Monday, 15 December 2008

Banks reveal exposure to alleged fraud

The financial papers are abuzz with the news of leading European banks' exposure to the alleged fraud committed by Bernard Madoff of Bernard L. Madoff Investment Securities, headquartered in the US.

HSBC, RBS, Spain's Santander and France's BNP Paribas reportedly have varying levels of exposure to Mr Madoff's "alleged $50 billion pyramid scheme", which according to the Financial Times, prosecutors allege operated on the basis of paying old investors with money raised from new investors.

RBS, a recipient of the UK government's bailout package in October, reported a potential exposure of £400 million to the alleged pyramid vehicle. According to the Financial Times report, HSBC's potential exposure may be considerably higher (approximately $1 billion). This is not good news at a time when banks are already experiencing a significant reversal of fortunes thanks to their exposure to subprime assets. And with counterparty risk high on everyone's agenda, this revelation will come as yet another blow for an already beleaguered banking industry, which is likely to face some pointed questions from investors regarding the due diligence they undertook before placing money with Bernard L. Madoff.

It appears that the regulators (in this case the US Securities and Exchange Commission) have also come under fire for ignoring early warning signs pertaining to Bernard L. Madoff Investment Securities. If there had been no credit crisis, then perhaps Madoff's alleged "pyramid scheme" would never have come to light. It also highlights the increasing number of links being made between fraud and the credit crisis.

Before the Madoff incident, a couple of Bear Stearns hedge fund managers were arrested on securities fraud charges and since the subprime meltdown, the US Federal Bureau of Investigation has launched investigations into the collapse of Lehman Brothers, the insurer AIG, and mortgage providers Fannie Mae and Freddie Mac.

According to newspaper reports, the FBI is investigating whether these firms unduly influenced agencies to "inflate" their ratings. It is also looking at whether these firms misled investors about the true state of their assets. The FBI is also believed to be investigating a number of firms over what it terms "subprime lending practices".

The following is taken from a Financial Crimes Report published in 2007 by the FBI and alludes to the potential for fraud in light of the subprime meltdown:

"As publicly traded subprime lenders have suffered financial difficulties due to rising defaults, analyses of company financials have identified instances of false accounting entries, and fraudulently inflated assets and revenues. Investigations have determined that many of these bankrupt subprime lenders manipulated their reported loan portfolio risks and used various accounting schemes to inflate their financial reports. In addition, before these subprime lenders' stocks rapidly declined in value, executives with insider information sold their equity positions and profited illegally."

The FBI's 2007 Financial Crimes Report shows that the incidence of pending cases related to corporate and securities and commodities fraud has been steadily increasing every year since 2003. The Serious Fraud Office in the UK is also reported to be targeting corporate fraud in the wake of the crisis, calling on bankers and City "whistle blowers" to come forward with any information.

Thursday, 11 December 2008

Anti-fraud technologies get smarter

With card fraud and other forms of fraud reportedly on the rise during the economic downturn, anti-fraud management software vendors are having to up their game to play catch-up to the fraudsters.

Business intelligence and analytics vendors such as SAS focus not just on monitoring card transactions but on matching seemingly unrelated events across different parts of the business. SAS's real-time card fraud detection system, used by banks such as HSBC, reviews card transactions alongside other changes in customer behaviour and, based on that analysis, advises in real time whether a card transaction should proceed or be flagged for further investigation. Using such a system, HSBC claims to have reduced its false positive rate, one of the biggest bugbears of any fraud detection system.

But while banks may deploy a system to try to combat the different forms of fraud that are prevalent today, it needs to be flexible enough to predict and detect changes in fraudsters' behaviour patterns, which they alter in order to avoid detection. Analytics and decision management vendor Fair Isaac Corporation is trying to do this in the debit and credit card space with version 6.0 of its Falcon Fraud Manager scoring server, which uses recent advances in fraud analytics and profiling to help banks more quickly identify changing fraud patterns.

Using what it calls "adaptive analytics", Fair Isaac provides "dynamic, real-time self-calibration of fraud detection models" to help firms more quickly identify changing fraud behavior patterns and improve fraud detection performance.

Another software provider, Actimize, has incorporated IBM InfoSphere's Global Name Recognition (GNR) technology into its risk management platform. GNR is designed to help firms overcome the challenges of matching names across different cultural and language barriers as part of their financial crime fighting efforts, and works by analysing the order of a name, cultural spelling variations, nicknames and other spelling variations.

"[Global Name Analytics] ... can help to identify and correct names that may have been presented in non-standard or incorrect sequential order." It can also identify the "cultural classification" of a person's name using linguistic and statistical tools, which can be useful for Know Your Customer regulations and anti-fraud projects that entail matching names against lists or databases of suspected terrorists or Politically Exposed Persons.
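To make the three matching problems described above concrete (token order, spelling variants, nicknames), here is a small order-tolerant name screener. It is an added example, not IBM GNR or Actimize code; the nickname table, particle list, scoring weights and watchlist names are all constructed for illustration.

```python
"""Order- and spelling-tolerant name screening against a small watchlist.

Added example, not IBM GNR or Actimize code: it shows the three problems the
text names (token order, spelling variants, nicknames) as concrete matching
steps. Nickname table, particle list, scoring weights and watchlist names are
all constructed for illustration.
"""
import unicodedata
from typing import List, Tuple

# Constructed nickname table (a real product ships a far larger, multilingual one).
NICKNAMES = {
    "bill": "william", "billy": "william", "will": "william",
    "bob": "robert", "rob": "robert", "bobby": "robert",
    "liz": "elizabeth", "beth": "elizabeth", "mike": "michael",
}

# Name particles that carry little identifying weight and are often dropped or
# hyphenated differently across transliterations (constructed, not exhaustive).
PARTICLES = {"al", "el", "de", "van", "von", "bin", "ibn", "da", "di"}

# Constructed watchlist entries (fictional names).
WATCHLIST = ["William Alexander Harding", "Mohammed al-Rashid", "Elizabeth Okonkwo"]

# Credit given to a token present on one side only (e.g. a middle name the
# customer record omits). 1.0 would ignore missing tokens entirely; 0.0 would
# treat "Bill Harding" vs "William Alexander Harding" as a two-thirds match.
UNMATCHED_CREDIT = 0.5


def canonical_tokens(name: str) -> List[str]:
    """Lowercase, strip diacritics and punctuation, drop particles, expand nicknames."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_name.lower())
    tokens = [t for t in cleaned.split() if t not in PARTICLES]
    return [NICKNAMES.get(t, t) for t in tokens]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def token_similarity(a: str, b: str) -> float:
    """1.0 for identical tokens, falling with edit distance relative to length,
    so Mohamed/Mohammed (1 edit in 8) scores 0.875 while unrelated names sit near 0."""
    longest = max(len(a), len(b))
    return 1.0 - levenshtein(a, b) / longest if longest else 1.0


def name_score(query: str, candidate: str) -> float:
    """Order-independent score in [0, 1].

    Each query token greedily claims its most similar unused candidate token,
    so "Harding, Bill" and "William Alexander Harding" pair up regardless of
    order. Tokens left over on the longer side earn UNMATCHED_CREDIT, and the
    sum is normalised by the longer name's token count.
    """
    q, c = canonical_tokens(query), canonical_tokens(candidate)
    if not q or not c:
        return 0.0
    unused = list(c)
    total = 0.0
    for qt in q:
        if not unused:
            break
        best = max(unused, key=lambda ct: token_similarity(qt, ct))
        total += token_similarity(qt, best)
        unused.remove(best)
    longer = max(len(q), len(c))
    total += UNMATCHED_CREDIT * (longer - min(len(q), len(c)))
    return total / longer


def screen(query: str, watchlist: List[str] = WATCHLIST,
           threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Return (entry, score) pairs at or above threshold, strongest first.

    Anything returned is a candidate for analyst review, not a confirmed hit:
    the threshold trades missed matches against false positives, which the
    text above calls one of the biggest bugbears of any detection system.
    """
    scored = [(entry, name_score(query, entry)) for entry in watchlist]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


if __name__ == "__main__":
    for q in ["Harding, Bill", "Rashid, Mohamed", "Okonkwo Liz", "Robert Harding"]:
        print(f"{q!r:20} -> {screen(q)}")
```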

Risk management in your Xmas stocking

This post first appeared on FinancialTech Insider

Go to a Christmas lunch these days and most people will be talking about what they are filling their Christmas stockings with or how they are looking forward to eating turkey yet again for the fourth time in a week. While the conversation at business intelligence and analytics vendor SAS's Christmas press lunch may have been peppered with such conversational titbits, the real subject of today's lunch was for SAS to publicise its recent foray into the capital markets space.

Building on its already strong base in the retail banking sector, particularly in the areas of operational risk, credit risk, market risk and financial crime, SAS has put together a team based in the UK that is wholly focused on selling its analytics and risk management solutions to capital markets firms.

2009 is likely to see increased regulatory oversight, particularly when it comes to the overlooked areas of liquidity and counterparty risk; and, not one to miss an opportunity, SAS is eager to sell its solutions to a business that is drowning in information but not quite sure what to do with it or how to make sense of it in order to determine risk, fraud liability etc.

It seems the poor old trader is likely to come under increasing surveillance with intelligent software algorithms monitoring their every move and looking for unusual patterns of behaviour (the ability to match seemingly unrelated events across different parts of the business). The technology certainly exists to provide such surveillance, but the cynic in me says most banks are only likely to embrace these technologies as a 'box ticking' exercise in order to comply with regulation, rather than seeing it as good business per se.

Risk management is suddenly the business to be in, but one has to wonder where all this wonderful bells-and-whistles technology was when things started going wrong in capital markets. And at the end of the day, technology can only do so much.

If the people in charge still view "betting on the bank" as a necessary part of making money, or don't want to listen to those 'little voices' in their risk department warning them that something bad is about to happen, then no amount of technology can compensate: the culture within firms has to fundamentally change if risk management is to be viewed as a strategic asset and not something that is squirrelled away in a back office somewhere, filing reports to regulators that no one really concerns themselves with.

Interestingly, while we only get to hear about the multi-billion dollar losses racked up by rogue traders like Jerome Kerviel, there are plenty of other million dollar losses within banks, which occur on an almost daily basis (be they the result of human error or internal fraud) that we don't get to hear about.

Mark Hudson, industry consultant, Capital Markets, SAS, believes if firms can start minimising those million dollar losses we don't get to hear about via market or trader surveillance technologies then perhaps the industry will have achieved something.

Surely saving the bank a few 'mill' by combating accidental losses or internal fraud is going to make a CFO's ears prick up in this challenging business climate? And even if it doesn't, then Hudson believes the banks' customers, and maybe even their shareholders (which, let's face it, is the government these days), may insist on more risk management oversight.
Posted by Anita Hawser

Wednesday, 26 November 2008

"Underground" online economy is flourishing

While growth in the real economy is being hit hard by the global credit crisis, there appear to be no signs of a recession in the "underground" online economy, which is flourishing with millions of pounds being exchanged to buy stolen goods and "fraud-related services".

These are the findings of online security firm Symantec's Report on the Underground Economy, compiled from data gathered by its Security Technology and Response (STAR) organisation from underground economy servers between July 1, 2007 and June 30, 2008.

According to Symantec, the potential value of total goods advertised in the "underground" online world was more than £184 million ($276 million). No prizes for guessing the most popular item for sale: no, it was not a Nintendo Wii or an iPhone, but stolen credit card details.

Symantec said that credit card information accounted for 31% of the total goods for sale and that the potential worth of all credit cards advertised during the reporting period was £3.53 billion ($5.3 billion).

"The popularity of credit card information is likely due to the many ways this information can be obtained and used for fraud; credit cards are easy to use for online shopping and it’s often difficult for merchants or credit providers to identify and address fraudulent transactions before fraudsters complete these transactions and receive their goods," said Symantec. "Also, credit card information is often sold to fraudsters in bulk, with discounts or free numbers provided with larger purchases."

Stolen bank account information (20% of total goods advertised) was the second most popular item for sale with prices ranging from £6.50 ($10) to £650 ($1,000). According to Symantec's report, most of the underground activity was hosted by North American (45% of the total) servers, followed by EMEA on 38%. Asia Pacific was only 12% and Latin America 5%. "The geographical locations of underground economy servers are constantly changing to evade detection," said Symantec.

Friday, 21 November 2008

Tips for avoiding mortgage fraud

In the third part of our series on mortgage fraud, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, outlines the warning signs brokers should look for to detect mortgage fraud.

Some of the more obvious warning signs include the following:

  • Documents provided in support of an application, such as bank statements, utility bills and passports, that appear to be forgeries.
  • Income or employment details which are not supported by documentation supplied by the customer.
  • Inconsistent information provided by the same customer, i.e. various applications made with different incomes/details either to the same lender or to lenders within a group.
  • Links with other applicants where fraud is suspected, for example shared addresses, purchases on the same development, identical loan amounts etc.
  • Links between different mortgage applicants, for example shared bank accounts and addresses.
  • Applications cancelled when further information/verification is requested.

The Law Society’s Practice Note on Mortgage Fraud also suggests the following warning signs:

  • The customer or the property being purchased is located a long distance from your firm. If bulk long distance instructions are not in your normal work, you may ask why they chose your firm, especially if they are a new customer.
  • The customer seems unusually uninterested in their purchase. You should look for other warning signs suggesting they are not the real purchaser.
  • The seller is a private company or they have recently purchased the property from a private company. You should consider whether the office holders or shareholders of the private company are otherwise connected with the transaction you are undertaking, and whether this is an arm's length commercial transaction.
  • The customer does not usually engage in property investment of this scale. You should ask why they are undertaking this new venture and where they are getting the financial backing from.
  • The current owner has owned the property for less than six months. You should ask them to explain why they are selling so quickly.
  • The customer's credit history is shorter than you would expect for their age when you run a credit check. Fraudsters will often run a fake identity for a few months to give it legitimacy. You should ask your customer about this.
  • There are plans for a sub-sale or back-to-back transactions. You should ask your customer why they are structuring the transaction this way and seek information on the identities of the second purchaser, their solicitor and the lender.
  • The property value has significantly increased in a short period of time, out of line with the market in the area.
  • The mortgage is for the full property value. While this is less likely in tighter credit conditions, you should consider it in light of the other warning signs.
  • The seller or developer has provided incentives, allowances or discounts. These may include cash back, free holidays, household fittings, payment of legal fees, help with mortgage repayments or rental guarantees, among others. You should consider whether this information has been properly disclosed to the lender.
  • The deposit is being paid by someone other than the purchaser. You should ask why, where the money is coming from, and whether this information has been properly disclosed to the lender.
  • The purchaser has paid the deposit directly to the seller. You should ask for evidence of the payment and consider whether this information has been properly disclosed to the lender.
  • There is money left over from the mortgage after the purchase price has been paid, and you are asked to pay this money to the account of someone you do not know, or to the introducer. You should ask why, and remember that you must not use your customer account as a mere banking facility.
  • You are asked to enter a price on the title that is greater than you know was paid for the property. You should ask why the prices are different.

What else can a Broker do?

The first and perhaps most important step in combating mortgage fraud is to ensure that you verify the identity of your customers in accordance with the Money Laundering Regulations 2007. This is particularly important in relation to applications received over the internet. Brokers should not act for customers who are unable or unwilling to produce sufficient proof of identity.

Thursday, 20 November 2008

The implications of mortgage fraud for brokers

In the second of our three-part series on mortgage fraud, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, outlines the implications for brokers, who can easily get caught up in fraudulent applications.

An individual who intends to commit a mortgage fraud will generally seek to involve one or more professionals in the fraud to provide the transaction with an air of legitimacy in the eyes of the lender. Brokers may therefore find themselves targets of the fraudster.

Fraud is defined in the UK Fraud Act 2006 as including fraud by false representation and by failure to disclose information where there is a legal duty to disclose. A broker who makes representations to a lender on behalf of a customer may therefore find himself unwittingly committing a criminal offence if he has reason to believe that the representations being made might be misleading or untrue.

Proceeds of mortgage fraud are criminal property. Under Section 328 of the Proceeds of Crime Act 2002, a broker may commit a money laundering offence by being involved in an arrangement that facilitates the acquisition of criminal property. Where a broker has knowledge or suspicion that a customer intends to use him to perpetrate a mortgage fraud on a lender he may avoid liability by refusing to undertake the work.

Alternatively, if the broker decides to proceed with the application in such circumstances, his only defence to a money laundering offence (under s.338) would be to make the appropriate disclosure to the Serious Organised Crime Agency (‘SOCA’). If nothing further is heard from SOCA within seven days of making the disclosure then the broker may proceed with the transaction safe in the knowledge that he has a defence to any possible money laundering offence.

If, however, consent is withheld within the initial seven day period, then the authorities will have a further 31 days in which to take further action. No further steps may be taken by the broker during this period. If upon the expiry of the 31 day period nothing further has been heard, then the broker may proceed with the transaction once again safe in the knowledge that he has a defence to any possible money laundering offence.

The broker must not tell the customer (or any other person for that matter) that a disclosure concerning them has been made to SOCA. This may be difficult whilst applications are delayed pending SOCA’s consent, but to do otherwise will result in the broker committing a ‘tipping off’ offence under Section 333.

The Financial Services Authority operates a system with lenders under which they can confidentially pass to a Mortgage Intelligence helpline at the FSA details of loan applications received from brokers which they suspect to be fraudulent. The information received may be the catalyst for an investigation by the FSA. This in turn may result in proceedings of the nature of those brought against Mr Fawole and Oasis.

Finally, a broker may face the prospect of civil proceedings being brought against him by a defrauded lender.

In our next installment on mortgage fraud we will tackle the warning signs brokers should look out for.

Wednesday, 19 November 2008

Regulators clamp down on mortgage fraud

In the first of a three part series, Anthony Riem, a specialist in multi-jurisdictional frauds and asset recovery with PCB Litigation, lifts the lid on mortgage fraud, a common problem that the regulators are increasingly taking a dim view of.

On 11 August 2008, the Financial Services Authority (FSA) banned a mortgage broker and fined him £100,000 for submitting false mortgage applications. Omotayo Fawole was an FSA approved broker and the sole controller of Oasis Mortgage and Financial Services Limited (Oasis).

He had obtained a mortgage after submitting an application which significantly overstated the profits of Oasis and his own income; and had submitted another mortgage application on behalf of an Oasis employee which significantly overstated their earnings.

Mr Fawole was the eighteenth broker to be banned by the FSA this year as a result of involvement in submitting false mortgage applications. Although he had been the central figure in the fraud, the severity of the penalty nonetheless serves as a timely reminder of the seriousness with which mortgage fraud is viewed by law enforcement agencies and regulators.

What is Mortgage Fraud?

Mortgage fraud occurs where a borrower defrauds a financial institution or private lender through the mortgage process. Such frauds are typically perpetrated in one of two ways:

The borrower provides untrue or misleading information (as in the above case) or fails to disclose relevant information that bears upon his ability to repay the loan. For instance, the borrower may provide false information about his level of income, employment or other liabilities. He may also provide misleading information about the source of funds to be used in the purchase other than the mortgage or not disclose the fact that more than one lender is financing the purchase price; or

The borrower misrepresents the true value of the property. To give the proposed transaction an air of legitimacy he may conspire with a corrupt surveyor in order to obtain a false valuation. Another typical scam used is known as ‘flipping’. Flipping usually involves back to back sales in which the property is to be sold on to an often fictitious sub-purchaser so as to give the appearance of the property being sold very quickly for a substantially increased price. The fraudster then absconds with the difference between the mortgage advance and the initial purchase price, leaving the lender with inadequate security.

In the next installment we will look at the implications of mortgage fraud for brokers.

Friday, 14 November 2008

Personal data loss an "alarming" problem

High profile instances of accidental leakages of sensitive customer information show no signs of abating. This time last year the media was having a field day with the revelation that the UK's HM Revenue & Customs (HMRC) had lost two discs containing the personal details of 25 million people. According to Symantec, not much has improved since then.

Symantec says an additional nine million personal records have been lost since the HMRC incident by private companies and third party data handlers. The total loss of 34 million people's records means that more than half of the UK's 61 million population have had their data lost in the last year, which when you put it like that sounds alarming.

While UK Prime Minister Gordon Brown has made it abundantly clear that the government cannot guarantee the protection of personal data by bumbling bureaucrats who appear to have a penchant for leaving laptops and USB sticks lying around on trains or in pubs, Symantec's Data Loss Prevention survey does not show much hope for the private sector either.

Almost half of UK companies surveyed admitted that one or more incidents of data loss had taken place, and another 25% had no strategy for dealing with data loss, which is concerning given the reputational risks and increasingly hefty fines.

Symantec's survey suggests that companies are not taking data protection seriously enough or that they don't know where to start.

It has provided companies with some useful pointers as to measures that can be taken to prevent data loss:

  • One of the big ones is to educate employees about the importance of data loss avoidance and the procedures in place.
  • Secondly, Symantec recommends "locking down" computers, mobile devices and other removable media using either software or physical locks. The big problem seems to be stopping employees from taking personal information outside the corporate firewall.
  • Network access controls should mean that employees can only access "relevant" systems and information.
  • Data should also be monitored to prevent leakages (although with so much data residing in firms, data classification, in terms of which data needs to be secured or classified 'top secret', is an essential first step).

AML on-demand search facility targets smaller firms

With anti-money laundering regulatory compliance costing firms millions to implement, smaller companies are at risk of non-compliance because of the upfront costs and investment typically required to implement the correct assessment and risk management procedures.

“Many firms have responded to the new anti-money laundering regulations but there are still some, particularly smaller firms, that, due to financial constraints, are failing to do so. The outcome could be very serious for those who choose to ignore these regulations, resulting in heavy fines and, as we have seen recently, prison sentences,” says James Sherwood-Rogers, managing director of Landmark Legal and Financial.

ASP solutions for AML are slowly starting to gain traction in the market and are more likely to appeal to smaller firms that don't want to make the upfront and ongoing investment required to implement and maintain a dedicated AML solution.

Landmark has just announced a new electronic on-demand AML search facility, for solicitors, which provides a pay-as-you-go type model for undertaking due diligence checks on new clients (companies or individuals). The electronic information service scans data sources such as government databases, databases of Politically Exposed Persons and terrorist sanction files.

Wednesday, 12 November 2008

Insurers fight fraud by sharing information

Any fraud officer is only too familiar with the challenges of detecting and reducing fraud; whether it is online banking fraud, identity theft or anti-money laundering. However, one industry appears to be having some success in fighting fraudsters, and it puts its achievements down to good old-fashioned information sharing.

By sharing claims data, the Association of British Insurers says that in the last three years, motor insurers alone have identified 70% more fraud equating to £5 million worth of claims per week. The Insurance Fraud Bureau (IFB) was established in July 2006 and uses a central computer system containing claims data from a number of insurers across the UK. Details of insurance policies and claims records are analyzed to identify suspicious activity.

Bogus and inflated insurance claims cost the UK insurance industry more than £1.6 billion a year. Insurance fraud ranges from policyholders exaggerating claims to organized criminal gangs inducing “innocent” motorists to crash into the backs of fraudsters’ vehicles. In a number of cases criminal gangs may have submitted bogus insurance claims to a number of insurers at the same time, so by sharing claims data, the hope is that it can be more easily detected.

While the insurance industry has enjoyed some success in combating fraud, Simon Evans, a partner at Cardiff-based law firm, Dolmans, warns that "fraudulent" insurance claims are still excessive.

"We have previously dealt with a case where a lady accidentally scratched a car door in a car park and, motivated by honesty, left her details to be contacted in order to arrange a repair of the minimal damage," says Evans. "However, when the claim came through it was for thousands of pounds of repairs. The lady has been dragged through the court system as a result, but without photographic evidence taken at the time, she has had little ability to defend her case.

“On the other side of the coin, I have been told about a recent occurrence when an intermediary tried to create a personal injury case to pass on to a solicitor. The intermediary had tried to encourage the victim of a car crash to make a claim for whiplash, even though no injury was suffered."

Evans said that charges, including perjury, contempt of court and obtaining monies by deception, were being used to deal with contrived and induced accidents. He pointed to the example of a claimant who was awarded £9,200 in compensation from a local council after claiming he broke his ankle in a pothole. Further investigation found the claimant had been injured playing football. The claimant was jailed for nine months after pleading guilty to obtaining property by deception and perjury.

The courts are also discarding evidence of a claimant if it is "tainted" by fraud and Evans said witnesses who give fraudulent supporting evidence are also likely to have any claim dismissed by the courts. However, the challenge for most firms is detecting fraud in the first place, and trying to prevent it before it even gets to the courts.

Tuesday, 4 November 2008

Individuals in the firing line for AML

A landmark case which saw the UK's financial regulator, the Financial Services Authority (FSA) fine a money laundering reporting officer for the first time, is a sign regulators are taking a no-nonsense approach towards AML.

The FSA fined Sindicatum Holdings Limited, a corporate advisory firm, £49,000 for failing to implement effective systems and controls for verifying client identities. It also fined the company's Money Laundering Reporting Officer (Mr Michael Wheelhouse) £17,500. The fines imposed would have been 30% higher if Sindicatum had not agreed to an early settlement with the FSA.

"This fine is a warning to firms and individuals about the importance of complying with our rules in this area and we will not hesitate to clamp down on failures, where necessary," said William Amos, head of retail enforcement at the FSA.

Mark Dunn, manager, Risk & Compliance Services at LexisNexis, said: “This is the latest indicator that the FSA is toughening up its approach to anti-money laundering compliance. Firms have had almost a year to update their systems and controls since the Money Laundering Regulations 2007 came into force last December.” Dunn said that record keeping in particular was important in order to demonstrate that the MLRO had taken reasonable steps to verify the identity of all clients.

Tim Dolan, a financial services partner in Pinsent Masons' Corporate Group and a former member of the FSA's Enforcement Division remarked that:

"This case is significant as it is the first time that the FSA has fined an individual Money Laundering Reporting Officer ("MLRO"). It serves as a timely reminder that individuals who hold the MLRO function have responsibilities and can be personally liable for their firm's failings."

Dolan said the case was also significant as it demonstrated that the FSA is prepared to take action in the case of corporate advisory firms' anti-money laundering systems failing. In Sindicatum's case, Dolan said a number of shortfalls in their AML measures were highlighted:

- clients were not being identified at the time of take-on by the firm;
- no attempt was made to verify which particular individuals were directors or controllers of clients;
- documents were in foreign languages, but the documents and their translations were not reviewed by the MLRO;
- photocopies of documents were not properly certified;
- relevant documents (including, in one case, copies of passports) were lost;
- client acceptance checklists were not complete or had not been reviewed by the account executives and the MLRO.

Wednesday, 22 October 2008

Phishing attacks rise as banks are distracted

With banks focused on shoring up liquidity and preventing runs on their shares, it seems online fraudsters are taking advantage of this opportunity to launch an ever increasing number of phishing attacks.

Brand monitoring specialist Envisional identified almost half a million (460,000) separate phishing emails sent to bank customers in the six-month period from April to September, with more than 170,000 in June alone (up 117% on June 2007).

According to Envisional, overall volumes of phishing emails sent to bank and insurance company customers were up 40% compared to 2007. It reports that one bank was hit by 350 separate attacks in one day.

Phishing emails, which try to trick customers into giving away passwords and PINs, also demonstrated different targeting strategies, with 135,000 phishing emails targeting one specific bank in June. Phishers then changed tactics in July, targeting two banks.

Who should be liable for online fraud?

Posted by Anita Hawser

Who should be liable/responsible for personal internet security? It is a subject that has stimulated much debate in the UK Houses of Parliament with the House of Lords Science and Technology Committee publishing its damning Personal Internet Security report last year.

Highlighting the increasing incidence of online fraud, ID theft and phishing, the report recommended establishing a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. The latest APACS figures show that online banking fraud losses increased 185% to £21.4 million in the six months to June.

It also talked about deployment of security software at ISP level, the need for a dedicated regulator for the online world, and for Government to increase banks' fraud liability. In essence the report said that instead of the weight of responsibility for online security falling on individuals, responsibility should be "distributed".

More than a year since the committee published its report, there is talk of a specialised e-crime police unit being established. Other recommendations, such as the passing of legislation to ensure banks take responsibility for losses incurred by electronic fraud and rules forcing software companies to accept culpability for damage caused by security flaws, which would allow individuals to report online fraud to the police rather than to their bank, have not been implemented.

With banks already having to receive a lifeline from the government just to finance their normal operations, it seems unlikely that the government (which is now a shareholder in UK banks) will pressure them into incurring liability for losses resulting from online fraud.

It comes back to that all-important question I asked at the beginning - who should be culpable? And as responsibility for online fraud is distributed - amongst banks, ISPs and hardware and software vendors - who is the most liable or culpable at any given point in time?

Phil Hickman, chairman of ValidSoft – internet security and transaction verification experts – argues that service providers should take responsibility for the security of users:

“Traditional security provisions employed online have been shown time and time again to be ineffective at protecting users from the threats presented by advanced fraudulent techniques. Authentication techniques used by financial institutions, for example, have so far proved unsuccessful at preventing identity theft and electronic fraud. Defence techniques currently used are simply not sophisticated enough to counter Man-in-the-Middle/Man-in-the-Browser attacks or information stealing techniques like phishing.”

The Parliamentary Committee has debated the idea of a "code of conduct" or "kite mark" for ISPs, but this may be difficult to enforce and could increase the cost of internet access. And given the "layered" nature of the internet, attributing liability is problematic.

With the banks already focused on anti-money laundering and issuing customers with one-time password generators for online banking, it seems that UK politicians favour raising "the bar of expectation" on software vendors, either voluntarily or at the EU level.

Surely more needs to be done around giving the Data Protection Act more teeth, and in the case of government leakages or breaches of personal customer data imposing hefty fines equivalent to those imposed on private companies?

This is likely to become more of an issue given that the UK government wants to compile a huge centralised database containing personal details of people's communications in order to supposedly combat terrorism.

Securing laptops remotely

Posted by Anita Hawser

Mobile security is one of the biggest problems companies face. Employees take laptops outside the company firewall, and securing those remote workers can be challenging, to say the least.

And one does not need to point out that regulators are increasingly taking a dim view of customer data that is lost through company or employee negligence. Last year, the Financial Services Authority in the UK fined Nationwide Building Society £980,000 for the loss of a laptop which contained "confidential customer data" on 11 million customers.

Telecoms/network provider Alcatel-Lucent Bell believes it has the answer to securing remote workers and laptops with its OmniAccess 3500 Nonstop Laptop Guardian. Invented at Bell Labs, the solution is an "always-on mobile security solution card that remotely secures, monitors, manages and locates a mobile computer and protects laptops and the data that resides on them".

"The mobile blind spot is defined as a condition where enterprises have no visibility or control over the location, use or configuration of employee laptops, increasing the risk of government fines, company reputation and hampering day-to-day operations of organisations. With this technology, enterprises have 24/7 access to employee laptops – enabling them to automatically enforce policies for compliance and deliver software patches and upgrades to their increasingly mobile workforce even if the laptop is turned off."

Forty-five percent of respondents in a recent study of 255 executive level IT, security and compliance decision makers from the US and Germany, admitted they have to deal with mobile blind spots. “The study shows nearly three out of four IT security managers have had to help their company deal with the consequences of a lost or stolen company laptop,” explained Tom Burns, head of Alcatel-Lucent enterprise activities.

An additional 76% said a lost or stolen laptop needed to be protected with more than encryption – for example, having the ability to locate the device using GPS and remotely revoking access to data. This is particularly useful if the laptop has been stolen, although looking at the picture of the mobile security card, a question that springs to mind is what happens if someone removes the device from the laptop?

According to the survey, 50% of companies state they would switch their wireless service to a provider with a security solution that protects lost or stolen laptops used remotely. No surprises then that SingTel of Singapore, Magyar Telekom of Hungary, and broadband carrier IIJ (Internet Initiative Japan Inc.) of Japan have announced they plan to offer the Laptop Guardian as a value-added service over their high-speed HSPA mobile data communications networks.

The Laptop Guardian has its own processor, power supply and operating system, and it leverages wireless broadband networks, including next-generation, high-speed 3G GSM/HSPA networks. It has also been integrated with McAfee's Endpoint Encryption software.

Monday, 20 October 2008

Getting serious about money laundering

Posted by Anita Hawser

With banks' IT budgets stretched to breaking point and likely to come under increasing strain in the wake of the credit crunch, where does this leave current efforts around combating financial crime and money laundering?

In a webinar on AML trends 2008-2010, Neil Katkov, managing director, Asia research, Celent, says that banks are increasingly looking to "kill two birds with one stone" by seeking solutions that help solve multiple financial crime and compliance issues. Global spend on anti-money laundering was estimated to be $3.6 billion in 2006, with the bulk of the cost tied up in personnel training and reporting.

According to Katkov, some firms, particularly in Europe, are consolidating their financial crime efforts under one umbrella - a “Group Integrity” department that combines anti-money laundering (AML), fraud and, in some cases, security. US banks tend to lead their European and Asian counterparts in terms of AML technology spend - this may have something to do with strict enforcement and interpretation of the US Patriot Act, which places considerable focus on uncovering sources of terrorist financing.

Katkov says Asian banks have "only recently got serious about AML" (although their spending on AML is likely to grow at a faster pace) and that small banks in all regions are grappling with "manual approaches" to AML. At the lower end of the scale, firms may prefer to implement an outsourced or ASP AML solution, which is slowly starting to gain traction. According to Katkov, at least one major bank in the US has outsourced its AML compliance operations.

While various channels such as the diamond and arms trades are sometimes used to launder money, Katkov maintains that 82% of all money laundering activity goes through banks and brokerages. Insurance companies account for an estimated 10% of activity.

One of the biggest challenges Katkov identifies is applying existing anti-money laundering strategies and techniques to brokerage money laundering, which he says is typically part of the "layering" process - banks are the front line for money laundering. "You can’t just transfer bank AML techniques to brokerage," says Katkov, adding that trading behaviours are different.

For example, transaction peaks may not have the same significance on the brokerage side as they do on the banking side. It is also more difficult to profile customers, as "execution-only brokerages" may be executing trades on behalf of other firms.

Friday, 17 October 2008

A rogue trader's view on the credit crunch

Posted by Anita Hawser

Ex-rogue traders have a habit of crawling out of the woodwork in the midst of one of the worst collapses of the global financial system. Former rogue trader Nick Leeson, whose "unsupervised speculative trading" resulted in the collapse of the UK's Barings Bank in 1995, was speaking at a conference of European corporate treasurers in Barcelona recently.

Reminiscing about the good old days as an unsupervised derivatives trader in Singapore, Leeson levelled significant blame for the global credit crisis at central banks and the regulators, who, he says, don't understand the markets or risks they are supposed to be regulating.

"There is plenty of risk, but no one managing it," said Leeson. "After Barings there were new regulations by the Bank of England and they spoke about responsible lending, but it clearly hasn't happened."

As the financial system now has to grapple with the concept of heightened global regulation, Leeson suggests that central banks may not be the best candidates for enforcing these regulations. "Central bank understanding is very poor," he said. In his days as a derivatives trader for Barings in Singapore, Leeson said the Singapore Monetary Exchange did not have people that understood the business.

"The monetary exchange knew my position. They had a process of non-disclosure but all they had to do is look up the rates on Bloomberg and see what my [total] position was. If they had done that they would have seen that I risked the capital of the bank." In 1994 Barings was capitalised at $250 million and Leeson had $500 million in Singapore.

Although the subprime crisis, which triggered the credit crunch, has been attributed to the lack of transparency and the complexity of mortgage-backed collateralised debt obligations, Leeson says it is not the instruments that are the problem. "It is the people operating them. Some of the biggest banks employ the best mathematicians, but their risk calculations haven't worked."

Leeson said he got away with so much during his time at Barings because the bank's management did not deem themselves to be in a position to challenge him - in other words, they did not understand the markets he was investing in, so he was pretty much given free rein as long as he was bringing in profits for the bank.

While rogue traders have not been directly linked to the credit crunch, the exposure of the $7 billion in losses Jerome Kerviel racked up at Societe Generale came at a time when the crunch was starting to bite, and highlighted the precarious risk-taking counterculture within investment banks - some traders were literally betting the bank and getting away with it if those bets paid off. "Jerome Kerviel was a shock to me," said Leeson. "He was given far too much autonomy for a junior trader."

Tuesday, 14 October 2008

Chip and PIN is failing banking customers

Posted by Anita Hawser

With banks around the world distracted by the global credit crunch, plunging share prices and government bail-outs, this can be a time when fraudsters up the ante hoping that banks will be too distracted to notice the rising incidence of fraud.

According to risk management software provider Actimize, the number of mass data breaches, particularly those involving ATM and debit fraud, has accelerated, and at a time when banks' balance sheets look compromised, the reputational and direct costs of replacing lost or compromised cards are an unwelcome additional burden for any bank to have to deal with.

Just as banks need to restore confidence in one another so interbank lending can resume, so too do they need to restore customers' confidence in debit and credit cards. But in a heightened threat landscape, where attacks are becoming increasingly sophisticated and insidious, banks appear to be on the back foot.

Fighting card fraud is not just about compromised ATMs or phishing emails anymore, as recent incidents have borne out. For example, according to Actimize, fraudsters posing as bank workers recently replaced credit card readers in a number of retail stores in Ireland with fake readers that captured the data on 10,000 credit and debit cards.

In Calgary, Canada, local businesses were defrauded of approximately CAN$2 million by fraudsters who broke into company databases and inflated the value of pre-paid debit cards. They then withdrew money at ATMs with "cloned" cards.

Authentication specialist GrIDsure highlights a recent incident in which MasterCard users were the victims of sophisticated Chip and PIN fraud involving up to 40 stores across Britain, including Asda, Tesco and Sainsbury’s. It has called for affirmative action to avoid "further embarrassment" for the UK banking industry.

"While Chip and PIN scams are becoming more and more frequent, it seems that nobody is willing to address the issue head on," says Jonathan Craymer, chairman of GrIDsure. "It is blatantly obvious that Chip and PIN’s reliance on a fixed PIN number is leaving the system vulnerable to attack through sophisticated scams such as this recent one involving MasterCard customers. I wonder how many more people will fall victim to scams like this before the industry stands up and takes action."

Recent incidents highlight the vulnerabilities of Chip and PIN, which was introduced to try to prevent fraud, but Craymer seems to be saying that the industry needs to improve the security of the Chip and PIN system with the introduction of one-time PINs.

UK banks have sent smart card readers that generate one-time PINs to online banking customers; however, Craymer says it is time to find a solution that effectively addresses transaction authentication, not just on the UK high street, but also online and abroad. “Chip and PIN was introduced to put a stop to high street fraud, but as fraudsters begin to find their way around the system we have seen total card fraud losses increase by 14% in the first half of this year alone.”

Wednesday, 24 September 2008

Fraud not on the agenda at banking conference

Posted by Anita Hawser

While investment banks and mortgage providers were dropping like flies last week, as the credit crunch increased the pace of market consolidation, I was attending one of the world's largest international banking conferences, Sibos, in Vienna.

Hosted by SWIFT, the Society for Worldwide Interbank Financial Telecommunication, Sibos 2008 attracted approximately 8,000 bankers; however, some conference speakers dropped out at the last minute as investment banks and mortgage lenders fell victim to market speculation and takeovers.

SWIFT, as you may or may not know, is a bank-owned messaging network, which prides itself on never having been hacked into or compromised by an external or internal threat. However, it did get into hot water a couple of years back with data privacy zealots when it allowed US intelligence agencies to look at messages being sent on its network as part of the US government's efforts to combat terrorism and money laundering.

While I can understand that banks probably have a lot more on their minds in today's difficult climate than combating fraud, I was surprised to see that identity fraud, and banking fraud in general, did not feature on the Sibos conference agenda.

Fraud only appeared to be up for discussion on the exhibition floor where a handful of dedicated information security vendors (SafeNet, NetEconomy) and AML solution providers were exhibiting their anti-fraud technologies and strategies.

"There is a lot of interest from banks around service-oriented architectures and designing security in from the get go rather than as an afterthought," said Rene Bastien, product manager, payment products, SafeNet. Bastien says Basel II is also forcing banks to address operational risk.

SafeNet says that the current business climate is good for security vendors, as it is forcing banks that were "caught with their pants down" to address their risk management and operational practices. And it seems security vendors are trying to make it easier for banks to embed security natively within applications using common standards such as XML, which means application developers do not need to be "cryptographic geeks" in order to understand security.

Of course, banks en masse don't like to talk about fraud, particularly in this climate where banking failures in general are dominating newspaper headlines. Yet, fraud is an area banks cannot afford to ignore, not only because of the hefty fines likely to be imposed by regulators, but also the reputational risk and the impact on banks' balance sheets.

According to a survey conducted by Kroll on behalf of the Economist Intelligence Unit, financial services providers lost an average of $12.9 million to fraud in the last three years, although this figure is probably higher if one takes into account the reputational costs and the costs of fraud that banks are not even aware of or that remains undetected.

Kroll says the most common types of fraud financial service providers are exposed to include: regulatory or compliance breach (35%), financial mismanagement (29%), theft of physical assets or stock (27%), management conflict of interest (25%), information theft, loss or attack (24%) and internal financial fraud or theft (24%).

While it is difficult to put a precise figure on the reputational costs and brand damage caused by fraud, research by security software vendor, Symantec, suggests that consumers take a dim view of companies that do not do enough to protect their private data. Approximately 90% of consumers surveyed by Symantec stated that "reckless or repeated" data breaches should be punishable by imprisonment.

Seventy-six percent of companies polled by Symantec expected to lose customers if a data loss or breach occurred and 50% expected customer loyalty to fall off immediately. “These statistics are very concerning for business, particularly in the current unstable market conditions,” said John Brigden, senior vice president for Europe, the Middle East and Africa at Symantec. “Not only do they risk losing large numbers of customers following an incident of data loss, but almost 60% of companies said it would be a lot harder to attract new customers once the reputation had been tarnished.”

Fraud is so pervasive now that it is not just something CTOs or chief risk officers need to be concerned about. CFOs and CEOs should also be more attuned to the impact of fraud on their businesses.

"We expect to see fraud increase as conditions become tougher for business and the full impact of the credit crunch unfolds. Financial services companies need to focus their efforts, especially against regulatory and compliance breaches as the loss involved is far too much to justify," says Blake Coppotelli, senior managing director in Kroll's business intelligence and investigations division.

It is no longer acceptable for banking CEOs to say they do not understand the instruments their investment banking divisions are trading, nor should it be excusable for them to say they are not aware of the impact fraud is having on their business.

Saturday, 13 September 2008

Browder unable to return to Russia

Posted by Nick Kochan

The Russian lawyers of the Hermitage fund management company have been raided and key documents removed, alleges Bill Browder, chairman of Hermitage Capital. He claims that these documents have been used to steal the firm’s identity in order to perpetrate two frauds against it.

The first fraud, Hermitage alleges, involved obtaining court orders against the firm to perpetrate a massive theft. However, the alleged thieves found that the kitty was bare as Browder had sold out its Russian investments.

The thieves took another tack. Browder claims that they used the claims against the company in a book-keeping exercise to offset Hermitage profits. This allowed them to claim back the corporation tax Hermitage had paid in 2006. This amounted to $230 million. The Russian Tax Ministry believed the crooks’ tale, and paid it back, Hermitage claims.

Now Browder needs to protect his Russian companies and lawyers, who he claims were raided and physically attacked. “They have raided and are trying to arrest the lawyers who are fighting the liquidation of the Russian companies. We filed a criminal complaint at the end of July,” he says.

Browder claims the Russian law enforcement and legal system has been incompetent at best. “We tipped off the law enforcement community in Russia. We filed [complaints] about the fraud and fake claims. It gave the police three weeks to freeze the companies’ accounts to make sure the tax crime never got committed. But they didn’t act.”

The alleged attack on Hermitage has persuaded Browder to revise his trenchant views on Russia’s Prime Minister and former President Vladimir Putin. “Between 2002 and 2004, Putin was fighting with the same guys who were stealing money from me. The oligarchs were stealing power from him and they were stealing money from me as a shareholder. When I complained to the government about the oligarchs stealing money, they responded favourably and cracked down on the stealing. How could I not think that was a good thing?”

Browder has equally revised his views of the oligarchs, whom he criticised for their mistreatment of shareholders. “I was critical of Mikhail Khodorkovsky (he was convicted for fraud and tax evasion and received an eight-year sentence) because he mistreated minority shareholders when he controlled Yukos and we were a shareholder in his subsidiaries. I now have huge sympathy for him. I think he has had a bum deal. He has paid any dues he could ever possibly pay for anything that he did to us as minority shareholders a long time ago.”

Browder has little hope of returning to Russia, where he is the subject of an arrest warrant. He now travels regularly to the Gulf region to manage an investment portfolio of some $2.8 billion. “It is an absolute delight to do business outside Russia. The UAE is my favourite location for doing business today,” he says.

End of part three

Friday, 12 September 2008

Hermitage cries foul in Russia

Posted by Nick Kochan

Bill Browder, the boss of Hermitage Capital, had his visa to enter Russia refused. He claims Hermitage was persecuted as part of an alleged scam to defraud the Russian Tax Ministry of $230 million.

Browder claims that Hermitage’s lawyers were raided by police from the Russian Interior Ministry. He alleges that their computers, servers and files containing information were removed. The homes of other lawyers also working for Hermitage were raided at around the same time, he claims.

Browder alleged that one of the lawyers was seriously beaten and hospitalised for two weeks. “It wasn’t good to be a lawyer for us at that time,” he says. “All four of our law firms were raided again by the police. They invited all of the lawyers for questioning as witnesses.”

Hermitage alleges that these raids gave members of the Interior Ministry the means to steal its identity. So when a company unknown to Browder said that Hermitage had reneged on a sale of Gazprom shares and owed millions, Browder said he was helpless to resist it. Using the lawyers’ documents, Hermitage alleges that people from the Interior Ministry removed the legitimate managers and replaced them with their own cronies.

Hermitage alleges that liabilities were created by this scam to extract from the Russian Government $230 million worth of tax paid a year earlier by Hermitage. Browder claims that the scam’s perpetrators created “fake losses” exactly equal to that to create a new net profit of zero. “We paid $230 million of taxes and they filed amended tax returns and asked for the money back,” he said. Browder claims that the $230 million has been pocketed by the crooks.

The scam has yet to run its course. Browder says a package, packed with sensitive documents, was sent by DHL from London to the offices of Hermitage’s Moscow lawyers. The return address on the back of the envelope was given as Hermitage’s offices in Soho and the name attached to the address had been made up.

According to Browder, an investigation of the name found that it belonged to someone whose passport had been stolen. “We didn’t send the package,” he claims. “Two Eastern European-looking gentlemen paid cash to DHL at the Lambeth depot. We have them on closed-circuit television.”

Two hours after the package arrived at the lawyer’s office, Browder claims Russian police raided it and took away the package. Mere coincidence? Not so, alleges Browder, for whom this was merely another piece of evidence that he was targeted by a well-organised gang. “The obvious intention,” Browder claims, “is to create a trail from us to our lawyers. This stuff was going to be used to blame us and our lawyers.”

End of part two

Thursday, 11 September 2008

Russian Mafia exposed - The Browder Story

Posted by Nick Kochan

This is the first in a three part series on Bill Browder, the multi-millionaire chairman of Hermitage Capital who quit Russia following allegations of fraud at the highest levels.

The deeds of the Russian mafia may be murky, but they rarely get exposure. The members of organised crime are often hidden behind political and judicial structures. However, those that have done business in Russia are no longer shocked. They have seen it all, they claim. One such man is Bill Browder, the multi-millionaire chairman of Hermitage Capital. His $4 billion portfolio of Russian stocks made him the largest foreign investor in the country.

Now that he has quit Russia, he presents a document which he alleges shows the involvement of “a group of criminals at a reasonably high level in the Russian government” in the theft of $230 million from the Russian Tax Ministry. The document is entitled Persecution of Hermitage in Russia in order to steal $230 million from the Russian People.

Browder is on a mission to cleanse Russia of its criminal class. He speaks with a zeal rarely found among financiers. He cannot overstate the “dire state” of business practices and ethics in Russia. “It is bent at every turn,” he claims. The alleged scam confirms Browder’s view that business conditions in Russia have retreated to the state he found them in when he set up his firm in Russia in 1992, with the assistance of money from the banker, Edmund Safra.

The key to Browder’s success was attacking Russian companies with poor corporate governance and seeing their stock prices rise as they improved their management and ethics. According to Browder, this approach upset senior members of the country’s political and economic elite and in 2005, his entry visa was withdrawn.

He mounted a crusade at the highest levels to re-instate his visa, even approaching Dmitry Medvedev, the man destined to be the president of Russia, at Davos last year. “I saw him tucking in to his dessert,” said Browder. “He was sitting on his own. I saw this as an interesting opportunity to have a chat with him and so I went to talk to him. He stood up. We knew each other. I know him, we have worked with him because he was the chairman of Gazprom and we were always very active in Gazprom. I asked him if he could get my visa reinstated. He knew all about me. He said yes, he would help me. He asked me for a copy of the visa application, which I got my office to produce.”

A month after the Medvedev meeting, Browder claims that his office in London received a call from a lieutenant colonel of the Interior Ministry, which it construed as a request for a bribe. Hermitage have a recording of the conversation.

According to Hermitage’s report, the lieutenant colonel asked if he could meet Browder. Hermitage’s report alleges the lieutenant colonel said, ‘The sooner we meet and you provide what is necessary, the sooner your problems will disappear.’ Browder says that the company receives requests like this every day. “People try and shake you down in every different place in Russia. We ignored it. This was the one case out of a hundred when something happened.”

End of part one

Tuesday, 9 September 2008

An 'inside' job

Posted by Anita Hawser

It's official. As we have all suspected for some time, the "external bogeyman" is not the biggest fraud threat companies face. It is internal fraud that is resulting in the largest losses, says the Association of Certified Fraud Examiners (ACFE).

Research company, Financial Insights, highlights some interesting findings from a 2004 ACFE study which found that more than 80% of internal fraud cases were committed not by "career criminals" but by first time offenders. No surprises then given recent incidents at banks like Société Générale, and a host of others, that subsequent ACFE studies have found that banks are the biggest victims of internal fraud.

According to ACFE’s 2008 Report to the Nation on Occupational Fraud & Abuse, the internal rate of fraud loss has increased to 7% of annual turnover for all companies. FinInsights cites two examples of internal fraud: SME Bank in Thailand, which included 27 loan cases involving fraud and corruption; and the rogue trading incident at Société Générale where more than 1,000 fraudulent transactions, dating back to 2004, were concealed.

The fact that these transactions at both banks bypassed internal controls and procedures not only suggests that internal fraud controls are inadequate, but that firms have spent far too much time safeguarding the enterprise from the "external bogeyman" and not from Joe Bloggs in accounts.

FinInsights then went on to outline some best practices in internal fraud control:

  • Establishing controls that reduce the opportunity for unauthorised use of organisational resources (firewalls, email scanning, ID access - most banks already have these)

  • Providing sufficient employee monitoring, segregating duties for operational processes, and regularly rotating staff in key positions

  • Thorough recruitment screening and educating employees about the legal repercussions of being involved in illegal activities to act as a deterrent (not so sure about this one as in the case of traders, it is known that they are not out to make money for themselves necessarily but for their company. Are they the kind of people investment banks want to screen out?)

  • Automated detection systems and advanced analytic technologies that look for suspicious behavior and anomalous patterns (problem with this is that technology can only do so much. If no one responds to the alerts, the technology is useless)

  • Financial institutions need to define and understand the layout of internal data and the business process data flows in order to determine the necessary sources of and data feeds for fraud solutions (highly complex given that data and business processes tend to be 'siloed' within most banks)

  • Educating both employees and upper management on security

  • Establishing accountability and ownership for lax security procedures

  • Reprimanding staff for breaking or failing to follow security protocol, even for minor violations

  • Providing confidential and easy-to-use channels of communication for whistle blowers

So in other words, fighting internal fraud is not easy. It is not simply a case of putting up a perimeter fence and installing software that recognises unusual behaviour patterns. That is only the tip of the iceberg, and in the end educating people is likely to be more effective than a piece of technology on its own.

Tuesday, 2 September 2008

The UK’s credit card crisis

Posted by Nick Kochan

In the week that the Royal Bank of Scotland and NatWest have accepted that a computer sold on eBay has exposed the data of one million customers to possible abuse, a spokesman for the Government’s new National Strategic Fraud Authority, set to be launched on 1 October, says credit card and banking fraud will be a prime target.

Spokesman Adam Morris says the Agency is in discussions with representatives of UK banks and payment companies about the UK’s deteriorating position as a haven for credit card fraud. Morris says, ‘There are many agencies targeting fraud, but the Fraud Review found they were not always working together. We are targeting the symptoms of fraud and aim to bring banks and other stakeholders together.’

UK credit card fraud is at record levels due to abuse of the internet, says the banking industry body, APACS. Annual plastic card losses in 2007 amounted to £535.2m. This compares with £428m in 2006.

The majority of this -- £290.5m -- was incurred by those buying goods on the internet. ‘Card-not-present’ fraud increased by almost £80m on the previous year. As money has been poured into chip-and-pin to deal with lost and stolen cards -- down from £68.5m in 2006 to £56.2m in 2007 -- counterfeit theft and internet abuse of cards has risen sharply.

Metropolitan and City Police forces, fighting card fraud through the Dedicated Cheque and Plastic Crime Unit (a joint public/private sector agency), face an uphill struggle, say industry observers.

Thieves keep several steps ahead of the industry and the police, says Amir Orad, executive vice president of Actimize, the banking consultancy. "Credit card fraud is growing and changing its form to respond to the growing efforts of those who seek to curb it. The crooks are a long way ahead of the institutions cracking down on it."

Leaky credit card systems in retailers presented thieves with their latest juicy target. A group of 11 worked together to break into the systems of US retailer TJX Companies. TJX owns the popular cut-price UK retailer TJ Maxx and the company has admitted that some of the 41 million credit card numbers hacked from retailers belonged to UK and Irish customers.

The 11 were allegedly engaged in ‘war-driving’, the concept of data theft via wireless networks. The thieves had apparently gone cruising through different areas with a laptop looking for accessible wireless signals. They then installed ‘sniffer’ programs that captured credit and debit card numbers as they moved through the retailers’ processing networks. The information was stored on the thieves’ processors in Latvia and Ukraine.

The US Attorney General, Michael Mukasey, said, "They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves."

Organised gangs perpetrate credit card fraud, says Paul Ravenscroft, a spokesman for Visa. "Law enforcement tells us that some of the perpetrators of large scale payment card fraud are gangs that utilise the skills of technically sophisticated individuals. As we introduce new fraud countermeasures such criminals will migrate their attacks to other parts of the system."

The godfather in a credit card gang is the guy who understands the technology, says Kevin O’Leary, the chief executive officer at Norkom, a Dublin-based consultancy. "At the top is a group of technicians who provide the intellectual property of how to get at the data that you are going to need to perpetrate a fraud. They must understand how the point of sale server computer architecture works.

"People who commit the technical aspect of the crime need to be several degrees removed from the people who perpetrate the crime at the end of the chain. They do not think of themselves as criminals in the true sense." Smart con men occupy the gang’s second tier. O’Leary says that they go into the grocery store to install the rogue equipment and need to be brazen. "They risk criminal prosecution, if they are found and apprehended."

Street level functionaries "exchange data with other gangs and recruit hundreds of people to use fake cards to walk up to cash machines and make withdrawals. These are people at the bottom of the food chain." O’Leary warns companies to beware of insiders who obtain techniques from their employers to defraud them.

Banks do not sufficiently understand this threat, says David Porter, head of security and risk at Detica, the security consultancy. "Insider fraud has been under-addressed by the bank security community.

"Not all credit card fraud is perpetrated by external bogeyman. There are some highly effective technologies for spotting the unusual outlier in a community of employees who may be embezzling money or confidential data. Organisations need to tackle this problem area rather than sweep it under the carpet."

Banks and retailers need to completely review anti-fraud policies in the light of the burgeoning credit card fraud, says David Hobson, the managing director of Global Secure Systems. "Methods to counter data leakage are slowly coming together. Many banks still do this piecemeal. They are considering a single part of the issue rather than the whole issue."

O’Leary says banks have been slow to act. "Fixed-point solutions like credit card scoring and credit card detection technology on credit card transactions only work up to a point. They give you a fairly limited intelligence to understand what’s going on. Banks need to join all these things up and look at them in a unified fashion."

Fraudsters leave tracks across an organisation, says Orad. "Patterns of banking activity, like cheques, ATM machines and online banking are used to catch credit card fraud in particular and enterprise fraud in general."

Credit card payment companies like Visa and MasterCard have brought in new technology to attack credit card fraud. Customers tap in extra pieces of secure data, in addition to the PIN, when making a credit card purchase at a retailer.

APACS spokesman Mark Bowerman attacks retailers for failing to install the system to allow the customer to make the check. "Take-up has been slow but is now increasing. The vast majority of people need to use it and the vast majority of merchants need to use it. It is a competitive issue. It is up to them whether they decide to implement it in their business."

Merchants are the weak point in the credit card chain, says Hobson. "Credit card details are lost at merchants where there is not the same understanding of risk. They are actually custodians of the customer’s data. If a merchant is processing millions or billions of pounds says it doesn’t want to bring in the new secure systems, will any credit card company really refuse their business? Unlikely, as they take a business decision to take a risk!"

Anti-fraud technology based on Chip and PIN is lagging criminal techniques, says Porter. "There's been a lot of focus on Chip-and-PIN, but this is only half the solution since it's a preventative measure. We also need advances in the way we detect criminals who inevitably overcome these preventative measures.

"Banks and credit card processors have invested in automated detection systems based on behavioural modelling: learn how a fraudster does his tricks and then go looking for similar patterns. Fraudsters are getting wise to this method of detection. These legacy detection systems are unable to identify fragmented schemes where each entity or activity alone is too small to appear 'on the radar'."

Fraudsters are pouring resources into attacking credit card data. They have set their sights on opening up and benefiting from leaky systems and security glitches. Banks are in the firing line, but customers need to demand tighter controls at every link in the credit card chain if fraud is to be reduced, and costs to the user of the credit card on the high street reduced.
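The fragmented-scheme failure mode Porter describes above can be shown with a small detection rule. This is an added example, not code from the original post or from any vendor quoted in it; the transaction log, the two thresholds and the linking attributes (a shared beneficiary account or a shared originating device) are all constructed assumptions for illustration. A per-transfer rule sees nothing wrong with four transfers just under its limit, while a rule that first links the sending accounts and then sums their activity over a time window raises the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): (timestamp, source account,
# destination account, amount in GBP, originating device id).
SAMPLE_TXNS = [
    ("2008-08-01T09:02:00", "acct-A", "ben-X", 4900.0, "dev-7"),
    ("2008-08-02T10:15:00", "acct-B", "ben-X", 4800.0, "dev-7"),
    ("2008-08-03T11:30:00", "acct-C", "ben-X", 4950.0, "dev-8"),
    ("2008-08-04T14:05:00", "acct-A", "ben-X", 4900.0, "dev-7"),
    ("2008-08-05T16:40:00", "acct-D", "ben-Y", 2000.0, "dev-9"),
    ("2008-08-20T09:00:00", "acct-E", "ben-Z", 12000.0, "dev-10"),
]
PER_TXN_THRESHOLD = 5000.0   # assumed per-transfer alert level
AGG_THRESHOLD = 15000.0      # assumed linked-total alert level inside WINDOW
WINDOW = timedelta(days=7)

def parse(txns):
    return [{"ts": datetime.fromisoformat(ts), "src": s, "dst": d,
             "amount": a, "device": dev} for ts, s, d, a, dev in txns]

def per_transaction_alerts(txns, threshold=PER_TXN_THRESHOLD):
    """Legacy rule: judge each transfer on its own. Misses the A/B/C scheme."""
    return [t["src"] for t in parse(txns) if t["amount"] >= threshold]

def cluster_sources(records):
    """Union-find: link sources that share a destination or a device."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    shared = defaultdict(list)  # (attribute, value) -> sources using it
    for r in records:
        shared[("dst", r["dst"])].append(r["src"])
        shared[("device", r["device"])].append(r["src"])
    for sources in shared.values():
        for other in sources[1:]:
            parent[find(other)] = find(sources[0])
    clusters = defaultdict(set)
    for r in records:
        clusters[find(r["src"])].add(r["src"])
    return {frozenset(m) for m in clusters.values()}

def aggregated_alerts(txns, window=WINDOW, threshold=AGG_THRESHOLD):
    """Sliding-window sum per linked cluster; alert once a window hits threshold."""
    records = parse(txns)
    alerts = []
    for members in cluster_sources(records):
        rs = sorted((r for r in records if r["src"] in members),
                    key=lambda r: r["ts"])
        start, total = 0, 0.0
        for end, r in enumerate(rs):
            total += r["amount"]
            while rs[end]["ts"] - rs[start]["ts"] > window:
                total -= rs[start]["amount"]
                start += 1
            if total >= threshold:  # alert on the linked total, not any one transfer
                alerts.append({"members": sorted(members), "total": total})
                break
    return alerts
```

On the sample log the per-transfer rule flags only acct-E's single large transfer, while the linked rule flags the acct-A/B/C cluster whose four sub-threshold transfers total 19,550 within the window; the two rules complement rather than replace each other.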

Monday, 23 June 2008

Identity checks made simple - but what does it mean for consumers?

We are all familiar with the identity checks that banks and other financial services providers deploy whenever we wish to open a bank account, apply for a loan or register with a financial advisor.

In a number of cases, a lot of these so-called 'checks' require the customer to send copies of personal documents (utility bill, bank account statements, copy of driver's licence), details of which could be easily stolen, copied or intercepted and used for fraudulent purposes.

UK-based GB Group believes it has come up with the answer with its electronic identity verification service, eIDV, which enables financial advisors, accountants and solicitors to electronically check an individual's identity against a number of databases, including credit files, the electoral roll, telephone and sanctions data.

eIDV is based on GB Group's document checking technology, URU, which it jointly developed with British Telecom. URU not only validates utility bill and passport information, but also checks for alerts on Politically Exposed Persons and Bank of England sanctions lists.

Once a customer's information is validated, they are presented with an instant pass, fail or refer result based on a scoring methodology suited to the practitioner using the eIDV web portal.

A good thing about the solution is that it enables practitioners to more easily complete identity checks without compromising the safety of valuable personal information and to comply with more stringent anti-money laundering regulations, all in the one application.

However, it does highlight the 'Big Brother' culture that is growing up around fraud prevention. Much as a police officer can type your name into a computer and come up with a list of previous offences and convictions, as well as checking you are who you say you are, financial service providers and advisors now have similar capabilities.

The question is how judicious are these providers likely to be in their scoring of individuals, and how transparent is the scoring process in terms of informing a customer why they have failed the identity check or scored a 'refer'?

With "Spot the Fraudster" as the marketing spiel for URU, it reminds me of the UK TV Licensing ads where they claim to be able to track you down if you haven't paid your TV licence.

While eIDV may be great for financial advisors and other firms that need to validate a customer's identity and comply with onerous money laundering regulations, the question is what does it ultimately mean for the customer?

If their personal details are not stored on the databases eIDV checks, for whatever reason, does that necessarily mean they are not who they say they are?

Is rogue trading endemic?

Traditionally, most companies at the frontline of fighting fraud secured their 'perimeter fence' using firewalls, secure passwords and access tokens. All of these measures were largely designed to thwart an external threat or attack.

However, in recent years, the threat from within or from employees, be it accidental or malicious, is increasingly keeping company CEOs, risk managers and security experts awake at night. Recent rogue trading incidents only serve to remind companies, particularly banks, that often the greatest threat when it comes to fraud is from a 'trusted' employee.

French bank Société Générale made headlines earlier this year when fraudulent trades totalling $7.1 billion were racked up, allegedly by a single trader. There have been other rogue trading scandals, most notably Nick Leeson and Barings Bank in 1995.

But incidences of rogue trading are not as isolated as company CEOs would like to think. Recently, Morgan Stanley announced that a London-based credit derivatives trader hit them for $120 million, and just last week the subprime mortgage crisis in the US resulted in two former Bear Stearns' hedge fund managers being arrested on securities fraud charges.

According to anti-fraud and compliance vendor Actimize, there have now been five major (more than $100 million) rogue trading incidents reported in 2008. According to its Rogue Trading Peer Review, 50% of respondents estimated that thousands to millions of dollars of rogue trading activities go unreported every year at their firms, and 24% said that they had experienced a case of trading fraud at their firms in the last year.

The reputational risk from such events appears to be such that financial services firms are not even reporting these incidents. That makes it difficult for fraud, risk and security experts to do their job properly if there is not recognition at boardroom level that internal fraud is occurring.

The threat from within is perhaps the greatest challenge the financial services industry faces, and combating it is not as straightforward as thwarting an external attack. No amount of firewalls and secure passwords can prevent a determined, bonus-hungry trader from overriding internal controls to perpetrate a fraud, nor is it going to help prevent the rise of a corporate culture that has a tendency to turn a blind eye to traders looking to boost their own and the company's profits by 'gambling' with investors' money.

One company I spoke to recently about internal fraud, pointed to multi-factor authentication as a means of combating it. They said users could set up a policy that says once a user has securely authenticated to a network, or once they launch a particular application, it may ask for another form of authentication such as a fingerprint or biometric. So in this example, a trader would need to swipe their fingerprint whenever a trade is conducted. Even if the trader was able to create “multiple accounts,” the fingerprint would provide an audit trail.

That may be one way of combating rogue trading, but the question is how far companies go in implementing effective anti-fraud measures that do not make it more difficult, time consuming or onerous for employees or traders to perform legitimate business activities. It is a delicate balance to strike.

Posted by Anita Hawser

Saturday, 14 June 2008

Who should be liable for online fraud?

With a UK Parliamentary Report on Personal Internet Security released last August lambasting banks and ISPs for not doing enough to protect consumers from online fraud, it appears that banks are shirking their responsibilities when it comes to compensating victims of fraud.

According to an article in The Guardian newspaper, a minor amendment to the Banking Code introduced in March provides a loophole for banks to refuse compensation to victims of fraud if the anti-virus software on their computer is not up to date. The Guardian reports that the 2005 Banking Code contains a section (12.9), which advises customers to use "up-to-date antivirus and spyware and a personal firewall".

However, a new section (12.13) has since been added, which reportedly states that, "Unless you [the bank] have acted fraudulently or without reasonable care, you will not be liable for losses caused by someone else which take place through your online banking service." Security experts have interpreted this to mean that banks will be able to shift liability for online fraud to the consumer.

"The new provisions to the Banking Code, which mean that banks may now pass responsibility for card fraud to affected customers if they don't have AV software or firewalls, raise an interesting debate - should banks be able to transfer liability so easily, and how policeable will this be?" asks Holly Marshall, business development manager, UK Financial Services, Unisys.

"A balance of responsibility is needed between banks and consumers. Banks need to take a key role in educating consumers about these new guidelines to ensure they are fully aware of exactly what they are now liable for, but consumers need to take some responsibility too.

"Customers need to be proactive in learning about the guidelines and securing their personal computers to ensure all their dealings on the internet are protected adequately. Government and technology organisations have a role too - to advise and consult with banks on how best to implement and publicise the new provisions without degrading the customer experience."

Marshall has a valid point. Exactly how "policeable" is this new addition to the Banking Code going to be? Are banks going to go out and seize the computers of consumers that are victims of online fraud to check that their anti-virus and spyware is up to date, which is reportedly what banks in New Zealand have the power to do? It seems unlikely given the bad press and consumer backlash that they are likely to suffer as a result of doing just that.

"The technology required to check every single online banking customer's AV settings whilst available, would be expensive, invasive and in a way a piecemeal response to the problem of fraud," says Marshall. "Fraud doesn’t just come from unprotected computers. Insider fraud, bin raiding, and card skimming are equally as prevalent. How would the banks correctly attribute the instance of fraud with the correct cause?"

The new section within the Banking Code sounds like it has been added by lawyers as a safety net for banks that, let's face it, don't want to be paying out millions in consumer compensation. But it does reignite an interesting debate about responsibility for fraud. Instead of adopting an accusatory tone towards customers that are victims of fraud, banks need to work more closely with their customers on educating them about the potential risks, what to look out for, and how to make their online banking experiences safer.

At the same time, banks need to be more transparent about what levels of security they have deployed to protect online banking applications. They cannot expect consumers to be forthcoming about how well their desktop PC is protected if they are not willing to disclose the steps they have taken as well.

Posted by Anita Hawser