With the global outbreak of the coronavirus, businesses are facing heightened fraud risks. Fuelled by the availability of technology, AI, data and a hyper-connected world, first-party and identity frauds leveraging on social engineering techniques are fast escalating.
With the global outbreak of the coronavirus, businesses are facing heightened fraud risks. Fuelled by the availability of technology, AI, data and a hyper-connected world, first-party and identity frauds leveraging on social engineering techniques are fast escalating. Due to the fast elevation of financial crimes, social engineering frauds are becoming more innovative, while numerous data thefts are powering the growing identity frauds.
The financial fraud continues to increase, for example The Monetary Authority of Singapore (MAS) has banned six individuals “former bankers and insurance agents” for fraud and dishonest conduct as well as reported fraudulent messages and calls request for personal bank account information. The International Criminal Police Organisation (INTERPOL) released a statement stating that financial fraudsters are using the COVID-19 outbreak as an opportunity for scammers to send inaccurate information into the marketplace. In addition to China, Vietnam and Australia caution against fraudulent claims and scams. Accordingly, how can financial institutions build their fraud prevention readiness and manage these growing threats more effectively?
In this RadioFinance session, our top-notch guests Richard Carrick, regional head, financial crime assurance, APAC, Barclays ; Roeland van Zeijst, senior cybersecurity specialist, politie Nederland (Dutch Police) and former digital crime officer, Interpol; and Michelle Weatherhead, operations director, GBG will cover some of the burning issues in financial frauds and global best practices to prevent and manage emerging financial crimes during the COVID-19 pandemic.
Their main points are::
Here is the full transcript of the session:
Grace : Good afternoon from Singapore. Welcome to RadioFinance This is Grace Chang, your host and moderator for the next 30 minutes. Our topic for today is dealing with fraud during COVID-19. I'm pleased to introduce my co-host today, the managing editor of the Asian banker Foo Boon Ping.
Grace : So, Richard, let me turn to you as you are our cybercrime expert, what has been the impact of COVID-19 on the financial scene today? how is the shift towards digital transactions, created vulnerabilities and security risks that criminals can exploit?
Richard : We see that for instance, a lot of folks are doing cash-based money laundering using a wall, which is kind of prevalent in this region. They've been actually forced up into more digital channels, which one kind of exposes them, but I think what we're seeing as well is that we're getting a lot of new digital bank accounts that you didn't previously. So, given the fact that we have different types of criminal activities out there, there is a need to definitely innovate both. The challenge is a lot of mainstream banks haven't traditionally done that previously. It was always a requirement to have the person come in, sit down, and kind of go through the details to see them. Now, it's a lot of banks, I think are going to be caught out and has to reach tool so that they can almost operate similar to some of these new age banks, like the Revoluts or the crypto exchange, doing the whole thing electronically and being able to do that quickly. That would probably expose some kinds of gaps because it's something that's not in your DNA.
Grace : Can I just turn to Roeland and ask what are the emerging trends you see specifically in areas like identity and data theft and money laundering and payment fraud?
Roeland : we already saw in criminals that they were, more and more getting interested in digital frictions and dealing with digital crime. This goes back like 10 years even where we had our top tier criminals in jail, that you know, I want to pivot from violent crime to cybercrime because it's easy to take money. So already that incentive existed And one often overlooked group in this, our kids, especially in countries like mine, and also like Singapore, where there are a lot of digital tools available and kids might be a little bit bored after school they tend to experiment online, and they tend to sometimes do things that are technically cybercrimes. And what we're doing in the Netherlands is that we actually devised a whole program as the Dutch National Police, for kids, who want to kind of try their own hacking skills and do it in a way where they don't commit any crime. So that's an additional benefit because actually, honing their IT skills and then hopefully still being able to use those for the good of society later on. Now when we talk about types of crime what we're seeing in the Netherlands is that your wallets are related via phone scam, WhatsApp scam and fraud has tripled as compared to a year ago. So, we're seeing three times as many people filing police reports about the type of crimes being defrauded in that. And our friends in Europol, The European Union Agency for Law Enforcement Cooperation they figured that they're seeing around 120,000 new websites that are related to COVID So that’s quite a growth. And finally, we already saw some statistics about ransomware and other types of blackmail where actually people being threatened through digital means with the virus. Basically, if you don’t pay me a bitcoin, I will infect you or your family, so that's quite technical. I mean, some people might be a little bit susceptible to that and they must be living in fear just because people think this way to make money. we have actually had some cases in the UK, where there're some apps, where it's quite easy to get the access code to join a conversation. It was a case of a journalist from the Financial Times who actually listened into their competitor’s things that way. And I noticed just now in the poll that actually people are quite worried about account take over and hacking into transactions,etc.
Boon Ping : Roland, you mentioned about this emerging trend of kids who are born at home and trying their hands at hacking. Now to law enforcement and for financial crime departments of banks, how worrisome is this? What are the chances of them being recruited by you know bigger crime syndicates?
Roeland : it's an important point that you're making. So obviously just randomly brute forcing accounts nowadays where most banks have two factor authentications in place, that isn't the issue, in Asia we see a little bit more defacement, I would say. Here in Europe and especially in the Netherlands, we still have kids who think it's really cool and it's also relatively easy of course to DDoS those organizations just to make a statement to see Oh, wow, the whole country is being annoyed by this and I'm doing this. I personally don't consider that to be a hacking skill but it is a type of cybercrime. It is something we got to deal with. And finally, your point about being recruited? Yes, I actually I have a younger colleague who has a friend, etc, etc and they were once having a drink and the friend actually received an offer, from, somebody who said, Oh, I like that you're very skilled at working blackberries and programming apps for them. And would you not be interested in programming a very security tight app for the BlackBerry so that people communicate very securely. He decided not to do that. years after this had happened for this specific kid, we actually found a whole gang who were dealing in the circle of black phones and the people who are providing the services, more importantly for them, as soon as their operation came to the attention of the police, we arrested some of them and the criminals found out that Oh wow, my data might not be fully secured there, This just goes to show your point is very valid, that if you let the criminals into your life, they might take it over.
Boon Ping : I would like to have a follow up question to Richard’s earlier point about institutions today as crime is moving to the cyberspace through digital, there's a need to redo and to re skills right. And also, in terms of new form of players coming into the market, they also open up greater vulnerability because they're not traditional, if we are traditional banks, AML, compliance and KYC is bread and butter. To the newer institutions is all about customer experience having a better experience on security. How are you dealing with that? And where do you see in terms of the regulatory expectations between incumbent players and new players, is it a level playing field when it comes to security?
Richard : I think a lot of the regulators are actually being quite cooperative and providing some pretty good guidance. The good thing in Singapore, for instance, things like e-KYC, kind of not having that kind of remote KYC or meeting, the requirement to meet your customer is kind of in the way. So, it's a framework that has always been in place. So, I think some banks have been prepared for that. I think in a lot of countries, that's not the case they were always needing to meet the person. Now they have to kind of scramble and put in place the means to do kind of contactless KYC. The other thing that you're going to struggle with in the KYC side is the fact that there are new typologies popping up with relationship to COVID. And that means we have to be in a position to detect those. And that is something kind of difficult for a lot of institutions to do. And you also have a large bureaucratic process as well, sign offs. So as the criminals read tool, and you get a whole flood of new topologies coming from various bodies, like, you know, European Banking Association, or putting some of these out, a lot of the law enforcement agencies are putting these as well. I think its very difficult for banks to keep up with.
Boon Ping : So, Anzar you work in an interesting environment in Indonesia Now, with social distancing and lockdown, you have close out some branches, they are lesser physical cash transactions today, but the mainstay of money laundering and some of the emerging markets are really physical movement of cash, how has the financial criminals been moving their cash during COVID-19?
Anzar : We are facing the COVID-19 right now and in some banks, they already have closed some branches, especially in Jakarta. For my bank as well, in Jakarta, already open 30% of our branches, but out of Jakarta, about 40 or 50% only branches who open the operations. And for the financial criminals right now, I think it's not really different when they are doing the crime, moving their money because many banks offer services like mobile banking, internet banking and also in these situations when there is a limitation for them to come to the branch to make a transaction. So, some banks make a relaxation for them to do the transaction, the (transaction) limit for mobile banking, let’s say, is only hundred million rupees per day for the doing remittance. But some banks right now, have relaxed the (transaction) limit to 200 or (up to) 400 million rupees per day for mobile banking. It means for the criminals they can still move their money which is projected from the criminals by using the internet banking or mobile banking. I think banks in Indonesia have already implemented AML system. Such as in my bank, we can trace the movement of the transaction, also maybe large transaction rapid movement and we can catch them, but it is quite challenging for us to see the transaction.
Boon Ping : And we'd like to also invite Michelle, to join the conversation. Based on GBG experiences in working with banks around the world, can you share, how are they preparing themselves? And in the context of COVID-19, how are your banking clients responding to the crisis?
Michelle : from a financial crime manager perspective, there are really four key things that our customers are preparing themselves for today. I think the challenge for fraud managers today is to really predict and pinpoint what's going to come up next. And make sure that they've got countermeasure defense ready for that.
my pick is that there's going to be an increase in misused identities in the form of identity theft, first party fraud, synthetic identity fraud and new lookouts. The second area that kind of relates to the new emerging threats is the alternative revenue streams. So, we are seeing businesses pivoting to meet the changing consumer behaviors, the move to digital and mobile and to become creative and open up new revenue streams. And the challenge for fraud managers is that they need to support this business pivot. And they need to be able to onboard customers and support the new business revenue streams in a safe and compliant way. The third and fourth one, are actually being considered right now. And the fact that customer behaviors have changed, if you take card fraud or card for instance, it's all moved online. We're at home we're doing at home purchases. There's a lot of code not present and you know Not doing the traditional overseas transactions and so on. So, what this means is that the fraud operations teams need to go and recalibrate all of those detection models, the machine learning models that are based on behavior deviations. And in particular, it's really important for the fraud operations and investigations teams who are now working remotely, models recalibrated, and alerts refashioned based on those remote working practices.
So, the tips and how can we deal with these sorts of changing operational considerations, pointed out here is that is great news that the fraud managers have got some great capabilities and technologies available to leverage to help them optimize their operations to deal with these things. Now that we have moved to digital and mobile banking offerings, we can use and leverage this data. We can enrich customer onboarding, for example, with mobile and device attributes to make more informed for decisioning. And we can use analytics to really understand that customer's persona, and we can look at the data and the consistency to really make the accurate decision about that customer and a lightning speed way. So, with technology now we can layer it and we can, customize the detection capabilities for the customer. So, fraud operations and they're putting the customer at the center of everything really. And I can show that customer experience is great. But they're also protecting the customer and maintaining compliance for the bank. So, I've got an example here, or a customer, and he's making a loan application via a newly launched mobile loan service. Now, because he's an unbanked customer, it means that there may not be a rich credit history and lots of data attributes available to be able to assess him for credit and fraud risk. But through enriching his application with this data that I talked about before and layering the different defense around the customer needs, the fraud team can then actually support the business strategy of going mobile. So, they might actually want to relook at him in a different way, which might enable the bank to on board, this customer offers him a loan, but do it in a protecting and safe way. So, example of result that I talked about earlier.
if you're just looking at application data, you probably say No, we'll probably reject it. We don't have enough information available, there isn't a credit file there. And you know, we can't match up against enough information, but hey, look, if we can layer in additional data such as the device information, the social information, the email information, how long would they get this email for? Is this email connected to social media connections, we can start building up a better fraud risk assessment? There’re other ways of looking at credit risk as well for underbanked customers. So, we can now start using mobile metadata to look at things around how creditworthy this customer is. So, if we start looking additional data, we might actually offer this chap a loan. But because we don't have as much information, we might want to lower the loan amount and we might want to push them on and enhance activity monitoring. So, by doing this, we can we can onboard a good customer in a safe and secure way. And we can make sure we've got a really good customer experience but then also support the business as if pivoting towards different revenue streams.
Boon Ping : So, you are using a mobile data to further enhance weak assessment of customers but at the same time, we hear some of these criminals who needs some of this information on your mobile phone the balance between risk assessment, and the customer acquisition!
Michelle : So, in terms of how do you strike the balance, I think the key thing really is to ensure that you've got enough data points layering them in and having a flexible approach to how you are risk decisioning a customer. Because there isn't one failsafe silver bullet available out there, you really do need to look at different attributes and combine them together to get an accurate risk assessment. it's really important for technology, and to really have that capability to be real time and instantaneous. And there's two key things that really, absolutely critical for technology in this space. The first thing is scalability to be able to handle these vast amounts of data that we've got about we are bringing a digital, we're bringing in device customer application transactional data attributes. Second thing is we're now looking at an omni channel approach to event. It's not just looking at one channel. So, scalability and flexibility is imperative in a real time mode.
Grace : Roland for a long time in Singapore that a few years ago, there was a reluctance to share information among institutions, you know, threat information or attack information. But you set up the cyber fusion center in Singapore which is a private public initiative. Did you find that the trends have changed, and people are more interested in collaborating to fight cybercrime?
Roeland : when I was in Singapore, it was mainly to do with the fight against cybercrime working together with private industry. we had collaboration agreements with Kaspersky Lab, McAfee, NEC corporation, for example. And what they did is they actually, you know, Interpol is staffed by hiring staff but also by people who are seconded that from law enforcement and what we added to that was that actually companies could second somebody to Interpol, And they would have a quite a specific role in that they would be part of the team. And actually, there will be like, certain meetings and certain types of police information that they were naturally not allowed to see. At the same time building on that we wanted to expand and to also add financial institutions. So, I think that Barclays was one of the first banks actually to also join this unique situation that looks specifically at threat intel, threat information that can be safely worked up to information that Police internationally can use to combat crimes. But from building on that we remember some meetings we had, we were actually invited most of the Singapore banks to see if they know what their branches and their regulations would allow them to do. And the issue with that is that Singapore is quite strict on its laws, I would say against getting market dominance for one of the banks, I think that's one of the things that plays into that. And actually, the Interpol organizing these meetings, and just putting all these banks on the table together, allowed for them to have a conversation about security and to, at least, not compete on that because it's in everybody's interest to exchange this type of information. And this kind of brings me to what we have in the Netherlands, where we have a similar situation of a few big banks that are not allowed to, make a lot of agreements amongst themselves, but they also have an incentive not to compete on a matter of security. And what we found. There was a risk that individual banks would not go to the police when they had like a hacking case or something because one or two years later, maybe there will be a news article, and people say, oh, that bank got hacked, whereas the threat is real for all of them. So, what we did is we devised the electronic crime taskforce and our minister, the Minister of Justice and Security, he signed off on it and they made like what we call it a confident. So, it means that you can exchange more information than you're maybe normally allowed to, for this specific purpose.
Grace : So as the sharing of the information of threat information in fact is important, right?
Roeland : It is and if I can add like a final some institution that works very well for the Netherlands, especially around this time of crisis. It's what we call the Information Sharing and Analysis Center or ISACs. And with us, it's our anti-crisis and anti-terrorism agency that is actually coordinating for all the vital infrastructure sectors to come together per sector, if you will. So the energy companies or the telecom companies, or the financial industry, and each of them will have regular meetings of their CIOs and CSOs, and specifically to share information that they can share it either on a level where they can be shared onwards to other sectors, but sometimes even through the traffic light protocol, the information where you're actually you know, there's in the back of your head, you go back to your imagination, just see, okay, let's just see if we have the same problem. And of course, officially, we're still in a time of crisis now and we see these things Those software networks that are built on trust they are working quite well and quite effectively to combat different also COVID related cyber threat vectors.
Grace : Anzar, in Indonesia, maybe you can tell us whether this there is a sharing of information among the banks and financial institutions and with the cybersecurity companies. What is the situation that in Indonesia?
Anzar : Yes. In Indonesia, we are on the way to implement for the public private partnership especially for the intelligence (sharing). Because right now for the sharing information, we still have the regulation for the Secrecy Act where there's every information of the customer and information of their savings is a secret for everyone. But in 2019, our OJK they already issued the regulation that the vision for the regulation for the AML and CFT implementation for information sharing between was that between the common operations. So, they can share the information for the customer due diligence implementation between conglomerations. In bank Mandiri we have 12 subsidiaries we are trying to manage what kind of information we can share to our subsidiaries. But to other banks if we have item or issues that we need to discuss or we need to information from other banks, we can discuss in working group within the compliance director forum I think in the future, we need the public private partnership because it will connect between police, FIU of banks, private sectors or every reporting parties that we need to implement for the AML CFT.
Grace : Richard, could you take us through the challenges that a global bank like Barclays faces, in managing evolving regulations, sharing of information for one are different from country to country?
Richard : As far as data sharing a lot of banks are reluctant to do that. Places like Singapore, Hong Kong have very strict expectations around personal information. And that's because they have a very strong private banking industry. what they do is within the Singapore public private partnership is they provide the typology. Now, the big challenge of doing that is, a lot of the traditional banks have currently static type systems, it's very difficult to change these rapidly and add new topologies in on a regular basis. But I think there are examples with some of the kind of the FinTech and TechFins out there that actually do manage this quite well. They use data analytics that can take in all of the screens, such as sanctions, reading, transaction monitoring, adverse news media, you can just take all that data in and they can create an assessment on the back of that. And it's all digitized. It's very quick. It's cheap, and it's very flexible. Sometimes it's doesn't even require rules engine, they have an AI element to it. And I think that is the direction that banks are going to have to go into.
Boon Ping : we would like to get Michelle into the conversation, managing financial crime requires a more integrated approach across strategy, data process technology, yet, and as Richard said, most institutions operate according to functional silos. How can solution build stronger and more integrated response? Whichever method more edge responds.
Michelle : Over the past few years, I've seen a convergence across those silos actually. So, if we're talking about a info security fraud, I really have seen a convergence particularly on the AML and fraud case over the past few years with the setting up of financial crime centers of excellence and so on. More recently, I'm seeing a real convergence, particularly in the infosec and foresight. And because we are seeing the perpetration of cyber related fraud, there is a necessary need there to bring them together. And if you can share cyber threat Intel, with your fraud defense mechanism, and you can then move further up the fraud value chain so you can start it Identifying precursors to fraud before it happens so that you can stop it from occurring. Protect your customers and stop fraud losses from being incurred by the bank, for example. So yeah, there's a real need there. It's happening and these obvious business benefits to it, particularly in the Digi space.
Boon Ping : Is there a difference in terms of how banks operate all of this public private partnership, and don't sharing information? It's that different. We're sharing information security intelligence information versus actual fraud details?
Michelle : if we look at the banking sector in particular, where I focus on there is a lot of information sharing happens informally. But it also happens quite formally as well. So GBG, for example, provides shared fraud insights and identity verification solutions, which are federated where we are providing insights across the industry. There's a lot of reporting to regulators designs in shared before from an AML Compliance perspective and insights being shared back out. So that collaboration insights are going on at various different levels within the industry and within organizations as well.
Boon Ping : Okay, great I will put this question to Roeland and get Richard. Richard, How can the effective application of technologies such as AI, machine learning, data sciences, stronger intelligence-based defense against financial crime?
Richard : I guess the big change, and it's a necessary change that's coming through, is to be able to use technology such as machine learning, but also things like entity resolution network analytics, being able to go through larger amounts of data than what is done today and looking at all of the data at the same time. And that contrast with I guess a lot of banks do KYC checks. One guy looks at adverse news media and other guy looks at sanctions, personal screening, somebody else tries to validate the source of funds and it's a very lengthy process. But it takes in all of the information that you need to build a risk profile for a customer at once. So, take all these silos, put them into funnel it all into one system. And then you can use data analytics across all of the different sources. And then that should be able to give you a very comprehensive view with a reduction in the ever-present positives. And that would be also backed up with the kind of electronic KYC systems.
Boon Ping : Are there opportunities that are there to no leverage of a FinTech especially now with new technology architecture? So, what have we now with open banking API's and what not?
Richard : Whether it's a FinTech or reg tech, some banks are following some of the FinTech examples, what some banks, I guess, are doing that, I guess fairly cleverly I can drop one is like DBS, for instance, simply buying some of these fintechs. Now, we're reachable. We can think like a kind of a small bank with that particular area. And we've also got some really good sort of compliance processes that we can build up the benefit. So, I think that is what banks want. The traditional banks want to serve life, they got to do something like that. They got to start buying up some of these Fintechs and the Regtechs as well.
Boon Ping : Anzar, your thought on this? For Bank Mandiri, how are you addressing the technology that is required to give you a few steps ahead of the financial criminals in terms of integrating our data across the organization?
Anzar: Data is very important. So that is why we are trying to build the database in our bank. So, we can use the data analytics in between our data in demand as well as in our data with our subsidiaries. So, we will know always the risk of our customer, when they on board to our subsidiaries. vice versa, something like this.
Boon Ping : Are you working more with RegTech or FinTech? Are they an acquisition opportunity or target?
Anzar : So far, yes. We are using the Regtech and FinTech. So, I guess we are getting to the technology era right now. we give a product as well with the online onboarding. So, the customer doesn’t need to come into the branch to open the account. They just use their mobile phone and they can open the account. But still the steps for the customer identification process. KYC everything and online, we screen everything and we use the AML also to manage their transaction. So, we still can monitor them, even though using the technology.
Boon Ping : Okay, great. Okay. And final question to Michelle. So, as Richard mentioned, a lot of this enabling technology is there. But the issue or some of the incumbent banks is not just in terms of boating a new system or solution is more to do with the whole organization, internal structure, and also legacy system, which kind of sometimes restrict what you can do on the technology side? So, is there more viable option looking at a FinTech possibly writing off the capability of a FinTech or reg tech, and, you know, an onboarding new technology onto the existing system.
Michelle : Yeah, I think technology is a technology vendor, I'd say this is a huge in supporting financial crime. And so, if you take machine learning, for example, it's been using for years around detecting fraud, financial crime, and you know, it really does help you through those vast amounts of data that we're seeing today and find that needle in the haystack. But silver bullet, and that's why You know, I think it's really important that there is an organization you do have a lot of tools available to you that you can pick and choose from within your system. You want the type of customer the type of models, the policy, the business strategy and product in that you can really tailor it to your needs. And I think it's really important to not forget about the human factor involved in all of us, and that the technology is really only as good as the humans that are implementing it that are optimizing it and turning it you can't just leave it and set and forget and expect to do something. On the flip side, you know, there needs to be humans that are operating these systems and looking at the intelligence that comes out and doing something with it. And humans really, you know, the investigators and the triage analysts are such an important part of it. as well. So, it really is an ecosystem approach that needs to be brought together to fight fraud and financial crime.
Boon Ping : in the past one hour, we've discussed how Financial Crimes has evolved. New crime typology is emerging as an increase, for example, from traditional typology to more digital ones that prey on covering vulnerability. as the financial services has become more digital, it has enabled greater customer convenience, but at the same time also enable cyber criminals to also exploit some of vulnerabilities. regulators do have a role to play in terms of facilitating and encouraging more sharing of intelligence. Already police regulation requires regulatory reporting when it comes to fraud when it comes to AML and sharing for example, but obviously, much more can be done. There is also the need for technology today in terms of data analytics, artificial intelligence, machine learning that can sift through all the data within the organization that can reveal and help detect patterns of customer behavior that can identify fraud or financial threats.
So, these are some of the things that we've discussed today.
Grace : Well thank you very much to our four experts. We are grateful for your insights and for your time. We also appreciate all the listeners who are here with us and taking part in our polls. We hope to stay in touch with all of you and do look up for the next RadioFinance episode. Thank you
Senior Cybersecurity Specialist,
Politie Nederland (Dutch Police) and Former Digital Crime Officer, Interpol
Managing Editor, The Asian Banker