Wednesday, 24 September 2008

Fraud not on the agenda at banking conference

Posted by Anita Hawser

As investment banks and mortgage providers were dropping like flies last week as the credit crunch increased the pace of market consolidation, I was attending one of the world's largest international banking conferences, Sibos, in Vienna.

Hosted by SWIFT, the Society for Worldwide Interbank Financial Telecommunication, Sibos 2008 attracted approximately 8,000 bankers; however, some conference speakers dropped out at the last minute as investment banks and mortgage lenders fell victim to market speculation and takeovers.

SWIFT, as you may or may not know, is a bank-owned messaging network, which prides itself on never being hacked into or compromised by an external or internal threat. However, it did get into hot water a couple of years back with data privacy zealots when it allowed US intelligence agencies to look at messages being sent on its network as part of the US government's efforts to combat terrorism and money laundering.

While I can understand that banks probably have a lot more on their minds in today's difficult climate than combating fraud, I was surprised to see that identity fraud and banking fraud in general were not featured on the Sibos conference agenda.

Fraud only appeared to be up for discussion on the exhibition floor where a handful of dedicated information security vendors (SafeNet, NetEconomy) and AML solution providers were exhibiting their anti-fraud technologies and strategies.

"There is a lot of interest from banks around service-oriented architectures and designing security in from the get go rather than an afterthought," said Rene Bastien, product manager, payment products, SafeNet. Bastien says Basel II is also forcing banks to address operational risk.

SafeNet says that the current business climate is good for security vendors as it is forcing banks who were "caught with their pants down" to address their risk management and operational practices. And it seems security vendors are trying to make it easier for banks to embed security natively within applications using common standards such as XML, which means application developers do not need to be "cryptographic geeks" in order to understand security.

Of course, banks en masse don't like to talk about fraud, particularly in this climate where banking failures in general are dominating newspaper headlines. Yet, fraud is an area banks cannot afford to ignore, not only because of the hefty fines likely to be imposed by regulators, but also the reputational risk and the impact on banks' balance sheets.

According to a survey conducted by Kroll on behalf of the Economist Intelligence Unit, financial services providers lost an average of $12.9 million to fraud in the last three years, although this figure is probably higher if one takes into account the reputational costs and the costs of fraud that banks are not even aware of or that remain undetected.

Kroll says the most common types of fraud financial service providers are exposed to include: regulatory or compliance breach (35%), financial mismanagement (29%), theft of physical assets or stock (27%), management conflict of interest (25%), information theft, loss or attack (24%) and internal financial fraud or theft (24%).

While it is difficult to put a precise figure on the reputational costs and brand damage caused by fraud, research by security software vendor, Symantec, suggests that consumers take a dim view of companies that do not do enough to protect their private data. Approximately 90% of consumers surveyed by Symantec stated that "reckless or repeated" data breaches should be punishable by imprisonment.

Seventy-six percent of companies polled by Symantec expected to lose customers if a data loss or breach occurred and 50% expected customer loyalty to fall off immediately. “These statistics are very concerning for business, particularly in the current unstable market conditions,” said John Brigden, senior vice president for Europe, the Middle East and Africa at Symantec. “Not only do they risk losing large numbers of customers following an incident of data loss, but almost 60% of companies said it would be a lot harder to attract new customers once the reputation had been tarnished.”

Fraud is so pervasive now that it is not just something CTOs or chief risk officers need to be concerned about. CFOs and CEOs should also be more attuned to the impact of fraud on their businesses.

"We expect to see fraud increase as conditions become tougher for business and the full impact of the credit crunch unfolds. Financial services companies need to focus their efforts, especially against regulatory and compliance breaches as the loss involved is far too much to justify," says Blake Coppotelli, senior managing director in Kroll's business intelligence and investigations division.

It is no longer acceptable for banking CEOs to say they do not understand the instruments their investment banking divisions are trading, nor should it be excusable for them to say they are not aware of the impact fraud is having on their business.

Saturday, 13 September 2008

Browder unable to return to Russia

Posted by Nick Kochan

The Russian lawyers for the Hermitage fund management company have been raided and key documents removed, Bill Browder, chairman of Hermitage Capital, alleges. He claims that these documents have been used to steal the firm’s identity to perpetrate two frauds against it.

The first fraud, Hermitage alleges, involved obtaining court orders against the firm to perpetrate a massive theft. However, the alleged thieves found that the kitty was bare as Browder had sold out its Russian investments.

The thieves took another tack. Browder purports that they used the claims against the company in a book-keeping exercise to offset Hermitage profits. This allowed them to claim back the corporation tax Hermitage had paid in 2006. This amounted to $230 million. The Russian Tax Ministry believed the crooks’ tale, and paid it back, Hermitage claims.

Now Browder needs to protect his Russian companies and lawyers, who he claims were raided and physically attacked. “They have raided and are trying to arrest the lawyers who are fighting the liquidation of the Russian companies. We filed a criminal complaint at the end of July,” he says.

Browder claims the Russian law enforcement and legal system has been incompetent at best. “We tipped off the law enforcement community in Russia. We filed [complaints] about the fraud and fake claims. It gave the police three weeks to freeze the companies’ accounts to make sure the tax crime never got committed. But they didn’t act.”

The alleged attack on Hermitage has persuaded Browder to revise his trenchant views on Russia’s Prime Minister and former President Vladimir Putin. “Between 2002 and 2004, Putin was fighting with the same guys who were stealing money from me. The oligarchs were stealing power from him and they were stealing money from me as a shareholder. When I complained to the government about the oligarchs stealing money, they responded favourably and cracked down on the stealing. How could I not think that was a good thing?”

Browder has equally revised his views of the oligarchs, whom he criticised for their mistreatment of shareholders. “I was critical of Mikhail Khodorkovsky (he was convicted for fraud and tax evasion and received an eight-year sentence) because he mistreated minority shareholders when he controlled Yukos and we were a shareholder in his subsidiaries. I now have huge sympathy for him. I think he has had a bum deal. He has paid any dues he could ever possibly pay for anything that he did to us as minority shareholders a long time ago.”

Browder has little hope of returning to Russia, where he is the subject of an arrest warrant. He now travels regularly to the Gulf region to manage an investment portfolio of some $2.8 billion. “It is an absolute delight to do business outside Russia. The UAE is my favourite location for doing business today,” he says.

End of part three

Friday, 12 September 2008

Hermitage cries foul in Russia

Posted by Nick Kochan

Bill Browder, the boss of Hermitage Capital, had his visa to enter Russia refused. He claims Hermitage was persecuted as part of an alleged scam to defraud the Russian Tax Ministry of $230 million.

Browder claims that Hermitage’s lawyers were raided by police from the Russian Interior Ministry. He alleges that their computers, servers and files containing information were removed. The homes of other lawyers also working for Hermitage were raided at around the same time, he claims.

Browder alleged that one of the lawyers was seriously beaten and hospitalised for two weeks. “It wasn’t good to be a lawyer for us at that time,” he says. “All four of our law firms were raided again by the police. They invited all of the lawyers for questioning as witnesses.”

Hermitage alleges that these raids gave members of the Interior Ministry the means to steal its identity. So when a company unknown to Browder said that Hermitage had reneged on a sale of Gazprom shares and owed millions, Browder said he was helpless to resist it. Using the lawyers’ documents, Hermitage alleges that people from the Interior Ministry removed the legitimate managers and replaced them with their own cronies.

Hermitage alleges that liabilities were created by this scam to extract from the Russian Government $230 million worth of tax paid a year earlier by Hermitage. Browder claims that the scam’s perpetrators created “fake losses” exactly equal to that to create a new net profit of zero. “We paid $230 million of taxes and they filed amended tax returns and asked for the money back,” he said. Browder claims that the $230 million has been pocketed by the crooks.

The scam has yet to run its course. Browder says a package, packed with sensitive documents, was sent by DHL from London to the offices of Hermitage’s Moscow lawyers. The return address on the back of the envelope was given as Hermitage’s offices in Soho and the name attached to the address had been made up.

According to Browder, an investigation of the name found that it belonged to someone whose passport had been stolen. “We didn’t send the package,” he claims. “Two Eastern European-looking gentlemen paid cash to DHL at the Lambeth depot. We have them on closed-circuit television.”

Two hours after the package arrived at the lawyer’s office, Browder claims Russian police raided it and took away the package. Mere coincidence? Not so, alleges Browder, for whom this was merely another piece of evidence that he was targeted by a well-organised gang. “The obvious intention,” Browder claims, “is to create a trail from us to our lawyers. This stuff was going to be used to blame us and our lawyers.”

End of part two

Thursday, 11 September 2008

Russian Mafia exposed - The Browder Story

Posted by Nick Kochan

This is the first in a three-part series on Bill Browder, the multi-millionaire chairman of Hermitage Capital who quit Russia following allegations of fraud at the highest levels.

The deeds of the Russian mafia may be murky, but they rarely get exposure. The members of organised crime are often hidden behind political and judicial structures. However, those that have done business in Russia are no longer shocked. They have seen it all, they claim. One such man is Bill Browder, the multi-millionaire chairman of Hermitage Capital. His $4 billion portfolio of Russian stocks made him the largest foreign investor in the country.

Now that he has quit Russia, he presents a document which he alleges shows the involvement of “a group of criminals at a reasonably high level in the Russian government” in the theft of $230 million from the Russian Tax Ministry. The document is entitled, Persecution of Hermitage in Russia in order to steal $230 million from the Russian People.

Browder is on a mission to cleanse Russia of its criminal class. He speaks with a zeal rarely found among financiers. He cannot overstate the “dire state” of business practices and ethics in Russia. “It is bent at every turn,” he claims. The alleged scam confirms Browder’s view that business conditions in Russia have retreated to the state he found them in when he set up his firm in Russia in 1992, with the assistance of money from the banker, Edmond Safra.

The key to Browder’s success was attacking Russian companies with poor corporate governance and seeing their stock prices rise as they improved their management and ethics. According to Browder, this approach upset senior members of the country’s political and economic elite and in 2005, his entry visa was withdrawn.

He mounted a crusade at the highest levels to re-instate his visa, even approaching Dmitry Medvedev, the man destined to be the president of Russia, at Davos last year. “I saw him tucking in to his dessert,” said Browder. “He was sitting on his own. I saw this as an interesting opportunity to have a chat with him and so I went to talk to him. He stood up. We knew each other. I know him, we have worked with him because he was the chairman of Gazprom and we were always very active in Gazprom. I asked him if he could get my visa reinstated. He knew all about me. He said yes, he would help me. He asked me for a copy of the visa application, which I got my office to produce.”

A month after the Medvedev meeting, Browder claims that his office in London received a call from a lieutenant colonel of the Interior Ministry, which it construed as a request for a bribe. Hermitage have a recording of the conversation.

According to Hermitage’s report, the lieutenant colonel asked if he could meet Browder. Hermitage’s report alleges the lieutenant colonel said, ‘The sooner we meet and you provide what is necessary, the sooner your problems will disappear.’ Browder says that the company receives requests like this every day. “People try and shake you down in every different place in Russia. We ignored it. This was the one case out of a hundred when something happened.”

End of part one

Tuesday, 9 September 2008

An 'inside' job

Posted by Anita Hawser

It's official. As we have all suspected for some time, the "external bogeyman" is not the biggest fraud threat companies face. It is internal fraud, which is resulting in the largest losses, says the Association of Certified Fraud Examiners (ACFE).

Research company, Financial Insights, highlights some interesting findings from a 2004 ACFE study which found that more than 80% of internal fraud cases were committed not by "career criminals" but by first-time offenders. No surprises then, given recent incidents at banks like Société Générale, and a host of others, that subsequent ACFE studies have found that banks are the biggest victims of internal fraud.

According to ACFE’s 2008 Report to the Nation on Occupational Fraud & Abuse, the internal rate of fraud loss has increased to 7% of annual turnover for all companies. FinInsights cites two examples of internal fraud: SME Bank in Thailand, which included 27 loan cases involving fraud and corruption; and the rogue trading incident at Société Générale where more than 1,000 fraudulent transactions, dating back to 2004, were concealed.

The fact that these transactions at both banks bypassed internal controls and procedures not only suggests that internal fraud controls are inadequate, but also that firms have spent far too much time safeguarding the enterprise from the "external bogeyman" and not from Joe Bloggs in accounts.

FinInsights then went on to outline some best practices in internal fraud control:

  • Establishing controls that reduce the opportunity for unauthorised use of organisational resources (firewalls, email scanning, ID access - most banks already have these)

  • Providing sufficient employee monitoring, segregating duties for operational processes, and regularly rotating staff in key positions

  • Thorough recruitment screening and educating employees about the legal repercussions of being involved in illegal activities to act as a deterrent (not so sure about this one as in the case of traders, it is known that they are not out to make money for themselves necessarily but for their company. Are they the kind of people investment banks want to screen out?)

  • Automated detection systems and advanced analytic technologies that look for suspicious behavior and anomalous patterns (problem with this is that technology can only do so much. If no one responds to the alerts, the technology is useless)

  • Financial institutions need to define and understand the layout of internal data and the business process data flows in order to determine the necessary sources of and data feeds for fraud solutions (highly complex given that data and business processes tend to be 'siloed' within most banks)

  • Educating both employees and upper management on security

  • Establish accountability and ownership for lax security procedures

  • Reprimand staff for breaking or failing to follow security protocol, even minor violations

  • Providing confidential and easy-to-use channels of communication for whistle blowers

So in other words, fighting internal fraud is not easy. It is not simply a case of putting up a perimeter fence and installing software that recognises unusual behaviour patterns. That is only the tip of the iceberg, and in the end educating people is likely to be more effective than a piece of technology on its own.

Tuesday, 2 September 2008

The UK’s credit card crisis

Posted by Nick Kochan

In the week that the Royal Bank of Scotland and NatWest have accepted that a computer sold on eBay has exposed the data of one million customers to possible abuse, a spokesman for the Government’s new National Strategic Fraud Authority, set to be launched on 1 October, says credit card and banking fraud will be a prime target.

Spokesman Adam Morris says the Agency is in discussions with representatives of UK banks and payment companies about the UK’s deteriorating position as a haven for credit card fraud. Morris says, ‘There are many agencies targeting fraud, but the Fraud Review found they were not always working together. We are targeting the symptoms of fraud and aim to bring banks and other stakeholders together.’

UK credit card fraud is at record levels due to abuse of the internet, says the banking industry body, APACS. Annual plastic card losses in 2007 amounted to £535.2m. This compares with £428m in 2006.

The majority of this -- £290.5m -- was incurred by those buying goods on the internet. ‘Card-not-present’ fraud increased by almost £80m on the previous year. As money has been poured into chip-and-pin to deal with lost and stolen cards -- down from £68.5m in 2006 to £56.2m in 2007 -- counterfeit theft and internet abuse of cards has risen sharply.

Metropolitan and City Police forces, fighting card fraud through the Dedicated Cheque and Plastic Crime Unit (a joint public/private sector agency), face an uphill struggle, say industry observers.

Thieves keep several steps ahead of the industry and the police, says Amir Orad, executive vice president of Actimize, the banking consultancy. "Credit card fraud is growing and changing its form to respond to the growing efforts of those who seek to curb it. The crooks are a long way ahead of the institutions cracking down on it."

Leaky credit card systems in retailers presented thieves with their latest juicy target. A group of 11 worked together to break into the systems of US retailer TJX Companies. TJX owns the popular cut-price UK retailer TJ Maxx and the company has admitted that some of the 41 million credit card numbers hacked from retailers belonged to UK and Irish customers.

The 11 were allegedly engaged in ‘war-driving’, the concept of data-theft via wireless networks. The thieves had apparently gone cruising through different areas with a laptop looking for accessible wireless signals. They then installed ‘sniffer’ programs that captured credit and debit card numbers as they moved through the retailers’ processing networks. The information was stored on the thieves’ processors in Latvia and Ukraine.

The US Attorney General, Michael Mukasey, said, "They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves."

Organised gangs perpetrate credit card fraud, says Paul Ravenscroft, a spokesman for Visa. "Law enforcement tells us that some of the perpetrators of large scale payment card fraud are gangs that utilise the skills of technically sophisticated individuals. As we introduce new fraud countermeasures such criminals will migrate their attacks to other parts of the system."

The godfather in a credit card gang is the guy who understands the technology, says Kevin O’Leary, the chief executive officer at Norkom, a Dublin-based consultancy. "At the top is a group of technicians who provide the intellectual property of how to get at the data that you are going to need to perpetrate a fraud. They must understand how the point of sale server computer architecture works.

"People who commit the technical aspect of the crime need to be several degrees removed from the people who perpetrate the crime at the end of the chain. They do not think of themselves as criminals in the true sense." Smart con men occupy the gang’s second tier. O’Leary says that they go into the grocery store to install the rogue equipment and need to be brazen. "They risk criminal prosecution, if they are found and apprehended."

Street level functionaries "exchange data with other gangs and recruit hundreds of people to use fake cards to walk up to cash machines and make withdrawals. These are people at the bottom of the food chain." O’Leary warns companies to beware of insiders who obtain techniques from their employers to defraud them.

Banks do not sufficiently understand this threat, says David Porter, head of security and risk at Detica, the security consultancy. "Insider fraud has been under-addressed by the bank security community.

"Not all credit card fraud is perpetrated by external bogeyman. There are some highly effective technologies for spotting the unusual outlier in a community of employees who may be embezzling money or confidential data. Organisations need to tackle this problem area rather than sweep it under the carpet."

Banks and retailers need to completely review anti-fraud policies in the light of the burgeoning credit card fraud, says David Hobson, the managing director of Global Secure Systems. "Methods to counter data leakage are slowly coming together. Many banks still do this piecemeal. They are considering a single part of the issue rather than the whole issue."

O’Leary says banks have been slow to act. "Fixed-point solutions like credit card scoring and credit card detection technology on credit card transactions only work up to a point. They give you a fairly limited intelligence to understand what’s going on. Banks need to join all these things up and look at them in a unified fashion."

Fraudsters leave tracks across an organisation, says Orad. "Patterns of banking activity, like cheques, ATM machines and online banking are used to catch credit card fraud in particular and enterprise fraud in general."

Credit card payment companies like Visa and MasterCard have brought in new technology to attack credit card fraud. Customers tap in extra pieces of secure data, in addition to the PIN, when making a credit card purchase at a retailer.

APACS spokesman Mark Bowerman attacks retailers for failing to install the system to allow the customer to make the check. "Take-up has been slow but is now increasing. The vast majority of people need to use it and the vast majority of merchants need to use it. It is a competitive issue. It is up to them whether they decide to implement it in their business."

Merchants are the weak point in the credit card chain, says Hobson. "Credit card details are lost at merchants where there is not the same understanding of risk. They are actually custodians of the customer’s data. If a merchant processing millions or billions of pounds says it doesn’t want to bring in the new secure systems, will any credit card company really refuse their business? Unlikely, as they take a business decision to take a risk!"

Anti-fraud technology based on Chip and PIN is lagging criminal techniques, says Porter. "There's been a lot of focus on Chip-and-PIN, but this is only half the solution since it's a preventative measure. We also need advances in the way we detect criminals who inevitably overcome these preventative measures.

"Banks and credit card processors have invested in automated detection systems based on behavioural modeling: learn how a fraudster does his tricks and then go looking for similar patterns. Fraudsters are getting wise to this method of detection. These legacy detection systems are unable to identify fragmented schemes where each entity or activity alone is too small to appear 'on the radar'."

Fraudsters are pouring resources into attacking credit card data. They have set their sights on opening up and benefiting from leaky systems and security glitches. Banks are in the firing line, but customers need to demand tighter controls at every link in the credit card chain if fraud is to be reduced, and costs to the user of the credit card on the high street reduced.