Tech Platforms and Banks are ignoring regulators
Chris Merchant
Director of Sales & Marketing @ Remora | Developing Innovative Cyber Security Strategies for Clients and Partners
In April 2021 data belonging to more than a billion people hit the dark web, available to anyone willing to pay to download it. The data came from three very similar attacks on Facebook, LinkedIn, and Clubhouse. However, none of these attacks garnered much press attention, as the tech platforms were allowed to get away with claiming that the data had been scraped, was therefore publicly available, and that this was therefore not an actual breach.
The ICO in the UK states that a data breach is:
"A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data."
If, as in the case of Facebook and LinkedIn, it is possible for hackers to steal data such as mobile numbers that do not appear publicly on the site but are hidden and used only as part of the login process, it is difficult to see how the tech platforms can construe that they have not been subject to a data breach.
The tech platforms spend more money on PR and legal experts, coming up with a form of words to head off an investigation and to try to prevent any reputational damage, than they do on monitoring user data. If they spent slightly more on monitoring user data, it would not have taken Facebook 13 months to discover that their user data was available to buy on the dark web.
Data scraping is not new, and there are plenty of tools which have been engineered to mine data from public pages on the internet. It is the failure to do anything about these tools that should be most concerning for users of these platforms, as it falls into the category of multinationals letting down their clients or users. All too often these companies do the absolute minimum, and there is no thought of best of breed when it comes to cyber security, because ultimately these companies do not care about your data: to them, once it has been consumed and safely stored in their own secure database, the raw data no longer serves a purpose.
The myopic stance toward user data by tech platforms is as nothing when compared to how banks view user data. Know Your Client (KYC) is the first line of defense for regulated firms in preventing fraudulent activities. It is designed to work by obtaining all original account opening documentation from customers and potential customers, conducting the analysis, and documenting that the applicable due diligence and other regulatory requirements are met. It has become mandated and essential for confirming the identities of customers during onboarding and throughout their ‘customer lifetime’, as well as for verifying their suitability and any financial crime risks they might pose.
KYC is deemed a success by regulators, as it has transformed Anti-Money Laundering (AML) monitoring, governance, oversight, and regulatory reporting activities, not least because of the fantastic work done by many compliance teams.
Yet a significant internal threat has emerged within European banks. In London we have already seen 3 examples of the failings of KYC this year, all resulting in 6 or 7 figure frauds being committed.
It has long been known that organised gangs of criminals are infiltrating European banks to carry out large-scale frauds, with criminals applying for jobs in banks and wealth management firms to gain access to sensitive customer data. Organised criminals use highly talented and extremely well qualified IT support staff who are deliberately placed inside banks and wealth management firms to commit crime, particularly identity theft, and to learn how to circumvent systems and controls in order to commit future frauds.
As with any successful operation, organised criminals also work on the principle of land and expand: once they have their own gang members recruited into banks or wealth management firms, they attempt to turn previously exemplary employees. This came to light in 2019 when the Dedicated Card and Payment Crime Unit (DCPCU), which targets the organised criminal gangs responsible for fraud, arrested a number of members of a criminal gang behind a series of frauds and attempted frauds worth over £1.2 million. The case involved a sophisticated organised criminal network with their own members placed inside the bank, together with recruited bank staff who were paid to knowingly transfer stolen funds through a series of ‘money mule’ accounts and then into the accounts of the criminals.
The new target for criminal gangs is no longer IT staff; it is now the anti-money laundering or compliance teams. KYC Analyst roles are now available within both banks and wealth management firms on 3-month contracts, paying £25 an hour.
One current contract at a UK challenger bank offers the “flexibility of working from home” and is looking for an individual who “does not require supervision”; their role will be to “conduct KYC and AML checks on all low, medium and high-risk client types”. That firm will undoubtedly have policies and procedures, as well as tools to verify the efficacy of the KYC and AML checks.
However, all three of the known frauds, in which payments were successfully made to money mule accounts that then forwarded the money on to the organised criminals, involved money mule accounts set up in 2020 by individuals who either do not exist or have never set foot in the UK. The only way to circumvent KYC procedures so as to make this possible is for criminal gangs to have their associates placed in the KYC analyst roles and so become responsible for conducting the KYC checks.
From a cyber security perspective, having that amount of data accessible to anyone working from home is extremely concerning. It would be difficult, and take time, to identify the insider threat if they were a permanent employee; but a contractor on a short-term contract, working from home, who understands and is trained in a bank's systems and knows they are being monitored, would be almost impossible to identify as an internal threat. Organised criminals know this, and banks know this. What is baffling is that banks are willing to take the risk with clients' money in this way, and are making it more difficult for cyber security firms to do anything about it.
Regulations and laws are forever playing catch up with organised crime, and that is why the cyber security obligations that impact organisations often tend to be open to interpretation regarding how organisations must approach compliance and cyber security. This can be seen with the recent MAS regulations which, whilst primarily enforced in Singapore, impact UK funds that share technology and data with funds in Singapore. Rather than implement tools and services in the UK which would ensure that UK funds exceed the regulations in Singapore, many funds are spending many thousands on exploring the legal minimums they can get away with.
What should not be allowed to happen, and what has unfortunately begun to happen, is that tech platforms and banks have started to pay lip service to what they consider to be overly prescriptive regulation. It is this that has led to a general malaise within tech platforms and an increase in internal threats to financial institutions, which means that clients and users are put at risk by those who should be able to protect us.
The regulators need to be given more powers of enforcement, and tech platforms and banks need to be held to account. Only then will the tech platforms and banks take cyber protection more seriously.
Until then there will be no return to best of breed solutions and instead cyber security will be left to fingers crossed.
www.stega.com