
Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, offers Finance Monthly his thoughts on how banks can keep pace with payments innovation to better protect consumers.

Contactless and digital payments have without doubt grown in popularity during the last year, accelerated by the COVID-19 pandemic and consumers trying to avoid using cash to reduce the spread of the virus. As a consequence, the contactless limit in the UK has recently been increased to £100. While a welcome move for both consumers and the payments ecosystem, this increase comes with the inherent risk of more fraud.

It means a consumer with four debit cards on them now carries a minimum of £400 worth of payments without a PIN, rather than the current £180. This figure is actually likely to be higher, given issuers typically allow five consecutive transactions to be made before a PIN is requested. In this example, that could be up to £2,000 worth of payments. This means your leather wallet is now worth a lot more to a thief than before the limit rise.

As we face one of the worst economic challenges since the 2008 financial crash, banks need to make sure their fraud protection measures are up to scratch. And there needs to be greater consumer education about the risk of making a payment which many now view as a simple ‘tap and don’t think’ action.

Contactless paves road for payments innovation 

Today’s consumers want access to fast and seamless payment experiences. In my view, contactless payments and the increase in limits will pave the way for greater payments innovation in the years to come.

For the broader payment landscape, it’s real-time payments that are leading the way for increased innovation and the growing adoption of different payment technologies - such as QR codes for payments and digital wallets.

However, new payments methods and processes always present new opportunities for crime. The recent increase in real-time payment transactions in the UK has sparked an increase in fraudulent activity. UK Finance recently reported that in the first half of 2020, £207.8 million was lost to Authorised Push Payment fraud, with financial institutions only able to return £73.1 million of losses to victims.

The pandemic has further accelerated our move towards a more digital world. While the number of physical bank branches had been declining for some time, recent announcements highlight a rapid acceleration in the closure of bank branches since lockdown. During this process, criminals have adapted their methods of committing fraud, taking advantage of the rising use of contactless and real-time payments. With the adoption rate showing no signs of slowing down, banks need to adapt to the changing landscape and equip themselves with the right measures to protect customers from fraud.

Real-time fraud management solutions will increase fraud detection

Effective fraud prevention requires solutions that can detect all possible types of fraud, across all channels. Real-time payments for example track every step of the transaction processing lifecycle instantly. The good news for banks is this means fraud detection can be instant too.

Through real-time fraud management solutions, banks can increase fraud detection accuracy with advanced machine learning (ML) models to make better informed and faster decisions. It also ensures banks can be confident in remaining compliant with all fraud regulations - such as PSD2 and Anti Money Laundering directives - while delivering the ultimate customer experience.

Combining real-time payments data with ML, network intelligence and community fraud signals, fraud teams can detect fraud to improve overall fraud prevention rates at a much faster pace. Real-time fraud prevention solutions can perform millions of fraud checks within seconds and continuously learn from the data to become more accurate and effective over time.

Avoiding the financial crime of tomorrow

Fraud trends are moving fast and ultimately fraudsters will always find new ways to make money illegally. While banks have put in place numerous fraud prevention measures since the start of the pandemic, spending habits will continue to change, and they must be prepared to protect customers - and themselves - from the financial crime of tomorrow.

By taking advantage of the benefits of real-time payments technology, banks can put themselves in the best position to detect fraudulent activity and protect consumers and ultimately their reputation.

Finance Monthly hears from Nic Sarginson, Principal Solutions Engineer at Yubico, on emerging trends in data security that may soon be coming to financial services.

This past year has prompted a rise in take-up of digital banking services. As people stayed at home they went online to work, shop, stay in touch and manage their money. While this shift to online banking presents an opportunity to service providers with a digital-first approach, it also presents a target for cybercriminals intent on profiting from data breaches and account takeovers. Banks and their customers are adapting to a new, remote, relationship; as they do, the strength of online security protection will become a greater talking point and, for some institutions, even a source of competitive advantage.

According to some reports, as many as six million people in the UK made the switch to digital banking in March/April last year. Customers setting up their accounts will have created a password/PIN to use with a user ID to gain access. This form of authentication will be familiar from other log-in services; what may be less so is the additional strong customer authentication (SCA) check, such as a one-time passcode generated by a card reader or sent as a text to a registered mobile phone.

Password weaknesses

This second line of defence is incredibly important for financial services, as passwords are notoriously weak at preventing bank account takeovers. Reused passwords render multiple accounts vulnerable should a data breach put this information into the hands of cybercriminals. Passwords can also be guessed with a range of common word and number combinations in use, and bank details are some of the most coveted data breach spoils.

Additional ID checks therefore boost security, but not all forms of stronger authentication are completely resistant to security threats. Mobile-based one-time codes that are so popular with banks, for example, can be vulnerable to SIM-swap and modern man-in-the-middle (MitM) and phishing attacks.

During a MitM attack the innocent party believes they are communicating with a legitimate organisation, such as their bank, but in reality information is being intercepted and relayed by a malicious third party. It isn’t easy to recognise this type of attack, even for the cyber savvy, as attackers create personalised and convincing communications to trick their targets. Routes in can include unprotected Wi-Fi and manipulated URLs.

In the more widely known phishing attack, people are tricked into parting with personal information such as login details. Phished credentials are then used to gain access to the user’s account and may be tried against other services as part of a multiple account takeover.

Managing the customer experience

For financial services, the strongest possible authentication to protect data and accounts does not always marry with the best customer experience. Each additional check can add time and frustration to the log-in experience, preventing customers from accessing their accounts whenever they want to – if, for example, they are in a mobile-restricted location.

Strong authentication therefore must meet the dual requirement of protecting account details and financial and personal information, while also providing a convenient, preferably frictionless, user experience. Added to that is another consideration - how simple it is to integrate additional authentication into back-end systems for both the existing product portfolio and future innovations. With the rate at which financial services are digitising, and payments moving cashless, this is a challenge most banks will find concerning. The finance industry is also faced with the critical need to ensure compliance with various industry regulations including GDPR, PCI DSS and PSD2 mandates that govern access to sensitive data.

Protecting corporate infrastructure

Financial institutions must also protect access to their own systems and applications. Here, the challenge is exacerbated by the fact that most banking infrastructures are a mix of legacy on-premise systems, and private or public cloud-hosted services. They must all be protected against unauthorised access, a challenge that has been heightened by the rapid transition to large-scale homeworking of the past year.

Finance teams and employees working from unfamiliar locations expand the potential attack surface with home networks and personal devices suddenly a part of a bank’s corporate IT estate. Seamless, convenient and high-assurance multi-factor authentication (MFA) must be in place to protect data and corporate assets so that employees can securely access systems remotely without introducing new risks and vulnerabilities.

Financial services are starting to embrace hardware-based tools such as security keys as a route to strong authentication, which protects business and customer data without inconveniencing increasingly impatient financial customers. When it comes to their financial data, users appreciate authentication devices being something they have, as opposed to something they know, to protect against phishing attacks. For customers, they provide protection for accounts, while in the corporate setting they can secure access to systems and applications. Whether tasked with upgrading a bank’s legacy infrastructure, or a new generation of fintech developers operating solely in the cloud, such an approach can offer seamless integration with operating systems, and conformance with global authentication standards.
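The contrast drawn above between mobile one-time codes and hardware security keys, as an added illustration that is not from the article or from Yubico: a relayed one-time code still verifies because nothing ties it to the site where it was typed, while a key's response covers the origin the browser reports. Assumptions: the shared HMAC secret stands in for the key pair a real FIDO2/WebAuthn key uses, and the `bank.example` origins are constructed.

```python
"""Constructed simulation: relayed one-time code vs. origin-bound security key."""
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"             # constructed name
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed relay site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _tag(secret: bytes, challenge: bytes, origin: str) -> bytes:
    # Stand-in for the key's signature: the MAC covers challenge AND origin.
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).digest()


class SecurityKey:
    """Simplified authenticator: one secret per origin it was enrolled at."""

    def __init__(self):
        self._credentials = {}

    def register(self, origin: str) -> bytes:
        self._credentials[origin] = secrets.token_bytes(32)
        return self._credentials[origin]

    def sign(self, origin: str, challenge: bytes):
        # `origin` is supplied by the browser, not by the page content.
        secret = self._credentials.get(origin)
        if secret is None:
            return None  # no credential for this site, so nothing to relay
        return origin, _tag(secret, challenge, origin)


class Bank:
    def __init__(self):
        self.otp_secret = secrets.token_bytes(20)
        self.key_secret = b""
        self._challenge = None

    def check_otp(self, code: str, now: int) -> bool:
        # Valid for anyone who presents it inside the time step.
        return hmac.compare_digest(code, totp(self.otp_secret, now))

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(32)
        return self._challenge

    def check_assertion(self, assertion) -> bool:
        challenge, self._challenge = self._challenge, None  # single use
        if assertion is None or challenge is None:
            return False
        origin, tag = assertion
        expected = _tag(self.key_secret, challenge, BANK_ORIGIN)
        return origin == BANK_ORIGIN and hmac.compare_digest(tag, expected)


def run_scenarios(now: int = 1_700_000_010) -> dict:
    bank, key = Bank(), SecurityKey()
    bank.key_secret = key.register(BANK_ORIGIN)
    out = {}

    code = totp(bank.otp_secret, now)  # shown on the customer's device
    out["otp_direct"] = bank.check_otp(code, now)
    # Same code typed into the look-alike site and forwarded 5 s later.
    out["otp_relayed"] = bank.check_otp(code, now + 5)

    out["key_direct"] = bank.check_assertion(key.sign(BANK_ORIGIN, bank.new_challenge()))
    # Bank's challenge shown via the look-alike site: browser reports that origin.
    out["key_relayed"] = bank.check_assertion(key.sign(LOOKALIKE_ORIGIN, bank.new_challenge()))

    # Even a key enrolled at the look-alike site yields a response the bank
    # rejects, including when the origin label is rewritten in transit.
    key.register(LOOKALIKE_ORIGIN)
    _, tag = key.sign(LOOKALIKE_ORIGIN, bank.new_challenge())
    out["key_relabelled"] = bank.check_assertion((BANK_ORIGIN, tag))
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:15} accepted={accepted}")
```
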

If the finance industry is to effectively protect customers and customer data while providing the user experience that today’s consumers expect, they must look beyond basic protection methods to provide strong yet frictionless authentication. It’s shocking that social media accounts are often more secure than bank accounts as of today. Since consumers are increasingly exposed to better protection elsewhere, they'll soon be demanding the same security assurances for their bank account.

Philippe Alcoy, Security Technologies for NETSCOUT, describes the cybersecurity threat facing the financial services sector, the damage it has done and how it can best be safeguarded against.

In 2020, for the first time in history, the annual number of Distributed Denial-of-Service (DDoS) attacks exceeded 10 million. These attacks took place at greater frequency, speed, and strength, enabling attackers to knock out their targets faster than ever before. Now, NETSCOUT is seeing threat actors re-targeting companies who were previously able to prevent being attacked, focusing particularly on the finance industry.

Before looking at DDoS attacks in relation to the financial sector, it is important to understand what a DDoS attack is. DDoS attacks can be described as malicious attempts to make online services unavailable, which is achieved by overwhelming the service with traffic from multiple systems. The industries targeted by these attacks are wide-ranging, from telecommunications and eCommerce to finance and healthcare.

In 2020, the financial sector emerged as a prime target for cybercriminals. NETSCOUT observed that there were more DDoS attacks against the finance industry in the month of June than there were from January to May 2020. In fact, from June to August 2020, there were more attacks against the industry in this period than were seen in total between April 2016 and May 2020. There was also an increase in the speed of attacks that were taking place against the financial sector, with the total throughput of attacks increasing by roughly 4.5 times worldwide.

DDoS extortion campaign

This campaign of DDoS attacks targeting the finance industry was taking place worldwide, with banks, exchanges and other financial services organisations all being hit. But there was something unusual about these DDoS attacks: they were part of an extortion campaign. This involves extortionists demanding a payment via Bitcoin within a specified amount of time prior to or following a demonstration DDoS attack. In most scenarios, when the demands of the attackers aren’t met, the ensuing attack that was threatened does not end up taking place.

More recently however, NETSCOUT has discovered that the same attackers are returning to previous targets. The organisations that were successfully able to mitigate the first DDoS extortion attack are now being retargeted in follow-on attacks, months after the original attacks took place.

The impact of the campaign

The financial sector is a prime focus for this DDoS extortion series and the more recent retargeting campaign because they are perceived to have access to large amounts of money, as well as vast swathes of private data, making them an obvious target for those behind the campaign.

It should be noted that the attackers claim to be part of well-known attack groups, such as ‘Lazarus Group’, ‘Fancy Bear’, and ‘Armada Collective’ to try and boost their credibility and scare their targets into paying up. As such, NETSCOUT has given the attackers the nickname ‘Lazarus Bear Armada’ (LBA).

Unlike other threat actors, these LBA attackers have carried out extensive research into identifying the appropriate email inboxes that are regularly checked and used, to make sure their threats are read by the right people. The increased accuracy of the extortion emails has the potential to cause serious damage to those in the financial sector. It has the capability to disrupt a large number of services used by finance organisations, from online banking platforms and website access to internal systems that help the organisations to operate and fulfil the needs of customers.

A DDoS extortion campaign can lead to institutions losing a large amount of money, even without a ransom being paid, because the initial demonstration DDoS attack results in downtime for part of the company.

An indirect consequence of a DDoS extortion attack is the reputational damage that it can cause. For example, when financial organisations are hit by a DDoS attack, customers may be unable to access their money and financial information, and may feel put off or let down by the organisation not having the appropriate DDoS countermeasures in place.

In order to mitigate the risk posed by DDoS extortion campaigns, financial services organisations must have a solid plan of action in place. It is vital that when organisations are attacked, they know who to contact and notify. This should include key stakeholders, security providers and local regulators. Financial institutions should also learn from previous DDoS extortion campaigns that targeted the industry. For example, there are clear similarities between the DD4BC series of attacks that took place from 2014-2016, and the current extortion campaign, with both targeting the financial sector.

While a DDoS extortion attack can be devastating for those organisations in the financial services sector, providing they have the right protection and plan of action in place, the damage caused by the attack can be kept to a minimum.

What Is a Tradeline?

Tradelines or AU tradelines are credit accounts that appear on your credit report. Credit agencies use the information within those tradelines, such as their payment history, balance, activity, and creditor’s name, to form your credit score.

Your credit score is a figure that measures how credit-worthy you are. If you have made payments on time, have been responsible with credit, and kept your balances low, then you may have a high credit score. Banks and lenders may then be more likely to look favorably at you for lending. However, if you have too many tradelines open or haven’t made the best decisions regarding your credit, your credit score may be low.

To combat a low credit score or build a positive payment history, you may decide to purchase tradelines. These can improve a low credit score and allow you to build up a payment history. As common as this practice is, it’s easy to make some of the following mistakes.

Mistake #1: Not Knowing How Tradelines Work

You may have heard that tradelines can improve your credit score. If you don’t know a lot more than that, it can be easy to purchase too many tradelines, the wrong ones, or be led into making tradeline purchases that aren’t in your best interests.

Mistake #2: Expecting Instant Results

When you add an authorised user tradeline to your account, you may think your credit score will immediately increase. You may then put plans in place to secure a mortgage or take out a loan. Tradelines are not instant. Instead, when you purchase an authorised tradeline, it can take up to 30 days to see an improvement, as long as you’ve selected one that can improve your credit score.

Mistake #3: Thinking Tradelines Repair Your Credit

Many people don’t understand their credit score. Sometimes, it’s only when you go to take out a loan that you come to realise it’s not as high as you expected it to be. If your credit score is surprisingly low, a tradeline is not a way to repair it. Instead, it’s a way to add information to your credit report to potentially increase your score. If you have a low credit score and you’re unsure why, you have the right to question it. You may be able to correct anything that appears to be wrong and subsequently lift your score.

Mistake #4: Adding Tradelines With Credit Freezes or Fraud Alerts On Your Account

If a credit bureau has put a fraud alert or credit freeze on your account, any tradelines you purchase will not be posted to your credit report. Before you go down the tradelines route, contact the associated credit bureau to have those alerts removed.

Mistake #5: Choosing the Wrong Tradelines

Each tradeline is going to have a different effect on each person’s credit report. Its power will depend on what your credit report already outlines. The goal is to choose a tradeline that has better features than what you already have. For example, if your accounts’ average age is eight years, a five-year-old tradeline is not going to benefit you as much as one that has an average age of 10 years.

When the time comes to request a loan or a mortgage, it helps to understand as much about your credit report as possible. You can then learn about ways to improve it, repair it, and use it to your advantage.

Finance Monthly hears from Lynne Darcey-Quigley, founder and CEO of Know-It, on the problem of fraud plaguing UK firms and how they can protect themselves from it.

Throughout the 1960s, Frank Abagnale famously faked eight different identities, including a pilot, lawyer and a physician, to gain free flights and defraud banks. There was subsequently a film titled ‘Catch me if you can’, starring Leonardo DiCaprio, made about his life and how he conned people. Arguably his most ingenious (or in fact worrying) tactic was his ability to write personal cheques on his own overdrawn account. This, however, would work for only a limited time before the bank demanded payment, so he moved on to opening other accounts at different banks, eventually creating new identities to sustain this charade and continue to defraud financial institutions.

Although time has passed and technologies and systems have been put in place to weed out the Frank Abagnales, the issue of fraud and financial crime continues to linger. This has been made plainly obvious throughout the COVID-19 pandemic, where the Coronavirus Bounce Back Loan (BBLS) scheme has been plagued by fraudulent applications.

As a result, the National Audit Office (NAO) has estimated that taxpayers could lose as much as £26 billion from fraud, organised crime or default, as up to 60% of the loans may never be repaid.

An all too familiar story

For businesses across the UK, this may not be a surprise. Even before the pandemic, a study from PwC found that half of all UK companies had been the victim of fraud or economic crime between 2016 and 2018. The research found that for more than half of the organisations affected, criminal activity resulted in losses of around £72,000.

Fraud and financial crime, therefore, has clearly not been born as a result of the ongoing COVID-19 pandemic, nor will it diminish once the virus has passed. The case of COVID-19 loan fraud should, therefore, provide businesses, government and other stakeholders with a wake-up call and a chance to reflect on how they can reduce the risks of falling victim to financial fraud. But what lessons can these stakeholders learn and what needs to change?

Always do your homework

We understand that the issuing of COVID-19 loan schemes was a unique situation. Lenders have been under huge amounts of pressure to approve loans quickly and help support struggling businesses. Unfortunately, this simply doesn’t give them the time they need to conduct the checks that are needed to protect themselves from fraud and financial crime. Yet this echoes similar findings from PwC’s research from a few years ago: UK organisations are generally not doing enough to prevent fraud, with only half carrying out a fraud risk assessment in the last two years.

Regardless of whether your organisation is an SME, a large enterprise or a national government, basic and thorough credit checks must be in place as part of the process of protecting your business. Through establishing the validity of a customer your business is looking to establish a working relationship with, you are immediately reducing the risk of exposing yourself to fraud or financial crime. But why stop there? Compiling credit reports and verifying a business’ status on Companies House before committing to a commercial arrangement are also effective measures that can help protect your business.

These checks go a long way for business owners, particularly SMEs, as late payments and, of course, fraud can cause disruptions to business cash flow. Cash flow issues can prove fatal for smaller business owners, which is why credit checking, building credit reports and validating other businesses and their financial status is key to survival.

Ensuring a smooth recovery

When it comes to government support loans, businesses do not have to begin paying back the money from May 2021 onwards. However, this large time period isn’t a luxury when it comes to collecting payment from customers. Consequently, implementing a responsive and robust debt recovery process is essential to minimising the risk of non-payment and late payment issues, helping businesses protect their cash flow and minimise risk.

Agreeing and making a record of credit terms in advance ensures that no business transactions can be disputed, which could later lead to businesses losing out on payment from customers. Under the BBLS, the government provided lenders with a 100% guarantee for the loan. For SMEs in particular, this approach simply cannot be taken, especially if debt recovery steps, such as ensuring credit terms between businesses, are not agreed and recorded beforehand.

Chasing owed payments is far easier after the checks to validate a business have been made. Businesses can take measures which include credit holding, which involves pausing services to a client until they have paid. Issuing final notices is also essential to the debt recovery process; the final correspondence before taking up legal proceedings usually resolves any delayed payment issues. The problem facing the government is that fraudsters applying for support loans will do so illegitimately, therefore remaining anonymous and slipping through the debt recovery net. This reiterates the importance of verifying and checking recipients during the early stages of a business agreement, as this eases the rest of the debt recovery process.

A final word on SMEs

However, it is not just the initial checks before the first commercial transaction that must be invested in. To truly protect themselves, infrastructure must be put in place to continually monitor and chase customers. In larger businesses it is common to have a designated department or employee who will handle this process – usually this person will be known as a ‘credit controller’. Yet, we understand that many – particularly smaller businesses – do not have the resources readily available to continuously check the credit status of their customers and conduct due diligence.

Fortunately, this is where advancements in technology play a critical role. For example, using technology to automate the credit control process can help businesses streamline it so they can credit check, monitor and conduct due diligence, all from one place. By automating this process, firms can collate the information and identify areas of concern without expending huge amounts of time and precious resources, ultimately helping them to limit risk and reduce fraud.

Finance Monthly hears from Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, on the threat faced by banks and countermeasures they can employ against it.

Fraudsters are natural opportunists and extremely innovative with their methods. Whether through authorised push payment (APP) fraud scams, phishing attacks or even targeting vulnerable people during the COVID-19 crisis, they will always find new ways to make money with no remorse.

This makes the task of protecting consumers and companies from fraudsters’ relentless activities an increasingly challenging one for banks, especially during a time of global crisis and uncertainty, along with growing payment channels through Open Banking.

However, by thinking seriously about how they (banks) can embrace strategic anti-fraud technologies and ensuring that their Open Banking platforms are secure by engaging with QTSPs (Qualified Trust Service Providers), banks can protect their customers against fraudsters both today and tomorrow.

Fraud is constantly evolving and growing

A decade ago, deploying malware was the easiest and most common method of getting into someone’s account. But as banks have strengthened their technical defences, fraudsters have increasingly turned to social engineering. Whether via email or telephone, many criminal gangs now impersonate a victim’s bank or other authorities like the police, persuading the victim to hand over account authentication codes or even make fraudulent transactions themselves.

Taking this one step further, some fraudsters are even combining remote access trojans with social engineering, persuading victims to install malicious software on their device so they can carry out their fraudulent activity without needing to engage with the victim in the future. With such scams constantly evolving, it is increasingly difficult for banks to combat fraud.

As such, instant payments fraud is growing at an alarming speed. And while it should be acknowledged instant payments have revolutionised banking – in an era of pandemics, it’s no exaggeration to say we are dealing with a payments pandemic.

Recent figures from UK Finance add stark colour to this picture. Card fraud (both debit and credit) accounted for £288 million in the first half of 2020 – an 8% decrease compared to the same period in 2019. However, cases of remote banking fraud and APP fraud both increased – by 59% and 15% respectively. When combined, this amounts to £287.5 million lost to remote banking and APP fraud in the first half of 2020 – almost on par with card fraud. Though there are industry initiatives such as ‘Confirmation of Payee’, in the very near future, it is expected that remote banking and APP fraud will overtake card fraud across Europe and UK. And this is worrying.

Engage with QTSPs to mitigate fraud

The rise in remote banking fraud may further be accentuated by the proliferation of open banking services. But despite the fact fraudsters will look to exploit weaknesses in Open Banking, this relatively new service should be embraced. Its benefits cannot be underestimated or denied. In fact, recent OBIE data suggests 50% of UK small businesses now use open banking services to see their accounts in real time, forecast their cashflow and issue paperless invoices to clients. But banks do need to think seriously about weaknesses and loopholes and how they protect customers from fraud in the coming months and years.

Fraudsters are already exploiting the vulnerabilities around open banking, especially when it comes to Account Information Service Providers (AISPs). Authorised to retrieve account data provided by banks and financial institutions, AISPs are a critical piece of the open banking infrastructure jigsaw. However, it is believed criminals are starting to create fake AISPs, in some cases pretending to be legitimate AISPs, much like doxing, to gain access to customers’ accounts and data.

To mitigate this risk, banks need to think seriously about how they engage with Qualified Trust Service Providers (QTSPs) to certify and validate AISPs and PISPs. QTSPs provide banks the digital certificate for AISPs and PISPs, and are themselves regulated under the eIDAS directive. But while they have been around since early 2019, QTSPs still remain largely invisible in the financial community. Banks must configure their anti-fraud technology to monitor AISP and PISP activities and also establish a process to validate eIDAS certificates via QTSPs to ensure that they only release access to customers’ accounts to the right people. Not only will this help banks mitigate the risk of fraudulent AISPs and PISPs or man-in-the-middle attacks, it will also enable them to meet a range of other electronic security requirements.

Real time payments bring a sense of urgency for both the fraudster and the victim of the bank. And while instant payments and open banking have undoubtedly brought countless benefits, the rising levels of fraud are real cause for concern. Fraudsters will always find new ways to make money illegally. But by ensuring they have the right fraud technology and aligning that technology to integrate with Open Banking messages and with QTSPs, banks can put themselves in the best position to detect fraudulent AISPs / PISPs and prevent as much fraud as possible.

Laws governing financial crimes within the market haven’t always been as quick to catch up with the trend of crimes themselves, as has law regulating more traditional crimes such as larceny or robbery. However, when it comes to fraud, the law is fairly clear, and the penalties are steep.

A company director making a false or misleading statement is committing a federal offense that carries the threat of serious prison time.

Fraud can take a number of forms from the top of company leadership

A company director is the figurehead of corporate leadership, and speaks directly for the company. It is against the law to misrepresent information that is relevant to the company’s status in any way that may impact investment decisions, manipulate stock prices, or otherwise influence the course of business and the market.

A common instance of fraud is when a company’s directors mislead investors as to the real state of the company’s financial health. Another form of fraud may be presented internally, such as if a CEO sends a memo to their staff informing them that they are running a quarterly profit, when they are in fact running a deficit.

Whatever the means, the law itself is pretty clear-cut. The sentence for making false statements can increase when additional counts are involved, and corporate fraud also involves other financial crime elements.

Other common forms of fraud that may be included in a bundle of charges against a company director for making false statements include:

Regardless of the charges, however, any charge is bound to come on the heels of an extensive criminal investigation. This may start with a complaint or anonymous tip. It could also arise from suspicions on the part of competing firms or directly from regulators or legal investigators.

The criminal investigation

Just as there are a number of ways for company directors to commit fraud through the issuing or simple verbalizing of false or misleading statements, so too are there a number of ways to get caught. Some of the ways a company director may be exposed for illegally making a false statement include:

Of this list, getting caught lying to investigators seems like an unlikely path to downfall for a chief executive, but it happens quite often. For example, former MiMedX CEO Parker Petit was convicted of fraud in November 2020 after the Securities and Exchange Commission (SEC) found that he had falsified the company’s actual financial situation in SEC filings, with the associated securities fraud charge carrying a maximum sentence of twenty years in prison.

Falsifying an SEC filing is not the same as lying to police in the interrogation room, and it seems a brazenly reckless move to make given the consequences, but it is a common cause for fraud charges.

Running a legal defence to prosecutorial offense

Unlike most criminals, guilty company directors in fraud cases tend to have some of the best legal representation available on the planet. There are a number of mechanisms and legal arguments that a good defense attorney or company’s general counsel can employ when their company director is charged with making false statements.

A primary line of defence is to attempt to argue that the company director did not know that what they were saying was false. This argument could be supported by evidence that another member of the company falsified the information. It could be chalked up to accounting error.

While a tried and not always true method of defense, a common approach is to simply deny that the company director did make a false statement. This is certainly a tougher argument to make if documented evidence suggests otherwise. Ultimately, these cases will come down to a combination of the strength of the respective legal teams involved and the truth itself.

Price comparison website ComparetheMarket has been issued a £17.9 million fine by the Competition and Markets Authority (CMA) for overcharging on home insurance.

An investigation by the competition watchdog found that the site imposed “most favoured nation” clauses in contracts between December 2015 and December 2017 that prohibited home insurance providers selling on its platform from offering lower prices on other comparison websites, protecting ComparetheMarket from being undercut by competitors.

The CMA said that the policy “limited competitive pressures” on insurers selling through ComparetheMarket and made it more difficult for competing price comparison websites to grow and challenge the company’s entrenched market position. The resulting slack in competition between ComparetheMarket and these other sites also resulted in higher insurance premiums, according to the CMA.

“Price comparison websites are excellent for consumers,” said Michael Grenfell, executive director for enforcement at the CMA. “They promote competition between providers, offer choice for customers, and make it easier for consumers to find the best bargains.”

“It is therefore unacceptable that ComparetheMarket, which has been the largest price comparison site for home insurance for several years, used clauses in its contracts that restricted home insurers from offering bigger discounts on competing websites — so limiting the bargains potentially available to consumers.”

ComparetheMarket hit out at the ruling. “CompareTheMarket.com is disappointed with the CMA’s decision and does not recognise its analysis of the home insurance market,” the company said in a statement.

“We fundamentally disagree with the conclusions the CMA has drawn and will be carefully examining the detailed rationale behind the decision and considering all of our options.”

ComparetheMarket is one of the UK’s largest price comparison websites and well-known for its television adverts featuring meerkat puppets.

German payments fintech Wirecard, which collapsed following a fraud scandal earlier this year, will see a significant portion of its remaining assets purchased by Madrid-based Banco Santander.

Wirecard’s insolvency administrator Michael Jaffe said on Monday that Santander “will acquire the technology platform of the payment service provider in Europe as well as all highly specialised technological assets”. The deal marks the conclusion for the dissolution of Wirecard “despite unfavourable conditions”, Jaffe added.

In a separate statement, Santander said that it would acquire technological assets from Wirecard’s merchant payments business as part of plans to accelerate the bank’s growth in Europe. A source familiar with the deal told Germany’s Süddeutsche Zeitung that Santander had agreed to pay around €100 million for these assets.

Around 500 Wirecard employees who manage the technology acquired by Santander will join the bank’s global merchant services team, but remain in their current locations, according to the Santander statement. No Wirecard companies were involved in the acquisition and Santander will not assume any legal liability relating to the company or its past actions.

Wirecard was a rising star in Europe’s fintech scene until June this year, when it emerged that €1.9 billion of customer deposits could not be found in the company’s accounts. The resulting fraud scandal led to the arrest of former Wirecard CEO Markus Braun and a warrant being issued for the arrest of COO Jan Marsalek. The company filed for insolvency in August.

The scandal was an embarrassment for German financial regulator BaFin, and Jan Marsalek remains at large despite an ongoing Interpol search.

Investor processes are still underway for the sale of Wirecard’s other subsidiaries in Asia, Turkey and South Africa, Jaffe said. The sale of assets from subsidiaries in North America, Brazil and Romania has already been included, with results expected in the coming weeks.

This investigation is conducted to see whether you were actually hurt at work or are attempting to use the company's insurance policy to collect money.

Being investigated may seem like a complete invasion of privacy, but the investigation is completely legal in some states. You won't automatically be under investigation if you're injured at work, but in some cases, your employer will hire someone to discreetly observe you if it is believed that you may be faking, exaggerating, or malingering your injury. Malingering refers to drawing out your healing time so you can receive additional benefits or avoid returning to work.

In some instances, the investigator can take your actions out of context and present the information to your employer to reduce your settlement amount. For example, if you hurt your back at work, the investigator may submit a photo of you playing catch with your children or picking up your baby. This will make it seem that you aren't really hurt and can still perform your normal work duties.

Tactics Implemented by Workers' Comp Investigators

Investigators will keep tabs on your actions through:

Investigators will often watch you when you're outside of your home and in a public space. Technically, since the investigator is not observing you when you're in a private location, the surveillance is legal.

This means the investigators can watch you while you're in your driveway or yard, at the grocery store or a shopping center, or when you're in a public park. Keep in mind that any time you're in a public area where others can see, the investigator is allowed to "see" you as well.

More About Investigator Surveillance

The insurance company representing your place of work can also conduct online surveillance. This means the investigator may be watching to see what you post on social media or in chat rooms.

If you post anything that gives the impression that you are not truly injured, the investigator can take this evidence to the insurance company. Be careful about what you post, in written or video form, or avoid being on social media altogether until your worker's compensation case is settled.

Investigators may also speak with you in person without revealing their identity or talk to your family and friends. Be mindful of what you say about your work injury since investigators don't have to tell you if they're working on behalf of the insurance company.

The report submitted by the investigator will often be used as a form of evidence at your hearing. Investigators also submit the report to your doctor to verify your physical abilities when you're not at work. This could impact your physician's opinion about providing further treatment.

Does My Case Have to Be Investigated?

Generally, insurance companies may conduct surveillance if it is believed that:

While you may be offended at the idea of being watched, it's important to note that worker's compensation fraud does happen. So if your employer has any reason to suspect that you're trying to get more money than your case is worth, you'll be put under investigation.

Even if the case is new and you haven't given your company any reason to suspect fraud, your employer may still appoint an investigator to make sure your claims are legitimate.

Remember that insurance companies don't want to pay out for workers' compensation if they don't have to, and they certainly don't want to award funds to people who are not entitled to them. Workers' compensation fraud impacts the state system for accommodating employees who are truly injured and raises the cost of insurance. This is why companies take worker's comp fraud very seriously.

Are You Under Investigation?

Most of the time, you won't realise you're being watched. Private investigators are discreet, and again, they don't have to reveal their identities. However, there are some signs to look out for.

If you see a car outside of your home that you don't recognise or you realise you're being followed when you're traveling to a public area, you could be under surveillance. If your friends or relatives have spoken with someone new, this could be a clue as well. Ask your loved ones if anyone has contacted them regarding your work injury.

Protect your rights as an injured worker with the help of a worker's compensation attorney. It's best to contact an attorney as soon as you can when you're injured on the job. Your lawyer will carefully investigate every detail of your case so you'll know exactly what you're entitled to in a settlement.

Wayne Johnson, CEO of Encompass Corporation, offers Finance Monthly his thoughts on where responsibility lies in the case of the FinCEN Files and how better tech can prevent money laundering from going unnoticed.

On 20 September, it was globally publicised that the FinCEN Files had been leaked to BuzzFeed News. Said files exposed some of the world’s largest banks, suggesting that they had been aware of cases of money laundering, corruption and fraudulent activity, contained in up to $2 trillion worth of transactions over an 18 year period between 1999 and 2017.

As a result, global banking shares plummeted by up to 8% on 21 September, and public outrage was aimed at those caught up in the scandal. News editors and agenda setters were quick to pin the blame on the banks, but is it that clear-cut?

The leaked FinCEN Files refer to approximately 2,100 Suspicious Activity Reports (SARs) filed by banks with the US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN). These files refer to suspicious and potentially illicit activity reported by financial institutions in the private sector to financial intelligence units.

Reporting these findings is required by law and, as soon as a SAR is filed, it becomes the responsibility of regulators to investigate these leads, in order to stop any money laundering in its tracks. Reporting to a customer that a SAR has been filed is illegal and can compromise substantial investigations or impact national security.

Of course, suggesting that the banks are entirely blameless in the context of the money laundering exposed by the FinCEN Files leak would be false. The fact that criminals have even signed up to a bank successfully is an indictment on a bank’s initial customer due diligence and onboarding processes.

It is therefore clear that improved money laundering prevention methods are required by the banks themselves to stop instances like this from ever occurring again. However, the extensive and comprehensive Know Your Customer (KYC) processes that are required to identify risk at the point of onboarding a new customer have placed such a burden on resources that banks are struggling to maintain the quality of KYC. ICIJ’s analysis of the FinCEN Files leak found that in 160 SARs banks actively sought more information about the corporate vehicles behind the transaction without response. These gaps in initial KYC expose banks to significant risks down the line, as the FinCEN leaks have made clear.

With existing processes acknowledged as unsustainable and RegTech offering the only way forward, these once novel solutions are now seen as critical tools to be incorporated in a bank’s initial due diligence policy when onboarding and evaluating all customers. These solutions can collect, analyse and integrate critical KYC information far more quickly and accurately than humans, making it far easier for banks to determine beneficial ownership and other information needed for sound onboarding decisions.

The use of RegTech allows banks to truly unlock the potential of their data for KYC purposes. This improves a bank’s ability to detect and fend off risk at the earliest possible opportunity and throughout the entire customer lifecycle. And in the event of risks emerging further down the line, a complete customer profile allows a bank to craft SARs that provide meaningful information that help regulators prioritise and maximise the success of investigations.

The financial sector has made strides in implementing technology to address their regulatory challenges - there is more to be done for sure, but we are seeing banks globally incorporating RegTech and the pace of digital transformation accelerating.

In the case of the FinCEN Files, the issue resides across the entire ecosystem of the regulatory process. It is understood that a severe backlog of SARs, and a lack of adequate funding, has meant that regulators have not had the means to address or thoroughly investigate each and every case. Emboldened criminals are taking full advantage to launder money and expand their empires, and regulators now have no choice but to look at their own processes and make the improvements needed to get through the backlog of SARs and improve responsiveness to new ones.

Fortunately, solutions are available and able to support the SARs programme by helping to improve the reporting policy, both in terms of allowing banks to measure anomalies and ‘suspicious’ activity more accurately, and allowing regulators to prioritise certain cases and conduct efficient investigations.

SupTech (supervisory technology) is a category adjacent to fintech and RegTech and refers to technology used by regulators to improve their ability to supervise the implementation of and adherence to Anti-Money Laundering (AML) and other regulation. This approach could help further sift out irrelevant information, so that regulators and law enforcement agencies aren’t overloaded when investigating leads, and are able to focus on what they really need to.

Furthermore, RegTech, especially in the case of automation, is an increasingly important part of a bank’s technology stack. As previously mentioned, a robust KYC process that generates and maintains accurate and complete digital KYC files will ensure that subsequent activities, such as transaction screening and monitoring, are as precise and effective as possible.

Regardless of who, or what, is to blame for the gross abundance of money laundered through some of the world’s leading banks since 1999 (which, incidentally, is only a tiny fraction of the total amount of money laundered in this period), the fact remains that processes across the landscape are outdated, and the SARs reporting and investigation system must be changed if it is to effectively diagnose and eradicate the more sophisticated methods of criminal activity that have emerged. Solving this issue with RegTech and SupTech is key to improving the effectiveness of compliance at all points, and is essential to stamping out the financial crime that will continue to affect the world’s leading financial institutions.

Syed Rahman, Legal Director at Rahman Ravelli, offers Finance Monthly an analysis of the implications that the FinCEN Files hold for financial services and regulators.

To use an old phrase, you shouldn’t wash your dirty laundry in public. But with the FinCEN Files it seems as if the banks have had many of their dirtiest secrets made very public. And, appropriately enough, they relate to their failure to tackle money laundering.

The FinCEN Files are 2,657 leaked documents; 2,121 of which are Suspicious Activity Reports (SARs) from some of the world’s largest banks and financial institutions. They identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers - via SARs - as relating to possible money laundering or other crime.

Significantly, the documents beg the question why the banks did little or nothing to follow up their concerns. They are a blow to the credibility of both financial institutions and those that regulate them. The quality of SARs as well as the timing of them shows a meeting of the minimum requirements rather than any real intent when it comes to tackling money laundering. Quite how far any retrospective analysis of this conduct goes remains to be seen. But any identifiable failings could prompt civil or criminal proceedings.

Estimates put the leaked SARs as being a mere 0.02% of the total filed to FinCEN (the US Financial Crimes Enforcement Network). Yet while they may be a small percentage of the full picture, they raise big concerns about the lack of thorough checks being made by banks and the implications of this.

These concerns have made the news for a variety of reasons and in a wide range of reports. But while the headlines about facts, figures and prominent personalities are all worth absorbing, our main focus in all of this needs to be on the inadequacy of the system – or the operation of the system - that has allowed money laundering on such a huge scale. The FinCEN files would seem to indicate that we are at a tipping point when it comes to the banks and money laundering: either governments put more resources into the agencies who are supposed to investigate SARs or they work with the financial institutions, regulatory agencies and law enforcement bodies to repair or even replace what appears to be a system with serious fault lines running through it.

There has been recent tightening in the UK and US of legislation in relation to laundering. In the UK alone, we have seen implementation of money laundering directives, creation of the National Economic Crime Centre, the arrival of unexplained wealth orders and account freezing orders and government commitments in its Economic Crime Plan. Yet it appears that more needs to be done. The fact that more than 3,000 UK companies appear in the FinCEN files cannot be ignored. This is more than any other state, and confirms the UK’s unwanted title of most favoured location for money launderers.

At this stage, it is perhaps too early to say with certainty precisely how the blame should be shared out. The fallibility of the system, the shortcomings of the banks and law enforcement’s lack of action or resources appear to be the prime suspects. Closer scrutiny of the individual SARs in question – if and when they become available – may help identify exactly where responsibility for this lies.

Yet wherever the finger is pointed, those who face criticism may well be able to point to mitigating circumstances. In terms of resources, there is no doubt that the SARs regime is placing huge strain on the National Crime Agency’s UK Financial Intelligence Unit (UKFIU), whose job it is to process them. April 2017 to March 2018 saw UKFIU receive more than 450,000 SARs. And while banks and other financial institutions may be criticised, they can point to the fact that by filing the SARs they have complied with their statutory requirements. If, in the wake of these leaks, these requirements are not deemed adequate or effective then another approach – even a whole new way of tackling the problem – may need to be devised. But at the very least a lot of thought needs to be given to the allocating of more resources to the existing approach.

The Law Commission has recommended certain improvements to the UK SARs regime, most notably including a call for them to be made more useful to law enforcement. The Commission said too many reports are of poor quality, as they are made primarily as a defence to any potential allegation of money laundering against the financial institution. It also said that the current system is complex, resource intensive and lacks any accompanying guidance.

The leaking of thousands of documents has, if anything, validated the Commission’s views. The main issue now is what is done to improve or replace a system that suits nobody other than those it is supposed to be working against.
