Technology a double-edged sword for financial fraud risk management
By Alex Rad
Fraud continues to be a key concern of financial institutions (FIs). The increasing cases of fraud underscore the need to focus on processes and technologies offering mitigation and prevention, as well as the priorities stressed by regulators. Meanwhile, there are persistent gaps in the FIs’ practices that need attention.
- Fraudsters are targeting the growing adoption of digital banking and assets
- The number of reported fraud cases in APAC has been rising rapidly
- Regulators and technology providers are expanding the opportunities for fraud risk management
A review of 2020 indicates that major fraud cases have affected the financial services industry, which includes insurance, investments, loans, and payments, and caused billions of dollars in losses. The COVID-19 pandemic has evidently exacerbated the incidence of fraud.
An analysis by Feedzai of two sample periods of the pandemic concluded that fraud incidents have increased. The first quarter of 2021 recorded an increase of 178% in fraud incidents compared with the last quarter of 2020. A further analysis concluded that online banking fraud and account takeovers were 250% and 650% higher respectively between the same two periods. Fraudsters were targeting system and operational vulnerabilities during the pandemic, especially in the areas of safekeeping of personal data and identity verification.
Furthermore, cyber frauds have not only created media attention and heightened public awareness but exacted significant financial and non-financial costs. Cyber attackers and fraudsters, comprising organised criminals and increasingly state-sponsored elements, go about their business using novel and sophisticated approaches to avoid detection.
Fraudsters targeting growing adoption of digital banking and assets
Financial institutions (FIs) in Asia Pacific (APAC) continue to face challenges due to their digital business models, which emphasise investments in technology to enable omni-channel interactions, 24/7 real-time services, efficient and scalable operations, as well as better customer experiences.
The increasing dominance of mobile banking apps and internet banking highlights the growth of digital banking, which accounts for at least half of the growth in new customer acquisitions. Between 2019 and 2020, digital banks expanded their customer base three times more than traditional banks.
With the digital banking trend, regulators in APAC are promoting the digitisation of business processes by adopting a more positive attitude towards the cloud, application programming interfaces and open banking that facilitate access to data to reduce friction and improve customer experience. During the pandemic, the central banks in APAC encouraged FIs to prioritise payments using digital channels and incentivised FIs to promote contactless transactions in an effort to contribute to virus containment measures implemented in other domains.
The growth in the adoption of cryptocurrencies and digital assets, especially in the mostly unregulated decentralised finance space, comes with its own risks. Hackers have launched attacks on major digital exchanges and stolen large amounts of digital assets, such as $94 million worth of assets from Liquid Exchange and $610 million worth of assets from Poly Network. The media attention has helped Poly Network to recoup the stolen amounts rather quickly. Despite the partial success of these hackers’ attacks, the thefts indicate the magnitude of risk the customers of such exchanges can expect.
The rise of crypto-related fraud cases has been triggered by the lax regulatory protection for investors. The growing cryptocurrency market has attracted both investors, many of whom lack an understanding of security, and potential fraudsters. According to CoinMarketCap, the total market value of cryptocurrency reached $2 trillion as of September 2021, compared with $773 billion at the start of the year.
Increasing fraud occurrences in APAC
Fraud cases in APAC are increasing, with perpetrators deploying diverse and new contact methods. The Australian Competition and Consumer Commission (ACCC) reported that over AUD 850 million ($659 million) was lost to various forms of fraud in 2020. About a third of the amount ($248 million) is related to investment-related frauds, while romance scams and payment redirection frauds have cost Australians AUD 131 million ($101 million) and AUD 128 million ($99 million) respectively.
In her assessment of the situation, Delia Rickard, ACCC deputy chair, stated “Last year, scam victims reported the biggest losses we have seen, but worse, we expect the real losses will be even higher, as many people don’t report these scams.”
The amount of money that fraudsters and scammers obtained through the internet and social networking platforms is comparable to that obtained through traditional contact methods such as phone, email, and text messages.
Singapore reported a record 65% increase and more than 15,750 scam cases in 2020, including e-commerce, social media impersonation, loan fraud, and banking-related phishing. They cost Singaporeans SGD 32 million ($24 million) in 2020 alone. Cyber extortions increased by 260%, leaving 245 victims with losses of SGD 790,000 ($595,000).
Australia and Singapore have experienced large-scale fraud cases as well. The CEO of two affiliated Singapore-based firms, Envy Asset Management and Envy Global Trading, is under investigation for allegedly causing metal trading investors several hundred million dollars in losses. Also, the CEO of Singapore-based Zenrock is accused of causing some $160 million in credit losses for several lenders funding his oil trading business. In separate cases, at least two Australian citizens have been arrested in relation to identity and financial crimes to defraud the National Bank of Australia and international students of more than AUD 21 million ($16 million).
The COVID-19 pandemic has also led to the increase in fraudulent activities. To limit the spread of COVID-19, governments in APAC imposed restrictions via lockdowns, quarantines, and working from home arrangements. The restrictions accelerated the transitions to e-commerce, digital banking, and digital payments. Meanwhile, reports from APAC countries signalled a parallel increase in fraud cases. Singaporeans have reportedly lost more than $200 million to fraudsters and scammers during 2020.
Changing nature of fraud and fraud management
Fraud risk remains a persistent challenge and fraud management has become a key concern for FIs. Senior management traditionally can employ sets of controls, which range from audit-oriented practices to employee-oriented practices via recruitment, training, and development.
These practices can be characterised by their reliance on manual processes requiring people as inputs and the effective organising of people around various fraud-fighting processes. Such set-ups of controls can be inefficient by design and are negatively affected by various challenges, such as coordination. These challenges are exacerbated when fraudsters use modern technology to carry out their crimes. In particular, cyber-related frauds carried out via attacks present very different challenges for senior management.
Cyberattacks exploit weaknesses and vulnerabilities in systems. In July 2021, Advisen reported that data privacy and privacy violations have dominated the incident reports over the years. Network disruptions and technology errors and omissions have been on a steady rise in the last four years.
In a newly emerging kind of cyberattack, US-based SolarWinds reported to the authorities that one of its software products, Orion, had been hacked. The attacker exploited a masked traffic syndrome by creating a backdoor that potentially gave access to the company’s 18,000 clients’ systems.
The New York State Department of Financial Services disclosed in April 2021 that 94% of the reporting companies had successfully responded to the news of the cyberattack on SolarWinds and removed the vulnerabilities from their systems within three days of the announcement.
In a December 2020 filing to the US Securities and Exchange Commission, SolarWinds indicated that approximately $343 million, or about 45% of the company’s total revenue, was at risk due to the attack. Given the staggering numbers, reports from Cornerstone Advisors indicate that, on average, affected companies may lose a third of their customer base after such an attack.
The cyberattack gained widespread attention as investigations pointed to the probability of a state-sponsored attack. In an executive order issued on 15 April 2021, US President Joe Biden accused the government of the Russian Federation of supporting the SolarWinds attack.
Global cyber intelligence provider, the Financial Services Information Sharing and Analysis Center (FS-ISAC), reported that the verticals of FIs are targeted differently by various denial-of-service attacks. Although distributed denial-of-service (DDoS) attacks are considered low-tech, they can cause major disruptions.
Jerome Powell, chairman of the US Federal Reserve, commented that cyberattacks are the number one threat to the entire sector. This elevated status is partly based on the increased frequency of such cases. FIs may experience up to 300 times more cyberattacks per year than other firms. The Identity Theft Resource Center estimates that some 300 million individuals were affected globally in 2020. APAC has seen a growing share of DDoS attacks, following behind North America and Europe, Middle East and Africa (EMEA) in 2020.
Across the region, countries such as Australia, India, Japan, and the Philippines originate significant volumes of bots that create the attacks. Traditionally, attackers use digital tools such as desktops, mobile browsers, and mobile apps. However, the SolarWinds case suggests that cyberattackers can launch attacks via unexpected channels.
Teresa Walsh, global head of intelligence at FS-ISAC, stated, “Today’s cyber criminals know no borders. An attack on a bank in Asia could be a harbinger for an attack on an insurance company in the US, a stock exchange in Latin America, or a fintech in Europe.”
As the nature of fraud is shifting, different types of controls are required. To mitigate the risk of cyber-related frauds, FIs in APAC have turned to advanced technologies, including artificial intelligence (AI) and systems that have the capacity to make automated and autonomous decisions.
Kristin Rivera, global leader at PwC, said, “Fraud risks are evolving quickly, as are the technologies designed to prevent and detect them.”
By design, these technologies can provide capabilities to predict, detect, and discover fraud risk in an automatic fashion. Some of these technologies can take a set of predetermined actions autonomously. Available case studies indicate that FIs can leverage technology to perform holistic analysis of transactions and real-time monitoring; the latter has become a necessity with real-time payment services.
Machine learning provides predictive analytics, and algorithms can detect fraud by matching past purchasing behaviour with current transactions speedily and warn of anomalies. Techniques such as voice recognition and biometric authentication can enhance monitoring of communication in various channels of customer interaction. The use of natural language processing provides better tools to conduct reviews of unstructured data.
The various areas of application mentioned above suggest that FIs through modern technology have diverse fraud risk management opportunities and can expect increased efficiency and possibilities to reduce the costs incurred by manual control processes in operations. To a further extent, FIs can also source third parties to manage the technology implementation. By relying on the specialisation of third parties, FIs can avoid cost increases typically arising in development and deployments.
According to PwC’s 2020 global economic crime and fraud survey, FIs in APAC reportedly budget an average of $83 million annually for technology investments to prevent fraud. In a comparative analysis of different markets, PwC found that FIs in Thailand, China, and Indonesia reported higher budget allocations than the FIs in Australia, Malaysia, and Vietnam.
Multi-layered regulatory initiatives help FIs address gaps in risk management
While the severity of fraud can be estimated by considering the direct costs or financial losses, it can also be measured in terms of indirect costs, for example micro-economic disruptions and collateral costs that tend to take a longer time to account for. The global 2020 crime and fraud survey by PwC estimated that fraud takes about $42 billion out of global companies’ bottom line every 24 months.
New types of frauds alter cost implications. Recently, regulators have come to view the consequences of cyberattacks on par with bank runs, inflation, and financial instability.
To control the dangers of fraud, the regulatory responses are multi-layered and consist of numerous initiatives and priorities, some of which encourage FIs to continue experimenting with technology. Currently, the majority of FIs have projects to enhance their capabilities to analyse fraud risk speedily and provide actions in an automated fashion. An overall evaluation of the current state shows that several gaps exist.
Moreover, there is a push from several jurisdictions to highlight and address specific gaps such as the lack of real-time transaction monitoring, organisational barriers to process automation, weak identity verification systems, obstacles to cross-functional reporting, non-integration of accounting data, data governance issues considering big data, and model risk within analytics.
The central bank of Malaysia, the Hong Kong Monetary Authority, and the Monetary Authority of Singapore (MAS) have in separate instances released technology risk management guidelines for FIs to address the gaps. The MAS guidelines comprised a set of key technology and cyber risk management principles and best practices, which FIs can adopt given certain conditions such as the nature, size, and complexity of business.
The main expectations are for interactivity between people and technological systems and the effective design of organisational structure to ease the access to data, empower analytics and support decision making.
Tan Yeow Seng, chief cyber security officer at MAS, said, “Technology now underpins most aspects of financial services. Not only are financial institutions adopting new technologies, they are also increasingly reliant on third party service providers. The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions.”
In 2020, the MAS released an information paper to advise FIs on enhancing the robustness of enterprise-wide risk assessment structures and processes. It highlighted gaps that include the lack of risk management and controls testing facilities and weaknesses in active monitoring. Most importantly, the paper points to uncertainties regarding management capabilities for appropriate tone setting and exercising oversight.
Regulators continue to highlight the vulnerability of cybersecurity infrastructures and underscore the criticality of measures to improve obsolete systems. In 2020, unsecured databases continued to be the number one reason for data compromises of FIs. Meanwhile, a lack of focus on end-to-end critical services involving third parties and a lack of quantification models for cyber risk suggest that gaps remain.
These concerns have been exacerbated by the working from home arrangements during the pandemic, yet FIs are required to maintain operational resilience. Among the supervisory authorities in the region, MAS stresses the critical risk where FIs may fail as employees are not working from the office.
Regulators have also expressed concerns about the changing attitude of employees towards corporate policies. As a result, regulators have initiated workshops and conferences, and through reports highlighted particular priorities for FIs to update their governance models to fit the new realities, such as traders operating from home and elsewhere.
The regulatory support for whistle-blowers as a remedy to fight fraud has found additional support in APAC. Australia, Japan, and New Zealand have recently implemented penalties and updated policies to protect whistle-blowers. However, there are gaps in the practices of FIs, as regulatory protection for a whistle-blower is a new regulation in APAC, where whistle-blowers have risked punishments in the past.
Gaps and vulnerabilities exposed by digitalisation must be addressed
Managers can expect that the continuing trend – the digitalisation of financial services – is likely to be accompanied by an increase of fraud occurrences. Regardless of the origin and nature of fraud or the prevailing operational, organisational, regulatory, or technological responses towards it, the need to counterbalance the gaps and vulnerabilities that digitalisation exposes must be prioritised, especially in four main areas: prediction, detection, discovery, and recognition.
Prediction: One key assumption in fraud risk frameworks is that occurrences can be predicted by statistical data analysis, such as the indexed state of development of the banking sector and the corruption tendency of regions or countries. However, reports on fraud from some of the more developed countries in APAC, such as Australia and Singapore, contradict the premise of such an assumption. This then requires FIs to take more proactive approaches towards fraud and avoid over-reliance on statistical data analysis for fraud prediction.
Detection: The fraud trend suggests that fraud cases are expected to increase globally, putting pressure on nuanced approaches for regulation and supervision. The majority of financial market supervisory authorities as well as FIs are pursuing both joint and stand-alone technology explorations and experimentations. The upgrading of systems through the reliance on AI and focus on people via audit and people-oriented practices could improve the fraud detection capacity of FIs but requires hefty investments in new technology, redesign of business processes, and recruitment of people with different skill sets.
Discovery: Despite the obsession with improving processes and structures, FIs seem to have difficulties reducing the time between occurrence and discovery of fraud. Also, cybercriminals, like other fraudsters, seem to have at their disposal powerful tools to cover up their tracks. This is evident in the delayed discoveries of many cases of cyberattack and data compromises, such as that seen in the SolarWinds hack. This suggests that FIs must work harder to integrate people, analytics, and processes for more effective discovery.
Recognition: Disclosure of occurrences sometimes happens only after substantial pressure from the outside, and FIs may deny fraud to avoid potential reputation damage. This stresses the importance of an effective response and recognition process and the upskilling of people to adopt an open culture and mindset towards managing fraud risks collectively.
Fraud risk management continues to be a set of complicated practices that features the use of advanced technologies. FIs are expected to adopt a stakeholder perspective when managing fraud as various actors in the market such as organisations and consumers are affected by frauds and scams. As fraudsters have the potential to operate at a greater scale with better access to resources to complete their activities, decision-makers at FIs are required to take appropriate responses to thwart individual cases of fraud and make long-term and informed decisions regarding the choice of effective practices and technologies.