stood up. We knew each other. I know him, we have worked with him because he was the chairman of Gazprom and we were always very active in Gazprom. I asked him if he could get my visa reinstated. He knew all about me. He said yes, he would help me. He asked me for a copy of the visa application, which I got my office to produce.”

A month after the Medvedev meeting, Browder claims that his office in London received a call from a lieutenant colonel of the Interior Ministry, which it construed as a request for a bribe. Hermitage have a recording of the conversation.

According to Hermitage’s report, the lieutenant colonel asked if he could meet Browder. Hermitage’s report alleges the lieutenant colonel said, ‘The sooner we meet and you provide what is necessary, the sooner your problems will disappear.’ Browder says that the company receives requests like this every day. “People try and shake you down in every different place in Russia. We ignored it. This was the one case out of a hundred when something happened.”

End of part one

An 'inside' job

2008-09-09T08:37:00.007+01:00

Posted by Anita Hawser
It's official. As we have all suspected for some time the "external bogeyman" is not the biggest fraud threat companies face. It is internal fraud, which is resulting in the largest losses, says the Association of Certified Fraud Examiners (ACFE).

Research company, Financial Insights, highlights some interesting findings from a 2004 ACFE study which found that more than 80% of internal fraud cases were committed not by "career criminals" but by first time offenders. No surprises then given recent incidents at banks like Société Générale, and a host of others, that subsequent ACFE studies have found that banks are the biggest victims of internal fraud.

According to ACFE’s 2008 Report to the Nation on Occupational Fraud & Abuse, the internal rate of fraud loss has increased to 7% of annual turnover for all companies. FinInsights cites two examples of internal fraud: SME Bank in Thailand, which included 27 loan cases involving fraud and corruption; and the rogue trading incident at Société Générale where more than 1,000 fraudulent transactions, dating back to 2004, were concealed.

The fact that these transactions at both banks bypassed internal controls and procedures, not only suggests that internal fraud controls are inadequate, but that firms have spent far too much time safeguarding the enterprise from "external bogeyman" and not from Joe Bloggs in accounts.

FinInsights then went on to outline some best practices in internal fraud control:

Establishing controls that reduce the opportunity for unauthorised use of organisational resources (firewalls, email scanning, ID access - most banks already have these)

Providing sufficient employee monitoring, segregating duties for operational processes, and regularly rotating staff in key positions

Thorough recruitment screening and educating employees about the legal repercussions of being involved in illegal activities to act as a deterrent (not so sure about this one as in the case of traders, it is known that they are not out to make money for themselves necessarily but for their company. Are they the kind of people investment banks want to screen out?)

Automated detection systems and advanced analytic technologies that look for suspicious behavior and anomalous patterns (problem with this is that technology can only do so much. If no one responds to the alerts, the technology is useless)

Financial institutions need to define and understand the layout of internal data and the business process data flows in order to determine the necessary sources of and data feeds for fraud solutions (highly complex given that data and business processes tend to be 'siloed' within most banks)

Educating both employees and upper management on security

Establish accountability and ownership for lax security procedures

Reprimand staff for breaking or failing to follow security protocol, even minor violations

Providing confidential and easy-to-use channels of communication for whistle blowers

So in other words, fighting internal fraud is not easy. It is not simply a case of putting up a perimeter fence and installing software that recognises unusual behaviour patterns. That is only the tip of the iceberg, and in the end educating people is likely to be more effective than a piece of technology on its own.

The UK’s credit card crisis

2008-09-02T08:55:00.012+01:00

Posted by Nick Kochan

In the week that the Royal Bank of Scotland and NatWest have accepted that a computer sold on eBay has exposed the data of one million customers to possible abuse, a spokesman for the Government’s new National Strategic Fraud Authority, set to be launched on 1 October, says credit card and banking fraud will be a prime target.

Spokesman Adam Morris says the Agency is in discussions with representatives of UK banks and payment companies about the UK’s deteriorating position as a haven for credit card fraud. Morris says, ‘There are many agencies targeting fraud, but the Fraud Review found they were not always working together. We are targeting the symptoms of fraud and aim to bring banks and other stakeholders together.’

UK credit card fraud is at record levels due to abuse of the internet, says the banking industry body, APACS. Annual plastic card losses in 2007 amounted to £535.2m. This compares with £428m in 2006.

The majority of this -- £290.5m -- was incurred by those buying goods on the internet. ‘Card-not-present’ fraud increased by almost £80m on the previous year. As money has been poured into chip-and-pin to deal with lost and stolen cards -- down from £68.5m in 2006 to £56.2m in 2007 -- counterfeit theft and internet abuse of cards has risen sharply.

Metropolitan and City Police forces, fighting card fraud through the Dedicated Cheque and Plastic Crime Unit (a joint public/public sector agency), face an uphill struggle, say industry observers.

Thieves keep several steps ahead of the industry and the police, says Amir Orad, executive vice president of Actimize, the banking consultancy."Credit card fraud is growing and changing its form to respond to the growing efforts of those who seek to curb it. The crooks are a long way ahead of the institutions cracking down on it."

Leaky credit card systems in retailers presented thieves with their latest juicy target. A group of 11 worked together to break into the systems of US retailer TJX Companies. TJX owns the popular cut-price UK retailer TJ Maxx and the company has admitted that some of the 41 million credit card numbers hacked from retailers belonged to UK and Irish customers.

The 11 were allegedly engaged in ‘war-driving’, the concept of data-theft via wireless networks. The thieves had apparently gone cruising through different areas with a laptop looking for accessible wireless signals. They then installed ‘sniffer’ programs that captured credit and debit card numbers as they moved though the retailers processing networks. The information was stored on the thieves’ processors in Latvia and Ukraine.

The US Attorney General, Michael Mukasey, said, "They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves."

Organised gangs perpetrate credit card fraud, says Paul Ravenscroft, a spokesman for Visa."Law enforcement tells us that some of the perpetrators of large scale payment card fraud are gangs that utilise the skills of technically sophisticated individuals. As we introduce new fraud countermeasures such criminals will migrate their attacks to other parts of the system."

The godfather in a credit card gang is the guy who understands the technology, says Kevin O’Leary, the chief executive officer at Norkom, a Dublin-based consultancy. "At the top is a group of technicians who provide the intellectual property of how to get at the data that you are going to need to perpetrate a fraud. They must understand how the point of sale server computer architecture works.

"People who commit the technical aspect of the crime need to be several degrees removed from the people who perpetrate the crime at the end of the chain. They do not think of themselves as criminals in the true sense." Smart con men occupy the gang’s second tier. O’Leary says that they go into the grocery store to install the rogue equipment and need to be brazen. "They risk criminal prosecution, if they are found and apprehended."

Street level functionaries "exchange data with other gangs and recruit hundreds of people to use fake cards to walk up to cash machines and make withdrawals. These are people at the bottom of the food chain." O’Leary warns companies to beware of insiders who obtain techniques from their employers to defraud them.

Banks do not sufficiently understand this threat, says David Porter, head of security and risk at Detica, the security consultancy. "Insider fraud has been under-addressed by the bank security community.

"Not all credit card fraud is perpetrated by external bogeyman. There are some highly effective technologies for spotting the unusual outlier in a community of employees who may be embezzling money or confidential data. Organisations need to tackle this problem area rather than sweep it under the carpet."

Banks and retailers need to completely review anti-fraud policies in the light of the burgeoning credit card fraud, says David Hobson, the managing director of Global Secure Systems. "Methods to counter data leakage are slowly coming together. Many banks still do this piecemeal. They are considering a single part of the issue rather than the whole issue."

O’Leary says banks have been slow to act. "Fixed-point solutions like credit card scoring and credit card detection technology on credit card transactions only work up to a point. They give you a fairly limited intelligence to understand what’s going on. Banks need to join all these things up and look at them in a unified fashion."

Fraudsters leave tracks across an organisation says Orad." Patterns of banking activity, like cheques, ATM machines and online banking are used to catch credit card fraud in particular and enterprise fraud in general."

Credit card payment companies like Visa and MasterCard have brought in new technology to attack credit card fraud. Customers tap in extra pieces of secure data, in addition to the PIN, when making a credit card purchase at a retailer.

APACS spokesman Mark Bowerman attacks retailers for failing to install the system to allow the customer to make the check. "Take-up has been slow but is now increasing. The vast majority of people need to use it and the vast majority of merchants need to use it. It is a competitive issue. It is up to them whether they decide to implement it in their business."

Merchants are the weak point in the credit card chain, says Hobson. "Credit card details are lost at merchants where there is not the same understanding of risk. They are actually custodians of the customer’s data. If a merchant is processing millions or billions of pounds says it doesn’t want to bring in the new secure systems, will any credit card company really refuse their business? Unlikely, as they take a business decision to take a risk!"

Anti-fraud technology based on Chip and PIN is lagging criminal techniques, says Porter. ‘There's been a lot of focus on Chip-and-PIN, but this is only half the solution since it's a preventative measure. We also need advances in the way we detect criminals who inevitably overcome these preventative measures.

"Banks and credit card processors have invested in automated detection systems based on behavioural modeling: learn how a fraudster does his tricks and then go looking for similar patterns. Fraudsters are getting wise to this method of detection. These legacy detection systems are unable to identify fragmented schemes where each entity or activity alone is too small to appear "on the radar".

Fraudsters are pouring resources into attacking credit card data. They have set their sights on opening up and benefiting from leaky systems and security glitches. Banks are in the firing line, but customers need to demand tighter controls at every link in the credit card chain if fraud is to be reduced, and costs to the user of the credit card on the high street reduced.

Identity checks made simple - but what does it mean for consumers?

2008-06-23T16:36:00.010+01:00

We are all familiar with the identity checks that banks and other financial services providers deploy whenever we wish to open a bank account, apply for a loan or register with a financial advisor.

In a number of cases, a lot of these so-called 'checks' require the customer to send copies of personal documents (utility bill, bank account statements, copy of driver's licence), details of which could be easily stolen, copied or intercepted and used for fraudulent purposes.

UK-based GB Group believes it has come up with the answer with its electronic identity verification service, eIDV, which enables financial advisors, accountants and solicitors to electronically check an individual's identity against a number of databases, including credit files, the electoral roll, telephone and sanctions data.

eIDV is based on GB Group's document checking technology, URU, which it jointly developed with British Telecom. URU not only validates utility bill and passport information, but also checks for alerts on Politically Exposed Persons and Bank of England sanctions lists.

Once a customer's information is validated, they are presented with an instant pass, fail or refer result based on a scoring methodology suited to the practitioner using the eIDV web portal.

A good thing about the solution is that it enables practitioners to more easily complete identity checks without compromising the safety of valuable personal information and to comply with more stringent anti-money laundering regulations, all in the one application.

However, it does highlight the 'Big Brother' culture that is growing up around anti-fraud prevention. Much like a police officer can type your name into a computer and come up with a list of previous offences and convictions, as well as checking you are who you say you are, financial service providers and advisors now have similar capabilities.

The question is how judicious are these providers likely to be in their scoring of individuals, and how transparent is the scoring process in terms of informing a customer why they have failed the identity check or scored a 'refer'?

With "Spot the Fraudster" as the marketing spiel for URU, it reminds me of UK TV Licensing Ads where they claim to be able to track you down if you haven't paid your TV license.

While eIDV may be great for financial advisors and other firms that need to validate a customer's identity and comply with onerous money laundering regulations, the question is what does it ultimately mean for the customer?

If their personal details are not stored on the databases eIDV checks, for whatever reason, does that necessarily mean they are not who they say they are?

Is rogue trading endemic?

2008-06-23T14:28:00.018+01:00

Traditionally, most companies at the frontline of fighting fraud secured their 'perimeter fence' using firewalls, secure passwords and access tokens. All of these measures were largely designed to thwart an external threat or attack.

However, in recent years, the threat from within or from employees, be it accidental or malicious, is increasingly keeping company CEOs, risk managers and security experts awake at night. Recent rogue trading incidents only serve to remind companies, particularly banks, that often the greatest threat when it comes to fraud is from a 'trusted' employee.

French bank, Société Générale, made headlines earlier this year when fraudulent trades totaling $7.1 billion were racked up allegedly by a single trader. There have been other rogue trading scandals, most notably Nick Leeson and Barings Bank in 1995.

But incidences of rogue trading are not as isolated as company CEOs would like to think. Recently, Morgan Stanley announced that a London-based credit derivatives trader hit them for $120 million, and just last week the subprime mortgage crisis in the US resulted in two former Bear Stearns' hedge fund managers being arrested on securities fraud charges.

According to anti-fraud and compliance vendor, Actimize, there have now been five major(more than $100 million)rogue trading incidents reported in 2008? According to its Rogue Trading Peer Review, 50% of respondents estimated that thousands to millions of dollars of rogue trading activities go unreported every year at their firms and 24% said that they had experienced a case of trading fraud at their firms in the last year.

The reputational risk from such events appears to be such that financial services firms are not even reporting these incidents. That makes it difficult for fraud, risk and security experts to do their job properly if there is not recognition at boardroom level that internal fraud is occurring.

The threat from within is perhaps the greatest challenge the financial services industry faces, and combating it is not as straightforward as thwarting an external attack. No amount of firewalls and secure passwords can prevent a determined bonus hungry trader from overriding internal controls to perpetrate a fraud, nor is it going to help prevent the rise of a corporate culture that has a tendency to turn a blind eye to traders looking to boost theirs' and the company's profits by 'gambling' with investors' money.

One company I spoke to recently about internal fraud, pointed to multi-factor authentication as a means of combating it. They said users could set up a policy that says once a user has securely authenticated to a network, or once they launch a particular application, it may ask for another form of authentication such as a fingerprint or biometric. So in this example, a trader would need to swipe their fingerprint whenever a trade is conducted. Even if the trader was able to create “multiple accounts,” the fingerprint would provide an audit trail.

That may be one way of combating rogue trading, but the question is how far do companies go in implementing effective anti-fraud measures that do not make it more difficult, time consuming or onerous for employees or traders to perform legitimate business activities. It is a delicate balance to strike.
Posted by Anita Hawser

Who should be liable for online fraud?

2008-06-14T10:42:00.013+01:00

With a UK Parliamentary Report on Personal Internet Security released last August lambasting banks and ISPs for not doing enough to protect consumers from online fraud, it appears that banks are shirking their responsibilities when it comes to compensating victims of fraud.

According to an article in The Guardian newspaper, a minor amendment to the Banking Code introduced in March provides a loophole for banks to refuse compensation to victims of fraud if the anti-virus software on their computer is not up to date. The Guardian reports that the 2005 Banking Code contains a section (12.9), which advises customers to use "up-to-date antivirus and spyware and a personal firewall".

However, a new section (12.13) has since been added, which reportedly states that, "Unless you [the bank] have acted fraudulently or without reasonable care, you will not be liable for losses caused by someone else which take place through your online banking service." Security experts have interpreted this to mean that banks will be able to shift liability for online fraud to the consumer.

"The new provisions to the Banking Code, which mean that banks may now pass responsibility for card fraud to affected customers if they don't have AV software or firewalls, raise an interesting debate - should banks be able to transfer liability so easily, and how policeable will this be?" asks Holly Marshall, business development manager, UK Financial Services, Unisys.

"A balance of responsibility is needed between banks and consumers. Banks need to take a key role in educating consumers about these new guidelines to ensure they are fully aware of exactly what they are now liable for, but consumers need to take some responsibility too.

"Customers need to be proactive in learning about the guidelines and securing their personal computers to ensure all their dealings on the internet are protected adequately. Government and technology organisations have a role too - to advise and consult with banks on how best to implement and publicise the new provisions without degrading the customer experience."

Marshall has a valid point. Exactly how "policeable" is this new addition to the Banking Code going to be? Are banks going to go out and seize the computers of consumers that are victims of online fraud to check that their anti-virus and spyware is up to date, which is reportedly what banks in New Zealand have the power to do? It seems unlikely given the bad press and consumer backlash that they are likely to suffer as a result of doing just that.

"The technology required to check every single online banking customer's AV settings whilst available, would be expensive, invasive and in a way a piecemeal response to the problem of fraud," says Marshall. "Fraud doesn’t just come from unprotected computers. Insider fraud, bin raiding, and card skimming are equally as prevalent. How would the banks correctly attribute the instance of fraud with the correct cause?"

The new section within the Banking Code sounds like it has been added by lawyers as a safety net for banks that, let's face it, don't want to be paying out millions in consumer compensation. But it does reignite an interesting debate about responsibility for fraud. Instead of adopting an accusatory tone towards customers that are victims of fraud, banks need to work more closely with their customers on educating them about the potential risks, what to look out for, and how to make their online banking experiences safer.

At the same time, banks need to be more transparent about what levels of security they have deployed to protect online banking applications. They cannot expect consumers to be forthcoming about how well their desktop PC is protected if they are not willing to disclose steps they have taken as well.
Posted by Anita Hawser