James Richardson, Head of Market Development Risk and Fraud at Bottomline, shares his thoughts on the importance of regulation when fighting fraud in financial institutions.
The last thing any executive at a financial institution needs now is ‘difficulty factors’. After all, it’s time for year-end reporting and 2022 forecasting. Digital transformation strategies are already in the melting pot and at varying stages of progress and capital expenditure. Throw in the creativity of fraudsters and we’ll agree there’s enough to deal with.
But the difficulty factors for FIs are not dropping as the year closes. In fact, we’re seeing two areas amping up the difficulty factor: insider fraud and regulatory technology (RegTech). Both go hand-in-hand as many new regulations can help or hinder insider fraud challenges. A new research report, “The Future of Competitive Advantage in Banking & Payments”, considers these two issues (among others) and uncovers surprising levels of concern about solving them. While there’s no silver bullet for reckoning with fraud or RegTech, there are technology, advisory and data solutions to help.
Dealing with fraud, specifically insider fraud, first. Insider fraud happens when a current employee or contractor accesses and shares sensitive data or payments information that they don’t have access to in the normal execution of their job.
When we asked FI executives about their top overall concerns, 16 percent placed insider fraud within the top six issues. We argue that insider fraud should definitely be a higher priority than it appears to be in the report.
That’s because insider fraud has two costs, reputational and financial. The reputational damage for an employee-based data breach is impossible to calculate. According to a Ponemon Institute study, the frequency of global insider fraud incidents over the past two years spiked 47 percent. The average incident takes 77 days to contain, and when that passes 90 days, the global cost can top $13.7 million a year.
In an age of hybrid work-from-home environments, it’s easier for employees to access and share sensitive data, especially if companies lack proper defence technology. The effectiveness of that technology depends on whether it addresses insider fraud at the server level, because if it does not, those defences may not work in today’s or tomorrow’s environment.
Here’s why: Many companies rely on content filtering to stop insider fraud. Content filtering technology sits between the end-user and the outside world. It does a great job at catching sensitive data (called data leakage) and other information after it has been accessed. But then it’s often too late. The filter can spark the right alarms and be an essential tool in investigating exactly which employee shared the sensitive information. But in the case of a data breach, the reputational damage may already be done.
What’s needed to fight insider fraud is an application layer. That layer doesn’t sit between the employee and the outside world; it sits between the employee and the application server, where 80 percent of insider fraud happens. This layer evaluates the employee’s access to and transmission of sensitive information and profiles their behaviour. It can then detect abnormal patterns that may indicate data leakage in the process. The application layer stops insider fraud before it happens.
Now for the RegTech difficulty factor. In our survey, 63.5 percent of respondents said RegTech will become more critical in the next year. My take is that this concern is as vital for fraud defence as it is for addressing the issues of interoperability and data. While RegTech is undoubtedly a challenging compliance factor to plan and execute, FIs see RegTech as a positive factor. Looking at what regulation aims to do, the most crucial point is that its aims sync almost perfectly with several problems that need solving to improve customer experience and security. Examples: ISO 20022 messaging format will address data interoperability. Confirmation of Payee (CoP) will help address fraud. PSD2, Open Banking and UK Faster Payments Access Models will address easier access to data. So while 25 percent of respondents appreciate the importance of regulations, they are equally worried about looming deadlines and the need for business continuity. But regulations aim to create better conditions for growth and competitive opportunities for FIs. And it’s important to remember that new regulation is there to fight fraudsters, who are one step ahead of the game. They don’t wait for regulations to play fair.
However, broader challenges exist when fighting financial fraud, including insider fraud. Despite a positive attitude toward the outcomes of regulation, the biggest challenge in executing fraud and financial crimes strategy is keeping up with regulations (31%). The second challenge is increasing fraud threats (30%), and the third (at 11%) is the alert investigation time and false positives. These results illustrate a big challenge as FIs try to comply with regulations and manage assets on one side but remain strict enough without creating false positives and alienating customers. The fraud issue also tracks back to ISO 20022. Because the messaging yields more data, there’s more information to analyse in ensuring that all parties involved are legitimate, thereby reducing the potential for false positives.
The solution to these challenges has its foundation in technology. We’ve already offered examples of how innovative technology can help fight insider fraud. But let’s consider other fraud tactics that can profit from technology adoption. For instance, keeping track of sanctioned countries and organisations is not an inside, manual job in today’s complicated cross-border business environment. Nor is it a job for outdated technology. For example, legacy watchlist screening tools can be tripped up by spelling errors, typos, and data quality issues. That’s an easy get for clever criminals who use aliases or even steal identities.
Modern technology for watchlist screening will be SaaS-based and provide a real-time, automated look across the journey of each payment. This technology will reduce false positives and speed up investigations, which is where data comes in. By using machine learning and artificial intelligence, systems can proactively detect and prevent financial crimes. It’s no longer a box-ticking exercise.
So yes, our research shows the difficulty factor for FIs goes up in the short term. But continued focus on digital transformation and the judicious use of technology makes fighting financial fraud a bit easier and will ultimately make corporate and consumer customers happier in the long run.