id theft following: easily lost or stolen, expensive and difficult to deploy. In an attempt to address these issues, Swivel has developed a new method of authentication which Meredith claims is a completely new approach. Designed to counter the keyboard sniffing type programmes, Swivel’s solution eliminates the need to use numeric keys to type in a four digit PIN. It is able to do this through a special user interface that has been developed which is a horizontal line of numbers from one through nine to 0. As each number in the line illuminates the user hits the spacebar or clicks the mouse to select the four digits of his PIN. After it is entered the PIN is converted into a one-time-code (OTC) before it is transmitted back to the server which means if it is intercepted during the transmission process it is worthless as it cannot be later reused. For even greater protection from being monitored Swivel has a more advanced ‘dual-channel’ system that uses the
mobile phone to generate the OTC and the Internet to connect back to the server, meaning that anybody wanting to steal the ID would need to monitor all cellular network traffic and all Internet traffic to have even a remote chance of collecting all the elements of the ID required. In the case of applications for financial loans, credit bureaus like Experian use systems that compare application data with historical data held on a database to identify anomalies. However, technology alone is never going to solve this problem because no technology can take account of a dishonest employee. To combat this, Detica strongly recommends that organizations examine the potential for insider fraud and insider identity theft, and said that there are now some sophisticated tools available that can monitor and detect anomalies in employees' behaviour. This sort of software takes log data from relevant company systems, puts it into a historical data warehouse and then analyses patterns of employee behaviour over periods of time. “The thing about insider identity theft is that it's usually quite subtle. The person is in a position of power, if you're working in a bank for example you have access to lots of identities so you can steal a large number over a long period of time. Those people tend to do that quite subtly so you have to be quite subtle in the way that you try and detect it,” said Sutherland. What’s more, an insider knows the organization’s processes and systems and is in a position to take their time to work out ways around them. “Organized crime have cottoned on to the value of stealing identities and will often work in collaboration with somebody inside an organization. They will bribe or pay somebody working inside the organization to sell them stolen identities. A very senior police officer recently told me that the reason organized crime is getting into this is that they see they can make massive gains for very little risk,” said Detica’s Porter.
As Regulators Assess Risks, the Industry needs to take Responsibility
Don Temple, Bank Secrecy Act and Anti-Money Laundering Expert, Mantas
For the financial services industry, the results of the 11 September tragedy have been personal and professional, and the professional impact includes a series of new compliance requirements combined with the perception of an increased level of attention to these issues from elected officials, regulators, and the public. At the same time, US corporate financial scandals are now front-page news. The term “money laundering” comes up in coverage of the collapse of the energy firm Enron as often as it does in coverage of Al Qaeda. Some US columnists are suggesting that individual investors who lost money during the market turmoil of the last few years are considering legal action and news reports suggest that a number have. So even in areas where the regulations haven’t changed and may not change, the industry is seeing an increased level of focus from regulators and the public. Compliance is also a global issue. While the USA PATRIOT Act impacts any covered firm seeking to do business in the US, global firms are also facing new regulations around the world, stemming from the decisions of individual countries as well as international initiatives such as the promotion of the Basel Committee on Banking Supervision’s customer due diligence for banks report. This calls for the implementation of strong "Know Your Customer" policies which is most closely associated with the fight against money laundering, and is essentially the province of the Financial Action Task Force. In addition, pending changes to the Basel Capital Accord, which establishes international capital requirements and
updates the rules to reflect each institution’s credit and operational risk profiles, financial institutions will need to manage and provide the best definition they can of their credit and operational risk in order to guide their capital requirements. The more sophisticated and comprehensive their approach, the lower their capital requirements will be. Broker-dealers, banks, insurance companies, money transfer/payment agencies, in short every financial services firm across the globe, has doubtlessly spent a lot of time this year evaluating these changes and this heightened level of scrutiny. I’d be surprised to find any financial services firm that lacks a compliance program, but of course, the issue confronted by each firm was whether its existing program is good enough for new regulations, new levels of oversight, and the firm’s own desire and conviction to do the right thing. And of course, the costs of non-compliance increased along with new regulations and higher scrutiny. Today, mounting fines are only part of the story as compliance becomes increasingly associated with law enforcement.
The future direction of regulation
There is a clear and common direction among regulators in Europe and the US toward providing regulated entities with strong incentives for using best practices in their own compliance programs. This relatively new approach to regulation offers financial services firms an opportunity to demonstrate their own management control, as well as calling on them to take that responsibility. Instead of simply requiring firms to comply with specific regulations — and taking upon themselves the full burden for ensuring that compliance — regulators are calling on businesses to put in place the best compliance systems they can with the offer that the level of regulatory oversight and review and the resulting firm responsibilities and
processes will depend to some extent on the quality of the firm's own internal controls. In the case of the proposed revisions to the Basel Capital Accord, firms can actually earn a lower capital requirement by implementing sophisticated and comprehensive internal systems for risk management. This trend does not and should not in any way be taken to imply that regulators take their role any less seriously. In fact, regulators have made clear through specific regulatory action that they are prioritizing their activity and paying close attention to issues such as the implementation of anti-money laundering programs. For example, in December, the Financial Services Authority (FSA) fined the Royal Bank of Scotland (RBS) for failing to comply with anti-money laundering regulations. The Times described the RBS penalty of 750 000 GBP as “less important than the embarrassment that it causes to the bank”. The FSA released an official statement that left no doubt that it intended to send a loud and clear message to the industry that the FSA will be scrutinizing how firms comply with these new regulations and any shortcomings will be dealt with strongly — and publicly. “We have made clear that we expect all financial firms to have strong and effective anti-money laundering procedures in place and — equally importantly — to ensure that they are properly implemented,” the statement read in part. “This requires firms to monitor the effectiveness of those procedures to ensure an appropriate standard of compliance. Firms that fail to do this lay themselves open to increased risks of being used for money laundering.” In the US, an official of the US Securities and Exchange Commission (SEC) recently explained that the SEC will increasingly look to industry internal controls to help the agency meet its statutory responsibilities for oversight of Investment Advisors and Investment Companies using limited resources. In a speech last autumn, Lori Richards, the
Director of the SEC's Office of Compliance Inspections and Examinations, noted that many advisers have implemented internal controls and compliance systems that include the increased use of automation. Richards said that the OCIE is replacing its previous "one size fits all" policy with a new approach that uses a risk-based profile to establish inspection schedules and that also incorporates advisers' risk management and internal control systems into the inspection process. "Our whole approach here is to rely on sound controls to a more significant extent, and to incentivise firms to create, implement and demonstrate sound controls," Richards explained. In the UK, the FSA's new regulatory regime, outlined in 2000, said that it seeks to "[create] incentives for firms to manage their own risks better and thereby reduce the burden of regulation." Toward that end, the FSA established a new division called the Risk Assessment Division. Perhaps the clearest sign of the strength of this approach, its international appeal, and the potential benefits to firms for not just accepting but truly embracing the call to emphasize their own internal controls are the proposed changes to the Basel Capital Accord. This new approach, which is scheduled to take effect beginning in 2006, is designed to incentivise firms to implement sophisticated and comprehensive tools to measure credit and operational risk. Firms that can demonstrate that they have strong internal systems for measurement and control in place will be rewarded with a lower capital requirement and in turn, the ability to use more of the capital they have to generate additional revenues.
How firms are proceeding?
As a result of new regulations combined with new approaches, new focus, and new scrutiny applied to existing regulations, the industry has heard the call to examine its own policies and
procedures. Many firms spent a good part of 2002 evaluating their existing compliance and risk-management systems, often finding that they didn’t fit the bill. Many firms, for example, were using manual processes to look for evidence of money laundering. But a manual process forces analysts to spend all their time compiling information and scanning mountains of paper. In addition, the sheer volume of information means that any manual system can only look at a sample percentage of customer and account activity (normally less than 3% of the transactions) identified as high risk. The result is that analysts have little time for analysis, and firms are vulnerable both to human error and, because they’ve reviewed such a small amount of activity, vulnerable to the inability to detect the majority of suspicious transactions that occur in their data. In contrast, automated systems can be designed and programmed to hunt for a range of issues and support effective investigations. Technology enables firms to provide 100% coverage of all activities and the system has a perfect memory so that events and accounts can be tracked and compared against other records, as opposed to relying on human memory to examine and recall millions of records. While some larger, global firms made a decision this year to implement new compliance monitoring systems, drawing on the new technology that is available, a number of other firms are still evaluating their needs and analyzing the different resources available to them. Over the course of the last year, I have talked with compliance officers from large and small institutions in the US, the European Union, and elsewhere. In addition to their focus on money laundering and terrorist financing, these officials are even more concerned about protecting the reputation of their institutions. I have advised them to carefully consider compliance needs and implement a system that is comprehensive, flexible, intelligent and efficient.
During my two-dozen plus years in the field, tracking the bad guys, financial institutions were using mostly low-tech and home-grown tools to detect money laundering. Money launderers continually developed new methods to launder funds, looked for unregulated institutions and became increasingly more patient. As a result, the firms were increasingly under attack and unable to meet the crooks head on with strong and effective measures. One of the ways this was shown was in the decline in the quality of suspicious transaction reports filed by these institutions. I am confident that if I had been able to use the kind of technology available today to look for money laundering then, I would have been able to catch a lot more criminals and prevent a lot more money laundering. The fact is, today's technology gives firms the ability to detect a lot of suspicious behavior that may indicate someone is trying to hide a money trail. The volume of business that goes through any firm today and the complexity and continual evolution of the schemes used by these criminals mean technology is crucial to any effective compliance system. Of course, not all automated systems are alike. The system must be comprehensive enough to analyze everything, including such seemingly simple but hard-to-find issues as hidden account relationships or combinations of wire transfers structured to avoid detection. The system has to be flexible, because regulations change, and fraud and money laundering schemes change even faster. The system also has to be intelligent enough to focus on what’s important to a particular financial institution and, because any IT investment has to earn its keep, it should also provide value to positive business activities. Finally, the system has to be efficient enough to focus the attention of compliance officers and business people on the most important issues, whether it's compliance alerts or business objectives.
As firms prepare to select and implement a new compliance system, there’s a challenge common to any firm that has a variety of information technology systems — as most firms in the industry have. In order to integrate these different systems and different data formats into any platform, the systems and the data need to be prepared. This is a big challenge but it’s one firms will face in order to implement any kind of comprehensive and effective compliance system. This challenge is also one of the reasons why firms should – and do – take this decision seriously. It’s also a good reason to look for a solution that has been tested and one that’s being implemented by a firm with a solid track record.
Conclusion: the most important part of the compliance solution
Clearly, I believe technology is a crucial part of the compliance process. But it's certainly not the entire answer. As a former law enforcement official, I firmly believe that financial institutions need to combine the right technology with the necessary internal process and commitments from the highest corporate levels to do the right thing. Taken together, these pieces can and will dramatically enhance our ability to guard against fraud, money laundering, terrorist financing, and other abuses. In turn, firms can develop total solutions that will support and protect not only compliance efforts, but also customer relationships, shareholder confidence, corporate integrity, and system efficiencies. In the year ahead, policymakers and regulators will be looking more closely at what systems have been put in place in response to new laws, regulations, and public pressure. Firms will have the opportunity to demonstrate the effort with which they met this challenge and answer the call to better serve their customers and investors, thereby meeting their own business objectives.