
Friday, 8 May 2009

Disrupting fraud as it happens

When the director of the UK's Serious Fraud Office (SFO), Richard Alderman, comes out all guns blazing saying that his office is becoming more proactive and intelligence-led, and plans on making better use of the powers at its disposal, one cannot help but think: shouldn't you have been doing that all along anyway?

Much of the burden for detecting, policing and enforcing anti-fraud measures has historically fallen on the shoulders of banks, other financial service providers and individual victims. But with the Securities & Exchange Commission (SEC) in the US and many other regulatory bodies and government agencies caught napping in the wake of the $50 billion Madoff scandal, they are eager to challenge the publicly held notion that they are essentially 'toothless tigers'.

At the Sweet & Maxwell conference on the changing face of fraud trials, Alderman stated that the SFO was moving towards becoming an "intelligence-led organisation", assessing where the fraud risks are during this economic downturn and working with other agencies to disrupt fraud as it happens. That means the SFO is going to have to capture reliable and sophisticated intelligence if it is to stop fraud before it even happens, and I am curious to know how they are going to do that.

The SFO has extended an olive branch to so-called City whistle blowers and says it is going to look more closely at hedge funds, but is that going to be enough to uncover major frauds? Take the alleged Bernard Madoff Ponzi scheme, for example. There were plenty of whistle blowers warning the SEC that something was amiss, but on the whole they chose to ignore this information or did not investigate it thoroughly.

"We intend to take full advantage of all the powers that are available to us and that have been neglected by the SFO over the past years, but we also need to consider what further powers we need to make the SFO a more efficient organisation," said Alderman. It begs the question: why has the SFO neglected to use its powers, and what has so fundamentally changed within the organisation that it is going to seize those powers now to keep fraudsters at bay?

Is this finally recognition that the powers that be are taking fraud more seriously, and that the onus for detecting, policing and preventing fraud no longer falls on banks and individuals but on intelligence-led policing? I'm not sure we can all breathe a collective sigh of relief just yet.

Wednesday, 24 September 2008

Fraud not on the agenda at banking conference

Posted by Anita Hawser

As investment banks and mortgage providers were dropping like flies last week as the credit crunch increased the pace of market consolidation, I was attending one of the world's largest international banking conferences, Sibos, in Vienna.

Hosted by SWIFT, the Society for Worldwide Interbank Financial Telecommunication, Sibos 2008 attracted approximately 8,000 bankers; however, some conference speakers dropped out at the last minute as investment banks and mortgage lenders fell victim to market speculation and takeovers.

SWIFT, as you may or may not know, is a bank-owned messaging network, which prides itself on never being hacked into or compromised by an external or internal threat. However, it did get into hot water a couple of years back with data privacy zealots when it allowed US intelligence agencies to look at messages being sent on its network as part of the US government's efforts to combat terrorism and money laundering.

While I can understand that banks probably have a lot more on their minds in today's difficult climate than combating fraud, I was surprised to see that identity fraud, and banking fraud in general, were not featured on the Sibos conference agenda.

Fraud only appeared to be up for discussion on the exhibition floor where a handful of dedicated information security vendors (SafeNet, NetEconomy) and AML solution providers were exhibiting their anti-fraud technologies and strategies.

"There is a lot of interest from banks around service-oriented architectures and designing security in from the get go rather than an afterthought," said Rene Bastien, product manager, payment products, SafeNet. Bastien says Basel II is also forcing banks to address operational risk.

SafeNet says that the current business climate is good for security vendors as it is forcing banks who were "caught with their pants down" to address their risk management and operational practices. And it seems security vendors are trying to make it easier for banks to embed security natively within applications using common standards such as XML, which means application developers do not need to be "cryptographic geeks" in order to understand security.

Of course, banks en masse don't like to talk about fraud, particularly in this climate where banking failures in general are dominating newspaper headlines. Yet, fraud is an area banks cannot afford to ignore, not only because of the hefty fines likely to be imposed by regulators, but also the reputational risk and the impact on banks' balance sheets.

According to a survey conducted by Kroll on behalf of the Economist Intelligence Unit, financial services providers lost an average of $12.9 million to fraud in the last three years, although this figure is probably higher if one takes into account the reputational costs and the costs of fraud that banks are not even aware of or that remain undetected.

Kroll says the most common types of fraud financial service providers are exposed to include: regulatory or compliance breach (35%), financial mismanagement (29%), theft of physical assets or stock (27%), management conflict of interest (25%), information theft, loss or attack (24%) and internal financial fraud or theft (24%).

While it is difficult to put a precise figure on the reputational costs and brand damage caused by fraud, research by security software vendor, Symantec, suggests that consumers take a dim view of companies that do not do enough to protect their private data. Approximately 90% of consumers surveyed by Symantec stated that "reckless or repeated" data breaches should be punishable by imprisonment.

Seventy-six percent of companies polled by Symantec expected to lose customers if a data loss or breach occurred and 50% expected customer loyalty to fall off immediately. “These statistics are very concerning for business, particularly in the current unstable market conditions,” said John Brigden, senior vice president for Europe, the Middle East and Africa at Symantec. “Not only do they risk losing large numbers of customers following an incident of data loss, but almost 60% of companies said it would be a lot harder to attract new customers once the reputation had been tarnished.”

Fraud is so pervasive now that it is not just something CTOs or chief risk officers need to be concerned about. CFOs and CEOs should also be more attuned to the impact of fraud on their businesses.

"We expect to see fraud increase as conditions become tougher for business and the full impact of the credit crunch unfolds. Financial services companies need to focus their efforts, especially against regulatory and compliance breaches as the loss involved is far too much to justify," says Blake Coppotelli, senior managing director in Kroll's business intelligence and investigations division.

It is no longer acceptable for banking CEOs to say they do not understand the instruments their investment banking divisions are trading, nor should it be excusable for them to say they are not aware of the impact fraud is having on their business.

Saturday, 14 June 2008

Who should be liable for online fraud?

With a UK Parliamentary Report on Personal Internet Security released last August lambasting banks and ISPs for not doing enough to protect consumers from online fraud, it appears that banks are shirking their responsibilities when it comes to compensating victims of fraud.

According to an article in The Guardian newspaper, a minor amendment to the Banking Code introduced in March provides a loophole for banks to refuse compensation to victims of fraud if the anti-virus software on their computer is not up to date. The Guardian reports that the 2005 Banking Code contains a section (12.9), which advises customers to use "up-to-date antivirus and spyware and a personal firewall".

However, a new section (12.13) has since been added, which reportedly states that, "Unless you [the bank] have acted fraudulently or without reasonable care, you will not be liable for losses caused by someone else which take place through your online banking service." Security experts have interpreted this to mean that banks will be able to shift liability for online fraud to the consumer.

"The new provisions to the Banking Code, which mean that banks may now pass responsibility for card fraud to affected customers if they don't have AV software or firewalls, raise an interesting debate - should banks be able to transfer liability so easily, and how policeable will this be?" asks Holly Marshall, business development manager, UK Financial Services, Unisys.

"A balance of responsibility is needed between banks and consumers. Banks need to take a key role in educating consumers about these new guidelines to ensure they are fully aware of exactly what they are now liable for, but consumers need to take some responsibility too.

"Customers need to be proactive in learning about the guidelines and securing their personal computers to ensure all their dealings on the internet are protected adequately. Government and technology organisations have a role too - to advise and consult with banks on how best to implement and publicise the new provisions without degrading the customer experience."

Marshall has a valid point. Exactly how "policeable" is this new addition to the Banking Code going to be? Are banks going to go out and seize the computers of consumers that are victims of online fraud to check that their anti-virus and spyware is up to date, which is reportedly what banks in New Zealand have the power to do? It seems unlikely given the bad press and consumer backlash that they are likely to suffer as a result of doing just that.

"The technology required to check every single online banking customer's AV settings whilst available, would be expensive, invasive and in a way a piecemeal response to the problem of fraud," says Marshall. "Fraud doesn’t just come from unprotected computers. Insider fraud, bin raiding, and card skimming are equally as prevalent. How would the banks correctly attribute the instance of fraud with the correct cause?"

The new section within the Banking Code sounds like it has been added by lawyers as a safety net for banks that, let's face it, don't want to be paying out millions in consumer compensation. But it does reignite an interesting debate about responsibility for fraud. Instead of adopting an accusatory tone towards customers that are victims of fraud, banks need to work more closely with their customers on educating them about the potential risks, what to look out for, and how to make their online banking experiences safer.

At the same time, banks need to be more transparent about what levels of security they have deployed to protect online banking applications. They cannot expect consumers to be forthcoming about how well their desktop PC is protected if they are not willing to disclose steps they have taken as well.

Posted by Anita Hawser