
Risk Practice

Financial crime and fraud in the age of cybersecurity

As cybersecurity threats compound the risks of financial crime and fraud, institutions are crossing functional boundaries to enable collaborative resistance.

by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen


October 2019

In 2018, the World Economic Forum noted that fraud and financial crime was a trillion-dollar industry, reporting that private companies spent approximately $8.2 billion on anti–money laundering (AML) controls alone in 2017. The crimes themselves, detected and undetected, have become more numerous and costly than ever. In a widely cited estimate, for every dollar of fraud institutions lose nearly three dollars, once associated costs are added to the fraud loss itself.¹ Risks for banks arise from diverse factors, including vulnerabilities to fraud and financial crime inherent in automation and digitization, massive growth in transaction volumes, and the greater integration of financial systems within countries and internationally.  and malicious hacking have also intensified. In the domain of financial crime, meanwhile, regulators continually revise rules, increasingly to account for illegal trafficking and , and have ratcheted up the use of economic sanctions, targeting countries, public and private entities, and even individuals. Institutions are finding that their existing approaches to fighting such crimes cannot satisfactorily handle the many threats and burdens. For this reason, leaders are transforming their operating models to obtain a holistic view of the evolving landscape of financial crime. This view becomes the starting point of efficient and effective management of fraud risk.

The evolution of fraud and financial crime

Fraud and financial crime adapt to developments in the domains they plunder. (Most financial institutions draw a distinction between these two types of crimes; for a view on the distinction, or lack thereof, see the sidebar “Financial crime or fraud?”) With the advent of digitization and automation of financial systems, these crimes have become more electronically sophisticated and impersonal.

One series of crimes, the so-called Carbanak attacks beginning in 2013, well illustrates the cyber profile of much of present-day financial crime and fraud. These were malware-based bank

¹ World Economic Forum Annual Meeting, Davos-Klosters, Switzerland, January 23–26, 2018; LexisNexis Risk Solutions 2018 True Cost of Fraud Study, LexisNexis, August 2018, risk.lexisnexis.com.

Financial crime or fraud?

For purposes of detection, interdiction, and prevention, many institutions draw a distinction between fraud and financial crime. Boundaries are blurring, especially since the rise of cyberthreats, which reveal the extent to which criminal activities have become more complex and interrelated. What’s more, the distinction is not based on , and regulators sometimes view it as the result of organizational silos. Nevertheless, financial crime has generally meant money laundering and a few other criminal transgressions, including  and tax , involving the use of  in support of criminal enterprises. It is most often addressed as a compliance issue, as when financial institutions avert fines with anti–money laundering activities. Fraud, on the other hand, generally designates a host of crimes, such as , credit scams, and  threats, involving  of financial personnel or services to commit . Financial institutions have generally approached fraud as a loss problem, lately applying advanced analytics for detection and even real-time interdiction. As the distinction between these three categories of crime has become less relevant, financial institutions need to use many of the same tools to protect assets against all of them.

totaling more than $1 billion. The attackers, an organized criminal group, gained access to systems through phishing and then transferred fraudulently inflated balances to their own accounts or programmed ATMs to dispense cash to waiting accomplices (Exhibit 1).

Significantly, this crime was one simultaneous, coordinated attack against many banks. The attackers exhibited a sophisticated knowledge of the cyber environment and likely understood banking processes, controls, and even vulnerabilities arising from siloed organizations and governance. They also made use of several channels, including ATMs, credit and debit cards, and wire transfers. The attacks revealed that meaningful distinctions among cyberattacks, fraud, and financial crime are disappearing. Banks have not yet addressed these new intersections, which transgress the boundary lines most have erected between the types of crimes (Exhibit 2).

A siloed approach to these interconnected risks is becoming increasingly untenable; clearly, the operating model needs to be rethought.

As banks begin to align operations to the shifting profile of financial crime, they confront the deepening connections between cyber breaches and most types of financial crime. The cyber  is not new, exactly. Until recently, for example, most fraud has been transaction based, with criminals exploiting weaknesses in controls. Banks counter such fraud with relatively straightforward, channel-specific, point-based controls. Lately, however, identity-based fraud has become more prevalent, as fraudsters develop applications to exploit natural or synthetic data. Cyber-enabled attacks are becoming more ambitious in scope and omnipresent, eroding the value of personal information and protections.

Exhibit 1: The new cyber profile of fraud and financial crime is well illustrated by the Carbanak attacks.

1. Spear phishing. An employee in the targeted organization receives an email with the Carbanak backdoor as an attachment.
2. Backdoor executed; credentials stolen. Upon opening the attachment, the employee activates the Carbanak backdoor.
3. Machines infected in search for admin PC. Carbanak searches the network and finds the admin PC; it embeds itself and records behavior.
4. Admin PC identified; clerk screens intercepted. The attacker watches the admin screen to mimic the admin for the bank’s cash-transfer systems.
5. Balances inflated and inflated amount transferred. Attackers alter balances and pocket the extra funds (a $1k account is enlarged to $10k, then $9k is transferred).
6. ATM programmed to dispense cash. Attackers program ATMs to issue cash to waiting accomplices at specific times.
7. Cash moved through channels by wire transfers and e-payments. Attackers use online and e-payments to receiver banks to transfer the extracted funds.

Exhibit 2: Crime pathways are converging, blurring traditional distinctions among cyber breaches, fraud, and financial crimes.

Fraud and insider threats
• Internal and external threats
• Retail and nonretail threats
• Insider threats and misbehavior

Cyber breaches
• Confidentiality
• Integrity
• Systems availability

Financial crimes
• Money laundering
• Bribery and 
•  and tax fraud
• Market 

Example: cyberattack on a bank
1. Bank employee’s SWIFT¹ credentials stolen with the help of 
2. Malware surreptitiously installed on the bank’s computers to prevent  of withdrawals
3. Funds routed from the bank’s account at a branch of another country’s central bank to a third bank (on a weekend to ensure staff absence)
4. Withdrawals were made at the third bank through multiple transactions that were not blocked until too late
5. Attacks may have been linked to a known sanctioned entity

¹ Society for Worldwide Interbank Financial Telecommunication.

In a world where customers infrequently contact bank staff but rather interact almost entirely through digital channels, “digital trust” has fast become a significant differentiator of customer experience. Banks that offer a seamless, secure, and speedy digital interface will see a positive impact on revenue, while those that don’t will erode value and potentially lose business. Modern banking demands faster risk decisions (such as real-time payments), so banks must strike the right balance between managing fraud and handling authorized transactions instantly.

The growing cost of financial crime and fraud risk has also overshot expectations, pushed upward by several drivers. As banks focus tightly on reducing liabilities and efficiency costs, losses in areas such as customer experience, revenue, reputation, and even regulatory compliance are being missed (Exhibit 3).

Bringing together financial crime, fraud, and cyber operations

At leading institutions the push is on to bring together efforts on financial crime, fraud, and cybercrime. Both the front line and back-office operations are oriented in this direction at many banks. Risk functions and regulators are catching on as well. AML, while now mainly addressed as a regulatory issue, is seen as being on the next horizon for integration. Important initial steps for institutions embarking on an integration effort are to define precisely the nature of all related risk-management activities and to clarify the roles and responsibilities across the lines of defense. These steps will ensure complete, clearly delineated coverage—by the businesses and enterprise functions (first line of defense) and by risk, including financial crime, fraud, and cyber operations (second line)—while eliminating duplication of effort.

All risks associated with financial crime involve three kinds of countermeasures: identifying and authenticating the customer, monitoring and detecting transaction and behavioral anomalies, and responding to mitigate risks and issues. Each of these activities, whether taken in response to fraud, cybersecurity breaches or attacks, or other financial crimes, is supported by many similar data and processes. Indeed, bringing these data sources together with analytics materially

Exhibit 3: Banks often focus on only a fraction of total financial-crime, fraud, and cybersecurity costs.

Example of financial-crime, fraud, and cybersecurity costs, $ million (total: 525)

Reimbursements, if any: 50

Regulatory fines and remediation: 150
• Regulatory fines: 100

Indirect costs and foregone revenue: 200
• System unavailable: 40
• Failed : 40
• Transaction decline: 40
• Customer-experience impact/attrition: 40
• Incorrect risk categorization: 40
(Notes: Bank is in second quartile on customer satisfaction for fraud cards. Satisfied customers are twice as likely to spend more on their cards than are unsatisfied customers.)

Direct fraud losses: 50
• Breaches: 16.6
• Fraud losses: 16.6
• Cost of FIU¹: 16.6

Direct and indirect personnel costs: 125
• Cyber: 41.6
• Fraud: 41.6
• Financial crime: 41.6
(Notes: Costs of all three lines of defense. Much of the cost is in the first line. Banks in this region typically spend 20 to 40 basis points of revenue on anti–money laundering.)

The chart marks the bank focus areas among these categories.

¹ Financial intelligence unit.

improves visibility while providing much deeper insight to improve detection capability. In many instances it also enables prevention efforts.

In taking a more holistic view of the underlying processes, banks can streamline business and technology architecture to support a better customer experience, improved risk decision making, and greater cost efficiencies. The organizational structure can then be reconfigured as needed (Exhibit 4).

From collaboration to holistic unification

Three models for addressing financial crime are important for our discussion. They are distinguished by the degree of integration they represent among processes and operations for the different types of crime (Exhibit 5).

Generally speaking, experience shows that organizational and governance design are the main considerations for the development of the operating model. Whatever the particular choice, institutions will need to bring together the right people in agile teams, taking a more holistic approach to common processes and technologies and doubling down on analytics—potentially creating “fusion centers,” to develop more sophisticated solutions. It is entirely feasible that an institution will begin with the collaborative model and gradually move toward greater integration, depending on design decisions. We have seen many banks identify partial integration as their target state, with a view that full AML integration is an aspiration.

Exhibit 4: At their core, all functions perform the same three roles using similar data and processes.

The three roles: Identification (“Who is my customer?”), Monitoring (“What transactions are legitimate?”), and Response (“How do I respond to a threat?”).

Financial crime
• Identification: client risk rating; client due diligence and enhanced due diligence
• Monitoring: transaction monitoring; name screening; payments screening; list management
• Response: suspicious-activity monitoring; financial intelligence unit; do not bank

Fraud
• Identification: identity verification, including digital and nondigital presence; device and voice analytics
• Monitoring: transaction monitoring and decision making
• Response: investigations and resolutions teams

Cybersecurity
• Identification: credentials management
• Monitoring: security-operations center (SOC); forensics
• Response: SOC and network-operations center, which enable monitoring; resolution teams

Synergies across functions
• Identification: risk scoring of customers using common and similar customer data, such as financials, digital footprint, and nondigital records
• Monitoring: risk scoring of transactions using similar analytics and common use cases based on timing, destination, source, value and frequency, device, and geolocation
• Response: common feedback loop to develop a holistic view on modus operandi and drive top-down use-case development; pooling of resources, capabilities, and intelligence

1. Collaborative model. In this model, which for most banks represents the status quo, each of the domains—financial crime, fraud, and cybersecurity—maintains its independent roles, responsibilities, and reporting. Each unit builds its own independent framework, cooperating on risk taxonomy and data and analytics for transaction monitoring, fraud, and breaches. The approach is familiar to regulators, but offers banks little of the transparency needed to develop a holistic view of financial-crime risk. In addition, the collaborative model often leads to coverage gaps or overlaps among the separate groups and fails to achieve the benefits of scale that come with greater functional integration. The model’s reliance on smaller, discrete units also means banks will be less able to attract top leadership talent.

2. Partially integrated model for cybersecurity and fraud. Many institutions are now working toward this model, in which cybersecurity and fraud are partially integrated as the second line of defense. Each unit maintains independence in this model but works from a consistent framework and taxonomy, following mutually accepted rules and responsibilities. Thus a consistent architecture for prevention (such as for customer authentication) is adopted, risk-identification and assessment processes (including taxonomies) are shared, and similar interdiction processes are deployed. Deeper integral advantages prevail, including consistency in threat monitoring and detection and lower risk of gaps and overlap. The approach remains, however, consistent with the existing organizational structure and little disrupts current operations. Consequently, transparency is not increased, since separate reporting is maintained. No benefits of scale accrue, and with smaller operational units still in place, the model is less attractive to top talent.

3. Unified model. In this fully integrated approach, the financial crimes, fraud, and cybersecurity operations are consolidated into a single

Exhibit 5: The three models address financial crime with progressively greater levels of operational integration.

Traditional: collaboration
• Model features: independent reporting, roles, and responsibilities for each type of financial crime; independent framework built by each unit
• Pluses and minuses: least disruptive, maintains the status quo; regulators most familiar with the model; less visibility into overall financial-crime risk; potential gaps and overlap among groups; no scale benefits; smaller units less able to attract top talent

Ongoing: partial integration¹
• Model features: each financial-crime unit maintains independence but uses a consistent framework and taxonomy with agreed-upon rules and responsibilities: fraud and cybersecurity join on prevention (eg, on customer authentication); consistent processes for risk identification and assessment; similar processes (eg, interdiction)
• Pluses and minuses: more unified approach with lower risk of gaps/overlaps; consistent organizational structure with status quo; limited disruption from current state; maintains separate reporting and does not increase transparency; no scale benefits; smaller units less able to attract top talent

Future: complete integration
• Model features: consolidated unit under a single framework using common assets and systems to manage risks: single view of the customer; shared analytics
• Pluses and minuses: underlying risks are converging; enhanced ability to attract and retain talent; standard and common framework on what is being done; benefits of scale across key roles; largest organizational change; while converging, risks remain differentiated; regulators are less familiar with setup

Banks have begun by closely integrating cybersecurity and fraud while stopping short of a fully integrated unit.

¹ Mainly cybersecurity and fraud.

framework, with common assets and systems used to manage risk across the enterprise. The model has a single view of the customer and shares analytics. Through risk convergence, enterprise-wide transparency on threats is enhanced, better revealing the most important underlying risks. The unified model also captures benefits of scale across key roles and thereby enhances the bank’s ability to attract and retain top talent. The disadvantages of this model are that it entails significant organizational change, making bank operations less familiar to regulators. And even with the organizational change and risk convergence, risks remain differentiated.

The imperative of integration

The integration of fraud and cybersecurity operations is an imperative step now, since the crimes themselves are already deeply interrelated. The enhanced data and analytics capabilities that integration enables are now essential tools for the prevention, detection, and mitigation of threats.

Most forward-thinking institutions are working toward such integration, creating in stages a more unified model across the domains, based on common processes, tools, and analytics. AML activities can also be integrated, but at a slower pace, with focus on specific overlapping areas first.

The starting point for most banks has been the collaborative model, with cooperation across silos. Some banks are now shifting from this model to one that integrates cybersecurity and fraud. In the next horizon, a completely integrated model enables comprehensive treatment of cybersecurity and financial crime, including AML. By degrees, however, increased integration can improve the quality of risk management, as it enhances core effectiveness and efficiency in all channels, markets, and lines of business.

Strategic prevention: Threats, prediction, and controls

The idea behind strategic prevention is to predict risk rather than just react to it. To predict where threats will appear, banks need to redesign customer and internal operations and processes based on a continuous assessment of actual cases of fraud, financial crime, and cyberthreats. A view of these  is developed according to the customer journey. Controls are designed holistically, around processes rather than points. The approach can significantly improve protection of the bank and its customers (Exhibit 6).

Exhibit 6: With a ‘customer journey’ view of fraud, banks can design controls with the greatest impact.

Potential fraud attacks in a customer journey, retail-banking example

Customer-initiated actions
• Open an account: customer opens a new account or adds another account through online, mobile, branch, or ATM
• Change account: customer updates existing account, eg, adding a beneficiary or changing address
• Make a payment: customer pays self or third party through wire, credit or debit card, or online transaction channels
• Make a deposit: customer makes a transfer or deposit into their account

Attack channel: ATM
• Open an account: synthetic ID; employee-generated account; malware
• Change account: malware
• Make a payment: card skimming or trapping; fake PIN pad; cash trapping; shoulder surfing; duplicate card; malware; transaction reversal
• Make a deposit: money laundering or terror financing; malware (balance multiplier)

Attack channel: Cards and e-commerce
• Change account: account takeover; address change; secondary card; malware
• Make a payment: card-not-present fraud; card skimming; malware; cyberattack

Attack channel: E-banking and wire
• Change account: addition of false beneficiary; account takeover; malware
• Make a payment: cyberattack; malware; employee-driven transaction

Attack channel: Branch
• Change account: account takeover
• Other stages: n/a

To arrive at a realistic view of these transgressions, institutions need to think like the criminals. Crime takes advantage of a system’s weak points. Current cybercrime and fraud defenses are focused on point controls or silos but are not based on an understanding of how criminals actually behave. For example, if banks improve defenses around technology, crime will migrate elsewhere—to call centers, branches, or customers. By adopting this mind-set, banks will be able to trace the migratory flow of crime, looking at particular transgressions or types of crime from inception to execution and exfiltration, mapping all the possibilities. By designing controls around this principle, banks are forced to bring together disciplines (such as authentication and voice-stress analysis), which improves both efficacy and effectiveness.

Efficiencies of scale and processes

The integrated fraud and cyber-risk functions can improve threat prediction and detection while eliminating duplication of effort and resources. Roles and responsibilities can be clarified so that no gaps are left between functions or within the second line of defense as a whole. Consistent methodologies and processes (including risk taxonomy and risk identification) can be directed toward building understanding and  of risks. Integrating operational processes and continuously updating risk scores allow institutions to dynamically update their view on the riskiness of clients and transactions .

Data, automation, and analytics

Through integration, the anti-fraud potential of the bank’s data, automation, and analytics can be more fully realized. By integrating the data of separate functions, both from internal and external sources, banks can enhance customer identification and verification. Artificial intelligence and machine learning can also better enable  when supported by aggregate sources of information. Insights can be produced rapidly—to establish, for example, correlations between credential attacks, the probability of account takeovers, and criminal money movements. By overlaying such insights onto their rules-based solutions, banks can reduce the rates of false positives in detection algorithms. This lowers costs and helps investigators stay focused on actual incidents.

The aggregation of customer information that comes from the closer collaboration of the groups addressing financial crime, fraud, and cybersecurity will generally heighten the power of the institution’s analytic and detection capabilities. For example, real-time risk scoring and transaction monitoring to detect transaction fraud can accordingly be deployed to greater effect. This is one of several improvements that will enhance regulatory preparedness by preventing potential regulatory breaches.

The customer experience and digital trust

The integrated approach to fraud risk can also result in an optimized customer experience. Obviously, meaningful improvements in customer satisfaction help shape customer behavior and enhance business outcomes. In the context of the risk operating model, objectives here include the segmentation of fraud and security controls according to customer experience and needs as well as the use of automation and digitization to enhance the customer journey. Survey after survey has affirmed that banks are held in high regard by their customers for performing well on fraud.

Unified risk management for fraud, financial crime, and cyberthreats thus fosters digital trust, a concept that is taking shape as a customer differentiator for banks. Security is clearly at the heart of this concept and is its most important ingredient. However, such factors as convenience, transparency, and control are also important components of digital trust. The weight customers assign to these attributes varies by segment, but very often such advantages as hassle-free authentication or the quick resolution of disputes are indispensable builders of digital trust.

The target fraud-risk operating model: Key questions for banks

In designing their target risk operating model for financial crimes, fraud, and cybersecurity, leading banks are probing the following questions.

—— Processes and activities
• What are the key processes or activities to be conducted for customer identification and authentication, monitoring and detection of anomalies, and responding to risks or issues?
• How frequently should specific activities be conducted (such as reporting)?
• What activities can be consolidated into a “center of excellence”?

—— People and organization
• Who are the relevant stakeholders in each line of defense?
• What skills and how many people are needed to support the activities?
• What shared activities should be housed together (for example, in centers of excellence)?

—— Governance
• What is the optimal reporting structure for each type of financial crime—directly to the chief risk officer? To the chief operations officer? To IT?
• What are the governance bodies for each risk type? How do they overlap? For example, does the same committee oversee fraud and cybersecurity? Does committee membership overlap?
• What are the specific, separate responsibilities of the first and second lines of defense?
• What measurements are used to set the risk appetite by risk type? How are they communicated to the rest of the organization?

—— Data, tools, and technologies
• What data should be shared across cybersecurity, fraud, and other financial-crime divisions? Can the data sit in the same data warehouses to ensure consistency and streamlining of data activities?
• What tools and frameworks should converge (for example, risk-severity matrix, risk-identification rules, taxonomy)? How should they converge?
• What systems and applications do each of the divisions use? Can they be streamlined?

A holistic view

The objective of the transformed operating model is a holistic view of the evolving landscape of financial crime. This is the necessary standpoint of efficient and effective fraud-risk management, emphasizing the importance of independent oversight and challenge through duties clearly delineated in the three lines of defense. Ultimately, institutions will have to integrate business, operations, security, and risk teams for efficient intelligence sharing and collaborative responses to threats.

How to proceed?

When banks design their journeys toward a unified operating model for financial crime, fraud, and cybersecurity, they must probe questions about processes and activities, people and organization, data and technology, and governance (see sidebar “The target fraud-risk operating model: Key questions for banks”).

Most banks begin the journey by closely integrating their cybersecurity and fraud units. As they enhance

information sharing and coordination across silos, greater risk effectiveness and efficiency become possible. To achieve the target state they seek, banks are redefining organizational “lines and boxes” and, even more important, the roles, responsibilities, activities, and capabilities required across each line of defense.

Most have stopped short of fully unifying the risk functions relating to financial crimes, though a few have attained a deeper integration. A leading US bank set up a holistic “center of excellence” to enable end-to-end decision making across fraud and cybersecurity. From prevention to investigation and recovery, the bank can point to significant efficiency gains. A global universal bank has gone all the way, combining all operations related to financial crimes, including fraud and AML, into a single global utility. The bank has attained a more holistic view of customer risk and reduced operating costs by approximately $100 million.

As criminal transgressions in the financial-services sector become more sophisticated and break through traditional risk boundaries, banks are watching their various risk functions become more costly and less effective. Leaders are therefore rethinking their approaches to take advantage of the synergies available in integration. Ultimately, fraud, cybersecurity, and AML can be consolidated under a holistic approach based on the same data and processes. Most of the benefits are available in the near term, however, through the integration of fraud and cyber operations.

Salim Hasham is a partner in McKinsey’s New York office, where Shoan Joshi is a senior expert; Daniel Mikkelsen is a senior partner in the London office.

Designed by Global Editorial Services. Copyright © 2019 McKinsey & Company. All rights reserved.
