Thursday, 23 July 2009

"Double-jeopardy" threat for banks

A regulatory partner at a London law firm has labeled the £3.2 million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch," said Davies.

Given the public backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.
"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

Wednesday, 22 July 2009

HSBC businesses fail to protect customer information

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers went missing. HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidents in 2007 and 2008 regarding three of its businesses: Life UK, Actuaries & Consultants and Insurance Brokers.

Citywire reports that back in 2007 HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers, of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.
Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough? Despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remain a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Friday, 10 July 2009

Firms fail to comply with data protection standards

In the fight against fraud, so much emphasis is placed on monitoring individual transactions that firms often forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen; however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.

Wednesday, 24 June 2009

Government stimulus money vulnerable to fraudsters

Governments have ploughed billions of dollars into stimulus packages to breathe new life into flagging economies; however, they could be handing fraudsters an "unintentional" meal ticket, according to the latest Kroll Global Fraud Report.

Of the $5 trillion in stimulus funding various governments have doled out, Kroll estimates that as much as $500 billion could be lost to fraudsters as the investment amount and the highly complex procurement processes involved mean these kinds of "big-budget capital projects" are often targets for corruption. 

"The unprecedented amount of financial support that governments have pledged to help stabilise their economies leaves the door wide open to fraudsters," said Richard Abbey, managing director, Kroll's Financial Investigations practice. "It's a once-in-a-generation opportunity for those engaging in corrupt practices to cut themselves a large slice of the pie and it's important that governments and businesses alike are aware of the risk and are prepared to counteract them."
Kroll says focusing on the "middlemen" who are entrusted with large sums of money is essential if this type of crime is to be prevented. That means procurement processes need to be highly transparent. Resources must also be made available to "root out" corruption and Kroll advises that salaries should be appropriate to discourage employees from committing fraud. 

So can we be sure that government stimulus and taxpayers' money has ended up in the right hands? And will the processes around how this money is assigned and spent be transparent to the public?

Tuesday, 16 June 2009

FBI knew of Stanford, according to Vanity Fair

According to Vanity Fair magazine, Sir Allen Stanford, who the SEC alleges ran a Ponzi scheme, was on the FBI's radar for a number of years since he was investigated for money laundering back in 1989.

The article in the July issue of Vanity Fair quotes a former FBI agent who claims that there was a series of interagency investigations into Stanford, but none of them resulted in any legal action.

The article also claims that there were various "red flags" within Stanford International including a 70-year-old compliance officer.

Wednesday, 10 June 2009

First-party fraud largely goes unreported

Losses from first-party credit card fraud are bigger than those from third-party fraud, and although it represents 10% to 20% of bad debt, first-party fraud often goes unreported.

First-party fraud is a new threat to the banking industry and is more difficult to detect than third-party fraud as banks often write it off as bad debt, when in fact fraudsters have given inaccurate financial and personal details in order to obtain a credit card or loan without ever intending to pay it off.

At a recent webinar held by analyst firm Lafferty Group, Martin Warwick, principal consultant, solutions management, at decision-management software vendor, FICO, said first-party fraud is different from third-party fraud in that the account for a loan or credit card is set up using a "synthetic" or false identity. The application also contains false or "misrepresented" financial information. Banks continue to write it off as bad debt, he says, because of challenges around proving intent.

Warwick says first-party card fraud can be detected during the application process and the "transactional life" of the account. Things to look out for are:

  • First payment defaults on cards
  • Cases where the customer is massively over their credit limit
  • Customer ends up as a no trace
  • Or if less than 5% of the loan is repaid.
Stand-alone scorecards and customer profiling applications can be used at the time of applying for a card or loan to detect whether an individual is likely to commit first-party fraud. However, Warwick says a holistic approach needs to be taken as first-party fraud can start with current accounts and quickly spread to other banking accounts and channels such as loans, mortgages and insurance. Both qualitative and quantitative measures need to be used to distinguish first-party fraud from bad debt.

Friday, 5 June 2009

SEC on the war path?

When the tide goes out, it is amazing what you can find washed up on the beach. The latest jetsam to be found on US shores is Countrywide Financial's former chief executive officer, Angelo R. Mozilo, who has been charged by the Securities & Exchange Commission (SEC) with securities fraud and insider trading.

Countrywide Financial, a mortgage provider in the US, was one of the victims of the recent credit crisis and was eventually bought by Bank of America. The Federal Bureau of Investigation has launched investigations into the collapse of a number of high profile credit crunch victims including AIG, Lehman's and Fannie Mae and Freddie Mac.

Focusing on cases it says are at the "root of the financial crisis", the SEC alleges that Mozilo misled investors about its "high-risk" lending practices, and claims he described Countrywide's loan products as "toxic" and "poison". The SEC is also querying profits Mozilo earned on selling shares in Countrywide.

Lawyers believe this is the first of many such suits the SEC is likely to bring in the wake of the financial crisis as it looks to restore its reputation which was tarnished by its failure to uncover the Bernard Madoff Ponzi scheme.

Wednesday, 3 June 2009

Bank sues auditor over losses resulting from card data breach

An interesting test case involving a US bank suing an auditor, which it claims was negligent in certifying a payment processing company, is believed to be the first case of its kind and could set a precedent for other cases to follow.

Merchant acquiring bank, Merrick Bank, based in Utah is suing auditor, Savvis Inc., claiming that it lost $16 million as a result of fraud, fines and other costs related to a 2004 data breach at payments processing provider, CardSystems, which resulted in hackers stealing 263,000 card numbers.

Merrick says its losses stemmed from having to pay Visa and MasterCard to reimburse their issuers for the breach-related fraud, as well as other costs including legal fees. Prior to the data breach, Savvis had carried out an audit of CardSystems. Merchant Bank now claims that report was "false and misleading" and that Savvis "failed to use reasonable care and competence in representing that CardSystems was CISP-compliant when in fact it was not."

The Cardholder Information Security Program (CISP) preceded the PCI-DSS standard for securely storing card data. One of the basic requirements of card data security is that the data should be encrypted.

Thursday, 28 May 2009

A new form of credit card fraud

Chip and PIN, Visa and MasterCard SecureCode, and PCI-DSS for the safe storage of customer credit card data are just some of the tactics deployed in the ongoing battle against credit card fraud.

All of these measures have had mixed success, and while they may have helped reduce card-present fraud, card-not-present fraud is on the increase, particularly in online shopping and cross-border transactions.

A new form of credit card fraud called "first-party fraud" is also emerging and experts say it could cost banks and other card issuers up to $21 billion in losses this year. Instead of fraudsters stealing customer credit card details or trading credit card numbers in underground communities, "first-party fraud" involves people using false income and financial declarations to apply for a credit card, which they intend to use and never repay.

Banks typically treat these applications as bad debts and only discover much further down the line that instead they may be dealing with fraud. Lafferty Group estimates that "first-party fraud" losses this year were $15 billion for the US, $2.5 billion for Asia-Pacific, and $2.2 billion for Western Europe.

Increased focus on AML as banks look to recoup losses

Financial crime is likely to dominate banks' IT spending in the months to come, experts say, as banks look to recoup millions lost to fraud every year.

I was at an event recently held by business process management vendor, Pegasystems, on the topic of financial crime and the message from most speakers at the event was that financial crime and anti-money laundering (AML) had moved up the banking agenda. According to Daniel Mayo of analyst firm, Datamonitor, 37% of banks expect anti-money laundering (AML) will drive IT project spending in 2009.

Yet, questions remain about the effectiveness of AML in detecting terrorist financing and the quality of Suspicious Activity Reports generated by banks pertaining to proceeds from crime, including fraud, AML and terror financing.

Like it or not, banks are at the coalface of fighting fraud and while the Serious Fraud Office in the UK says it is going to rely more on market intelligence and whistle blowers to unearth fraud, a lot of the onus for detection of fraud is still on the banks.
Reetu Khosla, director of financial crime solutions at Pegasystems, says the regulators want to see banks take a more enterprise-wide, multiple-siloed view of fraud across all lines of business. "Regulators are saying not only should firms be looking at fraud, anti-money laundering and KYC, they should also be looking at these aspects across all lines of business," says Khosla. Banks will also need to be able to gather information from disparate systems and analyse it in such a way that links can be made between seemingly unrelated events.
Banks attending Pega's breakfast briefing on financial crime were interested in learning whether banks could follow the example of the insurance industry which has collaborated on setting up a database enabling insurers to share claim information. The database has helped insurers successfully reduce fraud. However, banks sharing customer information may open up a can of worms in terms of data privacy issues, and banks still see financial crime as a competitive issue, particularly in terms of how long it takes them to resolve alerts and transactions held up by false positives.

False positives remain a major issue for banks, given that banks are required to demonstrate sufficient due diligence around investigating alerts. "When it comes to financial crime alerts, most firms are faced with a high volume of false positives and a low volume of true hits," says Khosla. "However, the regulators point out that the risk of not evaluating each alert at some level is extremely high."

Friday, 22 May 2009

Regulators are taking fraud more seriously

The Financial Services Authority (FSA) appears to be upping the ante when it comes to insider trading by seeking to prosecute two City lawyers who are accused of illegally trading shares based on non-public information.

A corporate partner of US law firm Dorsey & Whitney and a former partner at Will & Emery are both being prosecuted for trading shares related to the takeover of Neutec Pharma by Swiss conglomerate Novartis.

Police have also arrested two men over a suspected fund management fraud worth more than £50 million after the FSA earlier froze the operations of three firms - Business Consulting International, John Anderson Consulting and Kenneth Peacock Consulting - which are alleged to have mishandled millions in investors' money.

Criminal lawyers have also warned that the Serious Fraud Office is taking the issue of corporate bribery and corruption more seriously, and we understand that legislation is pending regarding the seizing of corporate assets in bribery and corruption cases.

Friday, 8 May 2009

Disrupting fraud as it happens

When the director of the UK's Serious Fraud Office (SFO), Richard Alderman, comes out all guns blazing saying that his office is becoming more proactive, intelligence-led and plans on making better use of powers at its disposal, one cannot help but think, shouldn't you have been doing that all along anyway?

Much of the burden for detecting, policing and enforcing anti-fraud measures has historically fallen on the shoulders of banks, other financial service providers and individual victims. But with the Securities & Exchange Commission (SEC) in the US and many other regulatory bodies and government agencies caught napping in the wake of the $50 billion Madoff scandal, they are eager to challenge the publicly held notion that they are essentially 'toothless tigers'.

At the Sweet & Maxwell conference on the changing face of fraud trials, Alderman stated that the SFO was moving towards becoming an "intelligence-led organisation", assessing where the fraud risks are during this economic downturn and working with other agencies to disrupt fraud as it happens. That means the SFO is going to have to capture reliable and sophisticated intelligence if it is to stop fraud before it even happens and I am curious to know how they are going to do that.
The SFO has extended an olive branch to so-called City whistle blowers and says it is going to look more closely at hedge funds, but is that going to be enough to uncover major frauds? Take the alleged Bernard Madoff Ponzi scheme for example. There were plenty of whistle blowers warning the SEC that something was amiss, but on the whole they chose to ignore this information or did not investigate it thoroughly.
"We intend to take full advantage of all the powers that are available to us and that have been neglected by the SFO over the past years, but we also need to consider what further powers we need to make the SFO a more efficient organisation," said Alderman. It begs the question: why has the SFO neglected to use its powers, and what has so fundamentally changed within the organisation that it is going to seize those powers now to keep fraudsters at bay?

Is this finally recognition that the powers that be are taking fraud more seriously, and that the onus for detecting, policing and preventing fraud no longer falls on banks and individuals but on intelligence-led policing? I'm not sure we can all breathe a collective sigh of relief just yet.

Thursday, 30 April 2009

Banks in the firing line for misleading investors

In the wake of the credit crunch a number of banks are in the firing line as investors allege that they were misled concerning the purchase of particular financial instruments or the true state of the bank's financial situation.

A class-action lawsuit was launched against the Royal Bank of Scotland (RBS) in the US earlier this year based on allegations that the bank misled investors by failing to disclose the damage caused by debt securities on its balance sheet, as well as the damage caused by the acquisition of ABN-AMRO, and its inadequate capital buffer to safeguard it against subprime losses.

RBS, which is now majority owned by UK taxpayers and suffered the biggest loss (in excess of £24 billion) in corporate history back in February, has been a high-profile victim of the subprime meltdown. But it is not the only bank in the firing line over misleading investors.

Italian police are also reported to have seized $630 million worth of assets belonging to Deutsche Bank, UBS, Depfa Bank and JP Morgan as part of an investigation into an alleged fraud against Milan's city authority.

The alleged fraud dates back to 2005 when Milan's city authority was sold derivatives contracts linked to a bond issue. According to the allegations the banks failed to adequately inform the authority of the risks linked to the derivatives and "falsely claimed" the authority would save money.

Losses for the authority are estimated to be in the region of €300 million, although it could be more. The banks, however, pocketed more than €100 million in "illicit profits", according to the allegations.

It will be interesting to see if the authorities can prove that the banks deliberately misled the city authority, as the lack of suitable reference data surrounding some derivatives contracts and the subsequent emergence of a less favourable interest rate environment, may make it difficult to establish whether the banks intentionally set out to defraud the authority.

Tuesday, 28 April 2009

Due diligence in a post-Madoff world

Following the exposure of the $50 billion Bernard Madoff Ponzi scheme, investors and fund managers are under increasing pressure to perform more rigorous due diligence of hedge funds. But is that easier said than done?

If you look at some of the facts surrounding the Madoff scheme (lack of clear separation of duties, an unregistered auditor and the promise of high returns), then it is clear that feeder funds and other investors in Madoff's scheme failed to perform sufficient due diligence. In fact it seems as if their only rationale for putting money into Madoff's fund was his previously untarnished reputation (he was a former Nasdaq chairman) and the spectre of high returns.

Corgentum Consulting, a hedge fund operational risk consultancy based in New Jersey, has some interesting insights into how the exposure of Madoff's $50 billion Ponzi scheme is likely to change the world of hedge fund due diligence.

"Successful operational risk management in the post-Madoff world will require hedge funds to walk a tightrope of continually boosting investor confidence in a fund's operational risk management capabilities, while not destroying any competitive advantages or informational edges through the dissemination of this information," says Corgentum.
Instead of outsourcing operational due diligence to "hedge fund allocators", Corgentum believes that investors will want to exert greater control over the process and that the scope and depth of operational issues covered in a due diligence review will be more exhaustive. The frequency of hedge fund reviews will also be increased, says Corgentum.

"No longer will it be sufficient for investors to rely on generic due diligence questionnaires or to be granted a meeting with a hedge fund’s senior operational professionals for a few hours once a year for an annual review," says Corgentum. "Investors will likely request much greater detail on a host of different operational issues ranging from legal and compliance issues, information technology, cash management and valuation."

The upshot of all this is that hedge funds' "already strained" resources are likely to come under further pressure, resulting in lower profit margins, says Corgentum. Only those funds that make the due diligence process run as smoothly as possible for investors are likely to attract capital.

But that does not account for the age-old problem of human greed - investors and fund managers are driven to seek high returns. So despite all this talk of more rigorous due diligence of hedge funds, will it still be easy for a Madoff-type character to pull the wool over investors' and fund managers' eyes purely by promising market-beating returns?

Friday, 24 April 2009

Cultural impediments to AML in Middle East

The UK's Independent newspaper was the first to report that ransom money paid to Somali pirates was being laundered via the Middle East. The newspaper quoted shipping industry investigators who claim that approximately $80 million (£56 million) had been paid out in the past year alone in ransom money to Somali pirates, with millions being laundered through bank accounts in the United Arab Emirates and other parts of the Middle East.

Dubai's deputy police commander general has since denied any involvement by the UAE saying it has strict anti-money laundering (AML) legislation that requires all transactions above 40,000 dirhams ($10,889) to be reported.

Yet, a common laundering technique is to split large sums of money up into smaller amounts so that it cannot be detected by AML controls. I also stumbled across an interesting article posted on the web by Hany Abou-El-Fotouh, director of Policy & Corporate Affairs at CI Capital, the investment banking arm of Egypt's Commercial International Bank (CIB).

He points to cultural factors, which he says make the strict enforcement of AML procedures in the Middle East difficult. Abou-El-Fotouh says that in some Middle Eastern countries setting up proper controls and strictly enforcing them in order to detect suspicious transactions or activities conflicts with customer relationships and cultural customs.

He says many Middle Eastern financial institutions are adopting corporate cultures that weaken AML and anti-terrorist financing efforts. "One of the biggest problems for AML initiatives in the Middle East is cultural customs that accept deference to customers and anonymity. Accounts lacking full identification details or with misleading information are not unusual in the region," he said.

Abou-El-Fotouh says Know Your Customer (KYC) requirements are lacking at many Middle Eastern financial institutions as customers may view banks' requests for additional information as intrusive or offensive. "For example, it can be difficult for a bank to refuse to enter into or to exit a relationship with a politically connected person," Abou-El-Fotouh explained. "Doing so could mean trouble for the staffer involved."
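
The splitting technique mentioned in this post is usually caught by adding up an account's unreported transactions over a rolling window instead of testing each one alone. The sketch below is an added example, not from the original post or any bank's system: the 40,000 dirham threshold is the figure quoted above, while the three-day window, the account names and the sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

REPORTING_THRESHOLD_AED = 40_000  # reporting threshold quoted in the post
WINDOW = timedelta(days=3)        # assumption: look-back period for aggregation


def find_structuring(transactions, threshold=REPORTING_THRESHOLD_AED, window=WINDOW):
    """Flag accounts whose unreported transactions add up to more than the
    reporting threshold inside a rolling time window.

    transactions: iterable of (account, datetime, amount) tuples.
    Returns a list of alert dicts, one per detected cluster.
    """
    per_account = defaultdict(list)
    for account, when, amount in transactions:
        # Amounts above the threshold are reported individually, so only
        # the ones that slip under it are candidates for structuring.
        if amount <= threshold:
            per_account[account].append((when, amount))

    alerts = []
    for account, txs in per_account.items():
        txs.sort()              # chronological order
        recent = deque()        # transactions currently inside the window
        running = 0
        for when, amount in txs:
            recent.append((when, amount))
            running += amount
            # Drop transactions that have aged out of the window.
            while when - recent[0][0] > window:
                running -= recent.popleft()[1]
            # At least two transactions that together exceed the threshold.
            if len(recent) >= 2 and running > threshold:
                alerts.append({
                    "account": account,
                    "start": recent[0][0],
                    "end": when,
                    "count": len(recent),
                    "total": running,
                })
                # Reset so one cluster raises one alert, not one per deposit.
                recent.clear()
                running = 0
    return alerts


# Constructed sample data (not real accounts or transactions).
SAMPLE_TRANSACTIONS = [
    # ACC-A: five deposits of 9,500 in under three days (47,500 in total)
    ("ACC-A", datetime(2009, 4, 20, 9, 0), 9_500),
    ("ACC-A", datetime(2009, 4, 20, 15, 0), 9_500),
    ("ACC-A", datetime(2009, 4, 21, 10, 0), 9_500),
    ("ACC-A", datetime(2009, 4, 21, 16, 0), 9_500),
    ("ACC-A", datetime(2009, 4, 22, 8, 30), 9_500),
    # ACC-B: two modest deposits a week apart
    ("ACC-B", datetime(2009, 4, 1, 11, 0), 12_000),
    ("ACC-B", datetime(2009, 4, 8, 11, 0), 12_000),
    # ACC-C: one large deposit, already reportable on its own
    ("ACC-C", datetime(2009, 4, 15, 14, 0), 55_000),
    # ACC-D: 45,000 in total, but spread over ten days
    ("ACC-D", datetime(2009, 4, 1, 9, 0), 15_000),
    ("ACC-D", datetime(2009, 4, 6, 9, 0), 15_000),
    ("ACC-D", datetime(2009, 4, 11, 9, 0), 15_000),
]

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_TRANSACTIONS):
        print(alert)
```

ACC-D shows the trade-off in the window length: a longer look-back catches slower splitting but produces more alerts for investigators to clear.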

Is mobile banking really secure?

With mobile banking transactions tipped to rise from 2.7 billion annually in 2007 to 37 billion by 2011, security experts are warning of the security risks associated with new mobile banking and payment channels.

Every time a bank opens up a new channel to customers, it presents new opportunities for fraudsters. Anti-fraud software provider, 41st Parameter, claims that users have good reason to be sceptical about the security of mobile banking transactions.

Ori Eisen, founder and chief innovation officer at 41st Parameter, says transactions between a mobile device and the bank are not as well-guarded as internet transactions as they only use basic identification and verification checkpoints.

According to Eisen, mobile banking systems are not able to determine whether a device accessing its mobile banking site is a mobile device, PC or laptop.

"Mobile banking touch points are easier to gain access to as they don’t have the security layers that internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or laptop, they are capable of infiltrating an unsuspecting bystander’s mobile banking account," writes Eisen in a white paper entitled: Mobile Banking - An Easy Target for fraud?

Eisen maintains that a multi-layered approach to security incorporating a firewall, password and encryption barriers and real-time tracking that identifies devices that were initially refused admission to a site and have changed their identity to try and gain access, is the best way of securing mobile banking transactions.

In addition to the information (credit credentials and personal identity) that is typically used to authenticate an individual, Eisen says Client Device Identification (CDI) goes beyond simple user names and passwords to detect suspect mobiles at device level. CDI can differentiate a device visiting a site regardless of the credentials presented or the IP address.

Monday, 20 April 2009

Insurers struggle to keep up with fraudsters

Last week, the Association of British Insurers (ABI) warned against the rise of insurance fraud in a recession and published figures demonstrating a 17% increase in insurance fraud from 2007 to 2008, with the total value of fraudulent claims (£730 million) rising by 30%.

Dishonest claims on home insurance were the most common accounting for 55,000 false or exaggerated claims. By value, however, fraudulent motor insurance claims were the highest. The rising cost of fraud adds an additional £40 a year to insurance premiums, the ABI stated.

Bart Patrick, head of insurance at risk management and business intelligence firm, SAS UK, made the following comments regarding the latest ABI figures:

"It is hardly surprising that in the current economic conditions fraud is rising. A sophisticated approach is required to overcome the increasingly savvy fraudsters out there, and sadly insurers will always struggle to keep up with their activities while they adopt a piecemeal approach to fraud detection, using a range of disjointed systems, and unsophisticated methods.

A link analysis tool and a bunch of rules does not a fraud strategy make. An integrated system, which uses the widest range of techniques (rules, advanced analytics, profiling, visualisation and experience) is the answer when implemented in an environment which has the people and process to action the frauds discovered. You can lead an SIU (Special Investigation Unit) to the fraud trough, but without the people and process to action this, you cannot make it drink.

Accuracy is key in being effective. The SIU must focus on the biggest frauds first, however if they are chasing shadows with a high false positive rate, then much of their effort is wasted. Only an integrated set of techniques can achieve this. If you have a simple, single approach to fraud, you are almost certainly wasting your company's time and money.

While fraud is viewed as an after-the-claim event, insurers will always play catch up. Most realise that some insurance policies are written just for the purpose of committing fraud. However they have no way of stopping this at policy inception. More important is the rising spectre of claims abuse, whereby people inflate their claims by a "reasonable" amount. This type of activity lives in the thin layer between acceptable behaviour and fraud, and this is where much of the insurance industry's real problems lie.
We are reaching the stage where a vicious circle is emerging. The SIUs are undermanned and overburdened as the numbers of potential frauds increase. Without a concerted, co-ordinated and sophisticated approach to fraud, using good old fashioned investigation and the latest technology in harmony, companies will struggle.

Let's flip this argument around to something policyholders will understand - the longer the insurers ignore fraud, the longer they will persist in charging a higher than necessary premium to cover the cost of fraud. In this increasingly competitive and fickle market with policyholders buying on price, it's actually impacting on competitiveness, so combating claims abuse and fraud is now a critical commercial consideration for all insurers. Ultimately, better fraud and claims abuse detection reduces claims expenditure, reduces combined ratios, protects market share and increases profits."

Friday, 17 April 2009

Data security standards - A toothless tiger?

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and banks were the worst culprits for compromising records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008 and that 90% of the records breached were reportedly targeted by groups involved in organised crime.

Interestingly, most (74%) of the data breaches were from external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from external hackers hacking into servers and applications online. Financial service providers are doing nowhere near enough to secure customer data, including implementing basic forms of protection such as data encryption.

The credit card companies introduced the PCI-DSS (Payment Card Industry Data Security Standard), which includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for securing credit card data. The standard includes basic requirements such as implementing a firewall, and encrypting the transmission of cardholder data across open networks.

However, according to Verizon's report, 81% of affected organisations subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and could be subject to fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered the largest known data breach to date when hackers stole 45.7 million credit and debit card numbers, as well as personal data, including driver's license numbers of another 455,000 customers.

TJX did not comply with PCI-DSS as cardholder data was unencrypted. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or losing the ability to process credit card transactions. But if Verizon's stats are anything to go by, PCI-DSS appears to be somewhat of a 'toothless tiger' in terms of forcing companies to implement even the most basic of data security measures.

It begs the question, why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use) or just plain ignorance? Certainly the reputational implications, as evidenced by TJX, outweigh the upfront costs of securing and encrypting customer data.

Tuesday, 14 April 2009


In the wake of the Bernard Madoff revelations, Ponzi schemes, on a much smaller scale than Madoff's $50 billion scam, are being unearthed.

Eager to be seen to be proactive rather than reactive, the US Securities & Exchange Commission (SEC) is charging funds left right and centre with running Ponzi schemes. Some of the latest victims on the SEC's watch list include Shawn R. Merriman, who according to reports, is accused of fraudulently obtaining between $17 million and $20 million from investors in three US states through his company Market Street Advisors. Similar to Madoff, Merriman is alleged to have promised investors "impressive" returns.

Other reports claim that "mini-Madoffs" are using the video-sharing web site, YouTube, to promote "cash gifting" programs. According to a Los Angeles Times report, the Better Business Bureau claims to have uncovered 23,000 clips promoting these so-called 'gifting' schemes. Viewers are reportedly directed to a web site where they are asked to sign up at a cost of between $150 and $5000. A spokesperson from the Better Business Bureau is quoted as saying, "They make it seem like it's legal and an easy way to make money, but it's nothing more than a pyramid scheme."

Wednesday, 8 April 2009

A "smart computer" to detect insider trading

Increasingly fraudsters are devising more sophisticated means of committing fraud, and for the technology companies charged with combating fraud, it always seems like they are playing catch-up. But when the nature of the fraud is more insidious, the challenge is greater, as is the case with insider fraud.

Fraud committed from the inside is more difficult to contend with than external threats. As a company how do you identify who is likely to commit fraud within your organisation? How do you give employees access to applications and systems they need to do their job, without locking everything down or introducing a 'Big Brother' culture?

At the University of Sunderland, they are working on a new "smart computer" that uses artificial intelligence and "headline analysis techniques" to try and detect suspicious share dealing. Insider trading or rogue trades have long plagued the capital markets and some stats suggest that upwards of 20% of deals in the UK, and 40% in the US, may be tainted.

The "smart computer" project at Sunderland is entitled CASSANDRA (Computerised Analysis of Stocks and Shares for Novelty Detection of Radical Activities) and it has been awarded £90,000 by Northstar Funding to investigate the merits of combining artificial intelligence and analysis techniques to combat financial fraud.

Dr Dale Addison, project manager, CASSANDRA, says the problem with current anti-fraud systems is that they generate too many 'false positives'. "As many as 75% false positive flagging has been observed by some systems," he says.

CASSANDRA on the other hand looks at news stories affecting a particular company. So for example if two companies are in the process of merging and someone finds out the merger is not going ahead, they may go out and buy and or sell that company's stock based on that inside knowledge.

According to Addison, CASSANDRA would be able to detect that based on its analysis of news events from Reuters, Bloomberg and other sources, as well as the movement of stocks and shares of a specific company. "This system will have the ability to allow users to look at news information and rank it according to how significant an impact it has had on share dealing." But how do you know which piece of news or information has altered trading in a particular stock?

Information on US and UK stock markets is being provided to the Sunderland team by Canadian company, Measured Markets, which provides an "early warning" analysis service alerting investors when a stock's trading pattern changes.

Dr Addison plans to build a bigger computer that can be used to detect market abuse or false and exaggerated news that helps traders earn more money.

Friday, 3 April 2009

Madoff "feeder" funds in spotlight

Civil law suits pertaining to "feeder funds" in the Bernard Madoff Ponzi scheme continue to play out with Connecticut-based hedge fund, Fairfield Greenwich the subject of allegations that it failed to carry out adequate due diligence on Madoff.

According to newspaper reports, the fund, whose manager reportedly worked with Madoff for 18 years, is accused of being "blinded" by the hefty performance fees it earned for funneling funds into the alleged Ponzi scheme. The fund funnelled a reported $7.2 billion into Mr Madoff's company. Fairfield Greenwich is believed to be contesting the charges brought by Massachusetts authorities.

Combating AML and terrorist financing

The International Monetary Fund (IMF) is reported to have announced a "donor-supported fund" that will provide $31 million over the next five years to support anti-money laundering (AML) efforts and the fight against terrorist financing. Fund donors include the United Kingdom, Switzerland, Norway, Luxembourg, France, South Korea, Saudi Arabia and Japan.

The fund will commence operations in May and is geared towards providing "technical expertise" to those countries that want to strengthen their national AML and counter-terrorist financing strategies. Currently, at least in countries such as the UK and the US, a lot of the onus for detecting money laundering and terrorist financing falls on banks. However, not all funds are laundered through banks. The diamond trade is also a conduit for laundering.

The figures speak for themselves in terms of how successful governments have been in seizing terrorist funds. Since 2001 in the UK there were £400,000 worth of cash seized under the Anti-Terrorism, Crime and Security Act, £475,000 seized under the Proceeds of Crime Act, and £477,000 frozen by HM Treasury.

One of the challenges for banks is that some of them have been unwittingly caught out by US terror financing legislation for transferring money to organisations in Palestine, for example, that the US recognises as terrorist organisations, but which other countries don't necessarily.

Online fraud is flourishing

A report in the Wall Street Journal features remarks made by Katherine Hutchinson, senior director of global risk management at PayPal. She reportedly told the Web 2.0 Expo in San Francisco that the online fraud industry was so lucrative that an "underground community" existed where fraudsters offered their specialist skills to others.

She also warned that the use of IP addresses for determining a customer's location was no longer a suitable method of combating online fraud - IP addresses can be easily masked for one thing, and fraudsters often use "zombie" computers. She also warned that all the confusion in the banking sector caused by the current economic crisis left the door open for phishing attacks by fraudsters asking customers for bank account details.

Monday, 30 March 2009

Companies plagued by cheque fraud

Payments fraud is on the increase, including old fashioned forms of fraud such as cheque fraud according to the findings of the 2009 Association of Finance Professionals' (AFP) Payments and Fraud Control Survey.

More than 70% of companies surveyed experienced actual or attempted payments fraud in 2008, with 40% experiencing increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S. Overall 30% of respondents said incidents of fraud increased in 2008 compared to 2007.

The pickings appeared to be richer for fraudsters from larger companies, with 80% of companies with annual revenues in excess of $1 billion falling victim to payments fraud in 2008, compared with just 63% of companies with annual revenues under $1 billion.

Also old fashioned payment methods such as cheques appeared to be more susceptible to fraud, with nine out of 10 companies that experienced attempted or actual payments fraud in 2008 being victims of cheque fraud. Other common forms of fraud were ACH debit (28%); consumer credit/debit cards (18%); corporate/commercial cards (14%); ACH credits (7%); and wire transfers (6%).

US companies are being encouraged to write fewer cheques with solutions such as ACH and commercial cards being offered as an alternative, but it seems there is still some way to go before all payments migrate to electronic channels, which are still susceptible to fraud, but perhaps not to the same extent as fraudulent cheques.

Government stimulus funds could increase fraud

Ponzi schemes and other old fashioned forms of fraud are growing, and efforts by governments to combat the credit freeze are presenting new opportunities for fraudsters. That is the conclusion drawn in the latest Kroll Global Fraud Report. According to Kroll the greatest threat is misuse of government stimulus funds, particularly in areas such as infrastructure funding.

"Those impacted by the economic instability who are inclined to engage in fraudulent business practices will work to secure stimulus funds by any means possible,” said Blake Coppotelli, senior managing director in Kroll’s Business Intelligence and Investigations practice. “One prime area is infrastructure projects. With the near collapse of the real estate and construction markets, traditional fraud and rackets, such as bribery, kickbacks and bid-rigging, will find a wealth of opportunity in the stimulus funds. In our experience, without extensive anti-fraud policies, oversight and enforcement, 10% of these funds will be lost to fraud and criminal activity.”

Fraudsters will also be provided with new opportunities, says Kroll, ranging from preying on companies as they move into "riskier geographies" in search of growth, to cheating to obtain a piece of the huge government stimulus pies. In its latest fraud report, Kroll says Ponzi schemes and other "old classics" are growing, for example, various financial scams and straightforward corruption. According to Kroll, "smaller scale" pyramid schemes are multiplying in Latin American countries and elsewhere.

Often some of the most difficult frauds to predict are those committed by so-called "corporate saviours", as they "cook the books" not so much for personal gain but out of the misguided belief that they are acting in the best interests of the company or its employees. "They do not even realize that their actions would be considered fraudulent, or the damage that they might cause to others," says Kroll.

Kroll also says that the risks for companies that look to do more business in other geographies are also more acute in developing regions. Its survey found that the incidence of the top 10 major frauds is generally higher in the Middle East and African countries, and lower, except for IP (intellectual property) fraud, in Europe and North America.

Despite the proliferation of fraud, Kroll says more regulation may not be the answer. After the Enron and WorldCom scandals at the beginning of the millennium, the US government introduced Sarbanes-Oxley legislation, but Kroll says despite such legislation fraudsters continue to penetrate and defraud companies in any industry, in any country around the world.

Friday, 27 March 2009

Chip and PIN no 'panacea'

Chip and PIN has forced fraudsters away from the high street, director Simon Crisp was quoted as saying recently. While that may be true, it has also resulted in higher levels of card-not-present fraud and cross-border card fraud.

Crisp is quoted as saying stopping card fraud is about staying "one step ahead" of the fraudsters and that Chip and PIN is helping deter criminals. Well most so-called fraud experts would argue that Chip and PIN is not the 'panacea' some thought it would be and that it has merely forced fraudsters to become more sophisticated in their efforts to use cards for criminal purposes.

While it may have helped reduce the amount of card present fraud committed on the high street, online shopping presents numerous opportunities for fraudsters as the card is not presented. Malicious software and phishing attacks can also be used to capture personal banking as well as PIN and password details. I don't think Chip and PIN can really be classed as staying one step ahead of the fraudsters, as they have already jumped that 'hurdle'.

Tuesday, 24 March 2009

Banks still spending on fraud prevention

A new report on US banks' fraud management strategies concludes that funding for addressing fraud is unlikely to be scaled back despite the economic downturn.

"The good news is that funding for addressing fraud management is seen as mission-critical by financial institutions," says Nick Holland, senior analyst with Aite Group and author of the report. Holland says bank fraud management departments are centralising, investing in monitoring technology and continuing to place a strong emphasis on the "human element" as the most critical component of fraud mitigation.

The report, which is based on interviews with fraud managers at 23 of the top 150 US financial institutions, also sheds some interesting light on the drivers for banks' fraud management strategies, both now and in three years time. Supporting law enforcement efforts and recouping fraud losses are not necessarily high on banks' agenda. Instead more than 80% said preventing fraud losses and meeting compliance requirements was important now, increasing to 90% or more in three years.

While banks spend a lot of time, money and effort in trying to meet regulatory requirements, preventing fraud should be a priority of the bank regardless of compliance, as not only does it cost the banks millions every year, but it also tarnishes their relationship with customers and impacts brand loyalty. Will there come a day when people shop for banks based not only on interest rates but also their track record in preventing fraud?

Banks could do more to protect customer data

As more fraudsters take over customer bank accounts, a company that shreds confidential information says banks need to do more in terms of safeguarding confidential material and educating customers about the risks of fraud.

According to CIFAS, the UK’s fraud prevention service, in 2008 there was a 207% rise in facility takeover fraud, whereby "scammers" intercept bank statements, credit card bills, receipts and account slips so that they can take over bank accounts that belong to other people.

Interestingly, while banks appear to have done considerable work in terms of implementing internal systems to detect fraud, sending credit card or account statements and PIN numbers by post to customers is hardly state-of-the-art fraud prevention.

Shred Easy, which collects, destroys and recycles materials including paper and IT equipment, believes more could be done to educate bank customers about fraud and that banks should provide free advice on fraud and identity theft.

There is something to be said for greater customer awareness of what indicators to look out for in order to help prevent and detect fraud earlier. When you open an account with a bank it would be good to receive a pamphlet/brochure on bank account and credit card fraud and tips as to what telltale signs or behaviours customers should look for.

But also banks need to rethink their approach to safeguarding customer data. If they are still sending out paper account statements that can easily be intercepted (instead of say a digitally signed encrypted electronic file) then customer education will only go so far in helping reduce fraud.

Friday, 20 March 2009

Detecting suspicious activity sooner rather than later

This is what Michelle Weatherhead, manager, EMEA, Risk Solutions for payments software provider, ACI Worldwide, had to say recently about the rise in UK card fraud in 2008.

The APACS annual statistics finding that UK card fraud in 2008 increased by 14% is, unfortunately, relatively unsurprising. The one statistic that was immediately notable was the increase in card ID theft, which was up 39%.

Card ID theft, which is when someone gets hold of your card details and PIN and starts to use them on an ongoing basis, is a real problem. There is the issue of consumer education - encouraging members of the public to shred card statements when they dispose of them, change PINs regularly and carefully check statements to make sure they are accurate, is a first step. However, there are techniques that the bank can use to help prevent this type of fraud.

One step that many banks are turning to is monitoring all activity on an account, both financial and non-financial transactions, as well as combining intelligence about how a customer uses all their cards and accounts, not just an individual one.

This helps the banks build up a complete profile of that individual - how often they travel, where they tend to shop, how much they usually spend - so that as soon as a transaction occurs that is outside that customer's usual spending patterns, alarm bells start to ring and that transaction can be flagged as suspicious. What is important is that the banks detect suspicious activity as soon as the account is taken over, otherwise the fraudster will build up their own 'profile' so activity may appear genuine.

This leads to tools such as SMS alerting, which banks are starting to implement to help them stop fraud early. SMS alerting means that if suspicious activity occurs, such as a transaction that is overseas, over a certain value, or in a type of outlet the customer hasn't used before, the bank can send a text message to the customer immediately, informing them of the transaction and asking them to respond if it isn't genuine.

This can also be used to confirm with customers that they have changed their address or requested a new PIN for example, which can be a first sign of account takeover. This combination of activity can enable the banks to block compromised cards quickly, protecting themselves from losses, and also building confidence with members of the public that they are protected too.

Fraud is always changing and moving - the APACS’ statistics for 2009 when they come out in 12 months will show similar trends to those we have seen in this announcement - but as banks embrace the latest technology, just maybe some of these numbers will start to come down.
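The profiling and SMS-alert approach described in the remarks above can be sketched as follows. This is an added example, not ACI Worldwide's software or code from the original post, and it also shows why flagged activity should not be folded into the profile until the customer confirms it. The thresholds, field names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

# Assumed values for illustration; the post names the triggers but no thresholds.
AMOUNT_MULTIPLIER = 5.0   # "over a certain value": 5x the customer's median spend
MIN_HISTORY = 5           # genuine purchases needed before the amount check applies
CONFIRM_KINDS = {"address_change", "pin_request"}  # non-financial events to confirm


@dataclass
class Profile:
    home_country: str
    countries: set = field(default_factory=set)
    outlet_types: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    def learn(self, purchase):
        """Fold a purchase into the profile; meant for genuine activity only."""
        self.countries.add(purchase["country"])
        self.outlet_types.add(purchase["outlet"])
        self.amounts.append(purchase["amount"])


def check_event(profile, ev):
    """Return the reasons (possibly none) for texting the customer about ev."""
    if ev["kind"] in CONFIRM_KINDS:
        return ["confirm " + ev["kind"]]
    reasons = []
    if ev["country"] != profile.home_country and ev["country"] not in profile.countries:
        reasons.append("overseas")
    if (len(profile.amounts) >= MIN_HISTORY
            and ev["amount"] > AMOUNT_MULTIPLIER * median(profile.amounts)):
        reasons.append("amount above usual")
    if ev["outlet"] not in profile.outlet_types:
        reasons.append("new outlet type")
    return reasons


def process(profile, events, confirmed=frozenset(), learn_flagged=False):
    """Run events in order and return {event id: reasons} for every alert raised.

    confirmed     ids the customer confirmed as genuine by SMS reply
    learn_flagged True models a system that absorbs flagged activity anyway,
                  which lets a fraudster build up their own 'profile'
    """
    alerts = {}
    for ev in events:
        reasons = check_event(profile, ev)
        if reasons:
            alerts[ev["id"]] = reasons
        if ev["kind"] != "purchase":
            continue
        if not reasons or ev["id"] in confirmed or learn_flagged:
            profile.learn(ev)
    return alerts


def sample_profile():
    """Constructed history: six domestic purchases by the genuine cardholder."""
    p = Profile(home_country="GB")
    for amount, outlet in [(20, "grocery"), (35, "grocery"), (40, "fuel"),
                           (45, "grocery"), (50, "fuel"), (60, "restaurant")]:
        p.learn({"country": "GB", "outlet": outlet, "amount": amount})
    return p


# Constructed event stream: an address change, then two out-of-pattern purchases.
EVENTS = [
    {"id": 1, "kind": "address_change"},
    {"id": 2, "kind": "purchase", "country": "US", "outlet": "electronics", "amount": 900},
    {"id": 3, "kind": "purchase", "country": "US", "outlet": "electronics", "amount": 850},
    {"id": 4, "kind": "purchase", "country": "GB", "outlet": "grocery", "amount": 30},
]

if __name__ == "__main__":
    strict = process(sample_profile(), EVENTS)
    naive = process(sample_profile(), EVENTS, learn_flagged=True)
    for eid in sorted(strict):
        print(eid, "strict:", strict[eid], "| naive:", naive.get(eid, []))
```

When flagged purchases are learned without confirmation, the second out-of-pattern purchase loses two of its three alert reasons, because the first one has already widened the profile.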

Thursday, 19 March 2009

The battle against fraud steps up a gear

For some time now I have been drawing links between the economic crisis and the increased discovery of fraud. It is not rocket science really, as economic hardship can lead people who would not normally commit fraud to find themselves suddenly fiddling the books or altering accounts in order to cover up losses or poor performance.

Of course, there is always the more criminal element that looks for vulnerabilities to commit new and varied forms of fraud. Most of the fraud experts I have spoken to have said that the crisis is not likely to lead to a greater incidence of fraud, but greater discovery of frauds that may have been going on for some time. The Madoff Ponzi scheme is a case in point.

However, a survey conducted by Vanson Bourne on behalf of predictive analytics software provider, SPSS Inc., has found that one in four (26%) financial companies reported increased levels of fraud, which it claims is double the UK average of 12%.

But it is not necessarily a lack of preparation that is exposing financial service providers to fraud, as 82% of respondents said they were very or well prepared to combat fraud, compared to 73% across all industry sectors. Now this is obviously where SPSS comes in and says predictive analytics is one tool that financial service providers should have in their anti-fraud armoury.

Yet, having the latest whizz bang anti-fraud solutions in place does not necessarily mean you are less exposed to fraud. Firstly it depends what solutions you have in place, whether they are joined up enterprise-wide or operate in silos, how well educated and trained your staff are to uncover various types of fraud and to interpret various data inputs and analytics that could suggest fraud.

We have all heard the stories of fraud technologies that generate "false positives", which means staff spend more time responding to false alerts or red flags than they do to real incidences of fraud. Professional fraudsters are also fairly adaptable and can change certain behaviours in order to circumvent technologies, which may only be programmed to look for past known behaviours of fraudsters, not new permutations.

While the bulk of the responsibility and liability for fraud has historically been with the companies that are the victims, increasingly the government appears to be assuming more responsibility with the setting up of a National Fraud Reporting Centre (NFRC) where people and businesses will be able to report suspected cases of fraud.

The UK National Fraud Strategic Authority has also given the Crown Courts extended powers to bar solicitors and estate agents from working if they are convicted of fraud. It is all part of the Government's efforts to change the perception that fraud is a "victimless" crime, but while businesses take fraud seriously, will this get the police to treat fraud more seriously?

There was an interesting report on the BBC's Panorama program recently about the government's inability to successfully recover the assets of organised crime or money earned through illicit means. While a reporting centre is a step up as information sharing can often uncover patterns of fraud across various enterprises, the authorities need to make the evidence stick and the information needs to be adequately followed up by the police, which to date have not made significant inroads when it comes to catching fraudsters.

Thursday, 5 March 2009

FSA faces multimillion pound compensation claim

The Securities & Exchange Commission in the US has copped serious flak over its handling of the alleged Madoff Ponzi scheme and it looks like it is the turn of the UK's Financial Services Authority (FSA) to cop some flak - in fact it is facing a multimillion pound compensation claim from investors in collapsed fund, GFX Capital Markets.

According to a report in The Times, the FSA knew about concerns pertaining to GFX's business practices and that its boss Terry Freeman had changed his name after earlier being disqualified until 2012 as a company director.

Lawyers for investors in GFX which collapsed with estimated losses of £44 million, claim that the FSA could have acted sooner based on the knowledge it possessed. Is this the first of many such claims that we are likely to see against the FSA as angry investors seek retribution for their losses?

While it is all too easy to use the regulators as a scapegoat for a lack of due diligence by investors or investment funds, this crisis raises serious questions about the regulatory oversight and due diligence conducted by the FSA and perhaps suggests that more regulation or granting more powers to the FSA is not going to be the panacea some hope it might.

Friday, 27 February 2009

What to look for in a web-based fraud detection system

For online retailers the growth of online shopping is a double-edged sword. While the recession is driving more shoppers online to search for bargains, the more people that shop online the greater the risk of fraud, which makes the cost of acquiring online customers a bit of a tricky biscuit.

As an online retailer you may spend considerable sums not only on customer acquisition but also on automated anti-fraud monitoring technologies, but do the benefits outweigh the costs?

Some online retailers would probably say no, yet as the recession continues to bite, anti-fraud software vendors are eager to tout their automated fraud monitoring solutions, however with so much choice out there and with vendors prescribing different solutions for different operational silos and levels of fraud, how can retailers be sure that they are choosing the right solution?

Gartner recently published its Magic Quadrant for Web Fraud Detection, which describes the market as "still maturing" and consisting of vendors that have "a lot of work to do to round out their product lines". In other words this is a rapidly evolving market and vendors are having to keep up with the rapidly changing nature of online fraud, which means that solutions with built-in flexibility and the ability to quickly introduce new functionality as and when needed, without a major overhaul of the existing installation, are key.

Gartner says most web fraud detection systems can be broken down into two types: rules-based software and predictive software that uses artificial intelligence to detect potentially fraudulent behaviours. According to Gartner, predictive software is more effective at catching fraud as rules-based systems tend to be based on past known events that have already occurred, therefore it is not good at detecting new or unknown types of fraud. The more rules you have, the more difficult it is to manage, so Gartner suggests that rules-based systems are only suitable for those companies with minimum levels of fraud.

When selecting a fraud detection system Gartner advises firms to opt for those solutions with a 70% fraud detection rate and a "false-positive" rate of one in five in order to minimise the time spent unnecessarily investigating legitimate transactions. Some anti-fraud solutions such as "geolocation" and "client device identification" have a short shelf life and can be spoofed or fail to keep up with increasingly sophisticated attacks.

Gartner also advises firms to buy solutions that provide value-added services such as authentication in conjunction with fraud detection as well as solutions that work across multiple channels and accounts. Those vendors whose web detection solutions can easily "plug and play" with different authentication technologies score highly.

Prioritising alerts is also key. "Enterprises want and need to be able to prioritise alerts based on their severity and urgency," writes Gartner. "Unless the system returns a score that ranks the severity, it is difficult to know which alerts demand priority attention."
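An added example (not Gartner's method or any vendor's code) that checks a scoring system against the 70% detection and one-in-five false-positive targets quoted above and returns a severity-ranked alert queue. It assumes "one in five" means that at most one in five raised alerts is a legitimate transaction; the scores, labels and function names are constructed for illustration.

```python
# Constructed sample: (transaction id, fraud score 0-100, confirmed fraud?).
# In practice the labels come from investigated cases; here they are made up.
SCORED = [
    ("T01", 95, True),  ("T02", 91, True),  ("T03", 88, True),  ("T04", 84, True),
    ("T05", 82, False), ("T06", 79, True),  ("T07", 72, True),  ("T08", 66, True),
    ("T09", 64, False), ("T10", 61, False), ("T11", 58, True),  ("T12", 55, False),
    ("T13", 49, False), ("T14", 44, False), ("T15", 41, True),  ("T16", 38, False),
    ("T17", 33, False), ("T18", 29, False), ("T19", 25, False), ("T20", 23, True),
    ("T21", 20, False), ("T22", 17, False), ("T23", 12, False), ("T24", 9, False),
    ("T25", 5, False),
]


def evaluate(scored, threshold):
    """Return (detection rate, share of raised alerts that are legitimate)."""
    flagged = [t for t in scored if t[1] >= threshold]
    total_fraud = sum(1 for t in scored if t[2])
    caught = sum(1 for t in flagged if t[2])
    detection = caught / total_fraud if total_fraud else 0.0
    false_share = (len(flagged) - caught) / len(flagged) if flagged else 0.0
    return detection, false_share


def pick_threshold(scored, min_detection=0.70, max_false_share=0.20):
    """Sweep every observed score as an alert threshold.

    Returns (threshold, detection, false_share) for the setting that meets both
    targets with the highest detection rate, or None if no threshold does.
    """
    best = None
    for threshold in sorted({score for _, score, _ in scored}):
        detection, false_share = evaluate(scored, threshold)
        if detection >= min_detection and false_share <= max_false_share:
            if best is None or detection > best[1]:
                best = (threshold, detection, false_share)
    return best


def triage_queue(scored, threshold, capacity=None):
    """Ids of raised alerts, highest score first, cut to investigator capacity."""
    flagged = sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])
    ids = [txn_id for txn_id, _, _ in flagged]
    return ids if capacity is None else ids[:capacity]


if __name__ == "__main__":
    choice = pick_threshold(SCORED)
    if choice is None:
        print("no threshold meets both targets")
    else:
        threshold, detection, false_share = choice
        print(f"threshold={threshold} detection={detection:.0%} "
              f"false alerts={false_share:.1%}")
        print("work first:", triage_queue(SCORED, threshold, capacity=3))
```

On this sample only one threshold satisfies both targets, and raising the detection target to 80% leaves none, which is the trade-off a buyer is testing for when comparing systems on these two figures.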

Ease of use may sound like a no-brainer but Gartner says most web fraud detection vendors fall short in terms of providing consoles that enable alerts to be investigated easily. Providing sufficient levels of reporting also tends to be a weakness. More advanced fraud detection solutions, says Gartner, not only look at log on details or web site access, but also transaction information and user navigation.

Tuesday, 24 February 2009

Online retailers fight "recession fraud"

A survey conducted by Vanson Bourne indicates that online retailers are fighting back against the increased threat of "recession fraud".

The research conducted on behalf of SPSS, a predictive analytics software provider, shows that 37% of online businesses had implemented new measures such as customer behaviour analysis, restricting purchases from "high risk" locations or countries and reducing the number of payment methods available, to help reduce online payment fraud.

The 2009 UK Online Fraud Report estimates that UK online retailers lost up to 5% of total revenues to fraud in 2008, however, while retail sales on the high street are declining, online sales are increasing (up 14% in December 2008 compared to the previous year), so retailers cannot afford to be complacent about fraud.

One in four retailers surveyed by Vanson Bourne indicated they are using customer analytics, which focus on unusual behaviour patterns, to detect fraud. Eighteen percent said they had also reduced the number of payment methods in the belief that it reduced the opportunities for fraudsters.

Thursday, 19 February 2009

Learning the lessons of due diligence

A few months back when the alleged Bernard Madoff Ponzi scheme was first exposed, I remember writing on this blog that the alleged $50 billion fraud was only the tip of the iceberg, and that the recession would result in other scams or alleged frauds being exposed.

Not that I want to beat my own drum, but it doesn't take much to realise that a deep economic recession and tightened credit availability are all it takes to bring suspected frauds that have gone undetected to light. When banks don't want to lend and investors panic and want to withdraw funds, things start to unravel.

I don't think we can say that the credit crisis is causing fraud to spiral out of control; however, it is resulting in greater levels of discovery. Since Madoff, there has been the $1.5 billion fraud at Indian IT firm Satyam Computers, and other Ponzi schemes and dodgy investor scams are being uncovered on a regular basis. Now the SEC alleges that Allen Stanford duped investors who bought bonds from his Stanford International Bank in Antigua and claims that he also lied about the performance of their savings and the extent of investors' exposure to Bernard Madoff's alleged Ponzi scheme.

Not only is more fraud likely to be uncovered in trying economic times, but also financial regulators are on the war path, eager to redress the perception that they failed to adequately supervise financial firms when times were good. Now that times are not so good we can expect to see the heavy hand of regulation come down on banks.

In the UK the Financial Services Authority is calling for a sea change in the way commercial banks, investment banks and building societies manage their liquidity. The new liquidity standards, which are scheduled to come into force in October, will also impact US banks with branches in the UK and are designed to try and prevent an event like the Lehman's collapse in the US, spilling over into the UK by forcing bank branches to become self-sustaining when it comes to liquidity.

While managing liquidity is not directly related to fraud, what is perhaps more interesting is that observers believe the FSA is likely to not only make an example of those banks that fail to comply with its new liquidity standards, but may also "disbar" those company chairmen and executive directors of banks that don't measure up.

Corporate governance is back on the agenda again and it is the guys at the top that are likely to take the heat. However, one has to question how serious the regulators really are when you read reports that a former disqualified company director was able to foil the FSA merely by changing his name and becoming a director of three companies.

We have all heard the corporate governance rant before - isn't that what Sarbanes-Oxley was all about? Yet financial accounting scandals are still very much with us and some suggest it is only going to get worse as company executives resort to fiddling the books in order to preserve banking covenants, meet analysts' expectations or avoid bankruptcy.

But heightened corporate governance in the form of greater regulatory oversight is not the panacea some think it is. If anything is to be learned from the Madoff and Stanford cases, it is the lack of due diligence by investors and investment funds. All the warning signs were there, such as fly-by-night accountants and a lack of separation of duties, and if anyone had bothered to do their due diligence they would have uncovered enough to raise alarm bells.

However, it seems everyone wanted to believe the unbelievable, namely market-beating returns, and it seems we all want to believe that some of the gold dust will rub off on us, which means a lot of financiers are not subjected to the level of scrutiny that they should be.

Friday, 13 February 2009

Corporate bribery

Former investment banks are in the spotlight again, this time relating to allegations of corporate bribery.

According to a report in the Financial Times, Morgan Stanley's global head of real estate investing has been suspended following disclosure of a Securities & Exchange Commission (SEC) filing that indicates a China-based employee violated the Foreign Corrupt Practices Act.

Morgan Stanley was a major investor in Chinese real estate, a sector which is believed to be plagued by bribery and corruption. A number of fraud and risk specialists I have spoken to in recent weeks have highlighted increasing reports of corporate bribery and corruption where business contracts are awarded on the basis of financial rewards.

In the US and the UK corporate bribery can attract substantial fines, which often exceed the initial bribe. According to Kroll's 2008-2009 Global Fraud Report, regulatory and compliance breaches increased from 19% to 25%.

Wednesday, 11 February 2009

Balancing fraud and profit

I received an interesting email from an Amsterdam-based company, Directness, which is running a Risk v Reward: Balancing Fraud and Profit conference for retailers in Amsterdam tomorrow.

Organiser, Adam Dorrell, said that the event was triggered by retailers such as Nike, Philips and Sony getting fed up with the cost of fraud. The problem for many retailers is that they have to invest considerable sums in automated solutions for combating credit card fraud, but the return on investment is uncertain in that they may be spending more to acquire customers, only to lose them to fraud or "charge-backs".

Do the risks outweigh the rewards? Well, if you believe what you read in the newspapers and the various surveys that are published, the risks, particularly in the online shopping world, appear to be significant. This appears to have convinced a significantly large proportion (41%) of the UK population not to shop online, according to CyberSource's latest annual survey of more than 150 merchants and 1000 consumers.

Security was an issue for the 41% of UK consumers that said they did not shop online. Out of the total sample, including those that did shop online, 66% said they were concerned about the level of risk. Given that most online shopping sites now carry a secure padlock icon or the green VeriSign bar which demonstrates that the web site has met more stringent standards around web site integrity, this is still a surprisingly high number.

Another basic precaution online shoppers can take is signing up to the MasterCard SecureCode or Verified by Visa programmes, which add an additional authentication layer by asking for a password, but not all shopping sites carry this and arguably it is still open to abuse if the password is easy to guess or replicate.

CHIP and PIN, while reducing fraud when the card is presented, has only served to increase the incidence of fraud in card-not-present transactions (online or over the telephone). Some security vendors suggest that one-time passwords are more secure, but there has been no uptake of this by the card companies.

Another problem is that the cost of fraud is borne by the poor retailer who has to foot the cost of charge backs and fraud in general, as well as investing in anti-fraud measures. It will be interesting to hear what comes out of the event in Amsterdam tomorrow and whether retailers can come up with a joint industry solution to combat fraud. We hope to provide you with coverage after the event.

Tuesday, 10 February 2009

Lloyds warns against phishing attacks

Newly-merged UK banking group Lloyds TSB and HBOS have taken the unusual step of warning customers that fraudsters may take advantage of their merger to launch phishing attacks.

In recent years, phishing scams, which typically involve the sending of "official-looking" emails asking customers to confirm bank password, security and account details, have been steadily rising. Banks and other security providers have cautioned customers not to respond or open emails sent to them asking for such information.

However, in an effort to head off a potential attack as it goes through a long and protracted merger with HBOS, Lloyds TSB said customers should be on their guard and that it would not email them requesting account, PIN or security information.

Friday, 6 February 2009

More Ponzi schemes

While the alleged Bernard Madoff Ponzi scheme is capturing most of the headlines, other Ponzi schemes are also coming to light.

According to newspaper reports, Japanese police have arrested a 75-year-old bedding company executive on suspicion of running a "pyramid scheme" that promised investors high returns.

According to some experts, Ponzi schemes are increasing and are recurrent. Estimates suggest that in 2002, US citizens lost $9.6 billion to Ponzi schemes. Some suggest that Ponzi schemes are happening with increasing frequency and point the finger at unregulated hedge funds or alternative investments put together by investment advisors.

Madoff - who is to blame?

The US Securities & Exchange Commission (SEC) continues to cop flak over its handling of tip offs regarding the alleged Bernard Madoff Ponzi scheme.

According to a report in the UK's Financial Times newspaper, Lord Jacobs, a peer who lost money in the alleged $50 billion scheme, is pointing the finger at the SEC for "the grossest negligence it is possible to conceive" for not fully investigating a whistleblower’s detailed exposé.

He is not alone in his condemnation of the US regulator. Members of the US Senate Committee on Banking, Housing and Urban Affairs also expressed disbelief and amazement at how regulators did not uncover the alleged Madoff Investment Securities Ponzi scheme, citing numerous "red flags" such as the fact that he did not use a separate custodian for his investment advisory business, and that his accountant was not registered with The Public Company Accounting Oversight Board (PCAOB).

However, the Senate hearing heard how Madoff, as a privately held broker-dealer, was able to avoid adhering to these requirements. At the same Senate hearing, senior representatives from the SEC defended their investigations of Madoff, saying their examinations, which were limited to the scope of his broker/dealer business, not his investment advisory business, did not find fraud.

Madoff registered as an investment advisor in 2006. The SEC said it could not examine every investment advisor and that 10% of registered advisors were examined every three years, but that these examinations were limited in their scope and targeted specific activities. The SEC also pointed towards resource constraints.

Nevertheless it seems that the SEC is going to cop a lot more flak over its handling of the alleged Ponzi scheme as a number of investors that have lost money question how detailed tip offs from a reliable source failed to uncover anything. The truth perhaps lies somewhere in the fact that the SEC said it only examined Madoff's broker/dealer activities, not his investment advisory business. Regulatory loopholes appeared to have allowed Madoff's investment advisory activities to escape rigorous scrutiny.

Friday, 30 January 2009

AIG in the spotlight again

US insurance company, AIG, one of the high profile victims of the credit crunch, is in the spotlight again with one of its former vice presidents being jailed for four years for falsely inflating the company's share price and reserves.

According to reports, Christian Milton, who was convicted back in 2008 of conspiracy, mail fraud, securities fraud and making false statements to the Securities and Exchange Commission, participated in a scheme whereby AIG "secretly paid" General Reinsurance to take out reinsurance policies with the company in 2000 and 2001. The scheme reportedly cost investors up to $597 million.

It is not the first time that AIG has been implicated in fraud. According to Wikipedia, an accounting scandal resulted in former CEO Maurice R. Greenberg being ousted in 2005. The allegations made at the time included fraudulent business practice, securities fraud, common law fraud, and other violations of insurance and securities laws. All criminal charges were later dropped however and Greenberg was not held responsible.

AIG, and other victims of the credit crunch are also being investigated by the FBI. The investigation is believed to be looking at whether these firms unduly influenced agencies to "inflate" their ratings and misled investors about the true state of their assets.

Card fraud stats - who do you believe?

Various organisations produce statistics on the incidence of credit card fraud, but the UK payments association, APACS, has hit back at a recent survey published by "life assistance" group CPP, which claims that 12 million people were victims of card fraud in 2008 and that the average loss was £650.

APACS says CPP's stats are "spurious" and that according to its own data, which is drawn from stats provided by its member banks, 2007 figures indicate there were just over a million reported cases of card fraud; and although card fraud increased in 2008 (APACS will publish figures in March), APACS says CPP’s suggestion that there were 12 million victims in 2008 is "wildly out of line".

Is it a case of CPP, which provides protection and insurance against identity theft and card fraud, talking up the incidence of card fraud in order to scare consumers into thinking the problem is much bigger than it really is? There is no question that some organisations may be talking up fraud to benefit their own cause, which is not helpful, as card fraud remains a persistent problem for online merchants and exaggerating the levels of fraud only serves to suggest that none of the solutions deployed so far to combat it are actually working.

Having said that, more certainly needs to be done, as CHIP and PIN may have reduced "over-the-counter" fraud, but most reports indicate card-not-present fraud is on the increase, particularly online. Some providers have suggested the use of one-time PINs and passwords to "toughen up" existing security.

Thursday, 29 January 2009

Regulatory loopholes may have helped Madoff

Members of the US Senate Committee on Banking, Housing and Urban Affairs expressed disbelief and amazement at how regulators did not uncover the alleged Madoff Investment Securities Ponzi scheme. On Tuesday the committee listened to witnesses' testimony regarding regulatory and oversight concerns and the need for reform in light of the alleged Ponzi scheme.

Senators expressed disbelief that securities regulators, the Securities & Exchange Commission (SEC) and the Financial Industry Regulatory Authority (Finra), missed numerous "red flags" pertaining to Madoff, including the fact that he did not use a separate custodian for his investment advisory business, and that his accountant was not registered with The Public Company Accounting Oversight Board (PCAOB).

During the hearing one senator remarked: "... it is inexplicable how the SEC missed it (Madoff's alleged Ponzi scheme). It is as if there was a giant elephant standing next to the SEC in a rather small room for 25 years and the SEC never noticed the elephant or even smelt the peanuts on its breath. And it is not as if the SEC were not looking around the room."

The SEC is conducting its own investigation into its handling of the alleged Madoff Ponzi scheme. During Tuesday's testimony senior SEC officials stressed that their past examinations of Madoff were restricted to his broker dealer activities and did not include his investment advisory business which was registered in 2006.

The SEC said 10% of registered investment advisors were examined every three years, and that these examinations were limited in their scope and targeted specific activities. The other regulator in the spotlight regarding the alleged Ponzi scheme, Finra, said its jurisdiction was limited to Madoff's broker dealer operations and that this meant it could not be an "extra set of eyes".

However, during Tuesday's hearing, Professor John Coffee, Professor of Law at Columbia University, said Finra did have jurisdiction over Madoff Investment Securities. He also stated that registered investment advisors are required to use a "qualified" custodian. However, he said Madoff used himself and that he was able to do this because the SEC gave us an "illusory" rule which allows an investment advisor, where it has a broker dealer affiliate, to use its own broker dealer as its custodian.

Following the implementation of Sarbanes-Oxley, Coffee said broker dealers were supposed to use accountants registered with the PCAOB. However, he said on three occasions, the SEC adopted and extended an exemptive rule that said privately-held broker dealers did not have to use such a PCAOB registered accountant.

Coffee said Ponzi schemes were increasing in regularity and frequency and tended to occur in unregulated hedge funds or alternative investments put together by investment advisors.

Online fraud continues to rise despite countermeasures

Despite ongoing investment in tackling fraud, online merchants continue to see their losses from fraud increase, according to a survey of 150 online retailers conducted by Cybersource Ltd.

The overall rate of fraud increased 2.6%, which does not sound like much. However, Cybersource says that for approximately 13% of merchants the rate of fraud increased by more than 20%, and 37% of merchants experience losses due to fraud of 1% or more. These increases are in spite of the fact that in the UK at least, approximately 60% of merchants now deploy Verified by Visa and MasterCard SecureCode schemes, which require the purchaser to type in a private code known only to them and their bank.

But it is perhaps the indirect costs of fraud that are more telling. According to the survey, 20% of merchants reject more than 5% of orders because they suspect fraud, although some of these orders may be authentic.

Despite the increasing sophistication of automated fraud screening software, Cybersource's survey indicates that 10% of merchants still reviewed every order manually, which is deemed costly and inefficient. It begs the question, do merchants see automated fraud screening as too costly or difficult to implement?

How did "India's Enron" come about?

"We will see a significant increase in [financial accounting scandals], however the jurisdiction is shifting from the more regulated markets where Sarbanes-Oxley, independent audit committees and the significant level of oversight make it more difficult to get away with, to emerging markets where supervision and broad oversight is not as advanced," said Richard Abbey, managing director, Financial Investigations for risk consulting company, Kroll.

I have reported these comments from Abbey before in an earlier posting, but I wanted to highlight them again in light of the Financial Times publishing its account of B. Ramalinga Raju, the former chairman of Indian IT firm, Satyam Computers and how "India's Enron" unfolded.

According to the newspaper report, Mr Raju became "obsessed with market capitalisation", which is what Abbey is alluding to in his statement above.

The report goes on to say that Mr Raju also appeared to benefit from the silliness that prevailed during the boom when the market cap of companies was wildly overinflated and no one, including those financing companies, really paid any attention to a company's earnings or P&L.

According to the FT, Mr Raju listed Satyam Infoway on the Nasdaq in 1999, and was able to immediately raise money despite the fact that the company had lost money. But according to the police, the accounting fraud began in 2001, once the bubble had burst and the share price deflated.

Friday, 23 January 2009

Fund heaped praise on Madoff

As more details come to light about the alleged Madoff Ponzi scheme, lawyers representing those investors that lost millions are pointing the finger at the apparent lack of due diligence conducted by the banks and the funds that invested money with Madoff.

According to a report in the Financial Times, Santander's Swiss-based alternative investment arm, Optimal, "heaped praise" on Madoff before his arrest, for his ability “to find great entry and exit points to benefit investors”.

With parent bank Banco Santander admitting losses of up to €2.33 billion as a result of the alleged Ponzi scheme, lawyers will be clambering all over this latest revelation.

Thursday, 22 January 2009

Another Ponzi scheme?

Bloomberg is carrying news of the latest alleged Ponzi scheme coming out of Japan. Japanese housewives have reportedly been hit by the alleged currency trading scam.

Recession - the mother of invention

A recession is the mother of invention, and never one to miss an opportunity, fraudsters are reportedly targeting investors whose money is trapped in Icelandic bank, Kaupthing Singer & Friedlander.

According to Citywire, depositors with money trapped in Kaupthing Singer & Friedlander, on the Isle of Man, which went into administration late last year, have been approached by a company calling itself Kristen Heather Investments (Isle of Man). The company claimed it could return depositors' funds in Kaupthing Singer & Friedlander for a fee.

The Isle of Man Financial Services Commission says the firm has a fake address and had copied the real bank’s website. PricewaterhouseCoopers, which is liquidating Kaupthing, says it appeared to be "an entirely fraudulent endeavour".

As I mentioned in my previous post, Madoff - who is culpable?, with irate investors and shareholders having lost substantial sums of money, there is likely to be a raft of legal action in the wake of the credit crisis. Some of the big class action suits may be some time in coming, but meanwhile, according to The Press & Journal, an 83-year-old QC is suing Royal Bank of Scotland claiming that the bank was "insolvent" when it "fraudulently" sold him shares in a rights issue.

As part of his small claims action, the QC is trying to prove that the bank was "technically insolvent" when it sold him stock valued at £1,282 as part of a rights issue. If the case is successful, it could lead to similar action being taken by other bank shareholders.

Wednesday, 21 January 2009

Madoff - Who is culpable?

Given the number of corporate fraud cases and the lack of due diligence that have been brought to light as a result of the current financial crisis, litigators will be clambering all over it trying to find some means of recourse for their clients who have suffered substantial financial losses.

In the case of the alleged Madoff $50 billion Ponzi scheme, there could be a number of potential targets in the firing line for litigators to take action against. Investors whose money ended up in Madoff's scheme are likely to turn to the managers of the "feeder funds" who earned commissions from feeding funds into the alleged Ponzi scheme. Questions also remain over the due diligence conducted further down the line by those banks that have revealed exposure to the Ponzi scheme.

Some experts also question whether the US securities regulator, the Securities & Exchange Commission (SEC), is culpable. According to the latest newspaper reports, the SEC missed "red flags" regarding Madoff's alleged Ponzi scheme when it investigated an accountancy firm with ties to Madoff back in 1992. The New York Times claims that the SEC's probe found that the accountancy firm kept "almost no records", and that one of the partners told investigators that the $441 million it controlled was managed by Mr Madoff.

Forensic accountants currently working on the Madoff case in New York and London, say there appeared to be a “patent lack of segregation of duties” as the management, administration and custody of the fund in question was conducted either by Madoff or associated parties. However, standards of due diligence in this area are still developing and there was no apparent legal onus on Madoff to separate these duties.

One source I spoke to involved in the Madoff investigation recalled the BCCI scandal in the UK in 1991 when the Middle Eastern bank collapsed with £7 billion of undeclared debts. The financial regulator at the time was the Bank of England and victims of BCCI, led by the liquidator Deloitte & Touche, later brought a lawsuit against the Bank of England claiming up to £1 billion in damages. The victims alleged the Bank of England was "guilty of negligence amounting to 'misfeasance', or wilful misconduct." The case later collapsed.

Questions now remain about whether the SEC could have done more to uncover the alleged Madoff Ponzi scheme. Whether it could face its day in court is debatable, as the SEC may be able to declare immunity from being sued. As the BCCI lawsuit also demonstrated, it may also be difficult to prove that the SEC "deliberately" failed in its duties.

Tuesday, 20 January 2009

Learning old lessons about fraud

With "Ponzi" schemes and "rocketing levels of discovery" of insider fraud that has gone undetected for years finally being exposed by the credit crisis, corporate fraud will be an area of renewed focus this year as companies go back to basics to defend themselves against malicious and non-malicious attacks perpetrated by insiders.

With so much press and industry focus on the multitude of threats looming outside the corporate firewall, until recently insider fraud attracted few column inches. Given the impact exposure of corporate fraud has on a company's brand and reputation, it is not surprising perhaps that most incidences of insider fraud (50% in the case of insider fraud in banks, according to Celent) go unreported.

Yet, with figures published by analyst firm Celent indicating that insider fraud accounts for 60% of all bank fraud cases involving a data breach or theft of funds, corporate fraud is an endemic problem and fraud experts anticipate it will be ratcheted up a notch or two by the recession.

Richard Abbey, managing director, Financial Investigations, for risk consulting company, Kroll, says the recession could give rise to the "non-malicious" corporate fraudster - those that commit fraud not for personal gain, but to save their company and employees' jobs. "It's misplaced loyalty if you like as they do not really think they are committing fraud," says Abbey. While anti-fraud measures tend to be focused on new employees, Abbey says the typical fraudster is the long-serving, loyal employee that knows their way around a company's systems.

Despite the introduction of Sarbanes-Oxley in the US, which placed more rigorous reporting requirements on a company's financials in the wake of the Enron and WorldCom corporate accounting scandals, Abbey expects to see more financial accounting scandals in the wake of the recession as corporate executives falsely inflate profits and cover up debts in an effort to maintain core ratios or to protect themselves from breaching banking covenants.

"We will see a significant increase in that type of fraud, however the jurisdiction is shifting from the more regulated markets where Sarbanes-Oxley, independent audit committees and the significant level of oversight make it more difficult to get away with, to emerging markets where supervision and broad oversight is not as advanced," says Abbey.

No surprises then that the latest accounting scandal has rocked Indian IT outsourcing firm, Satyam Computers, where the company's chairman has admitted to a $1 billion fraud, which is being billed as "India's Enron". Kroll is also seeing more companies reporting allegations of corporate bribery and corruption, which if proved true can attract hefty fines far in excess of the original bribe.

Given the threat landscape, it may be tempting for corporate executives and chief risk officers to reach for the latest gadgets: biometrics; enterprise anti-fraud systems; software that detects the potential for fraud in emails; however, fraud experts caution that brandishing the sword of technology is not necessarily the answer.

According to Abbey, most corporate fraud is detected not as a result of controls companies put in place, but by accident or by whistle blowers. There are, however, more immediate measures firms can put in place to protect themselves against insider fraud, segregation of duties being the main one, to ensure that no single person, regardless of how long they have been with the company, has "end-to-end" control over a business process or processes.

In its latest Global Fraud Report, Kroll concludes that the financial crisis will lead to more fraud claims, legal disputes and regulatory action. Greater due diligence and levels of corporate governance will also be required and cross-border transactions are likely to increase exposure to "complex fraud and corruption".

“There are some wonderful technologies that can help solve fraud,” says David Porter, head of security and risk at consultancy, Detica, “but it is not just about wielding the sword of technology. It is about con artists scamming people. There is a soft human element to combating fraud. This year, companies are going to be learning a lot of old lessons about fraud.”