Thursday, 30 April 2009

Banks in the firing line for misleading investors

In the wake of the credit crunch a number of banks are in the firing line as investors allege that they were misled concerning the purchase of particular financial instruments or the true state of the bank's financial situation.

A class-action lawsuit was launched against the Royal Bank of Scotland (RBS) in the US earlier this year based on allegations that the bank misled investors by failing to disclose the damage caused by debt securities on its balance sheet, as well as the damage caused by the acquisition of ABN-AMRO, and its inadequate capital buffer to safeguard it against subprime losses.

RBS, which is now majority owned by UK taxpayers and suffered the biggest loss (in excess of £24 billion) in corporate history back in February, has been a high-profile victim of the subprime meltdown. But it is not the only bank in the firing line over misleading investors.

Italian police are also reported to have seized $630 million worth of assets belonging to Deutsche Bank, UBS, Depfa Bank and JP Morgan as part of an investigation into an alleged fraud against Milan's city authority.

The alleged fraud dates back to 2005 when Milan's city authority was sold derivatives contracts linked to a bond issue. According to the allegations the banks failed to adequately inform the authority of the risks linked to the derivatives and "falsely claimed" the authority would save money.

Losses for the authority are estimated to be in the region of €300 million, although it could be more. The banks, however, pocketed more than €100 million in "illicit profits", according to the allegations.

It will be interesting to see if the authorities can prove that the banks deliberately misled the city authority, as the lack of suitable reference data surrounding some derivatives contracts and the subsequent emergence of a less favourable interest rate environment may make it difficult to establish whether the banks intentionally set out to defraud the authority.

Tuesday, 28 April 2009

Due diligence in a post-Madoff world

Following the exposure of the $50 billion Bernard Madoff Ponzi scheme, investors and fund managers are under increasing pressure to perform more rigorous due diligence of hedge funds. But is that easier said than done?

If you look at some of the facts surrounding the Madoff scheme (lack of clear separation of duties, an unregistered auditor and the promise of high returns), then it is clear that feeder funds and other investors in Madoff's scheme failed to perform sufficient due diligence. In fact it seems as if their only rationale for putting money into Madoff's fund was his previously untarnished reputation (he was a former Nasdaq chairman) and the spectre of high returns.

Corgentum Consulting, a hedge fund operational risk consultancy based in New Jersey, has some interesting insights into how the exposure of Madoff's $50 billion Ponzi scheme is likely to change the world of hedge fund due diligence.

"Successful operational risk management in the post-Madoff world will require hedge funds to walk a tightrope of continually boosting investor confidence in a fund’s operational risk management capabilities, while not destroying any competitive advantages or informational edges through the dissemination of this information," says Corgentum.

Instead of outsourcing operational due diligence to "hedge fund allocators", Corgentum believes that investors will want to exert greater control over the process and that the scope and depth of operational issues covered in a due diligence review will be more exhaustive. The frequency of hedge fund reviews will also be increased, says Corgentum.

"No longer will it be sufficient for investors to rely on generic due diligence questionnaires or to be granted a meeting with a hedge fund’s senior operational professionals for a few hours once a year for an annual review," says Corgentum. "Investors will likely request much greater detail on a host of different operational issues ranging from legal and compliance issues, information technology, cash management and valuation."

The upshot of all this is that hedge funds' "already strained" resources are likely to come under further pressure, resulting in lower profit margins, says Corgentum. Only those funds that make the due diligence process run as smoothly as possible for investors are likely to attract capital.

But that does not account for the age-old problem of human greed - investors and fund managers are driven to seek high returns. So despite all this talk of more rigorous due diligence of hedge funds, will it still be easy for a Madoff-type character to pull the wool over investors' and fund managers' eyes purely by promising market-beating returns?

Friday, 24 April 2009

Cultural impediments to AML in Middle East

The UK's Independent newspaper was the first to report that ransom money paid to Somali pirates was being laundered via the Middle East. The newspaper quoted shipping industry investigators who claim that approximately $80 million (£56 million) had been paid out in the past year alone in ransom money to Somali pirates, with millions being laundered through bank accounts in the United Arab Emirates and other parts of the Middle East.

Dubai's deputy police commander general has since denied any involvement by the UAE saying it has strict anti-money laundering (AML) legislation that requires all transactions above 40,000 dirhams ($10,889) to be reported.

Yet, a common laundering technique is to split large sums of money up into smaller amounts so that it cannot be detected by AML controls. I also stumbled across an interesting article posted on the web by Hany Abou-El-Fotouh, director of Policy & Corporate Affairs at CI Capital, the investment banking arm of Egypt's Commercial International Bank (CIB).

He points to cultural factors, which he says make the strict enforcement of AML procedures in the Middle East difficult. Abou-El-Fotouh says that in some Middle Eastern countries, setting up proper controls and strictly enforcing them in order to detect suspicious transactions or activities conflicts with customer relationships and cultural customs.

He says many Middle Eastern financial institutions are adopting corporate cultures that weaken AML and anti-terrorist financing efforts. "One of the biggest problems for AML initiatives in the Middle East is cultural customs that accept deference to customers and anonymity. Accounts lacking full identification details or with misleading information are not unusual in the region," he said.

Abou-El-Fotouh says Know Your Customer (KYC) requirements are lacking at many Middle Eastern financial institutions as customers may view banks' requests for additional information as intrusive or offensive. "For example, it can be difficult for a bank to refuse to enter into or to exit a relationship with a politically connected person," Abou-El-Fotouh explained. "Doing so could mean trouble for the staffer involved."
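The gap between a per-transaction reporting threshold and split deposits, noted earlier in this post, is normally closed by aggregating activity per account over time. The following sketch is an added example, not code from the post or from any bank's system: it flags accounts whose individually unreportable transactions add up to more than the 40,000 dirham threshold within a rolling window. The three-day window, the account names and the ledger are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

REPORT_THRESHOLD_AED = 40_000  # per-transaction reporting threshold quoted in the post
WINDOW_DAYS = 3                # assumption: aggregation window, not taken from the post

# Constructed sample ledger: (account, ISO timestamp, amount in AED)
SAMPLE_TXNS = [
    ("ACC-A", "2009-04-20T09:15", 45_000),  # caught by the per-transaction rule
    ("ACC-B", "2009-04-20T10:00", 15_000),
    ("ACC-B", "2009-04-20T16:30", 14_500),
    ("ACC-B", "2009-04-21T11:05", 13_000),  # 42,500 in total inside the window
    ("ACC-C", "2009-04-20T12:00", 12_000),
    ("ACC-C", "2009-04-27T12:00", 30_000),  # seven days apart: outside the window
    ("ACC-D", "2009-04-22T08:00", 39_900),
    ("ACC-D", "2009-04-22T08:20", 39_800),  # two just-under-threshold payments
]


def per_transaction_reports(txns, threshold=REPORT_THRESHOLD_AED):
    """Transactions the simple rule reports: a single amount above the threshold."""
    return [t for t in txns if t[2] > threshold]


def structuring_alerts(txns, window_days=WINDOW_DAYS, threshold=REPORT_THRESHOLD_AED):
    """Flag accounts whose sub-threshold transactions sum above the threshold
    inside any rolling window of `window_days`. One alert per account."""
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for account, ts, amount in txns:
        if amount <= threshold:  # only amounts the per-transaction rule misses
            by_account[account].append((datetime.fromisoformat(ts), amount))

    alerts = []
    for account, rows in sorted(by_account.items()):
        rows.sort()
        recent, total = deque(), 0
        for when, amount in rows:
            recent.append((when, amount))
            total += amount
            # Drop transactions that have aged out of the rolling window.
            while when - recent[0][0] > window:
                total -= recent.popleft()[1]
            if len(recent) > 1 and total > threshold:
                alerts.append({
                    "account": account,
                    "window_start": recent[0][0],
                    "window_end": when,
                    "count": len(recent),
                    "total_aed": total,
                })
                break
    return alerts


if __name__ == "__main__":
    print("per-transaction reports:", per_transaction_reports(SAMPLE_TXNS))
    for alert in structuring_alerts(SAMPLE_TXNS):
        print("structuring alert:", alert)
```

Widening the window catches slower splitting (ACC-C is flagged at ten days) at the cost of more alerts for analysts to review.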

Is mobile banking really secure?

With mobile banking transactions tipped to rise from 2.7 billion annually in 2007 to 37 billion by 2011, security experts are warning of the security risks associated with new mobile banking and payment channels.

Every time a bank opens up a new channel to customers, it presents new opportunities for fraudsters. Anti-fraud software provider, 41st Parameter, claims that users have good reason to be sceptical about the security of mobile banking transactions.

Ori Eisen, founder and chief innovation officer at 41st Parameter, says transactions between a mobile device and the bank are not as well-guarded as internet transactions as they only use basic identification and verification checkpoints.

According to Eisen, mobile banking systems are not able to determine whether a device accessing their mobile banking site is a mobile device, PC or laptop.

"Mobile banking touch points are easier to gain access to as they don’t have the security layers that internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or laptop, they are capable of infiltrating an unsuspecting bystander’s mobile banking account," writes Eisen in a white paper entitled: Mobile Banking - An Easy Target for fraud?

Eisen maintains that a multi-layered approach to security incorporating a firewall, password and encryption barriers and real-time tracking that identifies devices that were initially refused admission to a site and have changed their identity to try and gain access, is the best way of securing mobile banking transactions.

In addition to the information (credit credentials and personal identity) that is typically used to authenticate an individual, Eisen says Client Device Identification (CDI) goes beyond simple user names and passwords to detect suspect mobiles at device level. CDI can differentiate a device visiting a site regardless of the credentials presented or the IP address.

Monday, 20 April 2009

Insurers struggle to keep up with fraudsters

Last week, the Association of British Insurers (ABI) warned against the rise of insurance fraud in a recession and published figures demonstrating a 17% increase in insurance fraud from 2007 to 2008, with the total value of fraudulent claims (£730 million) rising by 30%.

Dishonest claims on home insurance were the most common, accounting for 55,000 false or exaggerated claims. By value, however, fraudulent motor insurance claims were the highest. The rising cost of fraud adds an additional £40 a year to insurance premiums, the ABI stated.

Bart Patrick, head of insurance at risk management and business intelligence firm, SAS UK, made the following comments regarding the latest ABI figures:

"It is hardly surprising that in the current economic conditions fraud is rising. A sophisticated approach is required to overcome the increasingly savvy fraudsters out there, and sadly insurers will always struggle to keep up with their activities while they adopt a piecemeal approach to fraud detection, using a range of disjointed systems, and unsophisticated methods.

A link analysis tool and a bunch of rules does not a fraud strategy make. An integrated system, which uses the widest range of techniques (rules, advanced analytics, profiling, visualisation and experience) is the answer when implemented in an environment which has the people and process to action the frauds discovered. You can lead an SIU (Special Investigation Unit) to the fraud trough, but without the people and process to action this, you cannot make it drink.

Accuracy is key in being effective. The SIU must focus on the biggest frauds first, however if they are chasing shadows with a high false positive rate, then much of their effort is wasted. Only an integrated set of techniques can achieve this. If you have a simple, single approach to fraud, you are almost certainly wasting your company's time and money.

While fraud is viewed as an after the claim event, insurers will always play catch up. Most realise that some insurance policies are written just for the purpose of committing fraud. However they have no way of stopping this at policy inception. More important is the rising spectre of claims abuse, whereby people inflate their claims by a "reasonable" amount. This type of activity lives in the thin layer between acceptable behaviour and fraud, and this is where much of the insurance industry's real problems lie.

We are reaching the stage where a vicious circle is emerging. The SIUs are undermanned and overburdened as the numbers of potential frauds increase. Without a concerted, co-ordinated and sophisticated approach to fraud, using good old fashioned investigation and the latest technology in harmony, companies will struggle.

Let's flip this argument around to something policyholders will understand - the longer the insurers ignore fraud, the longer they will persist in charging a higher than necessary premium to cover the cost of fraud. In this increasingly competitive and fickle market with policyholders buying on price, it's actually impacting on competitiveness, so combating claims abuse and fraud is now a critical commercial consideration for all insurers. Ultimately, better fraud and claims abuse detection reduces claims expenditure, reduces combined ratios, protects market share and increases profits."

Friday, 17 April 2009

Data security standards - A toothless tiger?

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and banks were the worst culprits for compromising records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008 and that 90% of the records breached were reportedly targeted by groups involved in organised crime.

Interestingly, most (74%) of the data breaches were from external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from external hackers hacking into servers and applications online. Financial service providers are doing nowhere near enough to secure customer data, including implementing basic forms of protection such as data encryption.

The credit card companies introduced PCI-DSS (the Payment Card Industry Data Security Standard), which includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for securing credit card data. The standard includes basic requirements such as implementing a firewall, and encrypting the transmission of cardholder data across open networks.

However, according to Verizon's report, 81% of affected organisations subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and could be subject to fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered the largest known data breach to date when hackers stole 45.7 million credit and debit card numbers, as well as personal data, including driver's license numbers of another 455,000 customers.

TJX did not comply with PCI-DSS as cardholder data was unencrypted. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or losing the ability to process credit card transactions. But if Verizon's stats are anything to go by, PCI-DSS appears to be somewhat of a 'toothless tiger' in terms of forcing companies to implement even the most basic of data security measures.

It begs the question, why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use) or just plain ignorance? Certainly the reputational implications, as evidenced by TJX, outweigh the upfront costs of securing and encrypting customer data.

Tuesday, 14 April 2009


In the wake of the Bernard Madoff revelations, Ponzi schemes, on a much smaller scale than Madoff's $50 billion scam, are being unearthed.

Eager to be seen to be proactive rather than reactive, the US Securities & Exchange Commission (SEC) is charging funds left right and centre with running Ponzi schemes. Some of the latest victims on the SEC's watch list include Shawn R. Merriman, who according to reports, is accused of fraudulently obtaining between $17 million and $20 million from investors in three US states through his company Market Street Advisors. Similar to Madoff, Merriman is alleged to have promised investors "impressive" returns.

Other reports claim that "mini-Madoffs" are using the video-sharing web site, YouTube, to promote "cash gifting" programs. According to a Los Angeles Times report, the Better Business Bureau claims to have uncovered 23,000 clips promoting these so-called 'gifting' schemes. Viewers are reportedly directed to a web site where they are asked to sign up at a cost of between $150 and $5000. A spokesperson from the Better Business Bureau is quoted as saying, "They make it seem like it's legal and an easy way to make money, but it's nothing more than a pyramid scheme."

Wednesday, 8 April 2009

A "smart computer" to detect insider trading

Increasingly fraudsters are devising more sophisticated means of committing fraud, and for the technology companies charged with combating fraud, it always seems like they are playing catch-up. But when the nature of the fraud is more insidious, the challenge is greater, as is the case with insider fraud.

Fraud committed from the inside is more difficult to contend with than external threats. As a company how do you identify who is likely to commit fraud within your organisation? How do you give employees access to applications and systems they need to do their job, without locking everything down or introducing a 'Big Brother' culture?

At the University of Sunderland, they are working on a new "smart computer" that uses artificial intelligence and "headline analysis techniques" to try and detect suspicious share dealing. Insider trading or rogue trades have long plagued the capital markets and some stats suggest that upwards of 20% of deals in the UK, and 40% in the US, may be tainted.

The "smart computer" project at Sunderland is entitled CASSANDRA (Computerised Analysis of Stocks and Shares for Novelty Detection of Radical Activities) and it has been awarded £90,000 by Northstar Funding to investigate the merits of combining artificial intelligence and analysis techniques to combat financial fraud.

Dr Dale Addison, project manager, CASSANDRA, says the problem with current anti-fraud systems is that they generate too many 'false positives'. "As many as 75% false positive flagging has been observed by some systems," he says.

CASSANDRA, on the other hand, looks at news stories affecting a particular company. So for example if two companies are in the process of merging and someone finds out the merger is not going ahead, they may go out and buy and/or sell that company's stock based on that inside knowledge.

According to Addison, CASSANDRA would be able to detect that based on its analysis of news events from Reuters, Bloomberg and other sources, as well as the movement of stocks and shares of a specific company. "This system will have the ability to allow users to look at news information and rank it according to how significant an impact it has had on share dealing." But how do you know which piece of news or information has altered trading in a particular stock?

Information on US and UK stock markets is being provided to the Sunderland team by Canadian company, Measured Markets, which provides an "early warning" analysis service alerting investors when a stock's trading pattern changes.

Dr Addison plans to build a bigger computer that can be used to detect market abuse or false and exaggerated news that helps traders earn more money.

Friday, 3 April 2009

Madoff "feeder" funds in spotlight

Civil lawsuits pertaining to "feeder funds" in the Bernard Madoff Ponzi scheme continue to play out, with Connecticut-based hedge fund Fairfield Greenwich the subject of allegations that it failed to carry out adequate due diligence on Madoff.

According to newspaper reports, the fund, whose manager reportedly worked with Madoff for 18 years, is accused of being "blinded" by the hefty performance fees it earned for funnelling funds into the alleged Ponzi scheme. The fund funnelled a reported $7.2 billion into Mr Madoff's company. Fairfield Greenwich is believed to be contesting the charges brought by Massachusetts authorities.

Combating AML and terrorist financing

The International Monetary Fund (IMF) is reported to have announced a "donor-supported fund" that will provide $31 million over the next five years for anti-money laundering (AML) efforts and the fight against terrorist financing. Fund donors include the United Kingdom, Switzerland, Norway, Luxembourg, France, South Korea, Saudi Arabia and Japan.

The fund will commence operations in May and is geared towards providing "technical expertise" to those countries that want to strengthen their national AML and counter-terrorist financing strategies. Currently, at least in countries such as the UK and the US, a lot of the onus for detecting money laundering and terrorist financing falls on banks; however, not all funds are laundered through banks. The diamond trade is also a conduit for laundering.

The figures speak for themselves in terms of how successful governments have been in seizing terrorist funds. Since 2001 in the UK there were £400,000 worth of cash seized under the Anti-Terrorism, Crime and Security Act, £475,000 seized under the Proceeds of Crime Act, and £477,000 frozen by HM Treasury.

One of the challenges for banks is that some of them have been unwittingly caught out by US terror financing legislation for transferring money to organisations in Palestine, for example, that the US recognises as terrorist organisations, but which other countries don't necessarily.

Online fraud is flourishing

A report in the Wall Street Journal features remarks made by Katherine Hutchinson, senior director of global risk management at PayPal. She reportedly told the Web 2.0 Expo in San Francisco that the online fraud industry was so lucrative that an "underground community" existed where fraudsters offered their specialist skills to others.

She also warned that the use of IP addresses for determining a customer's location was no longer a suitable method of combating online fraud - IP addresses can be easily masked for one thing, and fraudsters often use "zombie" computers. She also warned that all the confusion in the banking sector caused by the current economic crisis left the door open for phishing attacks by fraudsters asking customers for bank account details.