Q&A: Mitigating fraud and financial crime in the financial services sector
May 2023 | SPECIAL REPORT: FINANCIAL SERVICES
Financier Worldwide Magazine
May 2023 Issue
FW discusses mitigating fraud and financial crime in the financial services sector with Liviu Chirita, Penny Dunn and Mark Rigby at PwC.
FW: Could you provide an insight into how organisations have responded to the increased focus on fraud and financial crime in the financial services sector?
Rigby: Firstly, it is worth acknowledging that increased focus on fraud and financial crime issues is not just being driven by regulators – there is far greater public pressure on organisations to actively explore how they can improve customer protections and minimise societal impact from money laundering and the potential funding of terrorist organisations. A welcome evolution has been the general elevation of these issues within organisations. Aligning management of the risks with enterprise-level strategies, along with active discussion at C-suite and board levels, is enabling greater investment and organisational focus. More so than ever, organisations are also looking externally and exploring how emerging technologies and a burgeoning RegTech sector, along with enhanced data sharing and industry collaboration, can further shift their efforts from detection and response to prevention.
Chirita: We have seen a shift in the way organisations manage their operational commitments in fraud and financial crime compliance. It is our observation that, after a period of sustained spend on all aspects of financial crime risk management and the operations to undertake that task, organisations are looking for opportunities to optimise for cost and value. More than 50 percent of financial institutions invested heavily in financial crime compliance over the past decade. Fraud, financial crime and regulatory matters are top threats which could lead to major crises. Some organisations have learnt the hard way by facing regulatory examinations and scrutiny. By applying a ‘process excellence’ approach, organisations have been able to redesign and streamline operating models, make outsourcing and co-outsourcing decisions, understand costs more accurately to make strategic decisions, better define financial crime operations internally, and distinguish even further between volume ‘coverage’ tasks and a risk-based approach.
Dunn: Financial services organisations are actively taking steps to enhance their response to increased fraud and financial crime risk. Some of the key observed areas of focus include the following. First, an increased interest and investment in anti-fraud and financial crime prevention technologies, such as artificial intelligence (AI), machine learning (ML) and blockchain, to detect and prevent fraudulent activities. This has been enabled by growing regulator support of banks adopting new technologies to combat fraud and financial crime threats. Second, elevated focus on strengthening compliance and risk management programmes and governance through increased management reporting and regular technology-enabled risk assessments to identify areas of vulnerability and help them prioritise resources and investment to more efficiently address the most significant risks for their organisation. And third, a greater willingness to collaborate and share information with industry peers, regulators, law enforcement agencies, telecommunications providers and industry groups.
FW: In what ways are organisations tackling the rising cost of compliance in relation to anti-money laundering (AML) and counter-terrorism financing (CTF)?
Dunn: Increased digitalisation, modernisation of payments and the introduction of open banking, has significantly changed the scope, complexity and cost of managing financial crime risk and compliance. Technology, tools and data are being observed as key solutions adopted by organisations to address these emerging challenges. Accordingly, those that have adopted a multilayered approach to compliance through investment in technology, digital and physical intelligence and behavioural analytics have been able to adapt more quickly to change with less impact on the cost and efficiency of their compliance operations, while maintaining the experience of their customers. The challenge organisations face, however, is that financial crime processes are often highly nuanced. There is often an expectation that technology alone can drive automation and reduce operational cost. Though technology, data and tools can drive significant benefits in balancing risk and cost, they should not be considered alone. In order to realise sustainable efficiencies while maintaining compliance, organisations should make optimisation decisions within a broader strategic financial crime compliance framework and strategy that also considers the efficiency of existing policy and processes against current and emerging compliance requirements, possible synergies across non-financial risk processes and functions – including fraud, financial crime and cyber – and resource model optimisation.
Chirita: We know that spend on financial crime compliance has grown with the trend in global losses associated with those crimes, and associated fines for failings. That is what we refer to as cost of compliance. Most of this cost – 60 percent – is associated with operations, such as surveillance, monitoring and fraud prevention activities. These are increasingly connected, made up of many moving parts which perform at their peak when they are coordinated, synchronised, managed and measured. The creation of transformation and operational roles in financial crime, from customer onboarding through to ongoing monitoring, is one illustration. Though many organisations recognise the gain that could be made by removing waste and friction in processes, the setting of targets to understand where those gains can be made is a challenge. Our experience indicates that organisations are setting spend and productivity goals for major programmes of financial crime compliance and bringing the same goals into BaU.
FW: In this time of economic downturn, do you believe organisations are paying enough attention to insider threats including fraud, bribery and corruption?
Chirita: We see many institutions that are underinvesting in building resilience against fraud and insider threats. It is our observation that 80 percent of investments are still on building and enhancing anti-money laundering (AML) and sanctions controls, while the remainder is allocated to fighting fraud, corruption and insider threats. It does not mean that the latter risks are less important – rather that they are less regulated. Moreover, fraud and insider threats, while they carry reputational and even regulatory risks, have mostly a financial impact and are perceived as a cost of doing business. However, organisations are paying increased attention to creating more convergence between AML, sanctions, fraud, corruption and insider threats into holistic financial crime units. Similarly, we see enhanced cooperation between the three lines of defence and even a fourth line of defence – the regulators – which helps tackle these risks in a more holistic manner.
Dunn: Insider threats are undoubtedly one of the most underestimated risks to organisations. Economic downturn, coupled with greater digitalisation, the shift to hybrid and remote working practices and the growing volume and interconnectedness of information, is creating a more serious and sophisticated threat to organisations. Many organisations are struggling with understanding the significance of this threat and require greater unified visibility and control across their systems and resources. Given the increased threats facing organisations today, greater prioritisation should be given to preventing insider threats. This can be achieved by improving the understanding of current and emerging risks to the organisation, and adopting a programmatic approach which encompasses people, process, policy and technology and provides integrated intelligence sharing across key organisational functions, such as cyber, fraud, financial crime, HR and physical security, to drive a more holistic approach to insider threat management.
Rigby: Insider threat as a risk class is often not well understood, although component parts, such as internal fraud and the handling of sensitive information, are often documented in detail and proactively managed individually. Integrity-based risks that employees – and other parties that have ‘insider’ access, such as contractors – pose need to be managed at an enterprise level as it is often only through connecting disparate data and information sources that issues are identified. Clearer, centralised governance and more cross-team collaboration between highly skilled personnel – in areas such as cyber, fraud risk management and human resources – will help organisations identify potential issues quicker and strengthen preventative measures. Of specific insider threats, bribery and corruption is an under-discussed issue, as much of the regulatory infrastructure is geared around interactions with public officials. Limited overt enforcement action regarding private-to-private corruption has seen the issue fall behind others in terms of the level of investment and organisational focus afforded it.
FW: What steps are organisations taking to protect customers from the surge in scams? What more could they be doing?
Dunn: Organisations are taking a number of steps to protect their customers, including investing heavily in building customer and staff education and awareness about prevalent scams and how to protect themselves from becoming victims – this includes developing more innovative ways to communicate with customers in channel, driven by real time risk indicators and intelligence. We are also observing increased investment in technology to enable earlier detection and prevention of scams through use of advanced analytics, behavioural biometrics and greater collaboration between banks and telecommunications providers to develop innovative technology-enabled preventative countermeasures. While organisations have made positive progress to address the threat of scams, there remains an opportunity for many to further develop synergies across their financial crime, cyber and fraud transaction monitoring and intelligence functions, to enhance investigations and customer outcomes through improved data orchestration and more integrated investigations.
Chirita: Big tech firms – including social media platforms, search engines and telecommunications providers – play a critical role in connecting scammers with a wide array of targets. Banks argue that placing the responsibility for scam losses on banks’ shoulders is a short-sighted approach that fails to address the full scale of the problem. Moreover, scammers’ efforts are about to get easier thanks to generative AI tools like ChatGPT. In some jurisdictions, banks have proposed a ‘polluter pays’ model that would require big tech firms to take greater ownership of the scams issue. Organisations need to invest in technologies such as biometrics and detection engines enhanced with behavioural models to prevent scams or minimise the losses posed by emerging threats. We also see an increased role played by regulators in identifying, reporting and testing for emerging threats and imposing fines for failure to detect and prevent these threats, which accelerates the adoption of new controls by various organisations.
Rigby: We have seen different regulatory approaches to scams in different jurisdictions, but the financial losses and personal trauma sustained by customers run across national borders, and the velocity of attacks and sophistication of perpetrators continues to increase. The ability to manage scams may become a growing source of differentiation for customers, influencing their choice of who to bank with. Organisations are understandably working across a number of fronts to better protect customers – improving awareness of the risk and making it easier to identify potential scams, strengthening transaction monitoring to identify anomalous behaviour that may be indicative of potential scams and strengthening technological safeguards for payments being salient examples. This is, however, an issue that needs to be fought on a unified front across financial services, telecommunications, government and other industries. More can be done to work within privacy legislation and better understand how organisations can collaborate on the issue to give customers greater comfort when they are targeted or fall victim.
FW: What advice would offer to boards and senior executives seeking to better understand fraud and financial crime risks, and how their organisations can effectively manage those risks?
Chirita: Firstly, it is of paramount importance for business leaders to understand the fraud and financial crime risks and typologies that are particular to their business structures and models. We see an increase in senior executives getting certified in anti-financial crime. That is in line with what regulators are requiring: having board members responsible for the fight against financial crime and applying individual fines for failing to do so. Of equal importance is for senior executives not to look at their compliance and financial crime units as cost centres, but as enablers to providing enhanced and secure customer services and products.
Dunn: It is critical for senior executives and boards to have a clear understanding of their organisation’s risk and vulnerabilities, relevant regulations and methods in place to detect and prevent key risks and threats to the organisation. This should be enabled through regular management and board reporting that illustrates the effectiveness of controls in managing current and emerging risks to the organisation, and responsive actions being taken to strengthen the control environment. Awareness and understanding can be further enabled through regular engagement and interaction with external experts to provide additional insight and guidance on better practice approaches and emerging threats to support decision making and investment prioritisation. Further, securing specialist financial crime and fraud talent in key management roles, along with assigning executive responsibility for fraud and financial crime risk and investing in training across the organisation, are critical to ensuring that the organisation has the right skills and resources in place to manage its key risks.
Rigby: Regulators expect senior executives, and more than ever board members, to understand the key fraud and financial crime risks that are relevant to their organisations. Important initiatives to help them be actively involved in managing these issues include the following. First, commissioning and refreshing enterprise wide risk assessments that include a mixture of qualitative and quantitative inputs to clearly show differentiated areas of exposure across their organisations. Boards should see results from these assessments in full. Second, requesting regular, impactful reporting that is risk driven to make plain how key risks are being managed and where more work needs to be done and greater investment made. Reporting should also look to the future and help articulate how risks are evolving. Finally, making it as easy as possible for internal teams to escalate significant risks quickly – a looming issue should not be delayed or stifled travelling through layers of governance.
FW: How is technology impacting the fight against fraud and financial crime? In what areas does it still have a bigger role to play?
Rigby: Innovation in RegTech is undoubtedly accelerating, and some of the world’s largest technology companies are also exploring how their sophistication in software development, computing power and ML capabilities can be brought to bear against fraud and financial crime. Almost universally, organisations understand the need, and opportunity, to automate – to minimise manual process intervention and harness capabilities including AI. But complexity in data storage arrangements, legacy technology platforms and highly varied customer interactions can make it hard to deliver change and realise benefits quickly. For example, customer information can exist in one part of an organisation but not be accessible to others because of the way it is captured and stored. Standardising data collection, as much as practically possible, can be a labour-intensive prerequisite to harnessing more sophisticated analytics to better identify fraud and manage money laundering and terrorist financing risk. Also, while many organisations want to evolve their approach to a number of areas, such as including more behavioural-driven analysis of customer transactions, they are naturally conservative regarding potential near-term impacts to regulatory compliance that can stem from operational change. The next three to five years will be critical to demonstrating the value from increased investment and showing how transformation programmes have enabled sustainable risk management outcomes. Smarter use of technology will be a key component of organisations being able to do so.
Chirita: While technology has a crucial role to play here, it is only an enabler of transformation. There are a number of important steps that all financial institutions should take to review and renew their processes before they implement new technology. It is our observation that, of the total cost of compliance, 60 percent can be attributed to operations, such as alert clearing and customer onboarding, while 40 percent relates to technology. Despite its huge costs, monitoring produces – on average – between 90 to 99 percent false-positive alerts. And there remains a risk of failing to detect suspicious activity. Process excellence is, or should be, a precursor to digitalisation and the use of tools for automation and straight-through processing. Yet organisations often turn to technology before they have prioritised, rationalised and improved processes. Instead, they should deploy data analytics tools to understand more about the time, friction, hand-offs and other aspects of compliance controls.
FW: How important is it for large organisations to collaborate and share intelligence to combat fraud and financial crime?
Dunn: As fraudsters and criminals now become more sophisticated and use more complex methods to perpetrate their crimes, it is increasingly difficult for organisations to detect and prevent crimes. To enhance their fraud prevention measures we are seeing financial institutions become more collaborative and willing to share better practice and intelligence with law enforcement, industry bodies and industry peers. The result is the ability to more effectively identify patterns of criminal behaviour or networks much earlier, which in turn can strengthen an organisation’s response to current and emerging threats more efficiently. Realising the benefits of collaboration and intelligence exchange, we are observing increased focus and investment across the globe in partnership intelligence sharing approaches along with a shared recognition that more can be done to tackle financial crime and fraud through public-private data sharing.
Chirita: Intelligence sharing among private institutions may be difficult to achieve in light of data protection rules, commercial secrecy and other information protection standards. Consequently, it is imperative that regulators and industry wide forums, such as financial services associations, exchange intelligence to enable access to emerging risk typologies which should help organisations to enhance their controls. One of our recent studies shows that more countries in Europe are in the process of adopting solutions for information sharing, including money mules. Regulators are also upgrading their own capabilities by adopting technology platforms for risk-based supervision, adopting more tools for evidence-based examinations, and conducting industry wide thematic reviews to identify fraud and financial crime. Large organisations should continue connecting with their regulators to strengthen risk intelligence sharing approaches and enhance victim protection mechanisms through improved legislative controls.
Rigby: Fraudsters and money launderers are determined, increasingly sophisticated and, when it comes to attacking financial services organisations, often coordinated. They look for weaknesses across organisations and plot how best to exploit them. The more organisations can work together to share information, data and knowledge as a collective, the more they will be able to strengthen their systems, processes and controls as individual organisations. It will also quicken the pace at which they become aware of evolving modus operandi and enable them to take decisive action to negate it. Industry bodies and regulators have a role to play in supporting greater engagement, facilitating necessary agreements and in helping organisations work within important privacy regimes. The infrastructure to support successful intelligence sharing requires sustained focus and leadership.
Liviu Chirita is a partner at PwC CEE, experienced in cross-border transformation projects in Europe, the Middle East and North America. His focus includes leading PwC’s Global Financial Crime Technology practice, focusing on technology and analytics to combat financial crime. He has served as leader of various financial crime non-governmental organisations and as law enforcement liaison officer in several financial institutions. He can be contacted on +42 077 497 7596 or by email: liviu.chirita@pwc.com.
Penny Dunn is a Melbourne-based partner in PwC’s Australia’s corporate consulting practice with specialisation and industry experience in financial crime and fraud advisory, regulatory response and remediation. She can be contacted on +61 4 0736 7561 or by email: penny.dunn@pwc.com.
Mark Rigby is a Sydney-based partner in PwC’s corporate consulting practice. He has 15-plus years of experience specialising in anti-fraud, anti-bribery and corruption, and anti-money laundering and counter-terrorism financing. He is a member of PwC’s Global Forensics Leadership Council and global financial crime technology group. He can be contacted on +61 4 0382 3157 or by email: mark.rigby@pwc.com.
© Financier Worldwide
THE PANELLISTS
PwC Czech Republic
PricewaterhouseCoopers Consulting (Australia)
PricewaterhouseCoopers Consulting (Australia)
Q&A: Mitigating fraud and financial crime in the financial services sector
New DOJ policy adds choice and complexity to the decision to self-report
Current climate, key drivers and issues in FCA enforcement
Embedded finance providers: friend or foe?
How do you regulate an asset like crypto?
UK and EU sanctions on Russia: the end of the beginning
Mergers & acquisitions in the financial sector: a financial crime focus
How can an alternative asset manager ‘acquire’ permanent capital via a BDC or closed-end RIC?
Finance for positive sustainable change
Q&A: Tackling ESG and climate risk: advice for financial services