- Email: [email protected]
BASEL II: Heralding the Rise of Operational Risk
basel ii international bank. Qualified as an engineer, penetration tester and forensic analyst, he is now in charge of a small team at putting in to practice many of the views expressed in these articles.
References 1Government, or Law Enforcement,
access to plain text of encrypted data and /or the encryption keys themselves. 2As in robot woman on end of telephone, “this call may be monitored for training and security purposes.”
3Never mind more malicious html such
as 1-pixel resized, and therefore unnoticed by even the most alert user, pornographic, or worse still, jpegs! 4Nowadays, it just comes back with a HTTP 403 (Forbidden) error.The dot com is blocked by our corporate filter under “Sex”, so probably hasn’t changed much! 5The UK Employment Equality Act 1998, states that an employee is entitled not to be discriminated or harassed in the course of their employment on the
BASEL II: Heralding the Rise of Operational Risk David Porter, Head of Financial Services Risk, Detica
Basel II - a growing concern The media coverage around the Basel II Accord is steadily growing, as financial institutions engage seriously with the details of compliance. Basel II is one of the biggest financial shake-ups in recent times, which will eventually lead to new rules and regulations for banking globally. Banks will need to have their processes and systems in place by the start of 2007, which is when the Basel Committee on Banking Supervision plans to implement the Accord. The purpose of Basel II is to ensure that financial institutions manage risk so that they have the capital to cover exposure to debt. Basel II will be regulated by the FSA in the UK and through CAD-3 on a European basis. Banks will have to carry out a fundamental review and overhaul of their processes and systems in order to achieve compliance. Technology will be at the core of their strategies to meet Basel II requirements. Estimates of the investment needed to comply with the new Accord vary widely, with little consensus evident currently. What does seem certain is that significant technology investment will be required, amounting to hundreds of millions of pounds in the UK financial services industry alone.
The rise of operational risk It is interesting how the management of Basel II programmes has fallen mainly into the hands of those in charge of operational risk who are now receiving full backing from top management. This perhaps reflects the desire by banks to get a stronger grip on operational risk, credit risk being a more mature modelling discipline. Indeed, operational risk appears to be entering a golden age. Its profile has been raised — "We must get a key risk indicator (KRI) for this" and similar risk vocabulary is now being used at board level — and greater awareness is starting to trickle downwards through the corporate culture. Basel II is enabling those involved in risk to finally get risk management to permeate corporate culture and decision-making
grounds of gender, marital and family status, sexual orientation, religion, age, disability, membership of the travelling community and race. Harassment is defined as including, "the circulation of written words, pictures or other material which a person may reasonably regard as offensive" 6The draft IC guidance mandates this as one of their benchmarks. 7Oh, and in case this is news to anyone, some sales people are known to stretch the truth.
processes. What was always viewed as "nice to have but we can't afford it right now" is no longer the case. The goal of 'designing-out' risk, whenever any new product, process or system is developed, is becoming a realistic proposition. Those who work in risk are no longer seen as a nuisance factor or pointing the finger. Instead, they are increasingly viewed in meetings as being there to help and are becoming the glue that is bringing together formerly disparate islands of decision-making and data storage.
Programme management and cultural shift Basel II is more than just a very large project. Like CRM, it is a complex business change programme, comprising a series of inter-dependent projects that need to be orchestrated effectively. A programme must be structured and managed using best practice principles and techniques in order to ensure that it delivers successfully, i.e. on time, within budget and to the right quality. Basel II should be viewed in conjunction with all other programmes, be they compliance-driven, marketing-driven or otherwise. It may be possible to combine different programmes, or sub-elements of programmes, into one programme. One example is the overlap between Basel II and International Accounting Standards (IAS). Another is the potential overlap with tactical anti-money laundering and anti-fraud initiatives. 9
basel ii At Detica, as part of our own Basel II development programme, we recently commissioned independent research into the current state of play in the UK banking industry regarding Basel II readiness. Most of the Basel II programme managers we engaged were primarily senior risk executives with an operational risk background. There was no evidence to suggest that they had consulted with programme managers in other areas, such as CRM, for advice on best practice, leading techniques and methods, and lessons learned in the management of complex change programmes. One area, however, where Basel II programme managers do appear to be "getting it right" is in adopting a processtechnology-people approach. In other words, get the processes and controls right from a Basel II perspective and follow this up with technical and organizational development initiatives. This contrasts significantly with CRM programmes, where the emphasis was very much technologydriven with processes and people playing catch-up. While a high percentage of senior management has given Basel II programmes strong backing, the remainder will be harder work to convince and the cultural shift required is far from achieved. Staff will also need to be sold on the concept of "risk management in everything we do". The favoured approach from respondents is to emphasise that this is not a case of making anyone look particularly good or bad, it is simply a matter of acknowledging risk and managing it. Respondents are also trying to remove the blame culture, emphasising that risk is not the employee's but the bank's. Already staff induction programmes are being revised to incorporate more emphasis on operational and security risk awareness.
Auditing and fixing the data When asked how far they had progressed in undertaking a 'data readiness audit', almost half of the respondents stated that they had either not started or were less than halfway there, and 8% simply did not know. Tier one banks — the larger 10
clearing and investment banks — were in better shape, but even here over one third had either not started or were less than halfway there.
Banks will be required to provide an audit trail of all risk calculations back to the source systems. Under the current Basel II timeline, banks wishing to move towards the advanced IRB approach will need to begin capturing two years of history from the outset of 2005. This places banks under significant time pressure to resolve data quality issues now, to ensure that they can begin building their Basel II data store on clean, consistent data. A key issue is disclosure. Previously, a bank's own risk measurements were for internal use only, but under Basel II a bank's risk data will be published externally and will, therefore, demand a rigour similar to that expected for financial accounts reporting. For the first time, banks will be required to provide an audit trail of all risk calculations back to the source systems from which the original data was derived. As a result, data quality has suddenly become mission critical for all the major banks. The first challenge will be to actually understand the scale of the problem and establish what steps are required by when, in order to move a bank towards meeting the Basel II timeline. Banks should strive to make data quality assurance a good habit, adopted throughout the organization. It will not be enough to simply review data output: instead, data quality should be designed-in to data input processes from the outset, to prevent the problems from recurring in the future. Getting data quality right for Basel II is non-negotiable, but the benefits will be felt far beyond the Basel II programme and will provide a firm foundation for decision-making across all areas in the organization.
Getting to grips with the data architecture There is an element of confusion amongst Basel II programme managers regarding data warehouse architecture and whether a Basel II data warehouse should be separate to, or form part of, existing data warehouse infrastructure. The construction of a historical data store is a key IT initiative that must be pursued as a priority within Basel II programmes. This will collect up to three years of operational risk data and up to seven years of credit risk data and will act as a stepping-stone towards a 'single customer view' for managing risk at an individual customer level. The implication of the current Basel II timeline is that banks should have this historical data store ready for operation by the end of 2004. However, given the tight delivery schedule and the fact that the final version of the Accord will not be published until the end of this year, adopting a conventional "Analyse Requirements — Design — Build" approach is not a viable proposition. Beginning development work now will not only break the deadlock but also improve a bank's understanding of data quality when refining and agreeing the logical data model. Banks will need to adopt a method of fast-tracking physical data warehouse development work in parallel with ongoing requirements analysis and logical data modelling. This approach should integrate and re-model existing data warehouse infrastructure, thereby providing an opportunity to make considerable savings in time, cost and resources.
Practical mitigation of financial crime, disaster and security Much of Basel II compliance centres on constructing engines for calculating and predicting different forms of risk. Respondents confirmed that operational
basel ii risk is proving difficult to define, model and predict. There is an ongoing tension between solving the problem with mathematics and adopting more qualitative approaches. The general consensus is that operational risk is something that happens as soon as the doors open, and affects every financial institution and indeed organizations across all industry sectors. Events that do not occur very frequently but, when they do, have a substantial impact either in terms of financial loss or reputational damage, can be hard to predict. Measurement of the risk associated with these events often happens after they have taken place and the damage has been done. Financial crime, i.e. anything ranging from abuse and theft through to fraud and money laundering, and areas such as disaster recovery and general security, are particular areas of focus. They were described by one respondent as "the more interesting side of operational risk management". In the case of financial crime, a number of respondents are mitigating against these kinds of risks occurring in the first place by developing proactive event detection systems. These take in large volumes of operational data (e.g. financial transactions) and, on the basis of an underlying model of potentially risky or suspicious behaviour, look for tell-tale patterns in the data and so identify cases worthy of further investigation. Significantly, such systems are now being targeted at the insider threat by analysing audit trails generated by the electronic systems encountered by staff and management. In the case of disaster recovery and general security, we are seeing a revival in business impact analysis and business continuity planning, spurred on in recent years by the September 11th terrorist attacks and high profile corporate accounting, fraud and money laundering scandals.
Outsourcing: a potential blind spot Detica's research also identified a widespread lack of concern within UK banks about the potential operational risks
related to the outsourcing of business functions, such as contact centres and software development. 46% — almost half of the respondents — stated that outsourcing is definitely not an element of potential operational risk which worries them. Just 26% of those interviewed felt any concern about possible vulnerability from handing key functions over to external third parties. This is a significant potential blind spot for UK banks, as a sound grasp of risk issues in relation to a bank's operations is critical in setting up and executing an effective Basel II programme. Interestingly, outsourcing seems to have remained below the radar as a risk area, even as the number of outsourcing contracts in the financial sector has risen sharply. The fact that the Financial Services Authority recently stated that it regards outsourcing as a specific area of operational risk, shows that concern is rising. It is critical that banks protect themselves and their customers by running thorough checks on outsourcing companies, and by having clear policies and procedures in place to ensure that all activity is closely monitored. This is particularly important for Basel II compliance, where banks not showing due diligence over outsourcing will struggle to gain accreditation.
Outsourcing simply relocates the insider fraud threat, with the insiders now being located on the outside. The trend toward business process outsourcing also brings an added twist to the fast-growing issue of insider fraud. Whilst outsourcing may appear, on the outside, to offer a solution to the practice of insider fraud, it can also introduce its own set of threats. The adage that fraud is like a balloon — squeeze it in one place and it bulges out in another — is very relevant here. Outsourcing simply re-locates the insider fraud threat, with the insiders now being located on the outside.
A recently observed fraud trend related to the growth of outsourcing, is the infiltration of West African organized crime cells into financial institutions in the UK and a consequent proliferation of insider fraud schemes. Criminals are placed inside banks and financial institutions in positions where they have access to sensitive customer information. Call centres and help desks, often staffed by temporary workers contracted from agencies, are particular targets. The criminals are also identifying and corrupting existing bank workers, in order to learn about banks' security procedures and obtain customer data. Clearly, this is an area which needs to be taken seriously.
Missing a trick? Re-using CRM infrastructure to address risk When looking at how to address Basel II compliance cost-effectively, the research shows that most respondents are not taking advantage of, or are even unaware of, the cost, resource and time savings to be made by exploiting existing CRM infrastructure in order to meet the Basel II Accord. One third of respondents to the Detica research survey were unable to answer the question: "What is the extent to which the existing CRM technical infrastructure can be re-used or extended for Basel II?" Only 18% said that CRM technology could be used to mine and analyse the data held within the data warehouse. There is a lot of overlap between the techniques, skills and technologies used for CRM, and those used for Basel II compliance. Both involve substantial amounts of data integration and analytics based on a single view of the customer. The single customer view has for many years been a "holy grail" for banking technologists. Risk analysis and customer segmentation for marketing purposes are just two sides of the same coin but most organizations have yet to realise the benefits and cost savings to be gained by creating a common 11
computer crime investigation foundation for both subjects. The historical disconnect between risk and marketing is certainly a factor here. At the end of the day, the goal should be to have a single source of data and understand what happens to that data as it moves through the bank, whether it is a financial reporting process, risk reporting or a customer relationship management process. Implementing the single customer view is one of the biggest contributions that CRM can make to the Basel II effort. This includes: • Providing a single current and historical view of each individual customer's profile and complete product portfolio • Creating the same view for every household or demographic segment • Detecting, storing and tracking customer events, i.e. key changes in a customer's behaviour or position within a product lifecycle. This provides a far more useful input into analytical engines than purely "static" data
• Providing reporting and analytical tools to support common needs ranging from regular reporting and ad-hoc exploration of customer data to detailed modelling of customer behaviour • Linking analytics back to the operational environment in the form of customer treatment strategies (which translate into risk treatment strategies for Basel II)
The calm before the storm? Although Detica's research study highlighted a number of areas for potential concern, many of them technologyrelated, the overall results were generally positive. This probably reflects the timing of the study, taking place as it did in the relatively quiet period between the conclusion of QIS3 (December 2002) and the publication of CP3 (May 2003). Most financial
Arson, Archaeology, and Computer Crime Investigation
institutions, certainly the leading ones, have set up a Basel II programme, appointed a qualified leader and given full backing from senior management. However, it is still relatively early days for Basel II programmes and in-depth IT development has yet to start for many banks. It will be interesting to witness the response from banks' IT departments once the final specifications are presented to them later this year. As one respondent from a Tier 1 bank remarked: "Achieving one hundred per cent linkage of data? Is that Nirvana?"
Author contact details [email protected] The Basel II survey was conducted by Metrica Research on behalf of Detica to ascertain the current situation at 55 UK banks. Interviews were conducted in early 2003. For a copy of the research report, Basel II: please contact Lucy Bartley by email: [email protected]
Crimes of this kind [arson] are usually carried out to leave few, if any, direct clues, and proof of criminality is far from easy to establish by circumstantial evidence1.
an arson crime scene or archaeological dig. Most essentially, in all cases, people are responsible for the actions that left clues behind. Additionally, as noted in the opening quotation, we are dealing with evidence that has deteriorated significantly. An arson investigator’s task is to recover fragmentary evidence and use it to determine what occurred. Archaeologists perform similar types of analysis, studying excavated artefacts to ascertain when and where they initially existed and synthesizing the results to gain insight into the original context.
At a time when there is competition to computer crime investigation, it may come as a surprise to find an article referencing the distant past. However, when even basic grammar is disregarded (using the noun computer as an adjective and the adjective forensic as a noun) there is a clear need to revisit our secondary school textbooks. Wit aside,
Like a detective, the archaeologist searches for clues in order to discover and reconstruct something that happened. Like the detective, the archaeologist finds no clues too small or insignificant. And like the detective, the archaeologist must usually work with fragmentary and often confusing information. Finally, the detective and the archaeologist have as their goal the comple-
Eoghan Casey
12
create new terms for different aspects of it is useful to examine well-established disciplines, such as arson investigation and archaeology, to gain insight into the problems we face today in computer crime investigations. Although computer crime is a new development, there are many similarities between a computer that contains evidence and
References 1Government, or Law Enforcement,
access to plain text of encrypted data and /or the encryption keys themselves. 2As in robot woman on end of telephone, “this call may be monitored for training and security purposes.”
3Never mind more malicious html such
as 1-pixel resized, and therefore unnoticed by even the most alert user, pornographic, or worse still, jpegs! 4Nowadays, it just comes back with a HTTP 403 (Forbidden) error.The dot com is blocked by our corporate filter under “Sex”, so probably hasn’t changed much! 5The UK Employment Equality Act 1998, states that an employee is entitled not to be discriminated or harassed in the course of their employment on the
BASEL II: Heralding the Rise of Operational Risk David Porter, Head of Financial Services Risk, Detica
Basel II - a growing concern The media coverage around the Basel II Accord is steadily growing, as financial institutions engage seriously with the details of compliance. Basel II is one of the biggest financial shake-ups in recent times, which will eventually lead to new rules and regulations for banking globally. Banks will need to have their processes and systems in place by the start of 2007, which is when the Basel Committee on Banking Supervision plans to implement the Accord. The purpose of Basel II is to ensure that financial institutions manage risk so that they have the capital to cover exposure to debt. Basel II will be regulated by the FSA in the UK and through CAD-3 on a European basis. Banks will have to carry out a fundamental review and overhaul of their processes and systems in order to achieve compliance. Technology will be at the core of their strategies to meet Basel II requirements. Estimates of the investment needed to comply with the new Accord vary widely, with little consensus evident currently. What does seem certain is that significant technology investment will be required, amounting to hundreds of millions of pounds in the UK financial services industry alone.
The rise of operational risk It is interesting how the management of Basel II programmes has fallen mainly into the hands of those in charge of operational risk who are now receiving full backing from top management. This perhaps reflects the desire by banks to get a stronger grip on operational risk, credit risk being a more mature modelling discipline. Indeed, operational risk appears to be entering a golden age. Its profile has been raised — "We must get a key risk indicator (KRI) for this" and similar risk vocabulary is now being used at board level — and greater awareness is starting to trickle downwards through the corporate culture. Basel II is enabling those involved in risk to finally get risk management to permeate corporate culture and decision-making
grounds of gender, marital and family status, sexual orientation, religion, age, disability, membership of the travelling community and race. Harassment is defined as including, "the circulation of written words, pictures or other material which a person may reasonably regard as offensive" 6The draft IC guidance mandates this as one of their benchmarks. 7Oh, and in case this is news to anyone, some sales people are known to stretch the truth.
processes. What was always viewed as "nice to have but we can't afford it right now" is no longer the case. The goal of 'designing-out' risk, whenever any new product, process or system is developed, is becoming a realistic proposition. Those who work in risk are no longer seen as a nuisance factor or pointing the finger. Instead, they are increasingly viewed in meetings as being there to help and are becoming the glue that is bringing together formerly disparate islands of decision-making and data storage.
Programme management and cultural shift Basel II is more than just a very large project. Like CRM, it is a complex business change programme, comprising a series of inter-dependent projects that need to be orchestrated effectively. A programme must be structured and managed using best practice principles and techniques in order to ensure that it delivers successfully, i.e. on time, within budget and to the right quality. Basel II should be viewed in conjunction with all other programmes, be they compliance-driven, marketing-driven or otherwise. It may be possible to combine different programmes, or sub-elements of programmes, into one programme. One example is the overlap between Basel II and International Accounting Standards (IAS). Another is the potential overlap with tactical anti-money laundering and anti-fraud initiatives. 9
basel ii At Detica, as part of our own Basel II development programme, we recently commissioned independent research into the current state of play in the UK banking industry regarding Basel II readiness. Most of the Basel II programme managers we engaged were primarily senior risk executives with an operational risk background. There was no evidence to suggest that they had consulted with programme managers in other areas, such as CRM, for advice on best practice, leading techniques and methods, and lessons learned in the management of complex change programmes. One area, however, where Basel II programme managers do appear to be "getting it right" is in adopting a processtechnology-people approach. In other words, get the processes and controls right from a Basel II perspective and follow this up with technical and organizational development initiatives. This contrasts significantly with CRM programmes, where the emphasis was very much technologydriven with processes and people playing catch-up. While a high percentage of senior management has given Basel II programmes strong backing, the remainder will be harder work to convince and the cultural shift required is far from achieved. Staff will also need to be sold on the concept of "risk management in everything we do". The favoured approach from respondents is to emphasise that this is not a case of making anyone look particularly good or bad, it is simply a matter of acknowledging risk and managing it. Respondents are also trying to remove the blame culture, emphasising that risk is not the employee's but the bank's. Already staff induction programmes are being revised to incorporate more emphasis on operational and security risk awareness.
Auditing and fixing the data When asked how far they had progressed in undertaking a 'data readiness audit', almost half of the respondents stated that they had either not started or were less than halfway there, and 8% simply did not know. Tier one banks — the larger 10
clearing and investment banks — were in better shape, but even here over one third had either not started or were less than halfway there.
Banks will be required to provide an audit trail of all risk calculations back to the source systems. Under the current Basel II timeline, banks wishing to move towards the advanced IRB approach will need to begin capturing two years of history from the outset of 2005. This places banks under significant time pressure to resolve data quality issues now, to ensure that they can begin building their Basel II data store on clean, consistent data. A key issue is disclosure. Previously, a bank's own risk measurements were for internal use only, but under Basel II a bank's risk data will be published externally and will, therefore, demand a rigour similar to that expected for financial accounts reporting. For the first time, banks will be required to provide an audit trail of all risk calculations back to the source systems from which the original data was derived. As a result, data quality has suddenly become mission critical for all the major banks. The first challenge will be to actually understand the scale of the problem and establish what steps are required by when, in order to move a bank towards meeting the Basel II timeline. Banks should strive to make data quality assurance a good habit, adopted throughout the organization. It will not be enough to simply review data output: instead, data quality should be designed-in to data input processes from the outset, to prevent the problems from recurring in the future. Getting data quality right for Basel II is non-negotiable, but the benefits will be felt far beyond the Basel II programme and will provide a firm foundation for decision-making across all areas in the organization.
Getting to grips with the data architecture There is an element of confusion amongst Basel II programme managers regarding data warehouse architecture and whether a Basel II data warehouse should be separate to, or form part of, existing data warehouse infrastructure. The construction of a historical data store is a key IT initiative that must be pursued as a priority within Basel II programmes. This will collect up to three years of operational risk data and up to seven years of credit risk data and will act as a stepping-stone towards a 'single customer view' for managing risk at an individual customer level. The implication of the current Basel II timeline is that banks should have this historical data store ready for operation by the end of 2004. However, given the tight delivery schedule and the fact that the final version of the Accord will not be published until the end of this year, adopting a conventional "Analyse Requirements — Design — Build" approach is not a viable proposition. Beginning development work now will not only break the deadlock but also improve a bank's understanding of data quality when refining and agreeing the logical data model. Banks will need to adopt a method of fast-tracking physical data warehouse development work in parallel with ongoing requirements analysis and logical data modelling. This approach should integrate and re-model existing data warehouse infrastructure, thereby providing an opportunity to make considerable savings in time, cost and resources.
Practical mitigation of financial crime, disaster and security Much of Basel II compliance centres on constructing engines for calculating and predicting different forms of risk. Respondents confirmed that operational
basel ii risk is proving difficult to define, model and predict. There is an ongoing tension between solving the problem with mathematics and adopting more qualitative approaches. The general consensus is that operational risk is something that happens as soon as the doors open, and affects every financial institution and indeed organizations across all industry sectors. Events that do not occur very frequently but, when they do, have a substantial impact either in terms of financial loss or reputational damage, can be hard to predict. Measurement of the risk associated with these events often happens after they have taken place and the damage has been done. Financial crime, i.e. anything ranging from abuse and theft through to fraud and money laundering, and areas such as disaster recovery and general security, are particular areas of focus. They were described by one respondent as "the more interesting side of operational risk management". In the case of financial crime, a number of respondents are mitigating against these kinds of risks occurring in the first place by developing proactive event detection systems. These take in large volumes of operational data (e.g. financial transactions) and, on the basis of an underlying model of potentially risky or suspicious behaviour, look for tell-tale patterns in the data and so identify cases worthy of further investigation. Significantly, such systems are now being targeted at the insider threat by analysing audit trails generated by the electronic systems encountered by staff and management. In the case of disaster recovery and general security, we are seeing a revival in business impact analysis and business continuity planning, spurred on in recent years by the September 11th terrorist attacks and high profile corporate accounting, fraud and money laundering scandals.
Outsourcing: a potential blind spot Detica's research also identified a widespread lack of concern within UK banks about the potential operational risks
related to the outsourcing of business functions, such as contact centres and software development. 46% — almost half of the respondents — stated that outsourcing is definitely not an element of potential operational risk which worries them. Just 26% of those interviewed felt any concern about possible vulnerability from handing key functions over to external third parties. This is a significant potential blind spot for UK banks, as a sound grasp of risk issues in relation to a bank's operations is critical in setting up and executing an effective Basel II programme. Interestingly, outsourcing seems to have remained below the radar as a risk area, even as the number of outsourcing contracts in the financial sector has risen sharply. The fact that the Financial Services Authority recently stated that it regards outsourcing as a specific area of operational risk, shows that concern is rising. It is critical that banks protect themselves and their customers by running thorough checks on outsourcing companies, and by having clear policies and procedures in place to ensure that all activity is closely monitored. This is particularly important for Basel II compliance, where banks not showing due diligence over outsourcing will struggle to gain accreditation.
Outsourcing simply relocates the insider fraud threat, with the insiders now being located on the outside. The trend toward business process outsourcing also brings an added twist to the fast-growing issue of insider fraud. Whilst outsourcing may appear, on the outside, to offer a solution to the practice of insider fraud, it can also introduce its own set of threats. The adage that fraud is like a balloon — squeeze it in one place and it bulges out in another — is very relevant here. Outsourcing simply re-locates the insider fraud threat, with the insiders now being located on the outside.
A recently observed fraud trend related to the growth of outsourcing, is the infiltration of West African organized crime cells into financial institutions in the UK and a consequent proliferation of insider fraud schemes. Criminals are placed inside banks and financial institutions in positions where they have access to sensitive customer information. Call centres and help desks, often staffed by temporary workers contracted from agencies, are particular targets. The criminals are also identifying and corrupting existing bank workers, in order to learn about banks' security procedures and obtain customer data. Clearly, this is an area which needs to be taken seriously.
Missing a trick? Re-using CRM infrastructure to address risk When looking at how to address Basel II compliance cost-effectively, the research shows that most respondents are not taking advantage of, or are even unaware of, the cost, resource and time savings to be made by exploiting existing CRM infrastructure in order to meet the Basel II Accord. One third of respondents to the Detica research survey were unable to answer the question: "What is the extent to which the existing CRM technical infrastructure can be re-used or extended for Basel II?" Only 18% said that CRM technology could be used to mine and analyse the data held within the data warehouse. There is a lot of overlap between the techniques, skills and technologies used for CRM, and those used for Basel II compliance. Both involve substantial amounts of data integration and analytics based on a single view of the customer. The single customer view has for many years been a "holy grail" for banking technologists. Risk analysis and customer segmentation for marketing purposes are just two sides of the same coin but most organizations have yet to realise the benefits and cost savings to be gained by creating a common 11
computer crime investigation foundation for both subjects. The historical disconnect between risk and marketing is certainly a factor here. At the end of the day, the goal should be to have a single source of data and understand what happens to that data as it moves through the bank, whether it is a financial reporting process, risk reporting or a customer relationship management process. Implementing the single customer view is one of the biggest contributions that CRM can make to the Basel II effort. This includes: • Providing a single current and historical view of each individual customer's profile and complete product portfolio • Creating the same view for every household or demographic segment • Detecting, storing and tracking customer events, i.e. key changes in a customer's behaviour or position within a product lifecycle. This provides a far more useful input into analytical engines than purely "static" data
• Providing reporting and analytical tools to support common needs ranging from regular reporting and ad-hoc exploration of customer data to detailed modelling of customer behaviour • Linking analytics back to the operational environment in the form of customer treatment strategies (which translate into risk treatment strategies for Basel II)
The calm before the storm? Although Detica's research study highlighted a number of areas for potential concern, many of them technologyrelated, the overall results were generally positive. This probably reflects the timing of the study, taking place as it did in the relatively quiet period between the conclusion of QIS3 (December 2002) and the publication of CP3 (May 2003). Most financial
Arson, Archaeology, and Computer Crime Investigation
institutions, certainly the leading ones, have set up a Basel II programme, appointed a qualified leader and given full backing from senior management. However, it is still relatively early days for Basel II programmes and in-depth IT development has yet to start for many banks. It will be interesting to witness the response from banks' IT departments once the final specifications are presented to them later this year. As one respondent from a Tier 1 bank remarked: "Achieving one hundred per cent linkage of data? Is that Nirvana?"
Author contact details [email protected] The Basel II survey was conducted by Metrica Research on behalf of Detica to ascertain the current situation at 55 UK banks. Interviews were conducted in early 2003. For a copy of the research report, Basel II: please contact Lucy Bartley by email: [email protected]
Crimes of this kind [arson] are usually carried out to leave few, if any, direct clues, and proof of criminality is far from easy to establish by circumstantial evidence1.
an arson crime scene or archaeological dig. Most essentially, in all cases, people are responsible for the actions that left clues behind. Additionally, as noted in the opening quotation, we are dealing with evidence that has deteriorated significantly. An arson investigator’s task is to recover fragmentary evidence and use it to determine what occurred. Archaeologists perform similar types of analysis, studying excavated artefacts to ascertain when and where they initially existed and synthesizing the results to gain insight into the original context.
At a time when there is competition to computer crime investigation, it may come as a surprise to find an article referencing the distant past. However, when even basic grammar is disregarded (using the noun computer as an adjective and the adjective forensic as a noun) there is a clear need to revisit our secondary school textbooks. Wit aside,
Like a detective, the archaeologist searches for clues in order to discover and reconstruct something that happened. Like the detective, the archaeologist finds no clues too small or insignificant. And like the detective, the archaeologist must usually work with fragmentary and often confusing information. Finally, the detective and the archaeologist have as their goal the comple-
Eoghan Casey
12
create new terms for different aspects of it is useful to examine well-established disciplines, such as arson investigation and archaeology, to gain insight into the problems we face today in computer crime investigations. Although computer crime is a new development, there are many similarities between a computer that contains evidence and