Financial institutions – managing and mitigating fraud and financial crime
February 2017 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
FW moderates a discussion on managing and mitigating fraud and financial crime for financial institutions between Garry W.G. Clement at the Clement Advisory Group, José Bonilla at Jones Day, Amy Van Gelder at Skadden, Arps, Slate, Meagher & Flom LLP, and Amparo Zabala at Zurich.
FW: Could you provide an overview of the main types of financial crime that financial institutions (FIs) encounter on a regular basis? What are the common sources of such risks?
Clement: The range of threats is wide and constantly evolving. FIs, particularly large international banks, face an array of financial crime threats from every corner of the real and virtual worlds, and the attackers span the gamut from low-level, unskilled opportunists to sophisticated, coordinated organised criminal and terror groups. Key risks facing institutions, either directly or on behalf of customers, include money laundering, fraud, identity theft, corruption, tax evasion, dealing with sanctioned entities and ensuring bank or customer data is not stolen by hackers, just to name some of the major concerns encompassed under the overarching umbrella of financial crime compliance.
Bonilla: In addition to conventional financial crime which remains, as always, a risk for all FIs, most entities are worried about technological security breaches which can lead to embezzlement of funds managed by them, as well as the misappropriation of their client’s private information. Both the breach of the technological security of the entity and the appropriation of the clients’ information are independent and separate criminal offences under Spanish law. Money laundering and tax fraud are also two important areas of concern for FIs. Recent cases, such as the one affecting the Chinese bank ICBC, or the Falciani case related to HSBC, have created great concern in FIs which are aware of the risk of not trying to prevent criminal offences by clients or even unwillingly helping them to commit them.
Van Gelder: FIs today face a wide range of traditional and novel financial crimes, including fraud, money laundering, tax evasion, bribery and terrorism financing. Threats loom from both insiders and outsiders. In the wake of a recent Consumer Financial Protection Bureau enforcement action, alleging that bank employees opened unauthorised or unnecessary accounts in order to earn financial incentives, regulators have turned their attention to FIs’ internal sales practices. As the inquiry into this emerging area of concern unfolds, FIs can expect scrutiny of sales incentive programmes, management oversight and internal controls. At the same time, cyber crime remains a central source of risk. Hackers and other cyber criminals are becoming increasingly sophisticated, and FIs are racing to keep pace. Cyber attacks are likely to increase with the growing use of social media and the steady rise in mobile banking applications.
Zabala: FIs have to deal with many threats, including malware, DoS attacks, phishing, spoofing, and theft of identity and personal data, corporate information and funds. These threats often arise from organised criminals operating as financial fraudsters, cyber activists, rogue employees and even state actors. Cyber attacks on FIs are an increasing threat, more than in any other sector of the global economy. This has been highlighted in recent industry reports on information security. These increasingly sophisticated threats are coming from all angles. In the past, individuals were targeted, but now it is not uncommon to deal with corporate espionage or the disruption of an organisation’s operation for competitive advantage. Data is also used in different ways. Stolen information no longer needs to be sold immediately. Hackers are now more patient and will wait until the moment when it has the right value to be traded or acted upon.
FW: What strategies are FIs deploying to manage fraud and financial crime? In your opinion, are they allocating sufficient resources to tackling the problem?
Van Gelder: Although FIs devote substantial resources to managing fraud and financial crime, their efforts are often undermined to the extent that they utilise a fragmented approach. Traditionally, FIs have delegated responsibilities for ferreting out different types of financial crime to separate divisions, often with their own unique systems and processes, and with minimal communication. This lack of cohesion reduces efficiency, creates information silos and leaves security gaps. Regulators in the US and beyond increasingly expect FIs to adopt a more holistic approach by establishing a company-wide framework and fostering communication across the various risk assessment groups. This collaborative approach not only plugs security gaps, it also reduces redundancies and maximises the efficiency of the significant resources that FIs dedicate to tackling this problem.
Zabala: FIs must balance their growing reliance on technology with their need to protect against cyber security risks, which are second only to regulatory concerns. As a result, expenditure has grown steeply in recent years. Budgets will continue to grow, but this growth is unlikely to be sustainable. Technology is only as good as its users. FIs are finding it difficult to identify people with the right technical skills, business know-how and requisite strategic thinking to implement effective cyber security initiatives. At some point security investment will shift focus, from technology to people and skills. Business resilience and continuity planning is critical. The plans of FIs are not always robust, and should be tested for IT security, operational risks, legal and corporate relations and exposure to fraud and financial crime. They must be continually improved.
Bonilla: Arguably, the key strategies could be divided into two different areas. Firstly, there has been considerable investment in technology, in securing the information that companies hold. Secondly, organisational improvements have been made, which have been required in order to catch up with new laws and actually prevent criminal offences being carried out within the financial institution. Regarding the latest, the creation of compliance departments and procedures has been absolutely necessary in the last two years in order to comply with market standards and amendments to the Spanish Criminal Code. FIs are very much aware of the problem and at least the largest are taking the proper steps and allocating enough resources.
Clement: Institutions in the US, and other countries, have had longstanding regulatory requirements to create formal programmes in certain areas, including anti-money laundering (AML), sanctions and fraud. More recently, compliance requirements around corruption, cyber security and tax evasion have entered the picture in a big way. In some states, like New York, those requirements go even deeper, including parameters around transaction monitoring and sanctions screening and frameworks to identify, respond and recover from cyber attacks. Some institutions have attempted to manage this expanding web of risk by getting out ahead of it, through enterprise-wide compliance programmes, smart adoption of new technologies and the incorporation of threat intelligence in order to stay on top of new threats.
FW: Do FIs need to pay more attention to due diligence procedures across all their business activities? Where should the responsibility lie for assessing risk levels, identifying red flags and monitoring relationships?
Zabala: It is vital that FIs pay more attention to due diligence procedures across all of their business activities. Some corporate FIs already include a certain level of cyber due diligence in their processes, prior to mergers and acquisitions. However, many still fail to take this into account. There are many reasons for this failure. Law firms and other due diligence implementers tend to focus on existing rather than future liabilities or regulatory challenges related to the lack of uniform global cyber legislation. The risks that FIs might have to face for insufficient cyber due diligence prior to an M&A deal, include the continuation of existing breaches, inadequate security programs and weak legacy systems, which can be costly to maintain and reduce the potential for innovation.
Clement: Customer due diligence (CDD) and transparency – and its flip side, financial secrecy and corporate anonymity – was one of the major themes in financial crime enforcement actions throughout 2016, particularly in light of major cases and scandals like the Panama Papers. The focus on this area is unlikely to lessen in 2017. Without the proper depth of due diligence to truly uncover how risky an individual may be, subsequent compliance steps are likely to fall flat. The customer’s risk profile and scoring may be incorrect, the transaction monitoring system will not be tuned to give that individual, entity or company the proper amount of ongoing scrutiny, periodic reviews may be scheduled too infrequently, and so on. The accuracy and depth of the data being utilised in CDD programmes and systems is another focal point, and reoccurring criticism of institutions in enforcement exams in recent years. The mantra is: good data in, good data out. Conversely, we are all familiar with the saying, ‘garbage in, garbage out’. Unreliable, inaccurate or outdated data in CDD programmes is a persistent and serious challenge. Responsibility and accountability for customer due diligence should fall squarely on the shoulders of the financial crime compliance officer and, in some cases, the chief compliance officer. That said, these roles should not be expected to go it alone.
Van Gelder: A comprehensive and unified due diligence programme is critical to minimising risk across FIs’ business activities. Although separate, specialised teams may be directly responsible for assessing risk for specific business units, collaboration is the key to an effective diligence programme. FIs should encourage open communication among senior risk officers in all lines of business in order to ensure that threats in one particular category are known to other groups. Additionally, it is critical that FIs periodically review and update their due diligence procedures to keep abreast of any emerging threats and advances in technology that could lead to new types of financial crime. Maintaining a strong due diligence programme is particularly important in light of regulators’ growing expectation that FIs take greater responsibility for thwarting financial crime, and reporting suspicious activity to the authorities.
Bonilla: In general, Spanish FIs are quite diligent and conservative in the way they carry out their business. For the corporate sector, compliance culture is quite a new phenomenon. However, Spanish FIs have a long tradition of compliance, though in the past it was more a sectoral issue – for example, money laundering rules on one side, consumer rules on the other – and now, all larger FI have organised themselves in a way which stipulates that a single department oversees supervision compliance obligations. Larger entities are implementing, or have implemented, procedures in order to assess the risks and provide adequate answers regarding any breach of the rules. Compliance officers alone are no longer an option. Modern compliance operations cannot be completed by organisations without large scale investment in technology. Many FIs are now investing in these areas.
FW: With the scale and sophistication of cyber attacks representing a particularly damaging scenario, what can FIs do to manage and mitigate this particular threat? What are the consequences of failing to address cyber vulnerabilities?
Bonilla: Undoubtedly, considerable investment in technology has to be made and most FIs have stepped up and invested. However, it is almost impossible to fully prevent a cyber attack from being successful. Therefore, we recommend FIs have a very detailed cyber response plan in place which stipulates the necessary steps which should be taken immediately after an FI realises that it has been the subject of a cyber attack. This protocol should include names and institutions to be contacted immediately after the attack by the persons in charge of protecting the FIs’ security. A lot of damage can be avoided by reacting immediately. Failing to address cyber vulnerabilities can prove fatal for the entity.
Zabala: The consequences of failing to address cyber risks can be devastating to a FI. These can include data breaches that can incur direct costs, such as detection, remediation and notification, as well as indirect costs, including loss of customers and reputational damage; financial losses due to business interruption; loss of competitive advantage from corporate information theft; and data protection related fines – the EU General Data Protection Regulation will significantly increase potential fines and PCI-DSS fines. Rather than focusing on deployment, FIs should invest in highly qualified people to implement their defences, and the processes by which they can guarantee technology integration and strategic coverage. They should also invest in cyber resilience. This cannot be built on sporadic, uncoordinated attempts but must be part of the operating model, ingrained in the C-suite objectives and cascaded to all employees. Finally, cyber risk is globalised; as such, the FI community needs to collaborate and to share information to help build industry-wide defences.
Clement: When responding to cyber threats, institutions sometimes overlook or under-emphasise two core considerations: the human factor and the value of robust response planning. Obviously the more technical aspect of cyber security is essential, but as security researchers estimate that roughly 90 percent of cyber attacks are partly or largely attributable to human failures, employee training and awareness is equally essential. This can include ongoing training on emerging threats, group exercises that simulate a cyber incident, such as a data breach or ransomware attack, as well as testing to determine if employees are vulnerable to common cyber-fraud schemes. For example, some institutions are sending out mock spear-phishing messages to their employees, and using the results to create teachable moments and guide further training. The consequences stemming from cyber threats vary greatly, but it is fair to say they have the potential to be catastrophically disruptive to a company’s operations and reputation.
Van Gelder: Increasingly, the question is not ‘if’ a FI will face a cyber security intrusion, but ‘when’. Given this growing threat, FIs should implement a coordinated, company-wide approach to preventing breaches and, if a breach occurs, limiting damage. Administering such a platform can prove difficult, as it requires alignment throughout the institution: business units that depend on user-friendly interfaces to attract customers, IT staff, information security professionals, legal, compliance and internal audit groups must all buy-in. However, failure to employ an integrated approach can lead to significant consequences. Setting aside the obvious costs associated with an intrusion, both reputational and otherwise, FIs face increasing regulatory scrutiny regarding information security measures. The Securities and Exchange Commission, the Consumer Financial Protection Bureau and the Financial Industry Regulatory Authority all have brought enforcement actions against FIs related to alleged cyber security failures, while regulators have increased their focus on information security during routine reviews.
FW: To what extent are FIs using technology resources to help them navigate the significant regulatory compliance burden they face, and meet demands for greater transparency and integrity in their financial dealings?
Clement: There is a tremendous interest in applying innovative technological solutions to regulatory compliance in the financial institution space, but actual adoption has been uneven to date. Many of the larger global institutions and service providers have taken steps to develop and implement current-edge technological resources, from advanced capabilities, to analysing Big Data, to machine learning tools in transaction monitoring. For smaller institutions, and even some regional affiliates or recent mergers of large institutions, the use of more advanced technologies is spotty. Many institutions are still relying on a patchwork of legacy systems, stitched together with manual processes for compliance functions like customer due diligence, suspicious activity reporting and even transaction monitoring.
Van Gelder: Increased regulatory demands for compliance and transparency, coupled with larger penalties than ever before, have put enormous pressure on the FI sector. In response, many FIs are beginning to utilise forensic data analytics to help identify and pre-empt criminal activity across all lines of business, from insider threats to potential third-party data breaches. The implementation of the latest data analytics techniques enables FIs to better predict financial crimes, rather than addressing them reactively. Sophisticated data analytics systems anticipate threats and continually derive intelligence by synthesising enormous volumes of current and historical data across all areas of the business. As criminals continue to discover new methods to exploit FIs’ vulnerabilities, data analytics likely will become instrumental in the war against fraud and financial crime.
Bonilla: In Spain, FIs are very aware of the importance of technology resources in order to be compliant with legal requirements. Actually, the Spanish public prosecutor’s office has issued a ruling regarding compliance requirements which states, for the first time, that the prosecutors would not consider a compliance programme as a trustworthy programme for the purposes of avoiding criminal liability if such a programme was not supported by the technological resources adequate to the size of the company and the programme itself. FIs are undoubtedly using the technology required and are being encouraged by the Spanish authorities for the purposes of complying with the applicable rules, and for the purposes of transparency.
Zabala: Globalisation has forced FIs to deal with regulatory requirements that can differ from country to country. To help them to comply with such diversity, they are increasingly looking at RegTech, the term coined to classify organisations which save costs and effort in compliance by utilising new technologies such as cloud computing, Big Data, data visualisation and the blockchain. Some of the biggest Spanish banks are using RegTech, though it is predicted that usage will expand to smaller FIs because of the benefits it offers to them and to regulators. RegTech also enables more accurate and granular information for regulatory bodies so it increases transparency and control over the entire financial system. However, RegTech companies are relatively new, and while it is unknown how they will evolve, the potential benefits to the financial system seem encouraging as people begin to look beyond established methods of working.
FW: How important is internal training to keep staff abreast of the latest developments in fraud and financial crime – and how to spot them?
Van Gelder: A comprehensive internal training programme is pivotal to ensuring that staff remain focused on the latest trends in fraud and financial crime. FIs should routinely train employees on regulatory developments, emerging risks and new technologies, sensitising them to all areas of vulnerability. Further, in light of recent regulatory scrutiny, management should review its sales incentive programmes to ensure goals are reasonably attainable, employees are properly trained, and robust monitoring is in place. Generally, FIs should aim to foster a proactive, rather than reactive, approach to combating fraud and financial crime. Senior management should lead by example, setting the tone from the top by enforcing tough accountability standards, promoting transparency, and exhibiting zero tolerance toward unethical or illegal activity.
Zabala: Internal training for staff is critical. FIs are beginning to learn that they must leave behind the ‘once a year online training’ method and must look instead to develop an all-encompassing culture of cyber security awareness. This can be achieved through regular security-related communications, small-scale table-top exercises and mock spear-phishing campaigns. FIs are sharing the outcomes of these exercises with all their employees in an effort to make them embrace cyber security culture and play an active role in protecting their jobs against cyber threats. These measures are also being extended to include education of business partners and vendors and, as far as possible, to customers. Finally, staff must be aware of each other’s behaviour. Employees can sometimes work on their own or with criminals to steal information or funds, so while trust is important, staff know not to be complacent.
Clement: Internal training is absolutely central to creating a robust financial crime compliance programme. The most advanced tech and well-crafted policies and procedures are fairly useless without well-informed, capable staff implementing them. In recent years, regulators in the US and other nations have repeatedly emphasised the importance not just of training, but cross-training employees outside of their immediate department or job role. This is partly in response to a financial crime risk landscape that is more diverse than ever before – institutions face threats not just from money launderers, but also tax evaders, corrupt officials, cyber-fraudsters and many others. This necessitates a need for employees with a diverse skill set and the awareness to spot and detect a wide range of risks and suspicious activity.
Bonilla: Training is a key issue which has been addressed by recent amendments to the Spanish Criminal Code. Compliance programmes have to be updated on a regular basis – depending on the business and the size of the company – and employees and management must receive training on a regular basis and whenever legal or regulatory changes happen as part of a credible compliance programme. It is impossible to avoid and to spot any possible fraud or financial crime but in order to avoid liability the FI should be in a position to show that the staff who should supervise the compliance programme or the staff close to the facts have been duly trained to spot or avoid the offence, and that the criminal offence was committed despite the best efforts of the FI to comply with the law.
FW: What advice can you offer to FIs on implementing effective processes to combat fraud and financial crime? How can they align risk management strategies with operational realities?
Zabala: In order to align cyber security strategies with business and operational realities, FIs should focus on lifecycle management, innovate in terms of technology and processes, create a cyber talent pool and rotate between departments to expand capability, keep cyber risk metrics simple and focus on those that are critical, include third parties in their risk assessments and response plans, be active in probing for vulnerabilities, increase resilience by updating disaster recovery and business continuity plans, and build partnerships with experienced cyber security experts. They should also explore cyber risk insurance which pays third-party indemnities and first-party costs. This usually includes pre-agreed cyber security experts such as lawyers, PR companies, cyber extortion professionals, infrastructure for data breach notification and identity theft monitoring.
Bonilla: The main advice we can give is to be as pragmatic as possible. It is important to use the technological tools already available in the market or to create specific ones better adapted to the needs of the FI. However, a compliance programme has to be reasonable and keep in mind that it is impossible to avoid all financial crime. Creating excessive burdens on the organisation which we suspect are not going to be met at the end of the day only creates problems for the FI if a criminal offence is committed and some of the prevention measures were not taken due to lack of resources. It is difficult to evaluate in the abstract the best way to align the business with risk management, but our advice would be to be duly updated on the situation in the market and adopt best practices in the field.
Clement: Institutions need financial crime risk management programmes that respond holistically to the full range of criminal threats, and are implemented consistently across the entire enterprise. This is far more easily said than done, and even the largest institutions struggle with effective enterprise-wide compliance – look no further than the plethora of multi-million or multi-billion penalties against major banks in the US, UK and elsewhere. One tactic institutions can start with is building closer ties and better information-sharing across departments responsible for financial crime detection and prevention. As an example, a key US regulatory body, the Financial Crimes Enforcement Network, recently issued guidance on tackling cyber crime that called for the AML, fraud and IT departments to collaborate closely, share intelligence, and cooperate to provide better reports to law enforcement in response to cyber attacks. The past approach to financial crime detection and prevention was heavily reliant on narrowly-focused departments that operated in their own largely separate silos.
Van Gelder: As an initial step, FIs should conduct a comprehensive risk assessment to identify all potential vulnerabilities based on their unique profile – size, channels, services, clients and geographic locations. Once vulnerabilities have been identified, FIs can harness the power of increasingly sophisticated data analytics to pre-emptively target and monitor any areas of concern. The implementation of this technology, coupled with a holistic approach to risk management, which involves collaboration among senior officers across all lines of business, will help to eliminate information silos and security gaps. At the same time, FIs should implement regular training to ensure that staff are sensitised to both traditional and emerging risks. Finally, FIs should consider participating in industry-wide initiatives and partnering with law enforcement to more effectively combat financial crimes perpetrated by both insiders and third parties.
Garry Clement relies on his 34 years of policing experience, having worked in roles as the national director for the RCMP’s ‘Proceeds of Crime Programme’, in addition to having worked as an investigator and undercover operator into some of the highest organised crime levels throughout Canada. As well as being a senior adviser to the Association of Certified Financial Crime Specialists, he is also the organisation’s executive president, with a mandate of helping shape its future. He can be contacted on +1 (905) 355 1066 or by email: gclement@clementadvisorygroup.ca.
José Bonilla represents individuals and companies in white-collar criminal proceedings, with a particular focus on financial and securities matters, including tax fraud and money laundering criminal matters. He also regularly advises on compliance matters for large corporations. Mr Bonilla has advised private funds in connection with the purchase of Spanish companies involved in criminal proceedings as well as individuals involved in corruption cases. He can be contacted on +34 91 5203939 or by email: jbonilla@jonesday.com.
Amy Van Gelder is a partner in Skadden’s Chicago office with experience representing a variety of clients in complex commercial litigation, including securities and consumer fraud class actions, bankruptcy litigation, shareholder derivative suits and disputes relating to mergers and acquisitions and commercial contracts. Ms Van Gelder’s experience includes counselling clients in federal and state court throughout the country and in all phases of litigation, including trial and appeal. She can be contacted on +1 (312) 407 0903 or by email: amy.vangelder@skadden.com.
Amparo Zabala has worked for Zurich for 17 years. Her first job in the company was in the Risk Engineering department, as she holds a degree in Chemistry. After six years she moved to underwriting, where she has worked in several departments. She has been the head of professional indemnity of Zurich Insurance plc, Spanish branch for almost four years. Zurich's cyber insurance proposition in the Spanish market is among her responsibilities in this role. She can be contacted on +34 (93) 366 7417 or by email: amparo.zabala@zurich.com.
© Financier Worldwide
THE PANELLISTS
Clement Advisory Group
Jones Day
Skadden, Arps, Slate, Meagher & Flom LLP
Zurich Global Corporate Spain
FORUM: Financial institutions – managing and mitigating fraud and financial crime
The Committee of Sponsoring Organizations returns to its fraud roots after 30 years
Great internal controls and then it happens – fraud
Fraud prevention and detection – focus on the technological trend
M&A and FCPA due diligence – the stakes are high
Developments in corporate criminal liability
Plea agreements in Brazil: concept, procedures and impact on corruption cases