In a world of rapidly evolving technology, how do financial services firms keep up with the criminals? asks Mike Harris
The financial services industry has long been the target for criminals; whether it’s banks, insurers or fintech companies, bad actors have always found nefarious ways to attack the system and make ill-gotten gains.
But now, in a world that revolves around technology, criminals have become even more sophisticated in their methods of attack, leaving financial firms more exposed than ever. So how do financial services firms keep up, and what attacks do they need to be most aware of?
The current landscape
Criminals have launched an unprecedented volume and diversity of attacks against financial institutions in the last 12 months.
Lexis Nexis Risk Solutions’ Future Financial Crime Risks Report reveals that just over two thirds of firms have been exposed to ‘money mules’ whose bank accounts were targeted to launder proceeds of crime.
A significant proportion of financial institutions surveyed also reported exposure to the criminal use of third parties such as law firms, accountancy firms and estate agents; trade-based money laundering schemes; the proceeds of trafficking; the abuse of corporate structures; the misuse of digital currencies; and the misuse of prepaid cards.
Worryingly, these attacks are not being launched indiscriminately either. Criminals are now adapting their approach depending on which industry is being targeted in order to exploit the specific weaknesses inherent within that given sector.
For example, while just under half of banks (45%) reported exposure to money mules during the previous 12 months, this rose to 56% among building societies and to 60% for challenger banks.
This suggests that challenger banks are simply not capable of identifying and deterring money mules as competently as retail banks. As a result, criminals are increasingly targeting different organisations with specific methodologies, where their controls are seen as weakest.
These statistics are likely to be just the tip of the iceberg. As financial crime has grown in complexity, so too has detecting it. Reports show that most financial firms are not confident in their ability to detect many of the most prevalent crimes cited.
Around half of those surveyed admitted failure to detect the proceeds of trafficking, trade-based money laundering schemes, the misuse of corporate structures, and the misuse of digital currencies, with some highlighting that they simply don’t have the data points to be able to detect these types of offences.
To make up for these weaknesses, firms have been pumping funds into compliance measures, causing the cost of compliance to mount. For mid to large UK firms, the average annual cost of compliance is now £45.1 million, while for small UK firms the average cost is £8.8 million. Much of this spend is geared towards labour, with firms typically spending twice as much of their compliance budgets on people, as compared with technology.
Firms will always need to spend money on the processes required to demonstrate compliance, of course, but they must also think about how they can make better use of the technology available to help them proactively fight crime. After all, criminals are using the most advanced technology for their attacks, so firms will need to match these efforts in order to prevent them.
Overhaul of defences
By analysing their data more effectively, organisations can obtain greater insights into the individuals and transactions involved in the complex, inter-connected and evolving financial crime ecosystem. As a result, they can gain a much clearer picture on a number of risks that traditional methods of crime detection would have missed. However, financial services firms on the whole, have been slow to implement such techniques.
It’s not that firms don’t understand the benefits that technology and data can bring; many firms are aware of their own outdated technologies, ineffective tools, IT gaps and system shortfalls. The problem is that many firms believe that their legacy infrastructure restricts their ability to invest in newer and more agile technologies and solutions. Many also believe that the cost of stripping out and replacing existing technology would greatly outweigh the benefits, certainly in the short term.
There is no getting away from the fact that a complete overhaul of a business’ financial crime defence mechanism will be a costly project, but it’s vital that businesses move beyond just focusing on ensuring compliance. Instead, firms need to consider how they can detect, deter and disrupt financial crime more effectively. While solutions like these can be costly, the costs of not getting it right are far higher.
Can regulation save the day?
The authorities continue to bolster the AML regulatory regime following the integration of the 5th EU Money Laundering directive into UK anti-money laundering legislation earlier this year. Among other things, the move brought cryptoassets into scope which continue to be a worry for financial crime, as the report shows. Time will tell if more regulation is the answer while the costs of compliance continue to rise as firms meet their regulatory obligations. The key question is how effective is all this activity; are we focussing on getting to the criminals or merely satisfying the regulator?
Latest government statistics indicate that at least $100bn is still being laundered annually through the UK, with only around 1% being detected. If financial crime continues to rise exponentially and firms continue down the path of appeasement and inaction, the problem is only set to get worse.
Mike Harris, director, financial crime compliance and reputational risk, Lexis Nexis Risk Solutions