Saturday, April 16, 2016

Pre-empting Cyber-Fraud in Investment Banks


An investment bank is a hive of activity, helping businesses or banks to raise capital by issuing stocks or bonds, and finally underwriting and distributing the issue. They also sell securities, manage the assets and personal wealth of high-net-worth individuals, and help in corporate mergers and acquisitions. These activities expose them to a myriad of operational, legal, market, credit and reputational risks.

A common thread among all these risks is CyberFraud, in today's highly computerised and networked world.

CyberFraud is multi-dimensional and is targeting citizens, businesses, and governments at an alarming rate. It can also be a conduit for organised crime and terrorism, and pose a threat to national security.

Stolen financial data is now an illicit commodity. With the required data, money can be siphoned through fraudulent credit card transactions, bank transfers, or other instruments. Given the impersonal nature of the crime, and that the fraudsters can be seated at a physically remote location, an underground industry for Cybercrime has rapidly grown. To compound matters, fraud can originate from both outside and inside the bank.

The broader effort to contain the growth of CyberFraud has to be worked on together with the police, central banks and cloud-based security services such as web-application firewalls, online biometric services, etc. Sharing of such information among banks via central authorities is key.

Within the bank, besides having a secure IT infrastructure, it is essential to have a centralised log server that, if need be, is capable of reconstructing any transaction to provide sufficient forensic data to bring the fraudsters to court. (This is a regulatory requirement stipulated by many central banks, like the Monetary Authority of Singapore.) With the wealth of data in the log server, it is possible through data analytics to predict where the fraud will come from, and pre-empt it from occurring. It would be useful to use software like Splunk to facilitate the indexing, searching and monitoring of the logs, some of which may not even be structured.

For more details on a secure banking architecture, click here.

The common patterns of suspicious activities usually exhibit abnormal transaction volumes, trading volumes, fluctuating data feeds, etc. A rules engine will have to be agreed between the businesses, fraud management department and cybersecurity department of the bank.

For more details on applying data analytics, click here.

There are also cognitive patterns of user behaviour that can be captured and analysed. Several cognitive biometric systems, like BioCatch, are now capable of differentiating an online bot from a human user and, in the case of a human user, of authenticating that user's identity.

These new implementations will require more sophisticated technical and awareness training. In a world where the criminals are connected with shared expertise, banks will need to have all their staff educated in an effective manner.

Many banks have resorted to quick online multiple-choice quizzes to measure the awareness level of their staff. But truly, how many cases in our lives work the same way as such multiple-choice tests? Hardly any, to say the least. Therefore, realistic scenarios must be written and rehearsed to leverage the participants' other cognitive senses. To be effective, the training methods must be experiential and immerse the participants in role play, so that they truly understand the scope of managing CyberFraud and apply the knowledge in their daily work.

For more details of how to apply role play in cybersecurity training, click here.

Naturally, the above activities will take time to implement. Senior management will have to be convinced that they are worth committing the necessary resources to. The savings from CyberFraud management will have to be enumerated and quantified. But it is no longer just a case of preventing or managing financial losses to Cybercrime; banks now also have the moral duty to prevent funds from reaching terrorists and organised crime, for national security.

Conversely, if you are in the Senior Management of the bank, you may like to read about the 5 types of technology salesmen out there waiting to pull the wool over your eyes. :)
Click here.


Last but not least, while it is crucial to have the technical infrastructure and controls, predictive analytics, and technical and awareness training, no fraud cases can be effectively closed without the good old-fashioned offline work of committing troops to the ground. Common detective work of recognising clues, hints and the motivation for a crime is equally important. So are cultural understanding and language skills, the latter being particularly useful for high-tech big data keyword searches and interpretation. Ultimately, the investigator will need to be able to hear a conversation in a noisy room, and have a concern for detail and a sense of urgency.