Cyber attacks against financial services firms and other sectors have increased in number, size and sophistication. Globally, cybercriminals have launched large-scale attacks against banks and other financial institutions, siphoning billions of dollars from bank accounts as well as stealing millions of credit card records.
The financial services sector is a prime target for cybercriminals because of the tremendous value of the information it holds. As attacks increase and regulators take more notice, the pressure on financial institutions to act is mounting. Recently, South African Deputy Reserve Bank Governor Francois Groepe urged financial institutions to be aware of cyber threats as they embrace advancements in technology.
While the financial services sector may be ahead of many industries in the prevention and detection of financial crimes, more can and should be done by financial services companies. This is according to the report "Building a united front on financial crimes", issued by PwC on cyber security in the financial services sector.
Cyberattacks, fraud and money laundering are generally thought of as distinct financial crimes. However, this is misleading. A dishonest transaction or a cyber-related heist is the front end of a money laundering scheme, because the illegally obtained funds must then be moved to other accounts. Defrauding a financial institution of large sums could involve the exploitation of a weakness in the bank's cybersecurity, such as a malware infection on the user's device or a phishing attack that steals user credentials.
A case in point is the 2016 cyber-attack on Bangladesh Bank. The attackers first exploited cyber weaknesses by designing custom malware to bypass controls and network logging systems. They then abused gaps in fraud controls by using the Bangladesh Central Bank's credentials to gain unauthorised access to networks and by setting up fraudulent bank accounts to receive and transfer the stolen funds. These funds were then moved to accounts in Sri Lanka and the Philippines; only afterwards did it emerge that Bangladesh Bank had not authorised the transfers. Although financial institutions are concerned about cybercrime, they often don't know how best to prevent it.
According to PwC’s 2018 Global State of Information Security Survey (GSISS) and our 21st Annual Global CEO Survey, CEOs and boards named cyber-attacks as the business threat they were most concerned about, yet in the GSISS survey, 44% of respondents said they did not have an overall information security strategy. PwC’s 2018 Global Economic Crime Survey also showed that about half of global firms have fallen victim to fraud in the past two years – a 13% increase since 2016. Both of these developments present concerning trends. We believe that for financial institutions to get a clearer view of threats, better detect suspicious transactions, and streamline investigations, they will need improved coordination across cybersecurity, anti-fraud and AML controls.
Cybersecurity, anti-fraud and AML programmes often have common elements and controls, as well as synergies across people, processes and technology. Most firms are going to find that certain processes should be combined and others should remain separate but share information more closely.
One example of how convergence will help financial institutions is in managing crime prevention at the same time as they explore new technologies, such as faster payments and open banking. Firms will need to identify and block suspicious transactions much faster, because customers expect their payments and other requests to be processed quickly.
The report suggests that the convergence of a financial crime programme or processes can be accomplished by creating a clear operating model to serve as the backbone for the overall approach. An effective operating model consists of the following building blocks: structure, oversight and capabilities.
Financial institutions should define an enterprise-wide governance model that consists of financial crimes risk committees and charters, escalation protocols, organisation structures, human capital, and staffing and interaction models. This includes formalising the roles, responsibilities and communication channels across an organisation's lines of defence.
The path to convergence is not simple or quick, particularly for large and complex organisations. Some opportunities are ripe for convergence immediately, others should be integrated in the future, and still others should remain separate.
Financial firms should think about starting a conversation on convergence now. Criminals have capitalised on new opportunities made available through technology and have been able to adapt rapidly to traditionally siloed risk management controls. Organisations should consider meeting counterparts in the other financial crimes pillars and initiating discussions around the idea of convergence: uncover short-term benefits, solicit feedback and maintain the dialogue. They also need to identify the various technologies and tools currently being leveraged, and determine the steps required to move toward more effective solutions.
By Kris Budnik, Cyber Lead for PwC Africa & Kent Kirkwood, Financial Crime and Compliance Risk Services Lead for PwC South Africa