Don’t Forget Your Umbrella: How to Protect Your Bank From Financial Crimes

With banks of all sizes facing significant challenges in the management of financial crime risk, senior management and bank board members need an unambiguous understanding of the strengths and weaknesses of their organizations’ financial crime compliance strategy.

The escalation of mobile banking, the burgeoning role of fintech in banking and the spread of cybercrime are only a few of the key reasons for banks to establish a process that views financial crime risks in the aggregate—under one umbrella. Further, in our view, directors must have a firm grasp with respect to how the program has been designed and implemented.

An integrated view of financial crime compliance risk can give board members a sense of confidence that management has a robust financial crime compliance program in place. A view of issues in the aggregate provides management the ability to understand the entirety of the financial crimes landscape at their firm.

At their core, these programs require a dynamic and agile mindset at the board level. Directors must possess a level of confidence that management has established a strategic, well considered approach to detecting, preventing and reporting financial crime. A carefully managed, well designed, and integrated plan can also create considerable governance benefits across internal silos.

For banks currently without an integrated plan, the creation of such a plan requires:

  • A strategic vision of a future program that engages senior management in the first line of defense (lines of businesses and operations) in the design of the vision—and has buy-in by the entire board.
  • The integration of teams that in the past have approached such risks in a separate manner, such as compliance programs for anti-money laundering, anti-bribery and corruption, and Office of Foreign Assets Controls.
  • A vision for how to change or enhance the bank’s information technology (IT) infrastructure.
  • The designation of an individual as the bank’s financial crimes compliance officer.

Building an integrated financial crimes program under an umbrella structure presents opportunities for collaboration, improved data aggregation and analytics capabilities, heightened board awareness of the bank’s control environment, and the possibility of cost savings and enhanced regulatory compliance.

The establishment of a centralized financial crimes compliance unit, however, requires a multi-faceted approach. Employee roles and responsibilities will likely shift, policies and procedures may need to be consolidated to reflect the new approach, and compliance reporting mechanisms and IT responsibilities will be altered.

Recognizing that the landscape will shift, we offer a roadmap to an integrated financial crimes compliance program. Here’s a synopsis of our five-step plan for your board’s consideration:

  1. Compliance leaders recognize the importance of cultivating partnerships with business-unit leaders across the bank—as well as their internal audit teams. Thus, building a cross-functional working team is a must across the bank’s “three lines of defense”: the front office and lines of business, the support functions such as compliance and finally, audit. These members should consider perceived benefits, anticipated costs and potential obstacles. Dialogue and trust are essential.
  2. The team should strive to gain a clear view of the bank’s current risk management efforts and assess the underlying financial crimes risks. Too many institutions stumble at this stage by adopting models that may work for larger or more-regulated institutions, or conversely for smaller institutions with a different product mix or jurisdictional presence.
  3. The cross-functional team should draft a working plan for the centralized compliance unit, and the team should provide the draft plan, which would include the recommended step-by-step approach to establishing the unit, to board members and executive leadership for review. The plan would identify the individuals who will design and roll out the changes, the governance and oversight structure of the transformation program, and the unit’s staffing model.
  4. Perhaps as much as any of these steps, clear and frequent communication to bank personnel about the program’s intentions, benefits and impacts is vital. Board members should be satisfied that management has established a plan for the timing and cadence of communications, has identified which audience will be targeted at each step, and has created specific messages to the bank staff regarding why the establishment of the unit is necessary and how it will benefit the organization.
  5. Once the bank has embedded its Financial Crimes Compliance Program, management must be certain that monitoring and testing mechanisms are working continuously, and that the firm is equipped to deal with changes as regulations change or are introduced.

A final reminder is worth noting: The journey is never over. Financial crime compliance risk, as a board agenda item, should be a constant.

Using Data Science to Combat Internal Fraud


It’s no secret that fraud prevention is a hot button topic in banking, and an increase in internal cybercrime has spawned a new wave of regulations to prevent violations like money laundering and insider trading. One need look no further than the recent allegations of Wells Fargo’s cross-selling misconduct to see the potential for financial and reputational loss.

Banks have long used monitoring and data analysis technology to flag potential instances or transactions related to internal fraud. Now, data science is being used as a tool both to prevent and predict fraud on accounts before it occurs. Here’s how financial institutions are joining forces with data science innovators to help monitor internal behavior to prevent and predict fraud.

Detecting Suspicious Patterns
One of the major areas that companies are looking at is analyzing spending and transaction patterns to detect fraud. This means analyzing the payment and purchase history of each customer on a granular level, and determining if any of those transactions appear to be out of the ordinary. Data science is now pushing the envelope into analyzing these activities for targeted marketing of rewards programs or other products in the future.

In addition, companies like RedOwl are using data analytics to spot internal fraudulent patterns to prevent employee malpractice before it happens. The RedOwl Analytics platform is specifically designed to predict whether an employee is likely to commit certain acts such as insider trading or intellectual property theft. Instead of simply monitoring employee emails and messages, RedOwl goes a step further by detecting and analyzing abrupt shifts in communication patterns or behaviors. Suddenly switching to a different language, an increase in external messaging, or emailing outside of normal work hours are some of the behaviors that may predict fraud and that RedOwl Analytics takes into account.

Monitoring Transactions and Flagging Activity
After suspicious patterns have been detected, the next challenge for big data is to monitor or flag specific transactions in order to step in at the appropriate time. At what point is the likelihood of fraud great enough for bank management, regulators or law enforcement authorities to step in and investigate? Palantir is one of the big players in the space, working with big banks like JP Morgan Chase & Co. to help identify rogue traders, for example.

Such needles in the haystack are tough to find, and that’s why Palantir’s technology is so useful. The Palantir Anti-Fraud platform, which originates from data science technology designed for U.S. Intelligence services, initially monitors and flags attempted hacks into client accounts or ATMs. Today, Palantir’s software monitors a variety of activities to prevent internal fraud as well. This includes a combination of trading data, email communications and keywords used in company phone calls.

Fraud Prediction and Investigation
The key to minimizing financial and customer loss due to fraud is quick detection and resolution. But the challenge is not just to accurately predict fraudulent actors—it’s to investigate and intervene accordingly. That’s where big data companies like Splunk are stepping in, to aid banks in pivoting from monitoring suspicious activity to taking action. One of the unique advantages of Splunk software for fraud prevention is the ability to analyze data from disparate, siloed sources to better predict who may perpetrate fraud.

What Splunk’s anti-fraud software does is establish a risk profile baseline for certain user groups. It then applies statistical analysis to employee activities–stock trading for example–to determine if they are acting within the baseline risk profile. Users whose activities are seen as anomalies by Splunk are then able to be flagged for further monitoring and investigation. Alerts for these anomalies can then be configured in real-time, or over a certain period to further validate potentially fraudulent patterns. Once potential fraud is detected, investigators will then have access to historical data to quickly determine who is involved and what they might be trying to accomplish. Splunk and other fintech companies that use data science techniques are also trying to add another layer to fraud investigation, cross-referencing patterns with other users in the company to determine if that person is acting alone or could be part of a larger ring.
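The peer-group baseline idea described above, sketched as an added example; it is not Splunk's code or search language. It builds a median/MAD baseline per user group, scores later activity with a modified z-score, and flags a user only when the anomaly persists over the evaluation period. The user names, trade counts, 3.5 cutoff, MAD floor and two-day persistence rule are all assumptions constructed for illustration.

```python
from statistics import median

THRESHOLD = 3.5      # commonly used cutoff for the modified z-score (assumption)
BASELINE_DAYS = 7    # days used to build each peer-group baseline (assumption)
MIN_HITS = 2         # anomalous days required before a user is flagged (assumption)
MAD_FLOOR = 0.5      # avoids division by zero when a group shows no spread

# Constructed sample data: user -> (peer group, daily trade counts, oldest first).
ACTIVITY = {
    "u01": ("equities", [12, 14, 11, 13, 12, 15, 13, 12, 14, 13]),
    "u02": ("equities", [10, 12, 13, 11, 12, 14, 12, 13, 11, 12]),
    "u03": ("equities", [13, 11, 12, 14, 13, 12, 11, 41, 38, 12]),
    "u04": ("ops",      [2, 3, 2, 2, 3, 2, 3, 2, 9, 3]),
    "u05": ("ops",      [3, 2, 2, 3, 2, 3, 2, 3, 2, 2]),
}

def group_baselines(activity):
    """Pool each group's baseline-window counts; return group -> (median, MAD)."""
    pooled = {}
    for group, counts in activity.values():
        pooled.setdefault(group, []).extend(counts[:BASELINE_DAYS])
    baselines = {}
    for group, values in pooled.items():
        med = median(values)
        baselines[group] = (med, median(abs(v - med) for v in values))
    return baselines

def modified_z(value, med, mad):
    """Robust z-score against the group baseline, with a floor on the MAD."""
    return 0.6745 * (value - med) / max(mad, MAD_FLOOR)

def flag_users(activity):
    """Return user -> [(day index, score)] for users anomalous on MIN_HITS+ days."""
    baselines = group_baselines(activity)
    flagged = {}
    for user, (group, counts) in activity.items():
        med, mad = baselines[group]
        hits = [(day, round(modified_z(c, med, mad), 1))
                for day, c in enumerate(counts)
                if day >= BASELINE_DAYS and modified_z(c, med, mad) > THRESHOLD]
        if len(hits) >= MIN_HITS:   # a one-day spike alone does not flag a user
            flagged[user] = hits
    return flagged

if __name__ == "__main__":
    print(flag_users(ACTIVITY))
```

In this sample, u04's single-day spike exceeds the cutoff but is not flagged because it does not persist, which is the trade-off between real-time alerting and validating a pattern over a period.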

Unfortunately, as of today there is no silver bullet in technology or big data that could prevent each and every instance of internal fraud from taking place. But as fintech innovators like Splunk, Palantir and RedOwl continue to push the boundaries in making sense of big data, banks can at least be more proactive in countering fraud before it happens.

Will Cybercrime Erode Confidence in Banks?

Recently I was reviewing some material about cybersecurity which contained, among other things, an explanation of how thieves successfully used remote access Trojans and keystroke logging at bank ATMs around the world to steal customer information and ultimately rip off banks for tens of millions of dollars. I was familiar with the incident because we wrote about it in our 1st Quarter 2014 issue, but here’s the thing: I was about to deposit a couple of hundred dollars in checks and cash at one of my bank’s ATMs, and it made me stop and wonder if I should do that. I hadn’t been in a bank branch in a couple of years (and in fact rarely even use ATMs anymore), but I considered whether I should make the deposit in the branch instead to avoid putting myself at risk by using a machine that conceivably has been hacked.

Technology has had a transformative impact on banking over the last couple of decades—and the revolution actually seems to be accelerating with the explosive popularity of mobile access and new concepts like the cloud, and also the emergence of nonbank financial technology companies that rely almost entirely on technology for their user interface. The advance of technology in banking is exciting because of the cost and customer service benefits it promises to deliver, but this same technology has also become something of a Trojan horse (tortured metaphor intended) from a risk perspective. Cyberattacks are occurring with an increasing frequency that is alarming, and banks are hard pressed to keep up with the advanced tactics of the attackers. In fact, if we were to characterize this as an arms race between hostile parties—the banks versus the hackers—the banks are losing.

Eighty-two percent of the respondents to our 2015 Risk Practices Survey identified cybersecurity as the risk category they are most concerned about, compared to regulatory compliance at 52 percent, and credit quality at 37 percent.

Cybersecurity will have an important place on the agenda at our 2015 Bank Audit & Risk Committees Conference scheduled for June 11-12 in Chicago. Any bank board of directors that isn’t worried about its institution’s vulnerability to a cyberattack is asleep at the table. What should directors be doing to make their banks as safe as possible? The first step is to educate themselves on the nature of cyberrisk so they understand the threat well enough to ask good questions. This undertaking will be the very definition of continuing education because the threat is constantly evolving. Boards also need to make sure that they are spending enough money on cybersecurity. Fifty-two percent of the respondents to our risk survey increased their cybersecurity budget by less than 10 percent for 2015, and 21 percent saw no increase for the year—spending levels that probably aren’t enough given how quickly the threat is escalating. Cybersecurity should be a standing topic on every regularly scheduled board meeting so that directors gain an understanding of the topic while keeping themselves well briefed on the latest security developments at the bank. And the board needs to have an incident response plan in place when a cyber intrusion does occur, because it’s simply a matter of when, not if.

As I write this blog, I still haven’t decided how I will deposit those checks and cash that I have. And that points to one of the most damaging effects of cyberattacks: They have the potential over time to erode confidence in a banking system that relies increasingly on technology. I have read comments of late from people who say they’ve stopped using their debit cards for small purchases, but use cash instead because they’re afraid of having their checking accounts drained if a hacker steals their customer information. That sounds like a step backwards to me at a time when banks should be helping their customers step forward with the help of technology.