Fighting Fraud

AML vendors deploy raw computing power to reduce false positives

2011-10-05T13:49:00.004+01:00

Watch list filtering is every compliance officer's worst nightmare. With a single name like Muammar Gaddafi, spelled hundreds of different ways, and multiple watch lists to manage and update, the work is time consuming, costly and onerous.

Banks have often complained about the number of false positives generated, all of which need to be investigated. Some firms have even outsourced false positives' investigations to offshore locations in order to cope with the workload.

Anti-money laundering vendors are under pressure to not only reduce the number of false positives, but to make the filtering process more intuitive. In a report on Achieving Global Sanctions Compliance, Neil Katkov, senior vice president, Asia, Celent, says, "Achieving consistency in global sanctions compliance involves standardising operations, technology systems, and perhaps most essentially the compliance data—watchlists—that drive sanctions filtering.”

The lists themselves can be onerous and difficult to manage. Dr Tony Wicks, director, AML solutions, NICE Actimize, says HM Treasury's sanctions list in the UK had 3652 changed entries this year alone. There are also other lists banks need to comply with depending on the scope of their activity, including the well-known OFAC list, there is also an EU and UN watchlist and a Japanese FSA list.

The so-called Arab Spring has also had an impact on sanctions activity with new sanctions coming out associated with Iran. Anti-money laundering (AML) vendors like NICE Actimize say they are trying to lessen the workload for banks and the number of false positives using "fourth generation computational linguistics" - throwing raw computing power at "transliterate" words .

Explaining how the technology works, Wicks of NICE Actimize, says it can understand 800 million names, the context of those names and their cultural significance and make a "probalistic match" against the source of the name, which he says is important in terms of reducing false positives.

Increased risk of money laundering using pre-paid cards

2011-10-05T12:32:00.001+01:00

There could be a high risk of increased fraud during the 2012 Olympic Games as a result of pre-paid cards, which could also potentially be used to launder money.

Dr Tony Wicks, director, AML solutions, NICE Actimize, sounded the warning last week, having walked into a shop in a UK high street, asking if he could buy an unlimited number of pre-paid cards which contain a stored value. According to Wicks, the shopkeeper responded by saying he could buy as many pre-paid cards as he liked.

Unlike credit cards, pre-paid cards are not linked to a bank account and no ID is required to buy them over the counter. Wicks says outside of a closed loop environment where the amount that can be spent on pre-paid cards or what they can be used for is controlled, anyone can buy a pre-paid card. He says most cards have an annual spending limit of £25,000, but there are no obvious restrictions he says on someone being able to buy multiple cards, top them up and use them to potentially launder money. "There is an increased risk of fraud with pre-paid cards as you can buy them anywhere and there are no credit checks or ID required," says Wicks.

Pre-paid or stored value cards are a relatively new phenomenon in Europe. They are also being promoted as a form of payment during the 2012 Olympics by Visa. There are different pre-paid card systems throughout Europe. In Italy most pre-paid cards are "open loop" whereas in other European markets, including the UK, they are typically part of "close-looped gift card schemes." Wicks makes the distinction between closed loop and open loop debit cards schemes, saying the greatest threat in terms of fraudulent use lies in "open loop" schemes.

Laundering money using pre-paid cards? According to AML experts, as banks deploy more sophisticated technologies to detect money laundering, fraudsters are turning to other means, such as cards, as a means of laundering money. While credit cards can be traced back to a user, pre-paid cards have no user ID or credentials.

"Double-jeopardy" threat for banks

2009-07-23T15:17:00.003+01:00

A regulatory partner at a London law firm has labeled the £3.2million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner, Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch,” said Davies.

Given the pubic backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.

"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

HSBC businesses fail to protect customer information

2009-07-22T14:18:00.003+01:00

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers goes missing. The HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidences in 2007 and 2008 regarding three of its businesses; Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports that HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.

Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough, as despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remains a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Firms fail to comply with data protection standards

2009-07-10T09:50:00.004+01:00

In the fight against fraud, so much emphasis is placed on monitoring of individual transactions, that often firms forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen, however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.

Government stimulus money vulnerable to fraudsters

2009-06-24T13:37:00.005+01:00

Governments have ploughed billions of dollars into stimulus packages to breathe new life into flagging economies, however, they could be handing fraudsters an "unintentional" meal ticket, according to the latest Kroll Global Fraud Report.

Of the $5 trillion in stimulus funding various governments have doled out, Kroll estimates that as much as $500 billion could be lost to fraudsters as the investment amount and the highly complex procurement processes involved mean these kinds of "big-budget capital projects" are often targets for corruption.

"The unprecedented amount of financial support that governments have pledged to help stabilise their economies leaves the door wide open to fraudsters," said Richard Abbey, managing director, Kroll's Financial Investigations practice. "It’s a once-in-a-generation opportunity for those engaging in corrupt practices to cut themselves a large slice of the pie and it’s important that governments and businesses alike are aware of the risk and are prepared to counteract them.”

Kroll says focusing on the "middlemen" who are entrusted with large sums of money is essential if this type of crime is to be prevented. That means procurement processes need to be highly transparent. Resources must also be made available to "root out" corruption and Kroll advises that salaries should be appropriate to discourage employees from committing fraud.

So can we be sure that government stimulus and taxpayers' money has ended up in the right hands? And will the processes around how this money is assigned and spent be transparent to the public?

FBI knew of Stanford, according to Vanity Fair

2009-06-16T21:39:00.005+01:00

According to Vanity Fair magazine, Sir Allen Stanford, who the SEC alleges ran a Ponzi scheme, was on the FBI's radar for a number of years since he was investigated for money laundering back in 1989.

The article in the July issue of Vanity Fair, quotes a former FBI agent who claims that there were a series of interagency investigations into Stanford, but none of them resulted in any legal action.

The article also claims that there were various "red flags" within Stanford International including a 70-year-old compliance officer.

First-party fraud largely goes unreported

2009-06-10T11:35:00.002+01:00

Losses from first-party credit card fraud are bigger than those from third-party fraud, and although it represents 10% to 20% of bad debt, first-party fraud often goes unreported.

First-party fraud is a new threat to the banking industry and is more difficult to detect than third-party fraud as banks often write it off as bad debt, when in fact fraudsters have given inaccurate financial and personal details in order to obtain a credit card or loan without ever intending to pay it off.

At a recent webinar held by analyst firm Lafferty Group, Martin Warwick, principal consultant, solutions management, at decision-management software vendor, FICO, said first-party fraud is different from third-party fraud in that the account for a loan or credit card is set up using a "synthetic" or false identity. The application also contains false or "misrepresented" financial information. Banks continue to write it off as bad debt, he says, because of challenges around proving intent.

Warwick says first-party card fraud can be detected during the application process and the "transactional life" of the account. Things to look out for are:

First payment defaults on cards
Cases where the customer is massively over their credit limit
Customer ends up as a no trace
Or if less than 5% of the loan is repaid.

Stand-alone scorecards and customer profiling applications can be used at the time of applying for a card or loan to detect whether an individual is likely to commit first-party fraud. However, Warwick says a holistic approach needs to be taken as first-party fraud can start with current accounts and quickly spread to other banking accounts and channels such as loans, mortgages and insurance. Both qualitative and quantitative measures need to be used to distinguish first-party fraud from bad debt.

SEC on the war path?

2009-06-05T09:37:00.004+01:00

When the tide goes out, it is amazing what you can find washed up on the beach. The latest jetsam to be found on US shores is Countrywide Financial's former chief executive officer, Angelo R. Mozilo who has been charged by the Securities & Exchange Commission (SEC) with securities fraud and insider trading.

Countrywide Financial, a mortgage provider in the US, was one of the victims of the recent credit crisis and was eventually bought by Bank of America. The Federal Bureau of Investigation has launched investigations into the collapse of a number of high profile credit crunch victims including AIG, Lehman's and Fannie Mae and Freddie Mac.

Focusing on cases it says are at the "root of the financial crisis", the SEC alleges that Mozilo misled investors about its "high-risk" lending practices, and claims he described Countrywide's loan products as "toxic" and "poison". The SEC is also querying profits Mozilo earned on selling shares in Countrywide.

Lawyers believe this is the first of many such suits the SEC is likely to bring in the wake of the financial crisis as it looks to restore its reputation which was tarnished by its failure to uncover the Bernard Madoff Ponzi scheme.

Bank sues auditor over losses resulting from card data breach

2009-06-03T11:48:00.003+01:00

An interesting test case involving a US bank suing an auditor, which it claims was negligent in certifying a payment processing company, is believed to be the first case of its kind and could set a precedent for other cases to follow.

Merchant acquiring bank, Merrick Bank, based in Utah is suing auditor, Savvis Inc., claiming that it lost $16 million as a result of fraud, fines and other costs related to a 2004 data breach at payments processing provider, CardSystems, which resulted in hackers stealing 263,000 card numbers.

Merrick says its losses stemmed from having to pay Visa and MasterCard to reimburse their issuers from the breach-related fraud, as well as other costs including legal fees. Prior to the data breach, Savvis, had carried out an audit of CardSystems. Merchant Bank now claims that report was "false and misleading" and that Savvis "failed to use reasonable care and competence in representing that CardSystems was CISP-compliant when it fact it was not.”

The Cardholder Information Security Program (CISP) preceded the PCI-DSS standard for securely storing card data. One of the basic requirements of card data security is that the data should be encrypted.

A new form of credit card fraud

2009-05-28T15:25:00.003+01:00

CHIP and PIN, Visa and MasterCard SecureCode and PCI-DSS for the safe storage of customer credit card data, are just some of the tactics deployed in the ongoing battle against credit card fraud.

All of these measures have had mixed success and while they may have helped reduce card present fraud, card-not-present fraud is on the increase particularly in online shopping and cross-border transactions.

A new form of credit card fraud called "first-party fraud" is also emerging and experts say it could cost banks and other card issuers up to $21 billion in losses this year. Instead of fraudsters stealing customer credit card details or trading credit card numbers in underground communities, "first-party fraud" involves people using false income and financial declarations to apply for a credit card, which they intend to use and never repay.

Banks typically treat these applications as bad debts and only discover much further down the line that instead they may be dealing with fraud. Lafferty Group estimates that "first-party fraud" losses this year were $15 billion for the US, $2.5 billion for Asia-Pacific, and $2.2 billion for Western Europe.

Increased focus on AML as banks look to recoup losses

2009-05-28T14:51:00.003+01:00

Financial crime is likely to dominate banks' IT spending in the months to come, experts say, as banks look to recoup millions lost to fraud every year.

I was at an event recently held by business process management vendor, Pegasystems, on the topic of financial crime and the message from most speakers at the event was that financial crime and anti-money laundering (AML) had moved up the banking agenda. According to Daniel Mayo of analyst firm, Datamonitor, 37% of banks expect anti-money laundering (AML) will drive IT project spending in 2009.

Yet, questions remain about the effectiveness of AML in detecting terrorist financing and the quality of Suspicious Activity Reports generated by banks pertaining to proceeds from crime, including fraud, AML and terror financing.

Like it or not, banks are at the coalface of fighting fraud and while the Serious Fraud Office in the UK says it is going to rely more on market intelligence and whistle blowers to unearth fraud, a lot of the onus for detection of fraud is still on the banks.

Reetu Khosla, director of financial crime solutions at Pegasystems, says the regulators want to see banks take a more enterprise-wide, multiple-siloed view of fraud across all lines of business. "Regulators are saying not only should firms be looking at fraud, anti-money laundering and KYC, they should also be looking at these aspects across all lines of business," says Khosla. Banks will also need to be able to gather information from disparate systems and analyse it in such a way that links can be made between seemingly unrelated events.

Banks attending Pega's breakfast briefing on financial crime were interested in learning whether banks could follow the example of the insurance industry which has collaborated on setting up a database enabling insurers to share claim information. The database has helped insurers successfully reduce fraud. However, banks sharing customer information may open up a can of worms in terms of data privacy issues, and banks still see financial crime as a competitive issue, particularly in terms of how long it takes them to resolve alerts and transactions held up by false positives.

False positives remains a major issue for banks, given that banks are required to demonstrate sufficient due diligence around investigating alerts. "When it comes to financial crime alerts, most firms are faced with a high volume of false positives and a low volume of true hits," says Khosla. "However, the regulators point out that the risk of not evaluating each alert at some level is extremely high.

Regulators are taking fraud more seriously

2009-05-22T11:43:00.002+01:00

The Financial Services Authority (FSA) appears to be upping the ante when it comes to insider trading by seeking to prosecute two City lawyers who are accused of illegally trading shares based on non-public information.

A corporate partner of US law firm Dorsey & Whitney and a former partner at Will & Emery are both being prosecuted for trading shares related to the takeover of Neutec Pharma by Swiss conglomerate Novartis.

Police have also arrested two men over a suspected fund management fraud worth more than £50 million after the FSA earlier froze the operations of three firms - Business Consulting International, John Anderson Consulting and Kenneth Peacock Consulting - which are alleged to have mishandled millions in investors' money.

Criminal lawyers have also warned that the Serious Fraud Office is also taking the issue of corporate bribery and corruption more seriously and we understand that legislation is pending regarding the seizing of corporate assets in bribery and corruption cases.

Disrupting fraud as it happens

2009-05-08T16:06:00.005+01:00

When the director of the UK's Serious Fraud Office (SFO) Richard Alderman comes out all guns blazing saying that his office is becoming more proactive, intelligence-led and plans on making better use of powers at its disposal, one cannot help but think, shouldn't you haven't been doing that all along anyway?

Much of the burden for detecting, policing and enforcing anti-fraud measures has historically fallen on the shoulders of banks, other financial service providers and individual victims. But with the Securities & Exchange Commission (SEC) in the US and many other regulatory bodies and government agencies caught napping in the wake of the $50 billion Madoff scandal, they are eager to challenge the publicly held notion that they are essentially 'toothless tigers'.

At the Sweet & Maxwell conference on the changing face of fraud trials, Alderman stated that the SFO was moving towards becoming an "intelligence-led organisation", assessing where the fraud risks are during this economic downturn and working with other agencies to disrupt fraud as it happens. That means the SFO is going to have to capture reliable and sophisticated intelligence if it is to stop fraud before it even happens and I am curious to know how they are going to do that.

The SFO has extended an olive branch to so-called City whistle blowers and says it is going to look more closely at hedge funds, but is that going to be enough to uncover major frauds? Take the alleged Bernard Madoff Ponzi scheme for example. There were plenty of whistle blowers warning the SEC that something was amiss, but on the whole they chose to ignore this information or did not investigate it thoroughly.

"We intend to take full advantage of all the powers that are available to us and that have been neglected by the SFO over the past years, but we also need to consider what further powers we need to make the SFO a more efficient organisation,” said Alderman. It begs the question why has the SFO neglected to use its powers and what has so fundamentally changed within the organisation that it is going to seize those powers now to keep fraudsters at bay?

Is this recognition finally that the powers that be are finally taking fraud more seriously and that the onus for detecting, policing and preventing fraud is no longer the onus of banks and individuals but intelligence-led policing? I'm not sure we can all breathe a collective sigh of relief just yet.

Banks in the firing line for misleading investors

2009-04-30T14:27:00.005+01:00

In the wake of the credit crunch a number of banks are in the firing line as investors allege that they were misled concerning the purchase of particular financial instruments or the true state of the bank's financial situation.

A class-action lawsuit was launched against the Royal Bank of Scotland (RBS) in the US earlier this year based on allegations that the bank misled investors by failing to disclose the damage caused by debt securities on its balance sheet, as well as the damage caused by the acquisition of ABN-AMRO, and its inadequate capital buffer to safeguard it against subprime losses.

RBS, which is now majority owned by UK taxpayers, suffered the biggest loss (in excess of £24 billion) in corporate history back in February, has been a high profile victim of the subprime meltdown. But it is not the only bank in the firing line over misleading investors.

Italian police are also reported to have seized $630 million worth of assets belonging to Deutsche Bank, UBS, Depfa Bank and JP Morgan as part of an investigation into an alleged fraud against Milan's city authority.

The alleged fraud dates back to 2005 when Milan's city authority was sold derivatives contracts linked to a bond issue. According to the allegations the banks failed to adequately inform the authority of the risks linked to the derivatives and "falsely claimed" the authority would save money.

Losses for the authority are estimated to be in the region of €300 million , although it could be more. The banks however pocketed more than €100 million in" illicit profits", according to the allegations.

It will be interesting to see if the authorities can prove that the banks deliberately misled the city authority, as the lack of suitable reference data surrounding some derivatives contracts and the subsequent emergence of a less favourable interest rate environment, may make it difficult to establish whether the banks intentionally set out to defraud the authority.

Due diligence in a post-Madoff world

2009-04-28T09:22:00.002+01:00

Following the exposure of the $50 billion Bernard Madoff Ponzi scheme, investors and fund managers are under increasing pressure to perform more rigorous due diligence of hedge funds. But is that easier said than done?

If you look at some of the facts surrounding the Madoff scheme; lack of clear separation of duties, an unregistered auditor and the promise of high returns; then it is clear that feeder funds and other investors in Madoff's scheme failed to perform sufficient due diligence. In fact it seems as if their only rationale for putting money into Madoff's fund was his previously untarnished reputation (he was a former Nasdaq chairman) and the spectre of high returns.

Corgentum Consulting, a hedge fund operational risk consultancy based in New Jersey, has some interesting insights into how the exposure of Madoff's $50 billion Ponzi scheme is likely to change the world of hedge fund due diligence.

"Successful operational risk management in the post-Madoff world will require hedge funds to walk a tightrope of continually boosting investor confidence in a fund’s operational risk management capabilities, while not destroying and competitive advantages or informational edges through the dissemination of this information," says Corgentum.

Instead of outsourcing operational due diligence to "hedge fund allocators", Corgentum's believes that investors will want to exert greater control over the process and that the scope and depth of operational issues covered in a due diligence review will be more exhaustive. The frequency of hedge fund reviews will also be increased, says Corgentum.

"No longer will it be sufficient for investors to rely on generic due diligence questionnaires or to be granted a meeting with a hedge fund’s senior operational professionals for a few hours once a year for an annual review," says Corgentum. "Investors will likely request much greater detail on a host of different operational issues ranging from legal and compliance issues, information technology, cash management and valuation."

The upshot of all this is that hedge fund's "already strained" resources are likely to come under further pressure, resulting in lower profit margins, says Corgentum. Only those funds that make the due diligence process run as smoothly as possible for investors are likely to attract capital.

But that does not account for the age-old problem of human greed - investors and fund managers are driven to seek high returns. So despite all this talk of more rigorous due diligence of hedge funds, will it still be easy for a Madoff-type character to pull the wool over investors' and fund managers' eyes purely by promising market-beating returns?

Cultural impediments to AML in Middle East

2009-04-24T12:38:00.007+01:00

The UK's Independent newspaper was the first to report that ransom money paid to Somali pirates was being laundered via the Middle East. The newspaper quoted shipping industry investigators who claim that approximately $80 million (£56 million) had been paid out in the past year alone in ransom money to Somali pirates, with millions being laundered through bank accounts in the United Arab Emirates and other parts of the Middle East.

Dubai's deputy police commander general has since denied any involvement by the UAE saying it has strict anti-money laundering (AML) legislation that requires all transactions above 40,000 dirhams ($10,889) to be reported.

Yet, a common laundering technique is to split large sums of money up into smaller amounts so that it cannot be detected by AML controls. I also stumbled across an interesting article posted on the web by Hany Abou-El-Fotouh, director of Policy & Corporate Affairs at CI Capital, the investment banking arm of Egypt's Commercial International Bank (CIB).

He points to cultural factors, which he says makes the strict enforcement of AML procedures in the Middle East difficult. Abou-El-Fotouh says that in some Middle Eastern countries setting up proper controls and strictly enforcing them in order to detect suspicious transactions or activities, conflicts with customer relationships and cultural customs.

He says many Middle Eastern financial institutions are adopting corporate cultures that weaken AML and anti-terrorist financing efforts. "One of the biggest problems for AML initiatives in the Middle East is cultural customs that accept deference to customers and anonymity. Accounts lacking full identification details or with misleading information are not unusual in the region," he said.

Abou-El-Fotouh says Know Your Customer (KYC) requirements are lacking at many Middle Eastern financial institutions as customers may view banks' requests for additional information as intrusive or offensive. "For example, it can be difficult for a bank to refuse to enter into or to exit a relationship with a politically connected person," Abou-El-Fotouh explained. "Doing so could mean trouble for the staffer involved."

Is mobile banking really secure?

2009-04-24T11:39:00.004+01:00

With mobile banking transactions tipped to rise from 2.7 billion annually in 2007 to 37 billion by 2011, security experts are warning of the security risks associated with new mobile banking and payment channels.

Every time a bank opens up a new channel to customers, it presents new opportunities for fraudsters. Anti-fraud software provider, 41st Parameter, claims that users have good reason to be sceptical about the security of mobile banking transactions.

Ori Eisen, founder and chief innovation officer at 41st Parameter, says transactions between a mobile device and the bank are not as well-guarded as internet transactions as they only use basic identification and verification checkpoints.

According to Eisen, mobile banking systems are not able to determine whether a device accessing its mobile banking site is a mobile device, PC or laptop.

"Mobile banking touch points are easier to gain access to as they don’t have the security layers that internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or laptop, they are capable of infiltrating an unsuspecting bystander’s mobile banking account," writes Eisen in a white paper entitled: Mobile Banking - An Easy Target for fraud?

Eisen maintains that a multi-layered approach to security incorporating a firewall, password and encryption barriers and real-time tracking that identifies devices that were initially refused admission to a site and have changed their identity to try and gain access, is the best way of securing mobile banking transactions.

In addition to the information (credit credentials and personal identity) that is typically used to authenticate an individual, Eisen says Client Device Identification (CDI) goes beyond simple user names and passwords to detect suspect mobiles at device level. CDI can differentiate a device visiting a site regardless of the credentials presented or the IP address.

Insurers struggle to keep up with fraudsters

2009-04-20T12:22:00.006+01:00

Last week, the Association of British Insurers (ABI) warned against the rise of insurance fraud in a recession and published figures demonstrating a 17% increase in insurance fraud from 2007 to 2008, with the total value of fraudulent claims (£730 million) rising by 30%.

Dishonest claims on home insurance were the most common accounting for 55,000 false or exaggerated claims. By value, however, fraudulent motor insurance claims were the highest. The rising cost of fraud adds an additional £40 a year to insurance premiums, the ABI stated.

Bart Patrick, head of insurance at risk management and business intelligence firm, SAS UK, made the following comments regarding the latest ABI figures:

"It is hardly surprising that in the current economic conditions that fraud is rising. A sophisticated approach is required to overcome the increasingly savvy fraudsters out there, and sadly insurers will always struggle to keep up with their activities while they adopt a piecemeal approach to fraud detection, using a range of disjointed systems, and unsophisticated methods.

A link analysis tool and a bunch of rules does not a fraud strategy make. An integrated system, which uses the widest range of techniques (rules, advanced analytics, profiling, visualisation and experience) is the answer when implemented in an environment which has the people and process to action the frauds discovered. You can lead an SIU (Special Investigation Unit) to the fraud trough, but without the people and process to action this, you cannot make it drink.

Accuracy is key in being effective. The SIU must focus on the biggest frauds first, however if they are chasing shadows with a high false positive rate, then much of their effort is wasted. Only an integrated set of techniques can achieve this. If you have a simple, single approach to fraud, you are almost certainly wasting your company's time and money.

While fraud is viewed as an after the claim event, insurers will always play catch up. Most realise that some insurance policies are written just for the purpose of committing fraud. However they have no way of stopping this at policy inception. More importantly is the rising spectre of claims abuse, whereby people inflate their claims by a "reasonable" amount. This type of activity lives in the thin layer between acceptable behaviour and fraud, and this is where much of the insurance industry's real problems lay.

We are reaching the stage where a vicious circle is emerging. The SIU's are undermanned and over burdened as the numbers of potential frauds increase. Without a concerted, co-ordinated and sophisticated approach to fraud, using good old fashioned investigation and the latest technology in harmony, companies will struggle.

Let's flip this argument around to something policyholders will understand - the longer the insurers ignore fraud, the longer they will persist in charging a higher than necessary premium to cover the cost of fraud. In this increasingly competitive and fickle market with policyholders buying on price, it's actually impacting on competitiveness, so combating claims abuse and fraud is now a critical commercial consideration for all insurers. Ultimately, better Fraud and claims abuse detection reduces claims expenditure, reduces combined ratios, protects market share and increases profits."

Data security standards - A toothless tiger?

2009-04-17T11:47:00.006+01:00

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and banks were the worst culprits for compromising records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008 and that 90% of the records breached were reportedly targeted by groups involved in organised crime.

Interestingly, most (74%) of the data breaches were from external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from external hackers hacking into servers and applications online. Financial service providers are doing nowhere near enough to secure customer data, including implementing basic forms of protection such as data encryption.

The credit card companies introduced the PCI-DSS (Payment Card Industry Data Security Standard) standard which includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for securing credit card data. The standard includes basic requirements such as implementing a firewall, and encrypting the transmission of cardholder data across open networks.

However, according to Verizon's report, 81% of affected organisations subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and could be subject to fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered the largest known data breach to date when hackers stole 45.7 million credit and debit card numbers, as well as personal data, including driver's license numbers of another 455,000 customers.

TJX did not comply with PCI-DSS as cardholder data was unencrypted. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or losing the ability to process credit card transactions. But if Verizon's stats are anything to go by, PCI-DSS appears to be somewhat of a 'toothless tiger' in terms of forcing companies to implement even the most basic of data security measures.

It begs the question, why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use) or just plain ignorance? Certainly the reputational implications, as evidenced by TJX, outweigh the upfront costs of securing and encrypting customer data.

"Mini-Madoffs"

2009-04-14T15:30:00.004+01:00

In the wake of the Bernard Madoff revelations, Ponzi schemes, on a much smaller scale than Madoff's $50 billion scam, are being unearthed.

Eager to be seen to be proactive rather than reactive, the US Securities & Exchange Commission (SEC) is charging funds left right and centre with running Ponzi schemes. Some of the latest victims on the SEC's watch list include Shawn R. Merriman, who according to reports, is accused of fraudulently obtaining between $17 million and $20 million from investors in three US states through his company Market Street Advisors. Similar to Madoff, Merriman is alleged to have promised investors "impressive" returns.

Other reports claim that "mini-Madoffs" are you using the video-sharing web site, YouTube, to promote "cash gifting" programs. According to a Los Angeles Times report, the Better Business Bureau claims to have uncovered 23,000 clips promoting these so-called 'gifting' schemes. Viewers are reportedly directed to a web site where they are asked to sign up at a cost of between $150 and $5000. A spokesperson from the Better Business Bureau is quoted as saying, "They make it seem like it's legal and an easy way to make money, but it's nothing more than a pyramid scheme."

A "smart computer" to detect insider trading

2009-04-08T10:22:00.004+01:00

Increasingly fraudsters are devising more sophisticated means of committing fraud, and for the technology companies charged with combating fraud, it always seems like they are playing catch-up. But when the nature of the fraud is more insidious, the challenge is greater, as is the case with insider fraud.

Fraud committed from the inside is more difficult to contend with than external threats. As a company how do you identify who is likely to commit fraud within your organisation? How do you give employees access to applications and systems they need to do their job, without locking everything down or introducing a 'Big Brother' culture?

At the University of Sunderland, they are working on a new "smart computer" that uses artificial intelligence and "headline analysis techniques" to try and detect suspicious share dealing. Insider trading or rogue trades have long plagued the capital markets and some stats suggest that upwards of 20% of deals in the UK, and 40% in the US, may be tainted.

The "smart computer" project at Sunderland is entitled CASSANDRA (Computerised Analysis of Stocks and Shares for Novelty Detection of Radical Activities) and it has been awarded £90,000 by Northstar Funding to investigate the merits of combining artificial intelligence and analysis techniques to combat financial fraud.

Dr Dale Addison, project manager, CASSANDRA, says the problem with current anti-fraud systems is that they generate too many 'false positives'. "As many as 75% false positive flagging has been observed by some systems," he says.

CASSANDRA on the other hand looks at news stories affecting a particular company. So for example if two companies are in the process of merging and someone finds out the merger is not going ahead, they may go out and buy and or sell that company's stock based on that inside knowledge.

According to Addison, CASSANDRA would be able to detect that based on its analysis of news events from Reuters, Bloomberg and other sources, as well as the movement of stocks and shares of a specific company. "This system will have the ability to allow users to look at news information and rank it according to how significant an impact it has had on share dealing." But how do you know which piece of news or information has altered trading in a particular stock?

Information on US and UK stock markets is being provided to the Sunderland team by Canadian company, Measured Markets,which provides an "early warning" analysis service alerting investors when a stock's trading pattern changes.

Dr Addison plans to build a bigger computer that can be used to detect market abuse or false and exaggerated news that helps traders earn more money.

Madoff "feeder" funds in spotlight

2009-04-03T13:45:00.004+01:00

Civil law suits pertaining to "feeder funds" in the Bernard Madoff Ponzi scheme continue to play out with Connecticut-based hedge fund, Fairfield Greenwich the subject of allegations that it failed to carry out adequate due diligence on Madoff.

According to newspaper reports, the fund, whose manager reportedly worked with Madoff for 18 years, is accused of being "blinded" by the hefty performance fees it earned for funneling funds into the alleged Ponzi scheme. The fund funnelled a reported $7.2 billion into Mr Madoff's company. Fairfield Greenwich is believed to be contesting the charges brought by Massachusetts authorities.

Combating AML and terrorist financing

2009-04-03T13:28:00.003+01:00

The International Monetary Fund (IMF) is reported to have announced a "donor-supported fund" that will provide $31 million over the next five years in the fight against anti-money laundering (AML) and terrorist financing. Fund donors include the United Kingdom, Switzerland, Norway, Luxembourg, France, South Korea, Saudi Arabia and Japan.

The fund will commence operations in May and is geared towards providing "technical expertise" to those countries that want to strengthen their national AML and counter-terrorist financing strategies. Currently, at least in countries such as the UK and the US, a lot of the onus for detecting money laundering and terrorist financing falls on banks, however, not all funds are laundered through banks. The diamond trade is also a conduit for laundering.

The figures speak for themselves in terms of how successful governments have been in seizing terrorist funds. Since 2001 in the UK there were £400,000 worth of cash seized under the Anti-Terrorism, Crime and Security Act, £475,000 seized under the Proceeds of Crime Act, and £477,000 frozen by HM Treasury.

One of the challenges for banks is that some of them have been unwittingly caught out by US terror financing legislation for transferring money to organisations in Palestine, for example, that the US recognises as terrorist organisations, but which other countries don't necessarily.

Online fraud is flourishing

2009-04-03T13:21:00.004+01:00

A report in the Wall Street Journal features remarks made by Katherine Hutchinson, senior director of global risk management at PayPal. She reportedly told the Web 2.0 Expo in San Francisco that the online fraud industry was so lucrative that an "underground community" existed where fraudsters offered their specialist skills to others.

She also warned that the use of IP addresses for determining a customer's location were no longer a suitable method of combating online fraud - IPs addresses can be easily masked for one thing, and fraudsters often use "zombie" computers. She also warned that all the confusion in the banking sector caused by the current economic crisis left the door open for phishing attacks by fraudsters asking customers for bank account details.