Banking Under Pressure: Top Concerns Around Cybersecurity, Fraud, and Regulatory Compliance
Mufti Fahad Ahmed Qureshi
Shariah Scholar, Advisory Member, Islamic Finance Expert, EdTech - FinTech Advisor
Anti Money Laundering - AML
Following the revelation of alleged embezzlement from Malaysia’s state-owned 1MDB investment fund, financial regulators in Southeast Asia have greatly increased their focus on banks’ anti-money laundering systems, as well as on measures to detect and prevent terrorist financing. In June 2016, the Monetary Authority of Singapore announced dedicated departments to tackle money laundering and enforcement, while in May 2017, the Hong Kong Monetary Authority partnered with banks in the territory to form the Fraud and Money Laundering Intelligence Task Force. In May 2018, Singapore’s Anti-Money Laundering and Countering the Financing of Terrorism Industry Partnership (ACIP) increased its drive against money laundering with the publication of a series of best-practice papers for financial institutions, aiming to reinforce defences against trade-based money laundering and the misuse of company structures for illicit purposes.
The initiative sits alongside an ACIP working group on the use of data analytics to improve detection of suspicious client profiles, activities or transaction patterns, and to identify areas where closer collaboration between industry and government would be beneficial. As AML regulations have been tightened, banks have been required to perform more rigorous due diligence on both customers and customers’ customers, including obtaining disclosures of beneficial ownership.
The regulators’ increasingly aggressive approach to AML has highlighted weaknesses in banks’ existing supervision and surveillance functions, requiring much stronger internal controls and improvements to their transaction monitoring systems to reduce the high incidence of false positives, which pushes up headcount as well as compliance and risk-management costs. Tighter AML regimes have placed huge additional burdens on banks in recent years, requiring big increases in spending to combat increasingly sophisticated money laundering techniques. International money laundering syndicates now provide “laundering as a service” to criminal organizations, renting access to accounts through which funds can be moved by the hour.
Cyber Security
As financial services digitalize, transaction volumes increase enormously, and new points of vulnerability emerge in banks’ systems and processes. As a result, the number, variety and sophistication of cyber-attacks “have all increased exponentially” over the past two years, according to EY’s Asia-Pacific Fraud Survey 2017. At the same time, poor awareness among staff and customers of cybersecurity best practices increases the risk of breaches, for example due to the widespread habit of using personal devices for work-related activities. The chief areas of concern include:
Phishing
This is the biggest single problem across the region, says Scott Bales of Innovation Labs Asia, and although it is based on email scams, it can also involve fake call centers. These have been used to execute so-called ‘man in the middle’ social-engineering scams in which a telephone caller persuades the account holder to request a one-time password that is then used to gain illicit access to the customer’s account.
Fake Identities
Social-engineering techniques, including harvesting personal data from poorly protected social-media accounts, as well as stolen personal information that is sold on the dark web, are used to create synthetic identities for use in fraudulent finance applications.
Mobile Apps and Games
Bank customers who download apps and mobile games that contain security loopholes or malware have their banking credentials stolen, allowing criminals to access their accounts.
SWIFT Security
Concerns over the global inter-bank messaging system increased after the breach at the Bangladesh Central Bank in February 2016, when hackers were able to create false SWIFT messages requesting withdrawals worth US$1bn from the Federal Reserve Bank of New York. Although most of the transfer requests were flagged for verification, $101m was sent to accounts in Sri Lanka and the Philippines. More than $60m is still unrecovered. Then in October 2017, criminals compromised the SWIFT system at NIC Asia Bank in Nepal and issued transfer requests for about $4.5m, most of which was recovered. In April 2018, the Malaysian Central Bank said it had prevented a similar attack. Cyber-attacks can go undiscovered for months. An investigation of unauthorized access to online trading accounts at a global bank turned up user-access anomalies dating back more than a year before the hacking was detected, according to EY.
Fraud and Collusion
Fraud is a major problem for banks across the region, with interviewees for this research indicating that collusion by bank insiders is by far the biggest area of concern. The prevalence of internal fraud and collusion is fuelled by relatively low wages among many junior bank employees that make them vulnerable even to modest inducements, as well as widespread acceptance of bribery and kickbacks as normal business practice.
However, internal fraud is not restricted to junior staff. In July 2017, Maria Victoria Lopez, a vice-president in the corporate banking department of Metrobank, the Philippines’ second-largest bank, was charged with attempting to steal P1.75bn (US$33.3m) by creating fake loans from one of the bank’s corporate customers to her. The major threats from internal fraud include thefts from customer accounts, fraudulent card applications – in regional surveys banks report that between 5 percent and 10 percent of all card applications are fake – and fraudulent loan approvals that result in high levels of non-performing loans (NPLs) on bank balance sheets.
In 2017, the Vietnamese central bank said NPLs at commercial banks and the Vietnam Asset Management Company could be close to 9 percent, and pledged to cut that to less than 3 percent by 2020.
Arguably the biggest problem that banks face in tackling financial crime and fraud is the huge proportion of false positives that their monitoring and detection processes generate - up to 99% of alerts fall into this category, according to some market participants. The inefficiency and inaccuracy of banks’ existing monitoring systems mean that these activities are extremely costly to run, and waste the time of skilled and expensive staff, who are unable to identify and concentrate on the cases that require their expertise. Optimizing transaction monitoring to reduce the extremely high proportion of false positives is therefore a key priority.