Despite regulatory changes, banks need to take more of a holistic view when it comes to money laundering and fraud. Alan Duerden reports.

As The Banker went to press it was being reported that a Swiss banker from UBS had been one of 19 people arrested in connection with an anti-money laundering investigation, in which Brazilian police claimed to have recovered over $4m in cash.

Amid allegations by Brazil’s federal police that Brazilian companies were avoiding taxes by laundering money through Swiss banks, the investigation was also targeting Clariden Leu, a private banking arm of Credit Suisse, and AIG.

Fraudulent activity in the financial world is alive and well despite initiatives such as Sarbanes-Oxley, a US federal law which, among other things, has the right to oversee, regulate, inspect and, where necessary, discipline public companies via a specially set-up body.

Another step, this time in Europe, has been the Third Money Laundering Directive that puts the onus on a company to know its customer, and regularly monitor and authenticate its customer base to highlight such contingencies as fraudulent activity.

Closing loopholes

“Organised criminals are very clever and will always find a loophole,” says Helen Lord, fraud and regulatory compliance director for Experian, the information analytics provider.

“The key to preventing fraud is about closing those loopholes and making sure that you have the most up-to-date technology.”

Regulatory reform is only one part of the solution, as shown in January 2006 when TJX Companies, the commercial giant that owns retail chains in the US, Canada and Europe, announced that it had suffered an ‘unauthorised intrusion’ into its computer systems that process and store information relating to customer transactions.

This resulted in one gift card fraud ring running up more than $8m in charges at other retailers by using the information gleaned from the security breach.

This clearly shows that additional measures must be taken by organisations if they are to mitigate the risk of fraud. TJX was complying with the Payment Card Industry (PCI) Data Security Standard, which establishes requirements for enhancing payment account data security.

The company had passed the standard’s qualifying audit yet when the case was brought before a magistrate, the court documents suggested that the firm had failed to comply with nine of the standard’s 12 requirements.

State of compliance

“It is very difficult to have visibility into a state of compliance within an organisation from a process and policy perspective,” says Mike Flouton, a product manager with OpenPages, a business governance solutions software provider.

“Consequently organisations need to turn to tools that will give them that visibility and automate the assessment process.”

And Brian Gregory, senior director of solution sales, financial applications for Oracle EMEA, adds: “The more you automate the process, the more difficult it becomes to circumvent the policies that you have in place.”

In response to this problem some interesting technology is coming to market with solutions that can either sit at employee desktop level or be knitted into an organisation’s network to recognise fraudulent information.

E-mail protection, for example, is offered by companies such as Vontu and Fidelis – this uses pattern recognition software to monitor outbound messages, looking in particular for bank account numbers and account data.
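As an illustration of the outbound-message pattern matching described above, the following is an added example, not code from the article or from any vendor it names. It flags payment card numbers and IBANs in a message body, using checksum validation (Luhn and mod-97) to cut false positives. The function names and the sample message are constructed for this sketch.

```python
import re

# Candidate patterns: 13-19 digit card numbers (spaces or dashes allowed) and IBANs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 check: move first four chars to the end, map A-Z to 10-35, mod 97."""
    s = iban.replace(" ", "")
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself does not leak data."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]

def scan_outbound(body: str) -> list:
    """Return (kind, masked value) for each checksum-valid account number found."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in IBAN_RE.finditer(body):
        if iban_ok(m.group()):
            findings.append(("iban", mask(m.group())))
    return findings

# Constructed sample: a well-known test card number, the standard example IBAN,
# and an order reference that looks like a card number but fails the Luhn check.
SAMPLE = ("Hi, please charge 4111 1111 1111 1111 and refund to "
          "GB82 WEST 1234 5698 7654 32. Order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    for kind, masked in scan_outbound(SAMPLE):
        print(kind, masked)
```

Pattern matching of this kind only sees cleartext it can parse; encrypted attachments or reformatted numbers pass through, which is why such tools sit alongside policy and process controls rather than replacing them.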

Money laundering

According to the IMF, about $1500bn derived from illegal activities is laundered through the world’s financial systems each year, while Celent reports that the five-year compound annual growth rate for identity theft costs is 29%.

“What we are saying is that most investment banks are almost certainly going to be spending at least one quarter, possibly as much as a third, of their IT budget on preventing fraud of this nature,” says Anthony Kirby, visiting fellow of Promethee, a French think-tank.

Financial institutions have become wise very quickly about outsiders accessing their networks, and the majority of fraud they are now faced with is from criminal organisations with an internal connection.

Sophisticated offenders

“The trend in banking systems is to look for more sophisticated offenders rather than focus on criminals that are only after credit histories, name details and cardholder details,” says Dr Neil Dodgson, director of risk and compliance at Oracle EMEA.

In the meantime, banks can do a number of things to mitigate the risk of internal fraud, including the use of software with behaviour detection algorithms that detect abnormal or suspicious activity by an employee and alert the compliance department.

While this sounds all very ‘Big Brother’, a more restrained approach would be to carry out more stringent checks on the credit histories and criminal records of new employees.

Financial institutions are also guilty of neglecting their computer installations and systems – recent technical glitches and lack of control have led to them losing not insignificant sums of money.

In August, for instance, Australian bank Westpac embarrassingly admitted that a computer problem had allowed one of its customers to overdraw almost $9m from his account.

So far this year alone in the UK more than £57m ($118m) has been paid out in pensions and income support to people who are no longer alive.

Mr Flouton says that most failures in technology or most losses that an organisation encounters from a technology perspective can be traced back to either policy or process.

“Organisations should have policies of continuous auditing and monitoring to enable compensating controls to be put in place, ensuring among other things that payments aren’t made to the deceased,” he says.

Financial institutions’ technology systems are incredibly complex and it is unrealistic to expect technology vendors and the IT department to solve every problem from a risk standpoint.

Monitoring actions

“Fraudsters are becoming much more systemic as to how they attack financial institutions,” says Mr Kirby.

He continues: “Banks need to adopt much more holistic practices to screen clients that they take on and to monitor customers’ actions in a dynamic sense. To my knowledge no bank does this.”

The only way to really safeguard against fraud is to have strong security policies. The problem in too many cases is that the policies are long out of date and unread by staff.

Smart fraudsters normally take advantage of more than just one of a bank’s weak points.

Having a great system in place is not enough on its own. Banks too need to look more holistically at people, best practice, standards and technology.
