Thomas Mangine, former Director, AML and MLRO, BMO shares his insights ahead of Non-Financial & Operational Risk USA

Reviewing the changing FFC landscape

Thomas Mangine, former Director, AML and MLRO, BMO

Below is an insight into what can be expected from Thomas’s session at Non-Financial & Operational Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can financial institutions consistently stay on top of the changing landscape of techniques and tactics within fraud and financial crime?

Three things: build an internal training program that includes reviewing current cases (noting key developments, challenges, and lessons learned); assess your program’s weaknesses and war game what actions fraudsters may take; and institute a Public Sector – Private Sector program.

  1. Look at current cases: Your quarterly internal training program should include a review of significant cases – where significance is determined by cases that involved new challenges, identified weaknesses in your current program, or saw your team leverage new techniques, tactics, or procedures.
  2. Assess your weaknesses and war game: In conjunction with colleagues outside your team, conduct an honest assessment of your team/program weaknesses – What are your areas for improvement? What have you put off previously (whether due to time or budget constraints)? After that, put yourself in the shoes of someone trying to commit fraud against your firm and/or clients – what would you do and why? Evaluate schemes based on those that you are most likely to encounter and those that would be most dangerous.
  3. Public/private sector engagement: Strengthen your public/private sector engagement plan. Consider where your program has assisted you and where it has not. Review with which regulatory and law enforcement partners you have not engaged (think in terms of all jurisdictions where you operate). Identify forums where you can and should participate. Determine what information you can share, what assistance you can provide, and what questions you need answered. Identify which team members will participate in what efforts (be sure to invite colleagues like AML, Cyber, Legal, and Sales representatives).

What social engineering techniques and scams are being used against financial institutions?

The techniques are quite similar to what has been used to this point. Folks can see the rise in both Business Email Compromise and Ransomware in the media. However, what is new is multi-phased operations – techniques designed to collect information via social media that will be incorporated into a phishing email that is part of a business email compromise effort.

What I regard as particularly serious are smishing campaigns, social media platforms (both corporate pages and individual pages), and synthetic ID fraud (particularly the theft of credentials). I think, at the moment, AI will be used as part of some less-sophisticated techniques – attacks with AI will focus on mass (like smishing for new Covid-19 threats and advance fee fraud schemes). AI needs about a year to mature, and we will see more attacks where AI is enhancing phishing and smishing by replicating more realistic messages. LinkedIn is facing serious problems right now – tell your people.

How can institutions use forward-looking reporting metrics to monitor emerging risks? What benefits will this bring?

The goal should be to confirm what data you are collecting and verify the value this data has relative to assessing your risk. Consider when you are collecting metrics and when you should review them next. For example, if you have metrics examining fraud alerts but have incorporated new systems, you need to consider the validity of the data – what information did you pull when you collected metrics, and what did your new systems/new software/new training do? How does this impact the value of your metrics?

Clearly define what you expect to see in your metrics and when you expect to see it. You must avoid the overly vague “we would expect fewer false positives” and then throw out a percentage (this requires real time and effort for the process to have any value). Review what your data provides – is it telling you what you thought it was telling you? You need to carefully consider the data points that your software uses and what information you collect for your metrics – is there any relevance?

Can you outline the FinCEN Anti-Money Laundering Act requirements and why it is important to review this within financial services?

Banks are not required to incorporate the AML/CFT Priorities into their risk-based BSA compliance programs until the effective date of the final revised regulations. Nevertheless, in preparation for any new requirements when those final rules are published, banks may wish to start considering how they will incorporate the AML/CFT Priorities into their risk-based BSA compliance programs, such as by assessing the potential related risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate. Finally, the AML Act requires that the review by a bank of the AML/CFT Priorities and the incorporation of those priorities, as appropriate, into its risk-based BSA compliance program be included as a measure on which a bank is supervised and examined.

This interagency statement confirms that State bank and credit union regulators and FBA examiners will not examine banks for the incorporation of the AML/CFT Priorities into their risk-based BSA programs until the effective date of final revised regulations. Requirements regarding Beneficial Ownership as well as Art and Antiquities will increase KYC responsibilities – are your clients doing what they are supposed to do?