At Sibos 2019, industry experts will be discussing today’s payments landscape and how banks now need to balance their customer demands for speed with regulatory demands for financial crime and risk controls.
The payments industry is undergoing a renewal, with major strategic implications for infrastructure operators, their participating banks and their new client groups. New platforms, new processes and new services have far-reaching implications, not least because many market practices and technology stacks have been in place for decades.
In addition to this, after a year of uncertainty about global trade wars, a significant impact is being seen with forecasts for lower growth of trade, but are there opportunities that promise a bright future?
Ahead of Sibos in London, Finextra spoke to leading figures in financial services, Jennifer Page from KPMG’s Financial Crime Technology practice, Rob Cutler, KPMG Forensic Partner, and Andres Kitter, CEO of LHV UK, about geopolitics and the impact of political uncertainty on financial services.
Brexit and risk as opposing forces
How can FIs continue to manage risk and outpace fraudsters when political uncertainty is creating new implications? How much of an impact has Brexit had on an operational level within a bank? Has compliance been left by the wayside?
Page takes the example of the UK and says that different financial institutions (FIs) have taken different approaches to Brexit. “The larger global FIs tend to already be affected by the changing geo-political landscape and introduction of new regulation.
“Adapting to change and operating models in diverging business markets is part and parcel of the compliance function and drives the ways in which they support their customers. Smaller FIs are perhaps more affected where their primary business is international.”
She continues to explain that fraud risk does increase during times of uncertainty, and that Brexit could therefore result in individuals, organisations and FIs falling victim to fraud or becoming recipients of fraudulently obtained funds.
“The indirect consequences of Brexit could include for example, staff being uncertain about their future and being more prone to committing fraud or more vulnerable to falling victim to scams, even if the frauds themselves are not enabled by Brexit. To counter any potential new vulnerabilities, FIs should make sure education is specific, targeted and appropriately delivered as part of any Brexit programme.”
Page lists other examples of how Brexit could impact FIs:
• Reduced regulation may present opportunities for riskier trading practices that generate higher returns. This could be mis-sold to remote investors or company boards looking for higher returns.
• As businesses relocate operations there is an increased risk of funds being fraudulently diverted. This could include Business Email Compromise, where accounts of senior staff are spoofed to request immediate payments into ‘Brexit accounts’ or suppliers are impersonated with requests for future payments to be directed to their European accounts.
• Fraudsters may sell immigration services to companies or individuals that abuse or circumvent work and residency restrictions.
• Due to removal of EU funding and possible moves to plug gaps by UK funding, fraudsters may seek to improperly get involved either by seeking to represent genuine claimants and then charging spurious fees / diverting grant funds or by making bogus claims for newly introduced government funds.
Kitter adds that it is a rare sight to see masked criminals rushing into bank branches nowadays - phishing, card and investment fraud are today’s daily challenges for banks. “The financial sector invests a lot into fraud management systems which prioritises using technology to improve processes, but also needs to involve the customer so as to improve its fraud awareness and knowledge.
“It is considered a no brainer to protect your wallet from strangers, but that often doesn’t apply to entering your bank account details into dodgy internet sites. Fraudsters tend to attack the weakest link, which often happens to be the customer.”
He takes a different view and says that while emerging fintechs have increased choice and improved user experience, these firms have also exposed new risks. “Brexit on the other hand does not expose that many new risks, but creates lots of uncertainties for the organisations which have leveraged on the advantage of belonging to the common EU market.”
Kitter goes on to say that there is difficulty in preparing for Brexit without knowledge of whether or not a deal will be struck. “It is frustrating for the market and also poses significant financial costs. It will be very important that in the event of Brexit going ahead that the EU and UK maintain a similar approach to regulation in terms of data protection and openness of the banking sector.”
Opening doors for hackers
Has the adoption and implementation of emerging technologies had the opposite effect, where FIs now have to deal with multiple entry points from which hackers can attack?
Following on from Kitter’s point on fintech firms exposing new risks, Page posits that as money increasingly moves digitally, data is changing hands at a faster rate, which in turn increases the risk of breaches. Further to this, the emergence of open banking and the implementation of PSD2 have added a new dimension to the data breach discussion.
“It is critical to consider the security implications at every touchpoint, especially as mobile and cloud expand as enterprise options. Whilst the adoption and implementation of emerging technologies can address some of these issues, they can also, if not implemented with caution, cause new vulnerabilities,” an increasing problem when considering communication between FIs and third-party vendors.
Page referred to the 2018 KPMG report ‘Clarity on financial crime in banking’ and revealed that cyber was the primary method by which banks were subjected to financial crime (29%), followed by information security attacks (25%).
“It is not all doom and gloom however. FIs are amongst the most mature industries from a cyber security perspective due to their historically conservative approach to risk, their consistent, sizeable investments in security and privacy safeguards and their tradition of collaboration within the industry and with authorities.
“The FIs at the forefront of implementing effective cyber controls are those who have ensured cyber is viewed as a business risk, not an IT issue, and thus have ensured board level ownership of cyber to make sure there is sufficient focus of cyber as part of the changing nature of risk in a digital world.”
In addition to this, FIs have traditionally responded to digital incidents such as cyber-attack, human error or sabotage with quick managed action. “There are a number of ways this can be achieved from ensuring digital forensic readiness to control and limit the damage caused by a digital incident, to education and empowerment of employees to identify risks in a broader range of issues and specific threat scenarios, from IT security to cybercrime. The more technically advanced FIs are also exploring the use of deep learning to counter deep learning threats,” Page says.
Preparing for the next financial crisis
What kind of counter-terrorism strategies have FIs put in place? Where does one start? Why has there not been a global standard put in place if the next financial crisis is expected to be a cyber-attack?
In the same way that FIs are historically known to be the best at financial crime preparedness, Cutler highlights that most businesses already have a multi-faceted strategy to deal with terrorism related issues. This includes “a strategy regarding key areas such as data, people, infrastructure, physical etc.
“Each of these areas will have a specific response such as having disaster recovery sites, offsite data centres, physical bollards in front of buildings, screening of bags to get into buildings etc. The use of cloud technology has helped with the above strategies as this has made firms less reliant on on-prem physical servers etc.”
While the implementation of technology is an easy solution, it is difficult to determine where a global standard could play a part in the ultimate prevention of the next financial crisis. This would depend “on the size of the firm, how it is structured, how it deploys technology, physical location of buildings and the type of business it does (e.g. firms from high risk countries or doing business in high risk countries). We would expect all firms to have understood the risks, considered the risks and then put in place controls/arrangements to minimise the risk.”
Kitter continues the conversation: “Without proper collaboration and information sharing, the success of the individual contributing results is often questionable. Especially critical is collaboration with state organisations and agencies as banks will never hold as much information as the law enforcement agencies.
“At the same time banks should collaborate more within the industry because - while we all have access to the sanction lists and have internal tools for preventing money laundering - cross-industry collaboration is lacking.”