HOW BANKS ARE USING TECH TO AVOID FINES AND THEFT
*This an excerpt from our Future of Banking report - download your free copy here...
When robbers made off with $81 million from Bangladesh’s central bank in 2016, they didn’t hold up staff with shotguns or break into the vault - they simply used a computer.
That sent an alarming message to the global financial industry: criminals are becoming much more sophisticated at exploiting chinks in bank cyber defences. Last year, cyber criminals stole $10 million from Banco de Chile and around $20 million from a number of Mexican banks by hacking into payment transfer systems.
While the Bangladesh theft remains the largest individual cyber heist on record, the annual cost of all cyber fraud impacting banks continues to rise. In the UK, unauthorised financial fraud jumped by 16% in 2018 to £845 million—nearly all of which stemmed from payment card and remote banking crime, according to UK Finance, a trade association. A further £354 million was lost to scams where account holders had been tricked into authorising payments to fraudsters.
Banks are therefore under pressure not only to bolster cyber security but also to improve transaction monitoring. That is creating an opportunity for fintech companies such as Switzerland-based NetGuardians, which uses artificial intelligence and machine learning to help banks more accurately spot fraudulent payments.
“The problem with payment fraud is that you end up stopping a lot of payments for nothing because it’s very hard to say if it is fraud or not, so with machine learning you can learn from the customer’s behaviour, making it easier to flag suspicious transactions and reduce the number of payments that you stop unnecessarily,” said Joel Winteregg, chief executive officer and founder of NetGuardians.
Winteregg says that while banks have been taking steps to improve IT security and prevent cyber attacks like the Bangladesh hack—what he calls their first line of defence, or the camera watching the door—a far more pressing issue is the rise in scams that are targeting individual customers. These can range from love scams—where fraudsters cultivate online relationships with their victims and convince them to transfer money—to sending companies fake invoices.
In the US, for example, so-called ‘business email compromise’ scams hit $1.2 billion in 2018, almost double the number seen in 2017, according to the FBI’s annual Internet Crime Report. Such scams might involve a fraudster hacking into an email account and asking for, say, an invoice to be paid into a different bank account—something that would go undetected by the bank’s first line of defence.
“That’s a very easy way to do fraud,” Winteregg said. “You need heavy investment and expertise to penetrate a bank but there is plenty of opportunity for fraudsters to do small email hacks that even a teenager could do. It’s easy to guess the password of someone by looking on Facebook or other social media. Fraudsters are always looking for the weakest link—you don’t need to hack the bank, you hack the customer.”
This is why Winteregg calls NetGuardian’s software a bank’s second line of defence. It can catch if an invoice is being paid to a different account number than usual, alerting the bank to a potentially suspicious transaction.
“We are like the inside walls of a bank that in the old days would have stopped the robber and made sure he didn’t leave on his horse with a bag of coins,” he said.
It is not just the costs of cyber fraud that banks have seen escalate, but compliance costs too. Since the 2008 global financial crisis, the regulatory environment has become increasingly complex and onerous for banks to manage. According to Thomson Reuters Regulatory Intelligence, global regulators published 56,321 regulatory alerts in 2017, up from 8,704 in 2008. Banks are also facing heftier penalties for non-compliance. Over the past decade, financial institutions have paid more than $300 billion in fines globally, according to KPMG.
“Regulation is increasing so much that banks have to run to keep up with all the new requirements that are imposed on them and that’s a real challenge,” said Jane Jee, chief executive officer of Kompli-Global, a due-diligence search platform that helps banks onboard new customers. “The other worry for the banks is we’ve seen situations where they’ve not only been fined but some of them have been told they can’t actually take on clients for a certain period, so the penalties are increasing as well—not just the level of fines but also the types of sanctions imposed on them.”
That growing mountain of regulation—coupled with the risk of harsher penalties—has resulted in a boom for regulatory technology, or regtech, companies to help banks manage their increased compliance burden. Kompli-Global is one such regtech firm that has emerged to make it easier for banks to meet their know-your-customer (KYC) and anti-money laundering (AML) obligations. Unlike traditional methods for vetting new clients—which typically involves manually searching through static databases or commercial search engines—Kompli-Global’s software allows banks to perform automated searches quickly and in real time from a broader range of sources. That ensures the data provided is up-to-date and relevant, helping onboarding teams make more informed decisions about taking on new customers.
“There has to be an element of human judgement about onboarding,” said Jee. “You can’t completely use a machine to determine your risk appetite, but it does enable banks to do their job more efficiently.”
That speed is crucial if traditional banks want to compete with the new wave of digital-only challenger banks that can approve new accounts in a matter of minutes, says Kelvin Dickenson, president of Opus, a risk management and compliance company that also helps banks to perform faster and more accurate KYC checks.
“Fintechs don’t have the same burden of infrastructure that traditional banks have to work through, so those banks increasingly have to become more efficient and offer more of a seamless digital journey,” said Dickenson. “If you’re doing manual due diligence, that’s going to add so much potential for error and delay in the onboarding process, so customers will just go somewhere where it is easier to open an account. The digital revolution is really pushing that even further as it changes customer expectations about how quickly and easily they should be able to obtain financial services.”
Dickenson says Opus’s automated due diligence technology cuts out about 60-70% of work that would otherwise have to be done manually, significantly reducing the time it takes to rubber-stamp new customers.
The increase in compliance demands is also creating opportunities for regtech companies that help banks to monitor for and implement new regulations. One such firm is CUBE, whose software alerts banks to regulatory changes and then uses artificial intelligence and machine learning technology to map out how and where those changes would apply to a bank’s governance framework, helping them to quickly review and plug any compliance gaps.
“Traditional methods of managing regulatory change take a bank weeks and weeks, and cost them tens of thousands of pounds to carry out in terms of time and internal and external resource costs, just to implement one change,” said Ben Richmond, chief executive officer and founder of CUBE. “We can do all of that in near real time at a fraction of the cost and take them straight to the point they need to focus on, which is ensuring they have appropriate controls in place to deal with this change.”
With financial institutions already spending around $270 billion a year on compliance—a figure some market watchers suggest could double within the next five years—regtech is going to play an increasingly critical role in keeping compliance costs from spiralling further out of control.
“If you take it that regulatory requirements are going to continue at the velocity they are currently, then it’s going to be unsustainable for banks to continue managing regulatory change manually,” said Richmond. “Their margins are squeezed, they are under pressure to make money, and yet their compliance spend continues to rise. They have to look at new ways of managing this.”
Another company that is using technology to improve regulatory compliance is ClauseMatch, whose platform enables financial institutions and other regulated industries to manage internal policies in real time, and maintain a full audit trail for regulators.
“While the rest of the world has already moved into digital, the financial industry is only starting to embrace innovation,” said Evgeny Likhoded, chief executive officer and founder of ClauseMatch. “Using outdated methods when working with documents creates gaps and silos where information gets lost or is not used properly, putting organisations at high risk.”
That can become even more disjointed in large global financial institutions that are operating across multiple jurisdictions, he says. ClauseMatch’s software helps smooth this wrinkle by enabling compliance professionals from different departments and locations to collaborate on policy documents simultaneously, allowing financial firms to more effectively monitor and track how policies and procedures are being implemented. At the same time, artificial intelligence-based algorithms allow firms to map those internal governance documents to their regulatory obligations, demonstrating the status of compliance to regulators.
“We are now seeing sizeable fines for failures in conduct, and conduct is primarily communicated to employees via policies and procedures, and enforcement of those,” said Likhoded. “That’s ultimately what we help banks with.”
Given the budgetary pressures on banks to rethink how they manage compliance, the regtech industry is expected to grow significantly over the next five years. KPMG predicts regtech will make up more than a third of all regulatory spending by 2022, up from less than 5% in 2017.
For that to happen, however, there are still some hurdles to overcome. Likhoded says one of the main obstacles for wider adoption of regtech among banks is not existing IT infrastructure—which has hampered other digital transformation efforts—but a culture within some financial institutions that is reluctant to embrace change.
Yet there are signs the mood is turning, says Richmond.
“We’re starting to see more interest at board level now, and that’s been a real step change in the past year,” he said. “Senior buy-in is crucial because if you haven’t got somebody sitting at the top of the bank giving a mandate to invest in this technology, it’s not going to happen.”