Debate: Are financial institutions forever playing catch-up with criminal methods and cyber- security evolution and how can they overtake to develop proactive, robust prevention measures? With Chris Leatherland, Head of Financial Crime, NewDay and Allen Anthony, Head of Financial Crime, NEST.

Noel Hillmann: What are the areas you feel most behind the bad actors on and what steps are you taking to address these shortfalls?

Chris Leatherland: I would call it the ‘E’ space, whether it be social media interaction, data control, data governance and responding to customer needs, as they want their responses a lot quicker and it is important that we keep up with that. At the same time, we want to put the right controls into place. Where I feel that is awkward, is in either the financial crime teams responding reactively or proactively and putting effective controls in place.

It is the understanding of this E space that is critical. Where we are as a sector is one that is trying to join up the needs of business and law enforcement. There is still some joined up thinking to do here.

A lot of the financial services industry is focused on financial service products. Law enforcement have their own areas of focus which leaves a bit in the middle that needs merging.

We are trying to respond to this by recruiting the right specialists to help in preventive terms, as well as to enable us to present better cases to law enforcement for better resolutions.

Traditionally, we look for financiers or financial service skills. It is now imperative, in certain areas, that we look for skills that are predominantly held by a different generation to those who are running financial crime prevention units, on how to use Intellectual Property (IP) addresses and those types of tools. It is about filling a void.

Allen Anthony: We adopt the attitude that we are always behind those with criminal intent and are always playing catch up in a whole host of areas, some that we haven’t even thought of.

We put our emphasis on training staff and recruitment of subject matter experts, as best as we can. This is not always straightforward.

Those with criminal intent have no holds barred attitude when it comes to what they are capable of. The scale that we have seen, at its most extreme could be state nation attacks.

Our industry is primarily pensions provision. Pensions Freedom was introduced a few years ago, which has opened an entirely new range of pension related frauds. This is basically where individuals over the age of 55 are being targeted with the temptation of accessing their pension pot early.

They aren’t talked through the tax implications of this and essentially, they can potentially lose the entire pot or a significant portion of it.

We raise awareness of these scams with our members, so that should they be approached with these types of offers, they can take advice from trusted sources.

Noel: In terms of the nature of attacks, what are the commonest types of attacks that you see and how have these attacks evolved?

Chris: Our I.T areas deal with IP or Malware attacks, as these are new in terms of hijacking companies and their data or intelligence.

In terms of attacks from a fraudulent perspective, this area remains unchanged. The only element that is different, is how perpetrators are getting that data which is a little bit newer and technically evolving in the E space.

The biggest issue at the minute is in terms of targeting our websites etc. to harvest data and trojans, etc.

Noel: Allen, in terms of the role that NEST has played in educating consumers, what role have you taken and what responsibility do you feel you need to take to stop individuals from falling into the common traps?

Allen: We take it seriously and put a lot of effort into the publicity and awareness side of things. We send communications in every welcome pack, so when a member registers with us they receive that pack and within it we have a well-designed set of communications to put them on notice.

We appreciate that people have limited absorption for this kind of information, because they are bombarded daily with warnings of one sort or another. We coordinate with The Pensions Regulator (“TPR”) to ensure a clear coordinated message is relayed and provided. They have a safety scheme called the Scorpion scheme, which plays on the sting in the tail element of fraudulent threats. More info here, www.thepensionsregulator.gov.uk/pension-scams.aspx. We reinforce this publicity campaign, because mixed messages or too many messages go over most members heads.

Noel: You work with 230,000 employers and so you obviously have dual responsibility with the employers to protect their staff who you are providing the pensions for. What linkage is there with the employers, when it comes to financial crime education?

Allen: As part of the employer participation, i.e. setting up their accounts, we carefully design our onboarding processes to not overwhelm the user with too much information in one go. We found that it encourages click through behaviour, where the messages aren’t really read and absorbed but just clicked through to get to the end.

We put forward information in droplets, which is a little bit of information at each stage of interacting with the scheme. This way we hope the messages are received as they go through the process of inputting their information.

We have almost half a million employers right now that we have on boarded from scratch. We launched the scheme in 2011 so it has been quite a learning curve for us.

Noel: Chris, in terms of the NewDay business model, you deal with the ‘near prime’ sector. Does this mean that you are dealing with those who perhaps have poor credit histories?

Chris: Yes, this is true but we also have partner relationships with the likes of House of Fraser, Amazon and Debenhams.

Most of our near prime clients are looking to build a credit growth profile or there are those who are looking to repair a credit profile.

Noel: For a profile of customer who may be new to using financial service products, like a credit card, or maybe haven’t been watchful of the credit that they are taking on, what level of education do you feel you need to be providing to them?

Chris: In terms of those new to credit or wanting to build a credit profile, they do respond quite positively to instructions we send out with the cards or the online instructions, because it is all new to them.

Of course, there are those who don’t believe that it applies to them and who may feel that they are overly familiar with how to look after their data. With these customers, constant reminders are required in the form of text messages, email alerts and postal letters, providing warnings and for us to stay on top of their account activity.

With the bigger firms, what I do like about their approach is the use of television adverts, like the one recently produced by Barclays which relates to how people can manipulate passwords and offers practical and real-life guidance.

The more that we can produce that kind of material, as an industry the better.

Noel: What are your thoughts on the possibility of the industry working together on financial crime alertness, Allen?

Allen: The Barclays range of adverts really did bring it home as to how important the issue is. One of those videos touched on the social engineering issues, with teenagers posting to social media and the profiles that can be collated from the information taken from the background of these.

Another was someone mimicking a bank employee and deciphering the security information that was needed to access the account of a customer.

They are very well designed and relay the message in a way that sometimes professionals find hard to communicate.

It would be good to see more than this, as across the whole population it is just a drop in the ocean of where we would like to be. If the general understanding of fraudsters, what their intentions are and how they go about doing their activities, the heart-breaking consequences for innocent people could hopefully be minimised.

I chair a financial crime liaison group, which includes representatives of other organisations in our sector. Normally day-to-day we are competitors but the respective heads of financial crime or heads of fraud meet on a quarterly basis to share notes of what we are seeing. It is a completely cards on the table type of situation and there are no commercial sensitivities. It is about sharing best practice and sharing intelligence of the types of frauds we are seeing, which allows us to keep our fingers on the pulse of what is going down and the new attempts and techniques that are being used.

Financial education and appreciation of personal data and the General Data Protection Regulation (“GDPR”) may increase awareness of such scams.

Quite simply, the average man and woman on the street aren’t as appreciative of just how careful they need to be.

Noel: Thinking therefore about future technology developments that are slowly, but surely, gathering momentum towards reaching the mainstream: what security steps need to be in place before you would deem virtual currencies to be acceptable forms of payment and for use in other transactions?

Chris: It would be wrong to say that we are pushing the boundaries in this space but we are currently partnering with Amazon and we do underwrite their Affinity credit card.

In terms of virtual or normal currency, we do have some rigorous authentication log-ons in the E space to try and insure that we have the right protective markers in place. It is taking the contactless technology and other approaches to the next level.

Anything that we brand non-face to face is all about rigour and control. That is easier said than done, as on the back of all of this you have development costs and managing and meeting customer expectations.

Noel: Is it fair to say that virtual currencies are far enough away from mainstream use now, that mainstream financial providers don’t see a need to spend much time on figuring out the security issues for their respective organisation?

Chris: Until we get an industry or consumer generally accepting of what a virtual currency is, only then will most firms start trying to achieve it.

Noel: Allen, what are your thoughts on this area?

Allen: We are monitoring it and it has come up in a couple of meetings but in all honesty, I can’t see any change to our products or propositions where we incorporate any Bitcoin type payments or transactions.

It may at some point become a mainstream player in the market but now it isn’t a realistic consideration.

Noel: New threats are constantly emerging. What forecasting actions do you take and are you planning to develop for the future, to combat crime before it occurs?

Allen: We take a multi element approach. One of the ones we spent the last few weeks doing was re-procuring our insurance policies, so that if we do need to make a claim, we just review our risks on a regular basis. We review them internally and externally to benchmark against the insurance sector, who tend to go from business-to-business and are a valuable consultancy to moderate our risks based on their experiences of dealing with others, so that we are aware of them.

I cannot emphasize just how useful the liaison forum is, to just learn about what other people are tackling and to share our own experiences.

We try to get out and not to think of ourselves as an island and stay in the office all day, as the chances that you will learn about the emerging threats just by having them land on your desk is slim.

Chris: In terms of the future threats, it is difficult to predict. The E space will continue to receive a lot of attention. I personally don’t believe that any modus operandi will drastically change: theft is still theft and fraud is fraud. Where the bigger focus will be is on how data is harvested or used to perpetrate the frauds, as this will become a little bit more technical and evolved.

Allen mentioned the Barclays advert that talked about social engineering, which is a very real example. It is much easier for fraudsters then it used to be, to harvest that data. It is about becoming alert to the real impact of data concerns.

I also sit on an industry financial crime forum that meets quarterly down at the Finance and Leasing Association, where we share some of these ideas. We are very mindful that most of our conversations are reactive because unfortunately as an industry we are behind the curve.

It is fair to say that none of us in this space are in the position we would like to be in.

Noel: One area that has been coming up an awful lot in capital market operations is the role of Artificial Intelligence (AI) in removing the need for human interaction in certain operations. Do you see any increasing roles for AI in the financial crime space?

Chris: Yes, when it is working and people can respond to it, then it’s beneficial use is clear. The challenge will always be the education of consumers to be able to work with AI, given that we are not at the stage of true biometrics yet. A lot of security is still password driven and via secure authentication log in.

From a prevention point of view, the use of AI could be great but the amount of time it takes is challenged by general consumers who struggle to get through certain protocols. Many consumers don’t understand why they are there. There will always be that conflict of interest as to whether it is a hindrance or a protection. It is about striking that balance between risk and customer experience.

As a principle, it is fantastic but in practice it does rely upon credentials being known or understood or automated from both the consumers and firms perspective.

Until we get to a true face to face biometric space or fingerprint recognition where there is no need to memorize certain things, then it would be awkward.

Noel: My thought was more about the behavioural analytics, in the same way that if you withdraw a certain amount of money in a new country when you are travelling, then you can sometimes be barred because the analytics view it as irregular behaviour.

The idea of the machines not just recognising people’s irregular buying and cash withdrawal patterns, but also the way they speak to a phone operator, the stress in their voice and behaviour that goes beyond a fraudster just knowing a person’s personal information, as a way to help make them feel safer, is a way that AI could have a role?

Chris: There will always be new roles for AI that haven’t been explored yet but a lot of it does come back to investment.

Allen: In the various conferences and forums that I have been to in the past year or so, the mention of AI, the promises and capabilities, is much discussed. For me, we haven’t seen enough of it in this space yet and there will be quite a long optimisation period, to get it to a point at which it can work effectively and efficiently.

We are open to the opportunity and see what comes of it. We are not pinning all our hopes on it, as it may or may not be the silver bullet that it claims to be.

The sheer scale of the transactions that we will be managing in the future means that there is no way that we can be reliant solely on humans. We will need some form of automation and there could be elements of AI to support this.

We have been debating this conceptually more than anything rather than any considering any practical solutions. Money laundering and fraud are essentially humans working their way around machines and processes to try and infiltrate ways and means that others haven’t thought of before.

AI may be helpful to support that, in the sense that it is outside the realm of what traditional machines are capable of achieving right now with strict logic processes. However, it is early days and I would be careful not to pin too much hope on it yet.

Download the full 2017 report on Financial Crime & Operational Security.