21 October 2009

Risk Management applied to Banking fraud

Trends in contemporary Risk Management and Enterprise Security

The Banking industry continues to be beset by external and internal fraud, covering a range of lines of business, from securities, online channels, application fraud, ATM, checks and money laundering. Recent best practices have recognized that Risk Management techniques yield the best results in detecting and preventing some of these diverse types of fraud.

From the earliest years when banking services were introduced in support of commerce, long distance trade and the prosecution of wars, there were creative and immoral intellects applying themselves to the task of fraudulently obtaining a share of the wealth. Banking has always been about trust, and finding mechanisms for allowing the legitimate control over flows of money that are difficult to counterfeit or circumvent.

In recent years, with the addition of the Internet and other online Banking channels (such as mPayments, Debit/Credit Cards and Wire Transfers), the tasks for banks have become exponentially more challenging. In addition to a huge increase in the value of transactions operating over electronic channels, there has also been a dramatic level of growth in the number and speed of such transactions. Given this trend, and the costs associated with manually checking each transaction for signs of fraud, Banks have been forced to invest in ever more complex systems and processes for detecting and preventing illegitimate transactions.

One of the earliest online international banking frauds hit Citibank in 1994, when a Russian criminal, Vladimir Levin, purchased access details for Citibank's X.25-based Cash Management system from fellow hackers. Over the next four months, he illegally transferred $10.7 million to several international accomplices. Citibank's fraud detection systems eventually were triggered, leading to investigation by the FBI, who traced the connections to St. Petersburg, which led to Levin's eventual arrest and successful prosecution.

In recent years, Citibank has again been hit by Russian fraudsters, who used ATM card information (including PINs) which were stolen from a compromised 3rd party banking system. With Ukrainian confederates, $2 million was stolen in cash from ATMs around New York over a period of months in late 2007, then laundered through various methods back to Russia.

Of much greater impact in recent times is the growth of insider fraud, which in more serious cases has led to the complete wiping out of a bank's assets -- such as the Barings Bank collapse in 1995, triggered when rogue trader Nick Leeson lost $1.4 billion from unauthorized futures trading positions. Austrian bank BAWAG hid $1 billion in losses for seven years until 2005, with on-going court cases, and the forced sale of the bank to new owners. An HSBC clerk stole $143 million from the bank in April 2008, using stolen account information. Credit Agricole lost $250 million from unauthorized trades in credit market indexes in its New York Calyon unit. And most spectacularly, Jerome Kerviel lost $7.1 billion from his employer, Societe Generale, from uncontrolled and highly risky trades in equity derivatives (hedge funds) based on European stocks.

These cases, while spectacular, are the tip of the iceberg, as many banks refuse to dislose publicly many of the smaller losses incurred, such as hundreds of millions annually from phishing attacks against customer accounts, as well as substantial levels of persisting check and credit card fraud. Understandably, banker's reluctance is driven by the fear that customers would lose confidence in a bank with such a poor security track record, and justifiably so. However, recent surveys [Unisys] have shown that many banking customers already are highly concerned about security, as more of them are hit by phishing, identity theft, advance-fee fraud and increased costs from banks, not to mention the dramatic liquidity crisis resulting from apparently fraudulent sale of unsecured mortgages and their toxic derivatives.

Bankers have not been unconcerned, and the most promising efforts in this area have come from a combination of self-regulation and government legislation. For the former, the Basel Committee on Banking Supervision has released many documents which outline voluntary codes by which banks can regulate their internal controls and risk management processes, especially in regards to Credit and Operational Risk. The Three Pillars of Basel II include:

1. Minimum capital requirements -- defining mechanisms for calculating the required level of capital adequacy to deal with market, operational or credit risk (potential losses);
2. Supervisory review process -- increasing accountability and transparency of banking supervision, in particular in its Risk Management processes and procedures;
3. Market disclipine -- requirements for a bank to publicly disclose its known risks and capital positions.

Beyond these voluntary accords, which have been successfully applied world-wide by banks in hundreds of countries, governments have enacted legislation intended to strengthen confidence in the banking system by requiring greater protection for consumers, as well as regulating bank's behaviours in selected markets. These laws include, for example, MiFID (European law for governing the sale of securities); 2nd and 3rd EU AML Directives, OFAC lists, FATF 40+9 (which regulate bank's behaviour in regard to requiring the detection and prevention of money laundering and terrorist financing,) and a host of other local laws that seek to improve Governance, Regulatory and Compliance processes within the financial services sector.

Such industry self-regulation and government laws have unfortunately not significantly diminished the growing wave of financial crime which threatens the banking industry. There is a trend for well-funded, ruthless and highly skilled and motivated international criminal gangs, which deliberately target the weakest institutions and the apparently threadbare security of online banking channels (according to one recent survey by the University of Michigan, 75% of a sample of 214 banking web sites have significant security flaws which could be used for identity theft or other fraudulent activities.)

Banks are driven by increasing complexity in the management of their business, with consumer demand for faster response, lower costs, wider ranges of products and services, and regulatory pressure. All of these conflicting demands mean that the necessary investments in security have not kept pace with the rapid rate of change in the fraud landscape, and the almost monthly tales of huge losses due to unauthorized insider trading and the rapid growth in identity theft paint a grim picture. Banking management will spend on security only in the face of a compelling event, such as recent major loss, or threat of government intervention. Until then, they will perform a rational risk cost/benefit analysis -- are the losses due to fraud likely to be significantly higher than the investments required and internal process changes needed to better detect and prevent such fraud? When the answer to this question is no, then banks will spend the minimum required to achieve compliance with the basic standards, and hope that customers won't notice the difference. Fortunately, consumers are becoming more discriminating, and are starting to insist that banks take responsibility for the poor state of banking security and its concomitant lack of confidence.

Can we continue to trust banks? In my view, the answer is maybe -- and those banks which demonstrate a higher level of security competence and investment in improved Governance, Regulatory and Compliance activity will get my business, while those other "soft target" banks will struggle to maintain their position. A revolution is needed--but fortunately the evolutionary effects of increasingly more successful "predators" (the fraudsters and criminals) will have the effect of weeding out the weaker banks, leading to an overall strengthening of security.

No comments: