• An estimated $600 billion, nearly 1% of global gross domestic product, is lost to cybercrime annually
• Frauds and cyber-enabled frauds are growing as the world is changing and becoming more technology-centric
• Regulators are increasingly tightening their stance and bigger penalties are being handed out to banks

Digital disruption has rapidly changed the dynamics of the financial services industry. New players have introduced shared ecosystem-based digital platforms that provide customer-centric digital and instant services that are vigorously acquiring new customers. Banks have quickly expanded their digital channel offerings, opening doors to interconnected world, expanding partnerships with fintech players while investing readily into digital technologies.

With these major industry trends, the patterns of cyber threats and financial crimes are quickly changing.

The losses from financial frauds also continue to escalate. According to a report by The Centre for Strategic and International Studies and US computer security company McAfee, an estimated $600 billion, nearly 1% of global gross domestic product, is lost to cybercrime annually. This is significantly higher than the estimated $445 billion in 2014.

Regulators are becoming stricter by coming up with constantly evolving guidelines and raising penalties. United States handed out the biggest penalties for anti-money laundering (AML), Know Your Customer measures and sanctions amounting to $23 billion in the last 10 years, while $0.6 billion was handed out in the Asia-Pacific (APAC) sector in the same period, according to international lifecyle management firm Fenergo.

Changing patterns of financial crimes

“Frauds and cyber-enabled frauds are growing as the world is changing and becoming more technology-centric, which increased the scale and frequency of threats. Furthermore, in a complicated geopolitical environment where sanctions have become the tool of choice for foreign policymakers and are being deployed with ever growing complexity across sectors or territories, the management of that risk causes significant challenge for the banks,” said David Howes, global co-head in financial crime compliance at Standard Chartered Bank.

Howes explained the emerging challenges and pointed out that threat environment is shifting and the industry response needs to be intensified, “As the speed of transactions have increased, the industry gets less time to adjust to possible frauds. Second, as the ubiquity of technology grew, so has the scope of poor digital hygiene to infect across multiple organisations. There are Internet of Things (IoT) and inter-connected devices across the industry with vulnerabilities. Third, we have more new entrants to the payment industry and digitisation of payments.”

Jaede Tan, head of Asia-Pacific Operations at UK-based regtech company ComplyAdvantage, added that institutions need to spot suspicious behaviours quickly as money moves very quickly across multiple jurisdictions. As the real time payments increase, money launderers are using more ‘money mules’ that serve as conduits to transfer money between different payment accounts and often in different countries. Fraudsters stay below the radar by using multiple accounts for small value online transfers. For money launderers, wallet players and crypto currency exchanges now make it easier for money launderers to get into the system.

According to UK fraud prevention group Cifas, the number of young people acting as ‘money mules’ rose by 26% in those aged 21-and-under between 2017 and 2018.

Bank initiatives and remedial measures

Regulators are increasingly tightening their stance and bigger penalties are being handed out to force banks to improve their financial fraud security and controls.

Standard Chartered Bank was fined a significant $1.1 billion by the authorities in the United States and United Kingdom earlier this year for violating sanctions, AML laws and shortcomings in its counter-terrorism finance controls in the Middle East. These were for various failures of the bank from 2009-2014.

A significant investment of the bank has now gone towards data and tools to prevent money laundering risks. The bank spent $1.6 billion this year and plans to spend $1.7 billion next year in technology and innovation. It also invested in parallel across countries in transaction monitoring, due diligence, data cleaning and building the data infrastructure towards a stronger platform so that it should not need to go into a remedial mode in future. “Another initiative is through a machine learning-based technology partner that is recommending conclusions to analysts in name screening space. In 35% of cases, it can confirm that the customer is not in the watch list issued by the regulator. This lets us refocus investigators on more useful activity,” Howes explained.

Managing cybersecurity threats

Theo Nassiokas, former director of APAC Cyber and Information Security at Barclays, explained that, “Cyber is a geopolitical and foreign policy issue, not a technology issue.”

The attacks are getting more organised, sophisticated and state sponsored. Hackers write new codes to evade traditional security controls. Fraudsters are also becoming more innovative by staying undetected for a longer time in the systems. According to a study by Microsoft, on an average, attackers reside within a victims’ network for 99 days before they are detected. In 2018, leading European banks like Santander, Royal Bank of Scotland, Tesco Bank and Bank of Spain were reportedly attacked. Unprecedented ransomware attacks like WannaCry and Petya affected hundreds of thousands of people globally. WannaCry, a weaponised version of “eternal blue” stolen from the National Security Agency, is considered one of the most sophisticated state-sponsored ransomwares with the capability to self-propagate.

“While banks have become mature in their own cybersecurity and cyber resilience, they continue to face supply chain attacks. This is due to their third-party service providers whose cybersecurity may not be as mature, effectively becoming the weakest link in the bank’s cyber capability,” pointed Nassiokas.

Institutions need to upgrade their security to meet the new requirements of cyber-physical world, human-machine interaction and growing API interfaces in interconnected world, keeping in mind the security levels of the partners.

“Cybersecurity processes and controls need to be considered more proactively by design at the start when new services are developed. When banks consider security proactively, they can increase speed to market as they will not need a security check at the last minute. This saves time and money, increases speed to market and supports positive branding through the delivery of ‘secure-by-design’ services to customers,” opined Nassiokas.

While banks build their security measures, there is a lot that can also be gained through shared intelligence and industry collaboration in fighting financial crime dynamics and cybercrimes. There is now greater public and private information sharing by some of the leading countries in the region like Singapore and Australia.

As threat patterns change, no single approach will be effective. Banks need to be proactive with holistic risk management framework and multi-pronged initiatives to manage these evolving threats.