Monday, 23 June 2008

Identity checks made simple - but what does it mean for consumers?

We are all familiar with the identity checks that banks and other financial services providers deploy whenever we wish to open a bank account, apply for a loan or register with a financial advisor.

Many of these so-called 'checks' require the customer to send copies of personal documents (a utility bill, bank statements, a driving licence), the details of which could easily be stolen, copied or intercepted and used for fraud.

UK-based GB Group believes it has come up with the answer with its electronic identity verification service, eIDV, which enables financial advisors, accountants and solicitors to electronically check an individual's identity against a number of databases, including credit files, the electoral roll, telephone and sanctions data.

eIDV is based on GB Group's document checking technology, URU, which it jointly developed with British Telecom. URU not only validates utility bill and passport information, but also checks for alerts on Politically Exposed Persons and Bank of England sanctions lists.

Once a customer's details have been checked, the practitioner is presented with an instant pass, fail or refer result, based on a scoring methodology tailored to the type of practitioner using the eIDV web portal.

A good thing about the solution is that it enables practitioners to complete identity checks more easily without compromising the safety of valuable personal information, and to comply with increasingly stringent anti-money laundering regulations, all in one application.

However, it does highlight the 'Big Brother' culture that is growing up around fraud prevention. Much as a police officer can type your name into a computer and come up with a list of previous offences and convictions, as well as check that you are who you say you are, financial service providers and advisors now have similar capabilities.

The question is how judicious are these providers likely to be in their scoring of individuals, and how transparent is the scoring process in terms of informing a customer why they have failed the identity check or scored a 'refer'?

With "Spot the Fraudster" as the marketing slogan for URU, it reminds me of the UK TV Licensing adverts that claim to be able to track you down if you haven't paid your TV licence.

While eIDV may be great for financial advisors and other firms that need to validate a customer's identity and comply with onerous money laundering regulations, the question is what does it ultimately mean for the customer?

If their personal details are not stored on the databases eIDV checks, for whatever reason, does that necessarily mean they are not who they say they are?
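A sketch of how a pass/fail/refer scoring engine of this kind can be built so that it answers the question just posed. This is an added, constructed example, not GB Group's eIDV or URU; the data sources, field weights, thresholds and sample records are all assumptions. It scores independent corroborations from separate sources, never fails an applicant merely because no source holds a record (a thin file goes to 'refer'), reserves 'fail' for cases where records that were found contradict what the applicant stated, routes sanctions and PEP hits to a human, and returns the reasons alongside the result so the practitioner can tell the customer why they did not pass.

```python
"""Illustrative pass/fail/refer identity scoring (constructed example).

The data sources, field weights, thresholds and records below are assumptions
made for demonstration; they are not GB Group's eIDV/URU methodology.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed stand-ins for a credit file, the electoral roll, a telephone
# directory and sanctions / politically exposed persons (PEP) lists.
CREDIT_FILE = {
    "alice smith": {"dob": "1980-04-12", "postcode": "SW1A 1AA"},
    "bob jones": {"dob": "1975-09-30", "postcode": "M1 1AE"},
}
ELECTORAL_ROLL = {
    "alice smith": {"postcode": "SW1A 1AA"},
    "bob jones": {"postcode": "M1 1AE"},
}
TELEPHONE = {"alice smith": {"phone": "02079460000"}}
SANCTIONS = {"carol evil"}
PEP = {"bob jones"}

# (source name, table, fields that must agree with the applicant, weight)
SOURCES = [
    ("credit file", CREDIT_FILE, ("dob", "postcode"), 50),
    ("electoral roll", ELECTORAL_ROLL, ("postcode",), 30),
    ("telephone", TELEPHONE, ("phone",), 20),
]
PASS_THRESHOLD = 70  # enough independent corroboration to pass automatically
FAIL_THRESHOLD = 30  # below this, *and* with contradicting records, fail


@dataclass
class Applicant:
    name: str
    dob: str
    postcode: str
    phone: str


@dataclass
class Result:
    outcome: str  # "pass", "fail" or "refer"
    score: int
    reasons: List[str] = field(default_factory=list)


def _key(name: str) -> str:
    """Normalise a name for lookup (case and whitespace only, in this toy)."""
    return " ".join(name.lower().split())


def verify(a: Applicant) -> Result:
    key = _key(a.name)
    score, reasons = 0, []
    found = contradiction = False

    for src, table, fields, weight in SOURCES:
        rec = table.get(key)
        if rec is None:
            reasons.append(f"{src}: no record")
            continue
        found = True
        differing = [f for f in fields if rec[f] != getattr(a, f)]
        if differing:
            contradiction = True
            reasons.append(f"{src}: record found but {', '.join(differing)} differ")
        else:
            score += weight
            reasons.append(f"{src}: name and {', '.join(fields)} match (+{weight})")

    # Screening hits are never an automatic fail; a person must review them.
    if key in SANCTIONS:
        reasons.append("sanctions list hit: manual review required")
        return Result("refer", score, reasons)
    if key in PEP:
        reasons.append("PEP list hit: enhanced due diligence required")
        return Result("refer", score, reasons)

    # Absence of evidence is not evidence of fraud: a thin file is referred,
    # not failed, and the reasons tell the practitioner what was missing.
    if not found:
        reasons.append("no record in any source (thin file): refer, not fail")
        return Result("refer", score, reasons)
    if contradiction and score < FAIL_THRESHOLD:
        return Result("fail", score, reasons)
    if score >= PASS_THRESHOLD:
        return Result("pass", score, reasons)
    return Result("refer", score, reasons)


if __name__ == "__main__":
    for app in (
        Applicant("Alice Smith", "1980-04-12", "SW1A 1AA", "02079460000"),
        Applicant("Alice Smith", "1981-01-01", "E1 6AN", "02079460000"),
        Applicant("Dave Newcomer", "1990-01-01", "X1 1XX", ""),
    ):
        r = verify(app)
        print(app.name, r.outcome, r.score, "; ".join(r.reasons))
```

A real service would match names fuzzily and weight sources by their reliability; the design point here is that the reasons list is part of the result, so a 'refer' can be explained to the customer rather than simply asserted.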

Is rogue trading endemic?

Traditionally, most companies at the frontline of fighting fraud secured their 'perimeter fence' using firewalls, secure passwords and access tokens. All of these measures were largely designed to thwart an external threat or attack.

However, in recent years, the threat from within or from employees, be it accidental or malicious, is increasingly keeping company CEOs, risk managers and security experts awake at night. Recent rogue trading incidents only serve to remind companies, particularly banks, that often the greatest threat when it comes to fraud is from a 'trusted' employee.

French bank, Société Générale, made headlines earlier this year when fraudulent trades totaling $7.1 billion were racked up allegedly by a single trader. There have been other rogue trading scandals, most notably Nick Leeson and Barings Bank in 1995.

But incidents of rogue trading are not as isolated as company CEOs would like to think. Recently, Morgan Stanley announced that a London-based credit derivatives trader had cost it $120 million, and just last week the subprime mortgage crisis in the US resulted in two former Bear Stearns hedge fund managers being arrested on securities fraud charges.

According to anti-fraud and compliance vendor Actimize, there have now been five major (more than $100 million) rogue trading incidents reported in 2008. According to its Rogue Trading Peer Review, 50% of respondents estimated that thousands to millions of dollars of rogue trading activity goes unreported every year at their firms, and 24% said that they had experienced a case of trading fraud at their firms in the last year.

The reputational risk from such events appears to be such that financial services firms are not even reporting these incidents. That makes it difficult for fraud, risk and security experts to do their job properly if there is not recognition at boardroom level that internal fraud is occurring.

The threat from within is perhaps the greatest challenge the financial services industry faces, and combating it is not as straightforward as thwarting an external attack. No amount of firewalls and secure passwords can prevent a determined, bonus-hungry trader from overriding internal controls to perpetrate a fraud, nor will they prevent the rise of a corporate culture that tends to turn a blind eye to traders looking to boost their own and the company's profits by 'gambling' with investors' money.

One company I spoke to recently about internal fraud, pointed to multi-factor authentication as a means of combating it. They said users could set up a policy that says once a user has securely authenticated to a network, or once they launch a particular application, it may ask for another form of authentication such as a fingerprint or biometric. So in this example, a trader would need to swipe their fingerprint whenever a trade is conducted. Even if the trader was able to create “multiple accounts,” the fingerprint would provide an audit trail.
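One way to implement the kind of policy described above, as an added illustrative example rather than the product of the company the author spoke to. The action list, the 60-second freshness window, the hash-based stand-in for a biometric matcher and the sample sessions are all assumptions. The point it adds to the paragraph is that the audit record carries the identifier of the person who presented the fingerprint, not only the login account, so a trader who operates several accounts still appears as one subject in the log, and a query over the log surfaces that.

```python
"""Illustrative step-up authentication for trading actions, with an audit
trail keyed to the person who authenticated rather than the login account.

Constructed example: the policy, the stand-in biometric matcher and the
sample sessions are assumptions for demonstration, not any vendor's product.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Actions that need a fresh second factor (a fingerprint here) on top of the
# network login, and how recently it must have been presented.
STEP_UP_ACTIONS = {"execute_trade", "amend_trade", "cancel_trade"}
STEP_UP_MAX_AGE = 60  # seconds


def _subject_id(template: str) -> str:
    return "subj-" + hashlib.sha256(template.encode()).hexdigest()[:8]


# Stand-in biometric matcher: an enrolled template resolves to a stable
# subject identifier for the physical person. A real matcher compares
# templates; this toy just looks the string up.
ENROLLED = {t: _subject_id(t) for t in ("fp-template-alice", "fp-template-bob")}


def match_fingerprint(template: str) -> Optional[str]:
    return ENROLLED.get(template)


@dataclass
class AuditEntry:
    ts: int
    account: str
    subject: Optional[str]  # who physically authenticated, if anyone
    action: str
    outcome: str


@dataclass
class Session:
    account: str
    network_auth_ts: int
    step_up_subject: Optional[str] = None
    step_up_ts: Optional[int] = None


AUDIT: List[AuditEntry] = []


def authorize(session: Session, action: str, now: int,
              fingerprint: Optional[str] = None) -> bool:
    """Decide whether `action` may proceed; always write an audit record."""
    if fingerprint is not None:
        who = match_fingerprint(fingerprint)
        if who is None:
            AUDIT.append(AuditEntry(now, session.account, None, action,
                                    "denied: fingerprint not enrolled"))
            return False
        session.step_up_subject, session.step_up_ts = who, now

    fresh = (session.step_up_ts is not None
             and now - session.step_up_ts <= STEP_UP_MAX_AGE)
    subject = session.step_up_subject if fresh else None

    if action in STEP_UP_ACTIONS and not fresh:
        AUDIT.append(AuditEntry(now, session.account, None, action,
                                "denied: step-up required"))
        return False
    AUDIT.append(AuditEntry(now, session.account, subject, action, "allowed"))
    return True


def accounts_per_subject(log: List[AuditEntry]) -> Dict[str, Set[str]]:
    """Map each physical person to the accounts they traded from."""
    out: Dict[str, Set[str]] = {}
    for e in log:
        if e.action in STEP_UP_ACTIONS and e.outcome == "allowed":
            out.setdefault(e.subject, set()).add(e.account)
    return out


def shared_subjects(log: List[AuditEntry]) -> Dict[str, Set[str]]:
    """People who traded from more than one account: the 'multiple accounts' case."""
    return {s: accs for s, accs in accounts_per_subject(log).items() if len(accs) > 1}


def demo() -> Tuple[List[bool], Dict[str, Set[str]]]:
    AUDIT.clear()
    s1 = Session("trader1", network_auth_ts=0)
    results = [
        authorize(s1, "view_positions", now=5),   # no step-up needed
        authorize(s1, "execute_trade", now=10),   # denied: no fingerprint yet
        authorize(s1, "execute_trade", now=11, fingerprint="fp-template-alice"),
        authorize(s1, "execute_trade", now=40),   # still inside the 60 s window
        authorize(s1, "execute_trade", now=200),  # window expired: denied
    ]
    # The same person trades from a second account: the audit trail ties both
    # accounts to one subject even though the logins differ.
    s2 = Session("trader1_shadow", network_auth_ts=100)
    results.append(authorize(s2, "execute_trade", now=210, fingerprint="fp-template-alice"))
    return results, shared_subjects(AUDIT)


if __name__ == "__main__":
    outcomes, shared = demo()
    print(outcomes, shared)
```

The freshness window is what keeps this from being a one-off login check: a trader who authenticated with a fingerprint an hour ago is asked again before the next trade, and every denial is itself logged, so a pattern of repeated attempts without a second factor is visible to the risk team.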

That may be one way of combating rogue trading, but the question is how far companies can go in implementing effective anti-fraud measures without making it more difficult, time-consuming or onerous for employees or traders to perform legitimate business activities. It is a delicate balance to strike.
Posted by Anita Hawser

Saturday, 14 June 2008

Who should be liable for online fraud?

With a UK Parliamentary Report on Personal Internet Security released last August lambasting banks and ISPs for not doing enough to protect consumers from online fraud, it appears that banks are shirking their responsibilities when it comes to compensating victims of fraud.

According to an article in The Guardian newspaper, a minor amendment to the Banking Code introduced in March provides a loophole for banks to refuse compensation to victims of fraud if the anti-virus software on their computer is not up to date. The Guardian reports that the 2005 Banking Code contains a section (12.9), which advises customers to use "up-to-date antivirus and spyware and a personal firewall".

However, a new section (12.13) has since been added, which reportedly states that, "Unless you [the customer] have acted fraudulently or without reasonable care, you will not be liable for losses caused by someone else which take place through your online banking service." Security experts have interpreted this to mean that banks will be able to shift liability for online fraud to the consumer whenever they can argue that an out-of-date PC amounts to a lack of reasonable care.

"The new provisions to the Banking Code, which mean that banks may now pass responsibility for card fraud to affected customers if they don't have AV software or firewalls, raise an interesting debate - should banks be able to transfer liability so easily, and how policeable will this be?" asks Holly Marshall, business development manager, UK Financial Services, Unisys.

"A balance of responsibility is needed between banks and consumers. Banks need to take a key role in educating consumers about these new guidelines to ensure they are fully aware of exactly what they are now liable for, but consumers need to take some responsibility too.

"Customers need to be proactive in learning about the guidelines and securing their personal computers to ensure all their dealings on the internet are protected adequately. Government and technology organisations have a role too - to advise and consult with banks on how best to implement and publicise the new provisions without degrading the customer experience."

Marshall has a valid point. Exactly how "policeable" is this new addition to the Banking Code going to be? Are banks going to go out and seize the computers of consumers who are victims of online fraud to check that their anti-virus and anti-spyware software is up to date, which is reportedly what banks in New Zealand have the power to do? It seems unlikely, given the bad press and consumer backlash they would suffer as a result of doing just that.

"The technology required to check every single online banking customer's AV settings, whilst available, would be expensive, invasive and in a way a piecemeal response to the problem of fraud," says Marshall. "Fraud doesn't just come from unprotected computers. Insider fraud, bin raiding and card skimming are equally prevalent. How would the banks correctly attribute the instance of fraud to the correct cause?"

The new section within the Banking Code sounds like it has been added by lawyers as a safety net for banks that, let's face it, don't want to be paying out millions in consumer compensation. But it does reignite an interesting debate about responsibility for fraud. Instead of adopting an accusatory tone towards customers that are victims of fraud, banks need to work more closely with their customers on educating them about the potential risks, what to look out for, and how to make their online banking experiences safer.

At the same time, banks need to be more transparent about what levels of security they have deployed to protect online banking applications. They cannot expect consumers to be forthcoming about how well their desktop PC is protected if they are not willing to disclose steps they have taken as well.
Posted by Anita Hawser