However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a safe account. This multi-channel approach means that at every touchpoint, an organization must be aware that their customers could be at risk; they need to put systems and processes in place to mitigate cybercrime.
According to a report by McAfee, Europe's economy is among the worst affected in the world. The statistics suggest that 0.84% of Europe's GDP is affected. Looking at the UK specifically, it is estimated that the cost of cybercrime to the UK economy is £27bn – and it is growing.
One of the latest and most high-profile risks to have come to people's attention over the past 18 months is the customer data breach. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into place to ensure that organizations are acting responsibly when it comes to processing and storing customer data.
The financial impact of not following these guidelines, or of not having the correct systems in place, has been significant. Just months after the new regulation came into place, British Airways were one of the first companies to fall foul when 500,000 pieces of customer data were stolen, which resulted in them receiving a £183m fine.
Before any cybercrime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.
One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.
Following on from an attack, there may also be payments that need to be made. On top of losing money in an attack, a business may also need to pay out compensation, fines, and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as demonstrated by the British Airways case.
Refinitiv, one of the world’s largest providers of financial markets data and infrastructure, has published its second annual financial crime report today. The report, "Innovation and the fight against financial crime: How data and technology can turn the tide", highlights that almost three-quarters (72%) of organisations have been victims of financial crime over the past 12 months, with a lax approach to due diligence checks when onboarding new customers, suppliers and partners cited as creating an environment in which criminal activity can thrive. This wake-up call has led to 59% of companies adopting new technologies to plug compliance gaps.
In its 2018 report, Refinitiv outlined that $1.45 trillion of aggregate turnover is lost as a result of financial crime. This year’s report shows that the cost could indeed be much greater. Only 62% of the 3,000 compliance managers Refinitiv surveyed across 24 geographies claimed that financial crimes were reported internally, and just 60% said that they were reported to the relevant external organization.
Over the next year, companies are intending to spend on average 51% more to mitigate the crisis. The increased investment emphasises the priority placed on fighting financial crime in 2019 and reflects the amount of pressure respondents are under to be more innovative to both reduce risk and costs.
According to the report, an overwhelming majority of respondents (97%) believe that technology can significantly help with financial crime prevention with cloud-based data and technology the top choice, followed by AI and Machine Learning tools. Technology-driven solutions, such as Artificial Intelligence and Machine Learning, are already allowing businesses to implement processes and check up to millions of customer and third-party relationships, more quickly and efficiently.
Phil Cotter, Managing Director of the Risk business at Refinitiv, said the results showed that businesses need to do more to invest in technology to address the problem: “It is clear from the results of this report that businesses exposed to financial crime threats need to maximize their use of technology and future collaboration could prove key to realising the potential of innovation, particularly between tech companies, governments and financial institutions.
“Significant advancements in technology, facilitated by innovations such as AI, ML and cloud computing, are already under way. These technologies are enabling intelligence to be gathered from vast and often disparate data sets which together with rapid advances in data science, are transforming the approach to compliance, streamlining processes such as Know Your Customer (KYC) and helping to uncover previously hidden patterns and networks of potential financial crime activity.”
While the report focuses on the many emerging technologies coming on stream in the fight against financial crime, it also urges organisations not to overlook another vital form of innovation – collaboration. Just over eight in 10 (81%) respondents said that there is some sort of existing partnership or taskforce in their country to combat financial crime. 86% believe that the benefits of sharing information within such a partnership organization outweigh any possible risks.
In 2018, Refinitiv partnered with the World Economic Forum and Europol to form a global Coalition to Fight Financial Crime. The Coalition is working with law enforcement agencies, advocacy groups, and NGOs to address the societal costs and risks that financial crime poses to the integrity of the global financial system.
Much that has been written about the General Data Protection Regulation (GDPR) relates to the burden of obtaining proper consents in order to process data. This general theme has provoked questions about whether and how financial institutions can process data to fight financial crime if they need consent of the data subject. While there are certainly valid questions, GDPR is much more permissive to the extent data is used to prevent or monitor for financial crime. Richard Malish, General Counsel at Nice Actimize, explains.
Clients and counterparties will oftentimes be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn, so offering individuals the right to consent will give the impression that they can exercise data privacy rights which are not appropriate for highly-regulated activities.
Rather than relying on consent, the GDPR also permits (1) processing which is necessary for compliance with a legal obligation to which the controller is subject and (2) processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that "the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities…." The 4th EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require consent be received. And the UK Information Commissioner's Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency under PoCA as a legal obligation which constitutes a lawful basis.
Very few commentators have attempted to cite a legal authority for anti-fraud legal obligations. The Payment Services Directive 2 (PSD2) requires that EU member states permit personal data processing by payment systems and that payment service providers prevent, investigate and detect payment fraud. But PSD2 has its own requirement for consent and this protection may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, and therefore the bank has an obligation to investigate fraud in order to avoid facilitating money laundering.
"Legitimate interests" are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.
However, the GDPR makes clear that several purposes related to financial crime should be considered legitimate interests. For example, "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest" and profiling for the purposes of fraud prevention may also be allowed under certain circumstances. It is also worth recognizing that many financial market crimes such as insider trading, spoofing and layering are oftentimes prosecuted under anti-fraud statutes.
Compliance with foreign legal obligations, such as a whistle-blowing scheme required by the US Sarbanes-Oxley Act, is not considered a "legal obligation," but it should qualify as a legitimate interest.
While legal obligations and legitimate interests do not cover all potential use cases, they should cover most traditional financial crime processing. Some banks have been informing their clients that a legal obligation justifies their processing for AML and anti-fraud. Others have included legal obligations and/or legitimate interests as potential justifications for a laundry list of potential processing activities.
Financial institutions should use the remaining days before GDPR's effective date to provide the correct notifications to data subjects and confirm that their processing adequately falls under a defensible basis for processing. And with this basic housekeeping performed there is hopefully little disruption to their financial crime and compliance operations.
New research by BAE Systems has found that 74% of business customers think banks use machine learning and artificial intelligence to spot money laundering. In reality banks rely on human investigators to manually sift through alerts – a hard-to-believe fact selected only by 31% of respondents. This lack of automation and modern processes is having a major impact on efficiency and expense when it comes to the fight against money laundering.
Brian Ferro, Global Compliance Solutions Product Manager at BAE Systems Applied Intelligence, said: “Compliance investigators at banks can spend up to three days of their working week dealing with alerts – which most of the time are false positives. By occupying key personnel with these manual tasks, banks are limiting the investigators’ role, impacting on their ability to stop criminal activity.”
Money laundering is known to fund and enable slavery, drug trafficking, terrorism, corruption and organised crime. Three quarters (75%) of business customers surveyed see banks as central actors in the fight against money laundering. The penalty for failing to stop money laundering can be high for banks – and is not restricted to significant fines. When questioned, 26% of survey respondents said they would move their business’ banking away from a bank that had been found guilty and fined for serious and sustained money laundering that it had not identified.
Ferro continued: “For banks to be on the front foot against money laundering, their investigators need to be supported by machine intelligence. Simplifying, optimising and automating the sorting of these alerts to give human investigators more time is the single most valuable thing banks and the compliance industry can do in the fight against money launderers. Right now, small improvements in efficiency of the systems banks use to find laundering can yield huge results.
“At BAE Systems we use a combination of intelligence-led advanced analytics to track criminals through the world’s financial networks. By putting machine learning and artificial intelligence systems to work to narrow down the number of alerts, human investigators can concentrate on tasks more suited to their talents and insight.”
(Source: BAE Systems)