By Brian Dilley, Group Director, Fraud and Financial Crime Prevention, Lloyds Banking Group.
Brian, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is
I am the Group Director of Fraud and Financial Crime Prevention for Lloyds Banking Group. That means that I am responsible for the prevention of fraud and financial crime across all Lloyds brands, including Halifax, Bank of Scotland and Blackhorse. In the past I have been a KPMG partner, where I was Global Head of AML Services, Global Head of AML in the investment bank at UBS and a Head of department in the Enforcement Department of the Financial Services Authority.
My main focus
Bringing together our fraud and financial crime capabilities, which have been operating separately in the past, and ensuring that we work hand in glove with our cyber team. There is a large overlap between fraud and cyber, with a lot of confusion in the industry on the boundaries (eg for cyber-enabled fraud). The proceeds of both fraud and cyber ransoms is laundered through bank accounts, so all three join up in the criminal world. It is imperative that the intelligence and investigations aspects of fraud, cyber and financial crime are joined up, and working together to deter, detect and disrupt criminal activity. The criminals do not distinguish between the three, so why should we?
We are looking forward to your participation on a panel discussion “Understanding the interactions between cyber-crime prevention and fraud prevention in a fast changing environment” at the upcoming Fraud and Financial Crime Summit. Why do you feel this is an important talking point?
Yes it is very topical. You will hear a lot of talk, particularly from law enforcement, about the need to join up fraud and cyber activities, yet many financial institutions still run them separately. Some argue that cyber is more aligned to IT, which is true when talking about the controls, but when it comes to strategy, including being intelligence-led, there must at least be close collaboration between the teams. That is why we have joined up our intelligence capabilities to cover all crimes.
One of the issues is that people get confused about what cyber really means. Does a traditional crime that is carried out using technology suddenly become cyber? I don’t think so, but there are undoubtedly overlaps that need to be carefully managed. I prefer to use the government definitions, which make the distinction clear:
Cyber dependent crime – Crimes that can be committed only through the use of Information and Communications Technology (ICT) devices, where the devices are both the tool for committing the crime, and the target of the crime (eg developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network activity).
Cyber-enabled crime – Traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (such as cyber-enabled fraud and data theft).
Generally, I would advocate that cyber teams should be responsible for cyber dependent crime and that, for cyber-enabled crime, the team responsible for the underlying crime should take the lead, working with the cyber team and other technology experts, as required.
In your opinion, how should financial institutions be managing the impact of third party data loss?
The impact to date on financial institutions has largely been large data breaches at third parties, where the data can be used to access banking information or to dupe a customer into believing that a call is from their bank. In these circumstances, the best response is to work with the party that was subject to the data loss, to establish which customers of the financial institution have been impacted, and to adapt the monitoring of their transactions accordingly.
Unfortunately, what we have experienced is that the party subject to the data loss often feels unable to disclose full details to financial institutions due to their interpretation of the Data Protection Act and the risk of litigation by the customers impacted. This means that financial institutions are often in the invidious position of knowing there has been a data loss, suffering increased fraud losses as a result, but unable to adapt its prevention techniques or formally attribute the increased fraud to the data loss.
Changes are needed to data protection legislation to enable this sharing of information, which is, after all, done to protect the people whose data has been compromised.
How can FIs ensure data is protected and made unusable if compromised?
The main vulnerability is caused by an over-reliance on static data. Many historic systems of authentication are reliant on static data such as date of birth and even the security questions often ask for information that is easily obtained eg mother’s maiden name. The best way to make the data unusable, is to move away from these types of authentication onto biometric authentication such as voice recognition, facial and iris scanning, and tokenisation such as one time passwords. Though there have been some high profile stories of compromise of these tools, they have been very specific situations (such as the twins on the BBC who trained each other with voice coaches to sound the same). Overall, these preventative measures prevent far more fraud than using static data, and the isolated examples of compromise are not scalable for fraudsters.
The residual risk that remains, however, is the use of the compromised data to make pretext phone calls pretending to be from a customer’s bank. A small amount of information is often enough to fool a customer into trusting the caller, and either authorising transactions on their account, or handing over passwords and pin numbers to allow the fraudster to do so, whilst appearing to the bank to be the genuine customer The preventative controls that banks can use for these frauds, known as Authorised Push Payments, are extremely limited because all of the indicators suggest that it is the customer who is conducting the transaction.
Even when the transaction is challenged by the bank, the customer often confirms that it is genuine, having been coached by the fraudster in what to say if the bank questions the transaction.
What are some of the challenges of the increased inventiveness of attacks in recent years?
Fraudsters are continually adapting their techniques to commit fraud. Whenever there is a new innovation, they find a different approach to get around it.
As mentioned above, APP fraud is a rising fraud trend, driven by improvements in the controls to prevent unauthorised access to accounts. In November last year, Financial Fraud Action UK published data on the scale of this type of fraud for the first time. This revealed that, in the first half of 2017, over £100m was lost to APP fraud.
The impact of this type of fraud is devastating for customers. Often they lose life savings with little chance of recovering them. Fraudsters use stories such as telling the customer that their account has been compromised and they need to move it to a secure account, which is actually controlled by them. They tell the customer that the branch staff are complicit and will tell them that it is a fraud. The bank is required by its mandate to process the transaction if the customer disregards the warnings.
A significant success in this regard has been the Banking Protocol. This allows branch staff to dial 999 when they suspect a customer in a branch is being defrauded. The police will attend and often prevent the fraud and/or arrest the fraudsters. By the end of November 2017, 42 police forces were live with the protocol and £11,444,438 in prevented fraud and 116 arrests could be directly attributed to the Banking Protocol, with 1,437 emergency calls placed and responded to.
Finally, what challenges do you foresee within the Fraud and Financial Crime landscape over the coming years?
The continued development of technology, combined with ever faster payments and new entrants into the payments market will combine to make fraud prevention even more challenging in the future. New technologies can be of benefit to prevent and detect fraud, but can also increase the speed with which the proceeds of crime can be dissipated, reducing recovery opportunities.
The desire for immediate payments, further reduces the thinking time, and increases customer resistance to interventions on genuine payments, in the search for criminal assets. Developments such as Open Banking bring a new population of third parties into the arena with access to banking data, creating additional risk of data loss from less well controlled third parties, but also increasing confusion with customers, who may be tricked into handing over passwords and pins by rogue third parties.
In this environment, the need to ensure that fraud, financial crime and cyber teams are working in alignment, and using intelligence to direct their efforts, becomes even more important.