Financial Crime, Security and the Internet of Fins

I was struck by the recent, rather fishy story that criminals had obtained information by hacking a casino’s fish tank. You can read the full story using this link, but rumours that this was part of a crime wave from the notoriously elusive “cod father”, codenamed Nemo, have been denied. Also, the exact details of what information was taken are not clear, but it does appear that the perpetrators managed to escape before the cyber security net was closed. Maybe a simple awareness of plaice increases vulnerability when the financial crime chips are down.

Beyond the obvious puns, there is a serious message: the growth of Internet of Things devices without adequate security offers growing opportunities for innovative financial criminals. It is also an obvious hook to a more serious blog I wrote on this topic for Finextra, which also outlines some of the potential countermeasures.

Beware the financial crime bite of the back book

When people start looking for solutions to financial crime, regulation and compliance there is a natural tendency to start with new customers, known as the ‘front book’. 

These new customers already expect to have to go through some onboarding processes, and are typically coming in at a manageable volume. They seem to offer a natural starting point.

But the uncomfortable truth is that, for established financial institutions, the vast majority of financial crime and fraud originates from pre-existing customers. It is the ‘back book’ that hides the biggest problems.

Why is this the case? For a start, there are just many, many more customers in the back book than in the front book. If a firm grows its customer base at, say, 5% a year there will be around 20 times as many existing customers in the back book. Given this difference in volumes it is not difficult to see where the majority of financial crime will take place.

Also, back book customers will typically have been brought on board at a time when the relevant regulations and checks were less robust. Regulators have not missed this uncomfortable truth, and there is increasing pressure on institutions to address this area.

Dealing with the back book entails a huge amount of work. Being able to analyse the quality of its base data is an essential way to make achievable what could otherwise be an overwhelming task. Given the large volume and the potential for multiple, often long running, issues, this task is not to be taken lightly. The key is to understand where and how to start.

For those expecting a discussion of complex Bayesian statistical techniques on big data in supersized, specially constructed data stores at this point, I am afraid I will have to disappoint you. In my experience of running these types of programmes, the way to address the back book is to start with simple, but highly relevant, business driven tests on a set of key data elements. These tests will likely include elements for Anti-Money Laundering and Sanctions screening, unique identification, and the potential red flags that drive levels of due diligence. By running these tests across the whole back book you will gain insights not only into its current quality, but also into where to start improving it.

The exact plan to address these issues will vary from firm to firm, not least due to whether external data is available for comparison and whether subsets can be prioritised for remediation, but a mandatory first step is to look across the whole back book to gain a fully informed view. Unfortunately, the fact that remediation of back book data is complex, difficult and time consuming, and tends to lead to requests to some customers for information you should already hold, does not mean it can be ignored.

If banks and other financial institutions have not realised it already, they are being forced by regulators to discover that an untamed back book can bite.

Would you ask someone else if they Know Your Client?

With eye-watering fines and the threat of deferred prosecutions, many banks have been working hard over the last few years to solve the problems of correctly identifying and screening clients for financial crime purposes. As they have done so, it has become clear that a number of parts of this process are common across banks and so could potentially be provided on a centralised basis.

This has prompted a growing number of providers to offer Know Your Client (KYC) services in this space.

The challenges of KYC differ significantly between entity/company customers and individuals, with far more public domain information readily available for entities than for individuals. This is why most providers are concentrating their efforts on the simpler problem of KYC for companies, although in most big banks the greater benefit would come from solving the problem for individuals. Also, regulators in some countries are much less likely to allow data on individuals to be shared outside their borders. So it is not surprising that the States of Guernsey are looking at providing a solution for its high net worth customers, and being based in Switzerland may be an advantage for KYC Exchange. There is also the issue that the information available to and from these third party operations is only part of the overall solution: a significant part of the process remains specific to each bank.

So overall, this is some interesting innovation to help reduce a difficult problem, even if it can only ever be a partial solution to a bigger one.

Has the high speed trading tide turned?

For many years, the only thing that high speed/frequency trading (HFT) operations needed to worry about was continuing to reduce the “time to trade” by ever more milliseconds, in some form of technological arms race between the major players. The key turning point, which we have covered in this bulletin before, was the flash crash of May 2010. Although, in a thoroughly mixed metaphor, it has taken a number of years of building pressure to show its full impact, it is clear that the regulatory tide, and to some extent the market tide, has turned against this form of trading.

Recently we have seen regulators signal changes in an attempt to curb this practice, the FBI announce a specific probe into possible abuse in this area, and a new book from Michael Lewis entitled “Flash Boys” which claims that high-frequency traders hurt other investors by being fast enough to pre-empt which shares investors plan to purchase, buying them first and then selling them back at a higher price.

Whilst some of the noise from the “Flash Boys” book might just be a very artful pursuit of publicity by the author, it does appear to have become the catalyst for other critics of some HFT practices, such as BlackRock, to break cover. This, combined with the growing regulatory pressure from both sides of the Atlantic (such as the recent EU Parliament vote) and the FBI investigation mentioned earlier, makes it highly likely that there will be structural changes to rein in this trading model. However, it is not clear what changes will be made: possible delays have been rejected, and the same techniques can be used to implement multiple approaches, some beneficial for clients and some potentially abusive, as pointed out by BlackRock. Differentiating between them requires knowledge and judgement, which are often tricky areas to regulate effectively.

Have you bought a new iPad for work?

Have you succumbed to the hype and bought a new iPad or indeed one of the excellent Samsung tablets as I have? Are you frustrated by not being able to use a device like this at work?

This topic, which we have covered in previous bulletins and blogs, continues to exercise analysts and excite comment. The trend for use of these essentially retail gadgets (see the stronger tablets blog) for commercial purposes is being driven from both ends: the boardroom, who like the ease of use and personalised experience, and more junior, tech savvy staff who are looking to use the tools, apps and the more visual and social media approach of tablet computing to make their jobs easier and more enjoyable. Some firms have adopted a policy of limited roll out of company provided tablets, typically to more senior staff, almost as a status symbol or management benefit. Others have gone down the Bring Your Own Device route we discussed last month, which reduces the capital cost of providing the devices but is balanced by the increased complexity of integrating and securing a wider range of less controlled devices. If this is an area of interest, you can join the active discussion on one of our LinkedIn groups.

A simple question, but an intriguing answer

Over recent weeks, I have been running polls on what appears to be the relatively simple question of “How important is having accurate Retail Distribution Review (RDR) proposition information on your public website before its implementation in January 2013?” The poll was run in a number of LinkedIn groups and, whilst not particularly scientific, it generated a more complex response than expected. I deliberately chose different types of group to poll, and this yielded a stark difference in responses. I intend to run more polls of this type on this regulatory topic, but for now let’s look at the immediate results.

In the specialist RDR discussion group there was almost unanimous support for the view that being an early adopter is an advantage. This is in contrast to the more general Financial Sector group, where the response was far more mixed, with some support for the view that clients are not yet interested. There is an obvious difference in the level of knowledge about the regulation in the RDR specialist group, which suggests that those who understand its impact see more advantage in being well prepared and getting website information (e.g. whether the firm is independent or restricted, and a transparent mechanism for calculating the new advice charges) in place before the formal regulatory deadline. The full trend should emerge as I conduct more research, at the same time taking some input from the RDR implementation programmes that MPI is running. If there are specific areas or questions that you think we should investigate, please get in contact.

Die a little harder

It is often said that film sequels are never quite as good as the original, but this trait has yet to be definitively proved for financial regulation. One reason for this, probably, is the lack of effective measures of success for regulation: there is no ready equivalent of box office takings. What financial measures there are appear to be ambiguous. Take receipts from fines, for example. On one hand, larger fine receipts could be seen as a success, an indication that the regulation is biting. However, it might also be argued that large fines are a sign of regulatory failure, as surely the purpose of regulation is to prevent or deter people from particular behaviour and not simply to turn their continued transgressions into a ready revenue stream. Also, preventing a similar market failure (new regulation almost always follows a failure) is not a clear indicator of whether it is a blockbuster hit. It always seems that the latest regulation is aimed at preventing the last crisis, but seems incapable of predicting and hence preventing the next. It is a bit like casting actors for King Kong, only for them to end up struggling through Othello.

So this is the murky world into which MiFID II is being introduced. It follows the original MiFID, which was seen as a partial success in that it acted as a catalyst for the restructuring of Europe’s equity markets and drove greater transparency around execution policies, but failed to deliver the promised level playing field for securities trading. The European Commission states that MiFID II sets out to make financial markets more efficient, resilient and transparent, and to strengthen the protection of investors by increasing the supervisory powers of regulators and providing clear operating rules for all trading activities. The expanded areas this wide ranging regulation tackles include clearing and derivatives, as well as automated trading. It also seeks to introduce, on a Europe wide basis, the removal of commissions for retail products, similar to that being introduced on a UK only basis with the FSA’s Retail Distribution Review. These significant changes in regulation and the differing speeds of implementation mean that Europe will continue to be a complex regulatory arena for many years yet, despite the Commission’s efforts to bring all constituents to the same level. We will see how this develops over the coming months, with key votes due over the summer and a final vote in September.

BYOD – Bring Your Own Device?

If you work for a large corporation, it is highly likely that you will carry both a corporate mobile device (often, it seems, despite recent problems, this will be a Blackberry) and a personal smartphone (an iPhone or Samsung Galaxy II seem to be popular choices in the UK). The corporate device needs to be secure and reliable, with some of the less secure device features, such as the camera or the ability to play music/video or download apps, often disabled; these are frequently the very features that attract people to their personal device. However, some firms are exploring the ability for people to use their own personal devices to access corporate networks and data. For example, a number of recent clients I have worked with allow me to connect one of my PCs to their corporate network for email and file access, so long as I use the software and security token they provide. This improves mobility and connectivity and, from my experience, works well. It also means that firms can avoid buying staff or consultants laptops that all too often (I am told) go walkabout, complete with their confidential data, on trains or in pubs. It is a win in terms of flexibility, cost and security.

So, should firms take the next step and allow smaller personal mobile devices, with their myriad operating systems and apps, to connect to the corporate network? Well, some firms have already decided they should and are doing this, with software firms such as Citrix keen to promote solutions that allow it to be done securely. Citrix point to their survey evidence that there is strong demand from both users and firms for this type of BYOD flexibility, if the security concerns can be addressed. On the other hand, there is also evidence of a backlash from people who are keen to retain the divide between work and personal life, and the flexibility simply to switch off the corporate Blackberry at weekends or on holiday. Despite this, it does seem likely that there will be an increased blurring of work and personal mobile usage, which may drive us towards a single device.

Regulation outside financial sector is a piece of cake

We can often become obsessed – okay, I can often become obsessed – with the contradictions of financial regulation and then assume they are somehow unique. I was, however, reminded the other day that finance does not have a monopoly on regulatory confusion. It starts with the question: what is the difference between a cake and a biscuit (or cookie, for our US readership)? This is not simply some pub quiz speciality with little or no relevance to the business world. The relevance is that a biscuit and a cake receive different Value Added Tax (VAT) treatment in the UK. We have talked about the impact of inconsistent VAT or sales tax treatment for financial services in previous bulletins, most recently its impact across Europe on commission sharing agreements, which was covered in our companion bulletin. Also, the UK investment sector is currently struggling to understand the VAT impact on the advice charges being introduced as a result of the Retail Distribution Review, given the less than totally clear guidance from HMRC, the UK tax authority.

However, the financial sector is not the only special cake, sorry, case. In 2008, as the BBC reported, the UK Treasury faced a £3.5m bill because the European Court of Justice ruled that the UK tax authorities had wrongly imposed VAT on a supermarket teacake for some twenty years. The sums of money involved may not be as large as in the financial sector, but the complexity of the situations created by regulations with multiple exceptions certainly gets close.

Enterprise headaches need extra strength tablets

Over recent months we have become used to every new solution to a financial sector issue including the key elements of cloud, social media and mobile. Regular readers will remember our analysis on financial sector clouds and will be well aware of many of the growing uses of social media. However, we are now seeing a change in the mobile aspect of this fashionable troika, with the move from the use of smartphones to the ubiquitous adoption of the touch based tablet computer. As with the adoption of the cloud, the widespread use of tablets started in the consumer space, as successfully pioneered by the iPad and the late Steve Jobs. Even non-Apple fans must admit that the iPad does a very slick job of delivering entertainment and personal functionality in an attractive format, but just as the iPhone has not taken over the corporate smartphone world, is the iPad up to serious corporate business use? Well, if you scan the iTunes app store, there are undoubtedly a large number of iPad business apps available. However, many of these can be categorised as document or media browsers, providing a convenient way to find and view public domain/web available content on the tablet. This is probably because using retail targeted devices for corporate purposes presents challenges for the user, the business and the technology alike: there are multiple operating systems and formats, and retail users are less willing to pay for the heavyweight features a business needs, such as strong security.

So it was with interest that I saw this month the announcement from ConvergEx that it has made its order management system, the Eze OMS, accessible through an iPad. To do this, they have had to employ specific software techniques to overcome security issues with this retail device, e.g. automatically wiping sensitive data. They say firms will be able to control how often these automated data wipes occur and will also have the ability to remotely disable users. Other, more device oriented approaches are also emerging, for example the Cisco Cius tablet, which provides an enhanced Android operating system based device with support for full business strength security, connectivity and supportability, coupled with built in Cisco industry standard video, WebEx and collaboration/social media functionality. Having had a “hands on” demo of this device recently, it is impressive and has all the features and pedigree to succeed, but as other tablet platforms (e.g. HP) have found, the application providers and user take up will be key to its success.
