Finance Monthly hears from Lynne Darcey-Quigley, founder and CEO of Know-It, on the problem of fraud plaguing UK firms and how they can protect themselves from it.
Throughout the 1960s, Frank Abagnale famously faked eight different identities, including a pilot, lawyer and a physician, to gain free flights and defraud banks. There was subsequently a film titled ‘Catch me if you can’, starring Leonardo DiCaprio, made about his life and how he conned people. Arguably his most ingenious (or in fact worrying) tactic was his ability to write personal cheques on his own overdrawn account. This, however, would work for only a limited time before the bank demanded payment, so he moved on to opening other accounts at different banks, eventually creating new identities to sustain this charade and continue to defraud financial institutions.
Although time has passed and technologies and systems have been put in place to weed out the Frank Abegnales, the issue of fraud and financial crime continues to linger. This has been made plainly obvious throughout the COVID-19 pandemic, where the Coronavirus Bounce Back Loan (BBLS) scheme has been plagued by fraudulent applications.
As a result, the National Audit Office (NAO) has estimated that taxpayers could lose as much as £26 billion from fraud, organised crime or default, as up to 60% of the loans may never be repaid.
An all too familiar story
For businesses across the UK, this may not be a surprise. Even before the pandemic, a study from PwC found that half of all UK companies had been the victim of fraud or economic crime between 2016 and 2018. The research found that for more than half of the organisations affected, criminal activity resulted in losses of around £72,000.
Fraud and financial crime, therefore, has clearly not been born as a result of the ongoing COVID-19 pandemic, nor will it diminish once the virus has passed. The case of COVID-19 loan fraud should, therefore, provide businesses, government and other stakeholders with a wake-up call and a chance to reflect on how they can reduce the risks of falling victim to financial fraud. But what lessons can these stakeholders learn and what needs to change?
Even before the pandemic, a study from PwC found that half of all UK companies had been the victim of fraud or economic crime between 2016 and 2018.
Always do your homework
We understand that the issuing of COVID-19 loan schemes was a unique situation. Lenders have been under huge amounts of pressure to approve loans quickly and help support struggling businesses. Unfortunately, this simply doesn’t give them the time they need to conduct the checks that are needed to protect themselves from fraud and financial crime. Yet this echoes similar findings from PwC’s research from a few years ago: UK organisations are generally not doing enough to prevent fraud, with only half carrying out a fraud risk assessment in the last two years.
Regardless of whether your organisation is an SME, a large enterprise or a national government, basic and thorough credit checks must be in place as part of the process of protecting your business. Through establishing the validity of a customer your business is looking to establish a working relationship with, you are immediately reducing the risk of exposing yourself to fraud or financial crime. But why stop there? Compiling credit reports and verifying a business’ status on Companies House before committing to a commercial arrangement are also effective measures that can help protect your business.
These checks go a long way for business owners, particularly SMEs, as late payments and of course, fraud, can cause disruptions to business cash flow. Cash flow issues can prove fatal for smaller business owners, which is why credit checking, building credit reports and validating other businesses and its financial status is key to survival.
Ensuring a smooth recovery
When it comes to government support loans, businesses do not have to begin paying back the money from May 2021 onwards. However, this time large time period isn’t a luxury when it comes to collecting payment from customers. Consequently, implementing a responsive and robust debt recovery process is essential to minimising the risk of non and late payment issues, helping business protect their cash flow and minimise risk.
Agreeing and making a record of credit terms in advance ensures that no business transactions can be disputed, which could later lead to businesses losing out on payment from customers Under the BBLS, the government provided lenders with a 100% guarantee for the loan. For SMEs in particular, this approach simply cannot be taken, especially if debt recovery steps, such as ensuring credit terms between businesses, are not agreed and recorded beforehand.
[ymal]
Chasing owed payments is far easier after the checks to validate a business have been made. Businesses can take measures which include; credit holding, which involves pausing services to a client until they have paid. Issuing final notices is also essential to the debt recovery process, the final correspondence before taking up legal proceedings usually resolves any delayed payment issues. The problem facing the government is that fraudsters applying for support loans will do so illegitimately, therefore remaining anonymous and slipping through the debt recovery net. This reiterates the importance of verifying and checking recipients during the early stages of a business agreement, as this eases the rest of the debt recovery process.
A final word on SMEs
However, it is not just the initial checks before the first commercial transaction that must be invested in. To truly protect themselves, infrastructure must be put in place to continually monitor and chase customers. In larger businesses it is common to have a designated department or employee who will handle this process – usually this person will be known as a ‘credit controller’. Yet, we understand that many – particularly smaller businesses – do not have the resources readily available to continuously check the credit status of their customers and conduct due diligence.
Fortunately, this is where advancement in technology play a critical role. For example, by using technology to automate the credit control process, this can help businesses streamline this process so they can credit check and monitor and conduct due diligence, all from one place. Automating this process, firms can collate the information and identify areas of concern, without expending huge amounts of time and precious resources, ultimately helping them to limit risk and reduce fraud.
Finance Monthly hears from Brice Corgnet, Professor at emlyon business school; Camille Cornand, Research Director at CNRS; and Nobuyuki Hanaki, Professor at Osaka University, on the results of their behavioural study and what they might mean for traders.
The COVID-19 pandemic has created unprecedented times. The lockdown measures that have been put in place have shut down schools, reduced socialisation to almost zero, and halted or hindered virtually all industries.
There has been a significant economic fallout from the pandemic, with job losses and bankruptcies occurring on a daily basis. Governments globally have been implementing various fiscal policies in an attempt to control the fallout, but they can’t do this indefinitely.
Even though events like the current pandemic are rare, they have a major impact as they are by definition surprising - meaning that they are highly likely to trigger a strong emotional response, which can have a significant impact on investments. For this reason, we decided to look into individuals’ behavioural and psychological response to extreme events and how these emotions can affect the way that they invest.
For this experiment, the participants were tasked with placing successive bids to acquire a financial asset that offered a positive reward, which also had the potential to have a large loss that could wipe out the participants accumulated earnings and bankrupt them.
Even though events like the current pandemic are rare, they have a major impact as they are by definition surprising - meaning that they are highly likely to trigger a strong emotional response, which can have a significant impact on investments.
During the experiment, the participants’ emotions were monitored by electrodermal activity (EDA). We placed electrodes on the participants’ index and middle fingers which measured their sweat. By doing this, we were able to learn how the individual was feeling at different stages of the experiment – when the decision screen was made and when the earnings were shown.
EDA is a valuable tool in physiological science as it is a biomarker of individual emotional responsiveness that can help detect, for example, anxiety.
The results show that different emotions can have various effects on investment decisions, but the most interesting result that we found was that, in times of uncertainty, anxiety could actually protect investors from extreme events. This is because investors who exhibit anxiety tend to take on fewer risks, which then means they are less likely to suffer extreme losses and bankruptcy than their less emotional counterparts.
Many people will find it surprising that being anxious could improve investment decisions as this is a complete contrast to what we are usually told. Normally, those that are more likely to take risks when investing are more likely to be successful. But we are in very unusual circumstances where experiencing anxiety when investing could be what saves your company.
[ymal]
Furthermore, the research revealed that emotions, such as anger and fear, can also affect investment decisions. Those who showed fear were more likely to decrease their bids, similar to those that are anxious. However, those who get angry when investing are more likely to increase their bids because they have an inability to make peace with their losses, which then promotes risk-seeking behaviours, creating a cycle.
The research highlights that the effect of emotions on financial decisions is particularly complex, since a negative event like COVID-19 can have completely different effects depending on the individual. But in our current circumstances, having emotions like fear and anxiousness can actually be beneficial for companies – something worth considering in this unstable climate.
Richard Harmon, Managing Director of Financial Services at Cloudera, discusses the importance of relevant machine learning models in today's age, and how the financial sector can prepare for future changes.
The past six months have been turbulent. Business disruptions and closures are happening at an unprecedented scale and impacting the economy in a profound way. In the financial services sector, S&P Global estimates that this year could quadruple UK bank credit losses. The economic uncertainty in the UK is heightened by Brexit, which will see the UK leave the European Union in 2021. In isolation, Brexit would be a monumentally disruptive event, but when this is conjoined with the COVID-19 crisis, we have a classic double shock wave. The duration of this pandemic is yet to be known, as is the likely future status of society and the global economy. What the ‘new normal’ will be once the pandemic has been controlled is a key topic of discussion and analysis.
It’s not easy to predict the unpredictable
In these circumstances, concerns arise about the accuracy of machine learning (ML) models, with questions flying around regarding the speed at which the UK and EU will recover relative to the rest of the world, and what financial institutions should do to address this. ML models have become essential tools for financial institutions, as the technology has the potential to improve financial outcomes for both businesses and consumers based on data. However, the majority of ML models in production today have been estimated using large volumes and deep histories of granular data. It will take some time for existing models to be re-estimated to adjust to the new reality we are finding ourselves in.
The most recent example of such complications and abnormalities, at a global scale, was the impact on risk and forecasting models during the 2008 financial crisis. Re-adjusting these models is by no means a simple task and there are a number of questions to be taken into consideration when trying to navigate this uncertainty.
ML models have become essential tools for financial institutions, as the technology has the potential to improve financial outcomes for both businesses and consumers based on data.
Firstly, it will need to be determined whether the current situation is a ‘structural change’ or a once in a hundred years ‘tail risk’ event. If the COVID-19 pandemic is considered a one-off tail risk event, then when the world recovers, the global economy, the markets, and businesses will operate in a similar environment to the pre-COVID-19 crisis. The ML challenge, in this case, is to avoid models from becoming biased due to the once-in-a-lifetime COVID-19 event. On the other hand, a ‘structural change’ represents the situation where the pandemic abates, and the world settles into a ‘new normal’ environment that is fundamentally different from the pre-COVID-19 world. This requires institutions to develop entirely new ML models that require sufficient data to capture this new and evolving environment.
There isn’t one right answer that fits every business, but there are a few steps financial services institutions can take to help them navigate this scenario.
How to navigate uncertainty with accurate machine learning
- Modify existing models: This will be the starting point for all data science teams and can involve using the latest data elements to modify current models while also creating scenario-based projections adjusted for various levels of model bias.
- Stress testing: A practice that helps businesses gain a clearer understanding of their hidden vulnerabilities. Finance leaders should work alongside Chief Risk Officers to set up multiple dynamic stress testing scenarios.
- Industrialisation of ML: This is the ideal time to invest in a platform that supports the entire ML life cycle to build, validate, productionise, manage and monitor all their models across the entire enterprise. Data about customers is coming from different places and is stored in different places, whether that’s the public cloud or on-premise. For ML models to be effective, they need to be taking all these streams of data into account, with the ability to understand what the different data is saying quickly. This can only be done effectively in a unified enterprise data cloud platform.
- Prescriptive analytics: This approach is complementary to ML and uses simulations for more accurate decision-making for different scenarios, brought on by shocks or market changes. One common approach is Agent-Based Modeling (ABM), a bottom-up simulation for modelling of complex and adaptive systems. ABMs help business project thousands of future scenarios without having to depend upon the limitations of historical data.
[ymal]
When facing a crisis of unprecedented size such as this one, it’s time to look inwards and review the technology investments in place and whether crucial tools such as ML models are being deployed in the best way possible. Financial institutions should face this issue not as responding to a one-off crisis, but as a chance to implement a longer-term strategy that enables a set of expanded capabilities to help prepare them for the next crisis. Businesses that put in time and effort to re-evaluate their machine learning models now will be setting themselves up for success.
Carl Slabicki, Head of Strategic Payment Solutions, BNY Mellon Treasury Services, explores the changing climate of US payments.
For a long time, banks in the US have competed primarily on price and service rather than as providers of payments solutions. But the payments and cash management space is now changing. New developments to existing payment rails, combined with the advent of new real-time solutions and overlay services are emerging, and organisations that are able to quickly adapt to the evolving payments landscape will be well placed to gain a significant market advantage.
As we enter this period of unprecedented disruption in the marketplace, the importance of expediting the journey from paper to digital transactions for payers and receivers is becoming increasingly clear; payments are faster, more streamlined and feature enhanced capabilities around validation, security and risk mitigation.
Certainly, in the current challenging environment, the continued investment in and implementation of digital solutions continues to highlight the timeliness of this initiative. Remote working has put a spotlight on the channels we choose to make payments, with the payments industry leaning more and more on a digital environment to stay connected and continue conducting efficient and timely business. So what changes are occurring, and how can organisations and their clients reap the rewards?
The payment system evolution
For over 45 years, the ACH network had been the core next-day batch settlements system in the US. But during its long tenure, the underlying ACH system – which is governed by the National Automated Clearing House Association (Nacha) – has continued to modernise and grow, with the latest figures showing an increase in transaction volumes of 8.1% year-on-year in Q4 2019. This growth has been driven by the increasing payment convenience brought about, in part, by the introduction of Same Day ACH (SDA), which from March 2020 has increased its transaction limit from US$25,000 to US$100,000 to help open up additional use cases for the market.
As we enter this period of unprecedented disruption in the marketplace, the importance of expediting the journey from paper to digital transactions for payers and receivers is becoming increasingly clear.
To meet that growing need, new payment rails are being introduced to replace legacy capabilities. For example, RTP® – the US’s real-time payments network – launched by The Clearing House in 2017, is providing real-time gross settlement on a 24/7/365 operating model. This is providing clients with greater speed, efficiency, convenience and transparency. What’s more, in a move that will further bolster the growth of faster payments in the US, the Federal Reserve has announced its intention to launch its real-time payments system, known as the FedNowSM Service, in 2023 or 2024.
Improving security
Sitting right at the centre of the evolving US payments landscape is the move towards pre-validation services – foundational tools that are addressing security concerns that surround the entire payment process. Regardless of the payment channel being used – whether it’s ACH, Wire, RTP or other – the question remains: how do you know the payment or account data you have been provided for a transaction is correct and legitimate?
Indeed, the advent of new technologies that have enabled faster and more efficient payments sits at the intersection of another trend, namely the sophistication of fraud in the payment space. And, as people have settled into working from home environments, such security concerns have been further accentuated. The need to positively verify that an individual is authorised to transact on a paying or receiving account is, as a result, also becoming increasingly important.
It is for this reason that market leading banks are turning their attention to delivering solutions that enable real-time pre-validation – meaning the confirmation that a payee is the legitimate party occurs prior to a payment being sent. These solutions leverage a national shared database, such as the one maintained by fraud management and prevention service provider Early Warning Services, to validate the routing and account number, and verify the owner on the account, before the payment is sent. This increases security and risk mitigation, reduces fraud losses, and helps reduce the costs and processes associated with checks and other legacy payment systems.
Digitalising paper
Elsewhere, a host of overlay services are coming to the fore to address historical market challenges. For example, the migration from checks to electronic payments remains a significant pain point for cash managers. Though accepting and processing checks comes with a heightened risk of fraud and an array of manual processes, they continue to remain necessary as many businesses do not have the information required, or the technology interface needed, to send or request a payment digitally.
[ymal]
To address these issues, directories that allow payees to securely register their payment details and identities electronically are emerging, such as Zelle® in the US. Owned by a consortium of banks, the Zelle directory allows users to register identifiers, such as an email address or mobile phone number – referred to as “tokens” – which, following a thorough authentication process, can then be used to send and request electronic payments. Banks will then pull that authenticated token from the directory to find out the beneficiary’s bank, before using ACH or the card network to settle the payment. Going forward, Zelle, with the support of some of its member banks, including BNY Mellon, is working with The Clearing House to add RTP as an additional settlement mechanism. It is hoped that these capabilities will be implemented within the next year.
And while Zelle represents an effective way to securely send electronic payments to consumers and small businesses, there is also a demand for this in the business to business or vendor payments space. They too want to reduce the time and effort it takes to collect supplier banking account information, validate and keep it updated, as well as ultimately reduce or eliminate paper checks. This is increasingly achieved through settlement networks such as Paymode-X®, the largest business to business vendor payment network in the US, with over 400,000 members, processing over $200 billion in payments annually. It allows clients to convert vendor payments from paper (check) to ACH with electronic remittance, with the potential to earn revenue share on payables.
Adapting to the “new norm”
With the emergence of real-time payments, updated legacy rails and a new layer of overlay services, the US payments space is transitioning to an entirely new payments culture. Developments are moving quickly, with many banks looking to outsource their solutions to a trusted provider that already has the technology available – enabling them to swiftly go to market for a fraction of the cost.
As banks look to transform in this way, it is vital that they are able to provide clients with the options and capabilities they need to enable their businesses to run effectively and efficiently in the new faster payments environment. There is not a single, optimal channel that can solve every issue and meet all requirements – making it crucial that banks have a variety of tools in their arsenal, ready for instant deployment. The opportunity to provide improved, digital services to organizations, with greater levels of security, ease and efficiency has arrived. By working together to achieve ubiquity and interoperability, banks are developing the modern tools necessary for delivering a truly optimised payments experience.
The views expressed herein are those of the author only and may not reflect the views of BNY Mellon. This does not constitute Treasury Services advice, or any other business or legal advice, and it should not be relied upon as such.
Matthew Leaney, Chief Revenue Officer at Silent Eight, examines the issue that correspondent banking poses to the financial sector.
On the one hand, it has long been a key mechanism for integrating developing countries into the global financial system and giving them access to the capital they need. On the other hand, correspondent banking relationships are inherently risky for the global banks that grant access to the respondent bank’s customers without being able to directly conduct Know Your Customer/Customer Due Diligence (KYC/CDD) checks on them.
It’s not a small problem: make access too easy and you risk allowing billions of illicit funds through your door; cut off the relationships and you starve emerging markets of capital and drive their transactions into the shadows.
To its credit, the Financial Action Task Force (FATF) understands the dilemma and has provided continued guidance to clarify the issue. In its October 2016 Guidance on Correspondent Banking Relationships, it explicitly stated that its standards “do not require financial institutions to conduct customer due diligence on the customers of their customer (i.e., each individual customer)”. Rather, they require the correspondent bank to conduct sufficient due diligence on the respondent bank’s processes to understand the risk they present and whether the risk is acceptable within their risk management framework.
Still, many global institutions have decided over the past few years to “de-risk” by shutting down or curtailing their correspondent banking relationships in many countries. It’s easy to see why. It makes sense to exit a relationship when the risk associated with it exceeds your risk tolerance. But the solution doesn’t need to be this drastic. After all, correspondent relationships aren’t inherently bad, they just present a higher level of risk than the bank is willing to accept. Lower the risk and you’re back in business.
It makes sense to exit a relationship when the risk associated with it exceeds your risk tolerance. But the solution doesn’t need to be this drastic.
The solution is straightforward, at least in concept: lower the risk by increasing the effectiveness of respondent banks’ AML/CTF programs. This approach is exemplified by our partner Standard Charter’s “De-Risking Through Education” strategy, featuring regional Correspondent Banking Academies to help raise awareness of best practices and emerging technologies.
Heidi Toribio,Managing Director, Global Head Financial Institutions, Global Banking,at Standard Chartered Bank said that the initiative was key to preserving correspondent banking relationships, and removing ambiguity from compliance standards through partnership. “Correspondent banking goes to the heart of facilitating cross-border trade and financing growth, which is central to our DNA and our purpose as a bank,” she said.
A key element to preserving these relationships is improving the controls within the respondent bank by leveraging emerging technologies like Artificial Intelligence. Silent Eight understands this and has developed solutions to meet this need. With its AI-driven screening system, banks in developing countries could demonstrate a data-driven AI process that learns and improves its output as it addresses alerts. The process gives reliable results, resolving each alert and documenting the reason for the action. The whole AI process is systematic, reliable, consistent and auditable, and provides the analyst clear information on which to make a final determination.
[ymal]
Leveraging AI solutions into AML/CTF programs is a priority for banks in developing countries so they can demonstrate that their programs are up to global standard. It should also be a priority for global institutions that are or were acting as correspondents, since it allows them to diversify into a broader range of markets at an acceptable level of risk. Together with initiatives like De-Risking Through Education, the adoption of technology like Silent Eight can help developing economies once again gain access to global financial markets and help keep their financial transactions out of the dark.
Andrew Durant, the head of the Forensic & Litigation Consulting team at FTI Consulting, offers Finance Monthly an analysis of the impending challenge to finance teams and advice on how they can overcome it.
Fraud was already shaping up as a big issue for businesses in 2020 before the COVID crisis struck. For instance, the Resilience Barometer 2020 research from my company, FTI Consulting (involving 2,000 senior executives) found that fraud was perceived as the number one financial crime, with 24% reporting being exposed to it.
This would mean that an enormous £28 billion was lost to fraud in 2019 alone by FTSE 350 businesses (based on an average loss on 5% of annual turnover - see 2018 ACFE Global Fraud Survey, Report to the Nations). Even at 1% of turnover, this would still be sizeable for victim businesses.
On top of this ongoing problem from fraud, in times of most global crises a spike in fraud typically follows. Sadly 2020 is going to be the worst year many of us will experience!
Why do more fraud cases appear after crises? A variety of reasons, such as an increased opportunity available to fraudsters with senior management teams rightly focused on other things, such as trying to keep their businesses afloat and their staff in jobs for a start.
Fraud was already shaping up as a big issue for businesses in 2020 before the COVID crisis struck.
What they will not be thinking about is the enemy within. And, in my experience, that is where the greatest risk lies. It is human nature to believe that threats arise from unknown individuals outside an organisation. However, it is more likely to be a fellow employee who knows the financial controls (and the weaknesses in them) and that you trust implicitly.
Crafty fraudsters will see 2020 as a ripe opportunity to pounce. In the current “lockdown” with increased home working, with corresponding less people at work overseeing finance, security and operations, fraudsters will have more opportunity, with less scrutiny, more freedom and fewer questions asked.
What can finance directors and their teams do to reduce the escalating risk of fraud? Here are three areas that seem simple but can actually make a huge difference to preventing and detecting frauds:
1. Encourage whistle-blowers to step forward
Most frauds are detected by tip-offs from employees, especially those who are involved in finance and procurement. Despite protections in place, whistle-blowers still fear that they will become the victim and either be exposed and/or lose their jobs. And, I don’t blame them. In many cases I have investigated, the immediate reaction of the company tended to be “who is the whistle-blower” or “they must have an axe to grind”, not “we need to investigate these allegations immediately and prevent further loss”.
2. Use of temps and contract staff should be monitored carefully
If a member of the finance department become unwell or need to take time off to care for a relative, it may be tempting to backfill with temporary or contract staff. Companies should ensure that they do not drop their guard and carry out fewer checks than normal. Fraudsters have been known in the past to target finance teams that have a higher propensity to rely on contract or temp staff.
[ymal]
3. Be diligent in your transaction approval process
The lockdown now looks likely to continue in some form until at least September, so it is important that finance teams remain vigilant and check all transactions carefully, especially scrutinising carefully any:
- ’Urgent’ transaction requests – in a recent case this modus operandi was used to pay away $5 million to an offshore account;
- Transactions just below an authorisation limit especially if there are multiple payments to the same third party – if you spot this pattern, check back to the contract to see whether there are any “red flags” around the identity of the supplier, the tender process or the approval process ; and
- Journal entries that may be requested, particularly around month or other period ends. This is a frequent method to disguise transactions or to “boost” results.
Despite taking all the precautions listed above, organisations will still suffer fraud. Once discovered, taking the right steps quickly ensures a higher chance of recovering missing funds and a lower chance of losses continuing.
Do not make emotional or hasty decisions
Fraud involves a breach of trust and, therefore, as an employer you may feel betrayed by what has happened. As a result, you may be tempted to take immediate action which may ultimately compound the situation.
Therefore:
Keep an open mind
There may be a logical explanation for the discrepancy that may not be immediately obvious.
Discuss this with as few people as possible
You may be unwittingly tipping off someone involved in the fraud. If you do need to escalate or discuss your concerns, speak to the head of internal audit or legal department. Do not discuss it with a colleague, even if you trust them implicitly (see above regarding the enemy within).
Plan a course of action
The actions taken in the first hours and days after a suspect comes to light can ultimately affect the successful outcome of any action. As the finance director, you will likely have a fraud response plan in place. However, I wonder how many of them are collecting dust, probably also years out of date? Also ensure that senior management in each teams or location knows about the plan, have tested it (akin to a fire alarm, the plan needs to be tested to ensure everyone knows what to do and when).
Finally, I would advise finance directors and their teams not to ignore that “sixth sense”. If you start to feel uncomfortable about something, there is usually a reason.
Below Simon Wood, CEO at accredited LEI issuer Ubisecure, discusses with Finance Monthly the significance and function of LEIs, what they are and how they work, but more importantly how the financial sector can work to reduce the risks involved in managing LEIs.
Comprising of 20-character alphanumeric reference codes, LEIs are designed to identify distinct legal entities and provide a free, publicly available, verifiable source of ‘who is who’ (organisation identity) and ‘who owns whom’ (organisation group structures). Crucially, by utilising LEIs, companies of all sizes can identify themselves as a true legal identity and trade globally.
LEIs offer many advantages to the banking industry, ranging from significantly reducing costs in customer onboarding to establishing transparency and enabling trust in transactions. Indeed, McKinsey & Company, along with the Global Legal Entity Identifier Foundation, recently found that LEIs could yield annual savings of over U.S. $150 million within the investment banking industry alone.
Despite these benefits, however, if LEIs are not managed correctly the potential risks could result in harmful ramifications, including non-compliance fines and negatively impacted reputations. With that in mind, it is important that the banking sector not only educates itself on these risks, but that it also acts to deploy tools and strategies to manage LEIs safely and effectively.
The role of LEIs in banking
The value LEIs bring to the banking sector can be categorised in two key ways – by enhancing transaction identification processes, and by simplifying the process of tracing information about a transaction.
LEIs are an ideal mechanism in situations where an identification process is required for payments. At the same time, they allow financial institutions to optimise the efficiency of their systems through automating and augmenting verification methods.
LEIs are an ideal mechanism in situations where an identification process is required for payments. At the same time, they allow financial institutions to optimise the efficiency of their systems through automating and augmenting verification methods.
Where payments need to be routed to the correct entity in a large corporate group, LEIs serve an equally essential function, making all members of the transaction aware of who owns whom via LEI level 2 data. They also allow economic crime and identity fraud to be quickly pinpointed and averted.
It’s therefore unsurprising that the SWIFT Payment Market Practice Group is a key advocate of LEIs, and has formally declared the ‘huge potential’ they offer for improving payment processes.
Moreover, the cost of customer onboarding can also be significantly reduced with LEIs as they standardise one comprehensive identifier for KYC/AML processes. In fact, recent research from McKinsey & Company suggested that by using LEIs to support all stages of the ‘customer management lifecycle’, the banking industry as a whole could save around U.S. $2.4 billion a year.
LEI management considerations
With ISO 20022/SWIFT becoming the global standard for financial transactions, there is a strong push for the inclusion of LEIs in payment messages. Consequently, LEIs are set to play an even more fundamental role within banking over the next year – so it is increasingly vital that they are managed in a secure and efficient way.
This involves ensuring that workflows and systems are able to obtain LEIs as required, and also that they don’t lapse. Ultimately, a host of new risks are introduced when LEIs are missing, incorrect or out-of-date. The implications can be severe, resulting in held-up trade and potential non-compliance fines.
Organisations are required to acquire and uphold LEIs in line with specific regulations – such as MiFID/MiFIR in the EU for example. If this doesn’t happen, then trade will be delayed and transactions frozen until the issue is resolved. For this reason, LEIs should be issued at the earliest stage possible to avoid payment workflow delays and disruption down the line.
[ymal]
Mitigating the risk
The first step around countering LEI risk is to ensure that the relevant staffers are fully aware of the consequences that come with lack of LEI preparation. With this, its essential that strategies are put in place to provide the necessary education.
In practical terms, employing a robust LEI issuance and management solution can help to reveal the existence and status of all current LEIs within an organisation’s internal and external groups. This also helps to provide an overview of all the LEIs in play within a single view, so financial organisations can easily identify and issue LEIs to anyone with missing identifiers.
By automating the LEI issuing and renewal processes, banks can significantly cut down administrative burdens, while simultaneously guarding themselves against the risk of lapses or fines from regulatory breaches.
As LEI use cases are set to explode, there’s no question that they are the future for driving progress within banking. Yet although the benefits are significant, the industry must also be aware that the potential costs of lapsed, missing or incorrect LEIs are also considerable. To fully reap the rewards, then, implementing systems and processes to manage them effectively is vital.
The interest in ATM malware and attacks is persistent and poses a threat to financial institutions and ATM manufacturers alike.
Here Amina Bashir, Associate Product Manager at business risk experts Flashpoint, offers Finance Monthly some insight into the underground market for malware designed for use in ATM cash-out schemes.
As giant boxes of cash, it’s understandable that ATMs are magnets for nefarious activity. Like many other forms of financially motivated crime, malicious activity against ATMs is supported by an underground ecosystem of illicit offerings and resources, as evidenced across Flashpoint’s datasets.
For example, information sourced across illicit online communities, encrypted chat services, and paste sites shows threat-actor mentions of ATMs on a par with mentions of distributed denial-of-service (DDoS) tools and attacks, far exceeding mentions of Remote Access Trojans, crypters, botnets, and ransomware. The interest in ATM malware and attacks is persistent and should be on the radar of financial institutions and ATM manufacturers alike.
Here’s a look at some known threats to ATMs:
Skimmers and Shimmers
Skimmers and shimmers are small, physical devices which are inserted into ATMs to steal payment card data. They are a popular commodity among fraudsters, but some criminals favor a more straightforward form of theft: directly stealing cash from the machine.
ATM Jackpotting
Jackpotting is the manipulation of an ATM so it ejects the cash within. It is often carried out with the help of specialised malware sold on illicit online marketplaces. During the past several years, malware-enabled ATM jackpotting attacks have been reported worldwide, from Europe and the U.S., to Latin America and Southeast Asia.
ATM Malware
ATM malware continues to be popular among threat actors operating across various platforms. Analysts have observed that ATM malware appears to be sold by only a few threat actors, some of whom may be associates. This is in contrast to other types of malware, which are sold by a wide range of vendors.
[ymal]
Inside the ATM Malware Market
WinPot, Cutlet Maker, and Yoda are among the most mentioned ATM malware variants. Due to similarities in posts, it is possible that some of these malware families are being created or sold by associated—if not the same—threat actors. Moreover, Flashpoint analysts have noted that many threat actors who advertise ATM malware also peddle other offerings on the cybercrime underground, including carding services and access to compromised bank accounts.
Uniquely among cyber threats, ATM malware attacks inherently require a physical presence at the targeted site. In fact, since most common and popular ATM malware variants are installed via USB, where attackers must physically open the machine’s exterior panel and connect an external device—attacking an ATM is hardly an inconspicuous endeavour.
And while some forms of ATM malware, such as ATMitch, can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers, such an attack still requires the threat actor or a money mule to physically retrieve the stolen cash from the machine. As such, jackpotting crews are known to select their targeted sites carefully; ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.
ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.
So, in addition to keeping ATMs updated with the latest security software and patches, one of the best ways for operators to avoid being targeted in a malware attack is to noticeably bolster actual and perceived physical security at ATM sites. For example, an outdoor ATM set back from the sidewalk in a poorly-lit area could be a natural target for jackpotting, but the addition of motion-activated floodlights and conspicuous security cameras monitoring the premises from several angles to avoid blindspots could immediately deter threat actors.
In addition to enhancing visibility and surveillance, changing the lock on an ATM’s exterior panel is another simple way to thwart threat actors sniffing out vulnerable ATMs that use a generic, mass-produced key provided by the manufacturer.
Assessment
Despite being controlled by a relatively small number of threat actors, Flashpoint analysts believe the underground market for ATM malware will continue to flourish, serving a global customer base of threat actors and posing a threat to financial institutions and ATM manufacturers worldwide.
Flashpoint analysts have observed wide variance in the price of ATM malware within illicit marketplaces, from as low as $25 USD up to $5,000 USD depending on the malware being offered, in addition to other factors, such the vendor’s reputation and level of customer support, customisation, and bundled services.
Following the recent failure of a student housing investment scheme in Stoke-on-Trent, Peter Robinson, Joint Head of Property at Hunters Law LLP, examines the pitfalls that can be encountered in investing in 'off-plan' development schemes, particularly those involving leaseholds. Peter argues that buying 'off plan' is highly speculative and, therefore, high risk.
Investing in a commercial property development scheme has a number of risks associated with it. Some of these are illustrated by the problems being encountered by private investors in a student housing project in Stoke-on-Trent[1].
The scheme involved the developer selling long leases of individual rooms in student accommodation for capital sums and relatively high ground rents subject to review at five-yearly intervals throughout the term of the lease. Each investor then granted a sub-lease of his or her room to the management company (which appears to have been connected to the developer)[2].
The grant of nearly 200 leases on this basis generated for the developer [3] :
- capital receipts of several millions of pounds; and
- an annual ground rent income stream of nearly £150,000 which allowed the developer to sell the freehold for over £2.8 million.
In October 2018, investors failed to receive from the sub-tenant company the “additional rent” due to them under the sub-leases that they had granted. After a further default in making these payments, the sub-tenant company was put into administration[4].
The administrators subsequently advised investors that[5]:
- the management company had not generated enough income to pay the additional rents representing the returns to investors under the sub-leases;
- investors would have to fund payment of the rent and service charge payable under their own leases; and
- to enable the administrators to continue the process of administration the investors would have to waive their right to receive “additional rent” until all other necessary expenses of the administration had been paid.
This has frozen returns on the investments made in the scheme, at least, until the scheme is re-structured to generate an appropriate level of income.
[ymal]
In order to minimise the inherent risk of collective investment of this type, an investor should understand:
- the criteria for making the project a success (in a student housing scheme the criticality of opening at the beginning of the academic year); and
- the process of realization of the project and the associated risks.
Buying into such a scheme 'off plan' is speculative and, therefore, has a higher than normal level of risk. In particular:
- a number of individual units will need to be completed (on time and within budget) to make the whole development viable;
- a lease is both a wasting and, potentially because of the landlord's right to forfeit for non-payment of rent/service charge, vulnerable asset; and
- there are cost, timing and quality issues, particularly in a specialist sector such as student accommodation.
Engagement of appropriately experienced professionals to advise on making such an investment is a key part of a successful strategy for investing in such a scheme.
The benefits of such engagement in managing the inherent risks are:
- The standards which a professional must meet in order to have satisfied the duty of care owed to a client are high and, not meeting those standards would lead to the client having a claim for negligence against that professional; and
- A good and experienced solicitor/surveyor should be capable of identifying and advising on the potential risks of the scheme and, most importantly, be capable of advising the client not to proceed with the investment or, at least, not on the terms offered.
Informal collective investment property schemes are currently only loosely regulated and disaffected investors will, generally, not be able to obtain redress for lost or impaired investment from the state. Prudence, research and preparation before investing is such schemes is, therefore, imperative.
Sources:
[1] "How a £100m student accommodation scheme went wrong. Thomas Hale – July 3 2019 – FT Alphaville : https://ftaphalphaville.ft.com/2019/07/03/15562130014000/How-a--100m-student- accommodation-scheme-went-wrong/
[2] Paragraph 3 of A1 Properties (Leicester) Limited (In administration) Statement of Joint Administrators' Proposals Pursuant to Schedule B1 of the Insolvency Act 1986 of 23rd April 2019 – Companies House.
[3] Register entries for HM Land Registry Title Number SF514607
[4] Paragraph 3 of A1 Properties (Leicester) Limited (In administration) Statement of Joint Administrators' Proposals Pursuant to Schedule B1 of the Insolvency Act 1986 of 23rd April 2019 – Companies House.
[5] Paragraph 5 of A1 Properties (Leicester) Limited (In administration) Statement of Joint Administrators' Proposals Pursuant to Schedule B1 of the Insolvency Act 1986 of 23rd April 2019 – Companies House.
Here Jake Holloway, Chief Product Officer for Rizikon Assurance at Crossword Cybersecurity PLC, explains why Supplier Assurance Frameworks are becoming more-and-more essential in the new world of operational resilience.
More recently, the introduction of SMF24 under the Senior Managers and Certification Regime has put the ownership of resilience firmly in the boardroom. Those in the new SMF24 role need to have complete visibility of the operational risks that might exist not only in the organisation, but also within its own supply chains and partnerships. As we have seen with recent IT outages and high-profile cyber security incidents, it is not always the institution itself that is at fault, but it is them that faces the critical attention of their customers, the media and the regulators.
A new era of supplier risk management for the financial sector
In order to manage risk and build healthy supply chains in the financial sector, the right supplier assurance processes need to be in place. This could be seen as a challenge for procurement teams and the supplier onboarding process, but it reaches much further, with risk assessments needed across areas as diverse as anti-money laundering, the Modern Slavery Act, Health & Safety, GDPR and cyber security to name but a few.
Each of these areas impacts institutions in different ways, and indeed may require specialist expertise to assess the risks. Cyber security is a great example, where a weakness such as an unpatched VoIP phone or laptop, may be exploited in one supplier to reach back into the financial institutions themselves.
Normally, supplier assurance and procurement teams would stay well away from such technical and complex areas. For instance, with cyber security, where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the specialists while supplier assurance teams focus on the core of financial risk, insurance cover, regulatory standards, governance and so on.
[ymal]
Building a Supplier Assurance Framework
Institutions need a different approach to reduce risks associated with suppliers, vendors and other third parties. One that combines the supplier assurance and procurement team’s approach based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine through the implementation of a Supplier Assurance Framework.
A good framework, starts with the need for supplier assurance and other departments to gain an improved understanding about each other’s domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may have in that departments sphere.
Each supplier can then be measured against these criteria, and their supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, for suppliers with a Very High impact, the supplier should be expected to demonstrate a high level of internal controls. For cyber security, for example, this should take the shape of obtaining or working to achieve high standards such as ISO27001, IASME Governance or NIST. This means it’s the supplier’s responsibility to show a serious level of control rather than the hard-pressed cyber security team’s responsibility to dive into hundreds of hours of audit work. It also has the benefit of being easy for a non-cyber specialist to determine if the standard is present or not.
Where a technical assessment is needed, such as a penetration test or at least a “pen test” report from a credible third party, then the supplier assurance team can be responsible for managing that this takes place – handing over the responsibility to the cyber teams or external testers where needed. This ‘management of risk’ role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.
The approach at each level of supplier impact should also contain the ongoing levels of compliance required in order to maintain good risk management. Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk – whether cyber, continuity, financial or regulatory.
Total risk visibility for the SMF24 role
What really helps is that the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks. We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, slavery and other risks all on one simple chart for each supplier. For the person in the SMF24 role, this creates a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together.
The SMF24 role completely changes the emphasis on operations from management to proactive resilience, but to achieve that the right supplier assurance framework, processes and technology need to be in place that give the boardroom the visibility it needs to control, manage and measure their exposure.
Part of the reason for this is a series of falsehoods which have taken root in the collective conscience of investors, including the belief that responsible investing somehow underperforms compared to alternative investment styles. Another popular one is that there is simply no place for being responsible when it comes to investing.
However, the rise of companies such as Beyond Meat, which are displaying clear signs of success, are helping to change some of these ingrained biases, according to Ryan Smith, head of ESG research at Kames Capital.
“There have been many theories over the last few decades about responsible investing and how it fails to offer as good an opportunity broadly to investors,” he said. “However, the facts are very different. Companies which do not give any consideration to their responsibilities to everyone beyond their shareholders are increasingly in the spotlight for the wrong reasons.
“Nonetheless, many myths still abound about responsible investing which must be dispelled.”
Below Smith looks at some of the most common myths around responsible investing, and reveals the reality of the situation behind them.
Myth 1: There is no place for ethics in investment
"Gordon Gekko didn’t do lunch and wasn’t strong on ethics."
Gordon (as they say) would sell his granny. In contrast, we think there is value in judging a company on the sustainability of its products or services. Industries or companies that perform no social function are inherently unsustainable. They impose costs on society and ultimately, it is highly probable that such activity will simply be regulated out of existence. The sustainability of a company’s products or services is therefore vital to its long-term strategic success. Strategic positioning and vision can be a long-term tailwind or headwind. An unsustainable product (e.g. coal) is a huge strategic headache for any management team, just as a sustainable one should create a tailwind of opportunities.
Myth 2: Thinking sustainably is a downside risk tool only
"It’s all about avoiding controversies and disasters."
True. Thinking about sustainability, combined with other risk metrics can provide investors with powerful downside protection. However, risk is a backward-looking measure. Thinking sustainably promotes a longterm focus, helps us to avoid short-term distractions and can also be useful for identifying sources of competitive advantage. In the Kames ethical and sustainable strategies, we look for growth stock investment opportunities and typically find that these disruptive, innovative growth companies are more likely to provide responsive investment opportunities and be willing to engage and improve.
Myth 3: Just invest in the best
"There are an increasing number of ESG products being launched, many of which use off-the-shelf third-party ESG ratings to construct their portfolios, or indices."
In most instances, they adopt a ‘best-in-class’ approach; because the best ESG companies must be the best investment right? Maybe, but in our experience, it’s often a bit more nuanced. ‘Best-in-class stocks’ according to these ratings also tend to be large-cap, well-known and well researched, and hence provide less opportunity for mispricing opportunity to capture alpha. Which is fine, because our focus is on the small and mid-cap space, where we believe better investment opportunities often occur. And to provide our clients with the breadth of negative screens that they seek, our ethical funds are always actively managed. Then, once invested, we take our stewardship responsibilities very seriously; meeting with management, challenging them and if we need to, selling our position.
Myth 4: Profits vs. principles
"Investing responsibly means giving up returns."
Actually, academic studies increasingly disprove this. Empirical evidence supports the premise that thinking carefully about sustainability as part of an investment process can enhance investment returns. Ultimately, investing is about employing an effective set of tools consistently in order to tip the odds in your favour. Sustainability analysis is one of these tools and it fills a key role in our toolbox, but it’s one which many investors still don’t consciously utilise.
According to Simon Hill, Head of Legal & Compliance at Certes Networks, this is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.
Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years - from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people's names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.
What’s more, the damages of these data breaches are not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its "largely avoidable" cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately enough to safeguard it will be penalised.
On top of this, the increasing expectations of consumers means that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.
The balancing act
To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, it enables greater insight into applications communicating in and across the networks. New tools are now available to enforce these policies, not only impacting the application’s workload and behaviour, but the overall success of the system access.
Conclusion
Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies through micro-segmentation and separating workloads by regulations, is one example of how to keep data more secure. Also, ensuring policies define only those users who have a critical need to see the data limits network vulnerabilities. And lastly, a robust key management system that is automated whereby keys are rotated frequently, can also help to safeguard system access and strengthen the organisation’s security posture.
