An interview with Stephen Strickland, former head of anti-bribery and corruption, Barclays - an exerpt from the Financial Crime & Operational Security 2016 report.

Interviewer: Maire McGuire, Publisher, Clear Path Analysis

Maire McGuire: Exactly how prevalent has cyber fraud become in the last five years?

Stephen: When we consider the occurrences of cyber fraud we must remember that much of what we see is no different than that of the crimes of 10, 20 or 30 years ago, it is only the method or medium by which the criminal communicates with their victims that has changed. There are of course different types of cyber criminality, cyber enabled and cyber dependent. The majority of cyber fraud in the UK falls into the first category, cyber enabled, the Bangladesh Central Bank heist is a perfect example of cyber dependent attack, although it could be argued this is nothing more than a virtual bank heist and therefore cyber enabled.

The use of technology has clearly provided criminals with the means to communicate more efficiently with high volumes of potential victims but this alone is not responsible for the increase we have seen in cyber fraud, the UK is leading the way in the reporting, analysis and dissemination of crime reports for both intelligence and investigation (via Action Fraud); this has contributed greatly to the UK’s understanding of cyber fraud, it is only when you understand the problem can you develop an effective strategy to counter the threat. It is not always possible to pursue those responsible and seek redress through the criminal justice system, but there are alternatives in the form of disruptive interventions. As we become more efficient and effective in the development and deployment of disruptive interventions we may eventually reduce the benefit to the criminal to a level that the criminality is no longer viable; at least, that has to be our goal.

Maire: It has been reported that most financial crime is discovered accidentally, how is this possible and what are businesses doing to protect themselves?

Stephen: There will of course be instances where financial crime is discovered by accident but in my experience the majority of occurrences are identified as a result of tried and tested monitoring and controls. Often a situation will need to occur before it can be identified, if the procedures for monitoring are effective this may identify preparatory acts, prior to the offence taking place, again, this has to be the ultimate goal for any financial institution.

Unfortunately in most cases, at present, the act is identified when the substantive offence is committed; when this is discovered, what then becomes important is the speed in which this is escalated and counter measures implemented to both prevent the exposure to this occurrence and to implement the learning across the organisation to prevent further crimes taking place.

Maire: What lessons can we draw from the Bangladesh Central Bank heist incident, what measures need to be put in place through partnerships to prevent this from happening?

Stephen: The Bangladesh Central Bank heist is a perfect example of how criminal entities, in this case hackers, are exploiting technology and financial platforms; I believe investigations are still in hand to establish the origin of the malware and how the banks systems were compromised. The investigation has identified that the hackers were located outside of the country but as we are all know, we can unknowing become parties to the act and assist the criminals in this process when we fail to adhere to appropriate cyber security protocols.

In this case, what is more important is that without the effective oversight of the Federal Reserve Bank the impact of this attack would have been much greater, in the region of $1b (The Fed blocked 30 transactions worth $850m). The Federal Reserve became suspicious because of a simple spelling mistake in the SWIFT data; they escalated this to the Bangladesh Central Bank who did not respond, identifying a potential weakness in the escalation of suspicion and the monitoring / scrutiny of transactions by the Bangladesh Central Bank. Although the technology / cyber aspect of this attack is significant the more important question is ‘would this have been successful if the controls environment had operated correctly and how has the controls environment changed as a result’.

Maire: What effect will Brexit have on current partnerships in Europe and how will it affect future relationships?

Stephen: There is probably too much focus on the Government and their ‘hard Brexit’; although the Government and their negotiations are important to the financial services we need to remember the part that the City of London has to play and how over the years it has helped to shape the face of global finance. From the opening of the Royal Exchange in 1571 the City has continually reinvented itself, the Royal Exchange itself has been raised to the ground twice, like a phoenix, The Royal Exchange and The City has been reborn, reinventing itself each time.

From the south Sea Bubble of 1720 to Black Monday in 1987 (and all of the bubbles & crashes in-between); from the emergence of Eurobonds in 1960’s to the big bang in the 80’s the City has mastered the art of staying one step ahead of its competitors, some of the changes were reactive, some proactive, the time is right now for us to be proactive and to reinvent ourselves once again.

This is why we need to position ourselves and our place in Europe for where we want to be tomorrow, not necessarily how we maintain the status quo of where we are now. The world of finance is changing; this could be our opportunity once again to lead the market and maintain our position as one of the great financial centres of the world. If we get this right we will take our partners and our relationships with us as we realise the next incarnation of the The City of London.

Maire: In your view, what risks still need to be addressed?

Stephen: For me, the greatest risk is in doing nothing, or in continuing to do what we have always done; what we have not always been good at is pushing the boundaries and taking the fight to the criminals. A lot of what has been achieved in the financial crime space has been responsive rather than proactive; in this regard I think we could learn more from our colleagues in the US Treasury and their use of special measures under article 311 of the Patriot Act. Although the majority of the actions taken by the Treasury relate to rogue states or the entities supporting them, the principles and learning can be applied just as effectively to domestic and international criminal enterprises.

In the UK great work has been done with the Joint Money Laundering Taskforce (JIMLIT), although this is still in its infancy it has become an international example of best practice in what can be achieved through partnership working. Building on the work of JIMLIT, I would like to see the day when globally, the world of financial crime compliance and its partners from across the public and private sector come together and acts as one and takes the fight to the criminals, putting them on the back foot, taking the profitability out of their illicit activities. For the UK, going back to my earlier point, this is going to be a challenge, we must embrace change and reinvent ourselves for a post Brexit future with a reinvigorated strategy for our role as a global financial centre.

This interview was conducted as part of the Financial Crime & Operational Security 2016 report - download the full version for free here.