Tuesday, December 27, 2011

Employee Fraud Thanks to the Cloud

Peer-to-peer and cloud-based file sharing may have been designed by punk kids to get free music, but now some of those punk kids are punk employees of the world's financial institutions. They have not forgotten their craft, according to the Federal Trade Commission:

"when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network. ... we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft."
 -- FTC Chairman Jon Leibowitz on the FTC's website.
A very small fraction may intentionally use these technologies to steal sensitive or private information about the institution or its clients, but a far larger number are unwittingly exposing this information to the open Internet.

Coverage also at the Washington Post.
Many of my clients block P2P clients and websites, as well as related traffic, on company-owned PCs within the institution's firewall. PCs on desks in offices are probably safe. Before you pat yourself on the back, though, make sure you're looking at all potential exposure points. Wherever there's a hole punched in your corporate firewall, there's a potential loss. Ask yourself two questions:
  1. Is the same level of protection and surveillance being placed on VPN, email, webmail, virtual web conferencing, mobile email, and all other devices which span across your firewall DMZ?
  2. Is your monitoring / blocking technology based solely on the sources and destinations of traffic (e.g. "safe" and "prohibited" IPs), or does it also monitor content? Perfectly benign channels such as email or virtual web conferencing usually allow files to be transmitted outside the institution in order to facilitate essential communication and collaboration. Can you, without killing these valuable tools, control WHAT data is transmitted?
 If not ... time to make a little space on the roadmap for new controls.

Saturday, November 19, 2011

What the C-suite Needs to Know about Fraud: Elevator Pitches

Over the coming weeks, I'll be using this blog to suggest a set of "elevator pitches" relating to bank fraud management. This episode gives some background, as well as Pitch #1.

For most of my colleagues in banking, this is a stressful time of year. Yeah, the holidays are upon us. Yeah, the kids have holiday shows and final projects to prepare for. Yeah, there is a long list of presents to buy. Yeah, the home team is one game away from a bowl. For bankers, atop all of that, this is prime-time budget and planning season. Their fate is determined for at least the next 12 months through a gauntlet of analysis and discussion about prioritization, roadmaps, and funding.

The same is equally true for my colleagues in the software industry as they determine what the future holds for their products. Even us consultants get together for tealeaf-reading sessions, trying to anticipate the coming needs of our clients.

This period can be exhausting, but one great side-effect is that a bunch of senior people put their heads together. This is a perfect opportunity for people across the organization to educate each other, and especially the C-suite, on "what's hot" in their area.

In between discussions, in halls, elevators, conference rooms, and on conference calls, there is inevitably some idle time. If you find yourself in one of those moments with your boss's boss's boss, don't blow the moment by hiding in your Blackberry to avoid the awkward silence. Tell them something that will stick with them ... give them your elevator pitch!

Thursday, August 25, 2011

Just in: Market Share Stolen by Hackers!

A Wall Street Journal article today carries the following quote:
Chinese state television has broadcast footage of what two experts on the Chinese military say appears to be a military institute demonstrating software designed to attack websites in the U.S.
DailyTech blog captured screenshots including the image below.

We've felt, feared, or suspected as much for years now, but evidence is becoming undeniable that we are engaged in a new Cold War which is being fought in cyberspace. This new Cyber Cold War is the most unconventional and asymmetric war the world has ever seen. Control is extremely decentralized. Weapons are easily acquired. The risk of retaliation is low. Battles are waged remotely. The perpetrators and victims of the war can be anyone or any group of people. Governments, individuals, and businesses are all players, like it or not.

The WSJ article shows, however, that more conventional power structures are now on the battlefield. Whereas many in the LulzSec group may have simply been bored, over-caffeinated students who wanted some celebrity, my clients and I are increasingly seeing evidence to support the WSJ's case: governments, particularly those of Russia, China, and the US are quietly backing attacks.

Many people would laugh at the notion that a foreign military might wage an online attack on a US financial institution. Consider, however, two factors which might give them motivation:
  1. Sovereign Wealth Funds (SWFs) increasingly own debt and equity of governments AND businesses. This gives them a financial interest in the success (or failure) of certain companies as well as economies. Hack a bank, leak a headline, and watch the share price drop until a buying opportunity has emerged.
  2. Many emerging market countries have discovered that they don't have to create an economy as big as the US in order to have companies which compete on a global scale. These companies can be jump-started with some quiet government support. As a result, it has become common policy to support "national champions" which successfully compete against the largest and most mature global (though still mostly US-based) companies. Government-sponsored hackers might help these champions by hacking the competition and stealing trade information or by creating bad headlines.
Like it or not, we have to acknowledge that certain governments have the means, the motive, and the opportunity to commit cyber attacks against financial institutions. In all likelihood, this has been going on for at least several years. Consider a March 2009 Telegraph.co.uk article:
"A vast Chinese cyber-espionage network, codenamed GhostNet, has penetrated 103 countries and infects at least a dozen new computers every week, according to researchers ... [GhostNet] is the latest sign of China's determination to win a future 'information war'... In 2003, the Chinese army announced the creation of 'information warfare units'."
Fox News added to the story:
"The Chinese government on Monday denied it was behind GhostNet"
Banking has the notion of security at its core. Think of a bank branch and you'll instantly visualize vaults, armed guards and video surveillance. Behind the scenes, banks all have hardened ATMs, teller stick-up procedures, passwords and permissions. In other words, security is tightly integrated with their physical channels.

It is also tightly integrated into their physical products through watermarks, microdot printing on checks, serial numbers on other financial instruments, signature specimens, etc.

Ironically, banks have been dangerously slow to understand how this relates to the online world. Today's banks are dot-coms. Online banking is now a core product. Moreover, it is the "face of the bank" for many customers. It is the gateway or channel through which all other products and services are offered.

Dot-com execs have an advantage in the realm of security and fraud inasmuch as their core product is a piece of technology which intrinsically has a set of permissions and security controls built in. The tools their engineers use also have permissions and security controls at their core. Bank execs need to think like dot-commers. Online security and fraud prevention are just as intrinsic to their core products as signature cards, credit scores, personal relationships, and armed guards once were.

The logical conclusion is that banks need to be organized, staffed, and run more like dot-com businesses to survive in the current Cyber Cold War. Security must be "baked in" to everything they do, just as credit scores and ratings have been baked into lending and trading decisions for decades. Executives should make no mistake: on the current battlefield, market share is not stolen by a bank down the street who might lure customers away with better rates and free toasters. Market share is "stolen" by hackers who ruin the bank's reputation or steal clients' identities and thus cause customers to flee.

It is no longer a sci-fi fantasy that these hackers may be shadow agents of a competitor or even a government intent on manipulating markets, economies, or even specific businesses.

Monday, June 13, 2011

The Convergence of Data, Identity, and Regulatory Risks

This blog started 2011 with a post arguing for the inclusion of financial crime as a type of risk:
"Financial Crime (including topics like Money Laundering, Identity Theft, Fraud, Unauthorized Access, and Data Theft) is the next frontier in the evolution of Risk Management." 1/3/2011
Halfway through the year, this has been borne out in the headlines. While no institution is immune, headlines this week have given one clear example of what I was talking about:
"Citibank has revealed that it detected a data breach last month that exposed fully 1% of all its North American credit card customers’ account details. Citi has about 21.2 million credit card customers in North America according to its annual report, implying that close to 210,000 accounts may have been hit." Andy Greenberg, Forbes Blog.
Only 11 months ago, the remnants of Countrywide Financial settled a class-action lawsuit by setting aside $56.5 million (not including court costs) to cover claims of anyone impacted by an alleged data breach of 2.5m identity records. They, like Citi, were particularly criticized for delaying disclosure. This presumably allowed them time to assess vulnerability, fortify security controls, and perhaps get their legal arguments in order. At the same time, their delay gave identity thieves extra time to use the stolen data to defraud Countrywide's unsuspecting customers.

Countrywide's negotiated settlement puts the average hard-dollar cost of losing an identity record at $22. Many analysts estimate that the all-in number is four times as much once you factor in the soft costs such as reputation damage, lost business, and cost of additional controls. As a result, the rule of thumb I and many of my clients use to size up the cost of a data breach is $100 per identity. That makes Citi's breach quite costly!

In fact, Citi's latest incident comes atop a tide of recent compromises at a number of global firms, including a particularly disturbing breach of the "gold standard" RSA SecurID tokens which are used by many firms as an enhanced security measure for things like sensitive network access and large-dollar online banking transactions.

To pretend that these events "won't happen here" or "are black swans" and thus don't need to be factored into the price of doing business is as negligent as saying that mortgages never go underwater. Blithe assumptions like these are precisely why big, smart firms end up in catastrophe.

Financial institutions need to view financial crimes including data theft, identity theft, and fraud as risks which:
  • are intrinsic to their business, just like credit and market risks
  • are not outlier events, but rather are inevitable (and growing more frequent)
  • must be mitigated, monitored, and controlled
That's lesson one of 2011.

Today, 47 states have data privacy laws. It's the Internet, people! State-by-state laws don't make sense in this context. The good news is that, without a doubt, legislators and regulators alike have noticed these headlines and have stepped up their efforts to develop additional regulatory requirements to address the issue.

The Forbes blog goes on to say:
"The White House’s proposed cybersecurity policy outlined last month would include a mandatory federal breach disclosure law, and another bill proposed by Senator Patrick Leahy would similarly make concealing a data breach a federal crime."
These legislative proposals are atop upcoming FDIC regulations and FFIEC standards on authentication which will likely contain provisions addressing:
  • More frequent risk assessments focusing on authentication and related controls at least every 12 months and prior to implementing new electronic financial services
  • More robust controls as the risk level of transactions increases.
  • Layered security to detect and effectively respond to suspicious or anomalous activity both at initial login and at initiation of online transactions
  • Multi-factor authentication, well beyond simple device identification and easily answered challenge questions
  • Increased customer education and awareness
Therefore, lesson two of 2011 is that regulatory compliance is another risk which should be incorporated into every FI's risk management framework, policy, and practice.

Wednesday, April 13, 2011

You Get What You Pay For: Building Business Cases for Risk Management Investments

In 1993, I visited a factory in the (recently) former Soviet Union.

On the books, the place had a staff of 5,000 making 10,000 lenses a month. In reality, only about 1,000 turned up on any given day. That was fine with management. See, a few years back, Moscow had some extra budget and they let the factory buy some incredibly cheap used lens polishing machines. This meant that the army of 1,000 human polishers were no longer needed, but since nobody "up the chain" cared, the management just kept these folks on the payroll. It made the operation look bigger on paper, and therefore they got a bigger budget from Moscow.

Sadly, they could never get the machines to work quite right, so they kept a few hundred human polishers to "touch up" the lenses before they were shipped. They apparently assumed the machines were good, since they had previously been owned by a well-known Japanese lens manufacturer. In fact, they were heavily used, out-of-date models producing lenses so low in quality the Japanese couldn't sell them at any price point. After installing these machines at the Russian factory, quality went down overall, but was at least consistent, which made managers happy. Nobody at the factory asked if this would help them sell cameras, since their only customer was the Central Government in Moscow. What this intermediary did with the cameras afterward was not their problem.

Until the Soviet Union collapsed.

Their first question to my group was: Who will buy these lenses which are twice the price and half the quality of the competition?
Answer: Nobody.

Second question was: OK, we learned our lesson. Never again. We want to become state-of-the-art. How? Who will give us the money?
Answer: Fuggedaboutit. By the time you catch up, the competition will have improved again. Nobody bets on a losing horse.

Third question was: If we were to give you the factory and a 3-year supply of aluminum for free, would you at least keep paying our staff of 5,000?

It was a desperate situation, a totally reactive management, and a totally losing business case. After some analysis, my delegation told them to make car antennas with the aluminum and we walked away. Instead, the factory closed, the staff stopped getting paychecks, and the managers became "full-time pension administrators" since pension liabilities were all that was left of the once-bustling company.

Wait, what does this have to do with risk management in financial services?

If we in the Financial Services industry don't want to become "full-time pension administrators" presiding over gutted, non-productive zombie firms, we shouldn't act like Soviet factory managers.

Unfortunately, in certain ways, we do. Look at your organization's decision-making process through the lens of my anecdote. How similar is it? Does the annual budgeting process rule? How are those budgets determined? Then look at your process through a different lens. Imagine your department as a standalone business. Would you turn a profit? Would you be competitive? Would it change the way you spend? Would your customers be satisfied, or would they go elsewhere?

If you don't know the answers, read on...

I don't know the answers either, but here's how I think about the problem when I talk to my clients. Viewed very simplistically, FIs make risk management decisions in response to events and losses, either at their own institution or at a competitor. In other words: they're reactive. They don't want to waste money to manage a risk which is never going to happen. When it comes to incorporating risk management into their business cases, they rarely go much further than the camera factory managers did: "won't happen" or "can't happen here" meaning that their firm is somehow special or smart enough to avoid that risk.

Few organizations bother to invest enough time for a comprehensive cost-benefit analysis (CBA) of internal investment projects. Many managers don't even want a CBA because that would require them to familiarize themselves with each individual investment proposal. They prefer to operate at an overall budgetary level. As long as they have unspent budget and you can win the political fight for money, they'll let you have it.

Just like Moscow did for the camera factory managers. They had to change, and so will FIs.

Structurally (i.e. permanently) smaller margins are already forcing FIs to be more discerning in their investments. Value for money can no longer be taken for granted. CBA is already taking over.

That may leave your head spinning with questions. How can I do a CBA in risk management? What is the "price" of a risk? How would I quantify the benefit of preventing something from happening? All good questions.

Start with what you already know. You can't assess what you can't measure, so make sure your operational metrics are up to the task. Enhance your processes as necessary to have comprehensive and high-confidence numbers on the all-in average cost per type of work item. Make sure this is broken down into roles. Investigators' time is important, but don't forget about their team leaders and managers, the QA review team, the auditors, the analytical team, etc. Make sure your per-item metrics add up to 100% of your total labor costs for the function or department.

Layer on technology costs, not by vendor or by solution, but by investigative work item. How much does it cost all-in to get an AML alert? Or a card fraud alert? Again, this has to add up to 100% of your spend on technology. Often, shared technology costs are tough to measure, so work with your technology partners to really understand your use of those shared pieces as a percentage of the whole.

If, due to your company's budget allocation methodology, your department gets some or all technology services for "free", don't think you're off the hook.

Those services are paid for by someone, somewhere. Find out who. Get them on board. They also need to think in terms of business cases. If you can reach across organizational boundaries and collaborate with other departments to reduce overall IT costs, you're likely to appear on the promotion radar at high levels of the organization. Senior managers view this type of behavior as alchemy and tend to reward it well.

Now look at your impact on the institution's profitability. What business do you stop/prevent? What business do you monitor? What business is outside your scope? For each of those categories, what are the historical losses and recoveries?

Similarly, look at customer impact. What is the current attrition/retention rate of business? Talk to customers to find out why. Collaborate with your lines of business to assess customer satisfaction, especially among those who are "touched" by your group. On the fraud side, find out how many defrauded customers leave the institution within 6 months. How happy are they with your handling of their fraud event? On the AML side, the "customer" might be a regulator. Find out what their risk assessments say. What are they concerned about? What kinds of fines or orders are they hitting competitors with?

Get your statistical gurus to slice and dice the results and find differences. The end of this effort should be a "marginal contribution to profitability" percentage.

In other words, how many basis points do your activities add to (or remove from) overall profitability of each line of business?

Benchmark these stats against industry (or at least peer) numbers. Analyst reports and consulting firms are good at helping with this cross-industry view.

By following a framework like the one described here, the "benefit" side of the CBA can be fully understood. The initial effort might be high, but this work is reusable for every subsequent CBA. Individual metrics might change, but the overall benefit-assessment framework will not.
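The cost side of the framework above, as an added example that is not from the original post or any client engagement it describes: it allocates fully loaded labour cost by role and technology cost by system to investigative work-item types, checks that each role's time shares and the per-item totals add back to 100% of spend, and expresses the benefit side as basis points of contribution. All roles, systems, volumes and dollar figures are constructed sample numbers.

```python
"""Cost-per-work-item model for a fraud / AML function (constructed example)."""

TOLERANCE = 1e-6

# Constructed sample inputs ------------------------------------------------

# Annual fully loaded labour cost per role (hypothetical figures).
ROLE_COST = {
    "investigator": 1_200_000.0,
    "team_lead": 300_000.0,
    "qa_review": 150_000.0,
    "analytics": 250_000.0,
}

# Share of each role's time spent on each work-item type. Each role's
# shares must sum to 1.0, otherwise some labour is silently unattributed.
ROLE_TIME_SHARE = {
    "investigator": {"aml_alert": 0.55, "card_fraud_alert": 0.45},
    "team_lead": {"aml_alert": 0.50, "card_fraud_alert": 0.50},
    "qa_review": {"aml_alert": 0.70, "card_fraud_alert": 0.30},
    "analytics": {"aml_alert": 0.40, "card_fraud_alert": 0.60},
}

# Annual technology cost by system. Dedicated systems name the work-item
# type they serve; "shared" systems are split by an agreed usage driver
# (here alert volume, the figure to negotiate with the technology partners).
TECH_COST = {
    "aml_monitoring": ("aml_alert", 400_000.0),
    "card_fraud_engine": ("card_fraud_alert", 500_000.0),
    "case_management": ("shared", 300_000.0),
}

# Annual number of work items handled, by type (constructed).
VOLUME = {"aml_alert": 20_000, "card_fraud_alert": 80_000}


def allocate_labour(role_cost, time_share):
    """Attribute 100% of each role's cost to work-item types."""
    allocated = {}
    for role, cost in role_cost.items():
        shares = time_share[role]
        if abs(sum(shares.values()) - 1.0) > TOLERANCE:
            raise ValueError(f"time shares for {role} do not sum to 100%")
        for item, share in shares.items():
            allocated[item] = allocated.get(item, 0.0) + cost * share
    return allocated


def allocate_tech(tech_cost, volume):
    """Attribute dedicated systems directly and shared systems by volume."""
    total_volume = sum(volume.values())
    allocated = {item: 0.0 for item in volume}
    for _system, (target, cost) in tech_cost.items():
        if target == "shared":
            for item, count in volume.items():
                allocated[item] += cost * count / total_volume
        else:
            allocated[target] += cost
    return allocated


def cost_per_item(role_cost, time_share, tech_cost, volume):
    """All-in annual and unit cost per work-item type."""
    labour = allocate_labour(role_cost, time_share)
    tech = allocate_tech(tech_cost, volume)
    result = {}
    for item, count in volume.items():
        annual = labour.get(item, 0.0) + tech.get(item, 0.0)
        result[item] = {
            "labour": labour.get(item, 0.0),
            "tech": tech.get(item, 0.0),
            "annual": annual,
            "unit": annual / count,
        }
    return result


def reconcile(result, role_cost, tech_cost):
    """True only if the per-item figures add back to total labour and tech spend."""
    labour_total = sum(r["labour"] for r in result.values())
    tech_total = sum(r["tech"] for r in result.values())
    return (abs(labour_total - sum(role_cost.values())) < TOLERANCE
            and abs(tech_total - sum(c for _, c in tech_cost.values())) < TOLERANCE)


def contribution_bps(prevented_losses, recoveries, function_cost, lob_revenue):
    """Marginal contribution of the function to a line of business, in basis points."""
    return (prevented_losses + recoveries - function_cost) / lob_revenue * 10_000


if __name__ == "__main__":
    model = cost_per_item(ROLE_COST, ROLE_TIME_SHARE, TECH_COST, VOLUME)
    for item, r in model.items():
        print(f"{item}: ${r['unit']:.2f} per item (${r['annual']:,.0f}/yr)")
    print("reconciles:", reconcile(model, ROLE_COST, TECH_COST))
```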

Monday, March 14, 2011

What Amazon Can Teach Banks About Fraud May Surprise You

While they do not always succeed, FIs constantly fight a very expensive battle against fraud attacks. Across the US industry, FIs spend $250-300M a year on IT alone. Spending on Fraud Prevention Operations averages 6x-10x this number. That's nearly 1% of industry revenues (using numbers from Fortune Magazine). Sadly, despite this significant investment, fraud losses are estimated by Gartner Group to be 5-8% of revenues. This goes straight to the bottom line as a write-off, especially painful in an industry that hasn't turned a profit in 3 years.

Let's focus for a moment on the ratio of spending between IT and Ops. Across the industry, FIs spend far less than a third of their Anti-Fraud budget on technology and projects. If you include actual fraud losses in the numbers, that percentage drops well below a tenth of all spend.

This tells me that FIs don't trust their technology. When the rubber hits the road, they fall back on laborious manual processes. Step onto the floor of an FI's Anti-fraud department and you'll see why: reams of paper, hundreds of phone conversations, managers prowling the aisles, quants debating math on whiteboards, and armies of data-crunchers building ad-hoc reports in Excel. Look more closely and you'll see that the investigators have multiple PC monitors so they can switch among the dozens of bank systems, each of which contains a few small pieces of the client's overall behavior puzzle. I call this "swivelware" or "alt-tab-ware" and I see it as a clear symptom of a larger problem in the industry.

Swivelware is simply the human response to a failing of technology. Investigators need a full picture of the client's profile: "one-stop-shopping" access to all the client's identifying details, relationships, transactions, historical behavior, and other info. To put all this info on one screen requires a deep and comprehensive level of IT system integration. That's not easy or cheap even under stable conditions. It's nearly impossible in the real world of booms and busts, economic cycles, industry consolidation, new products, new client segments, new fraud patterns, new IT systems, and constant transformation. In fact, this is a never-ending initiative. Unfortunately, most IT spending is driven by corporate budgeting cycles, not by business objectives. This leads to a myopic, fire-fighting, quarter-by-quarter approach in which managers try to constrain the life of these initiatives by breaking them into discrete, well-bounded projects. Unfortunately, the sum of those parts does not add up to the whole business objective, and the result is swivelware.

When I hear a client say they have a "never-ending project" I know that, like it or not, they're really talking about a mis-categorized permanent business process, just like Accounts Payable, HR, or Accounting. It is often a tough sell, but my objective in these cases is to convince my client that they must create a permanent capability to address the business need, including permanent staff, permanent funding, and permanent management with permanent objectives, authority, and accountability.

FIs which have the foresight to do this will lead the industry in establishing competitive advantages through unique and advanced capabilities. Said another way, if you stand up a department whose objective is ongoing integration in order to develop a holistic view of each client, that department will develop capabilities and skills required to fulfill their stated objective. They will also quite likely find other creative ways to use those capabilities and skills to create additional unanticipated value for the institution.

One telling example of this is Amazon, which started as a bookseller, but realized its ingenious supply-chain was a competitive advantage. It leveraged this capability to become a marketplace for all sorts of products, and grew exponentially as a result. More recently, the Amazonians have realized that the infrastructure they built to link millions of customers to thousands of merchants is another competitive advantage. They are now leveraging this to offer "cloud computing" services to businesses.

Sunday, February 13, 2011

Are You a Proud Dad?

My dad gave me one dollar bill
'Cause I'm his smartest son,
And I swapped it for two shiny quarters
'Cause two is more than one!
And then I took the quarters
And traded them to Lou
For three dimes -- I guess he don't know
That three is more than two!
And then I went and showed my dad,
And he got red in the cheeks
And closed his eyes and shook his head--
Too proud of me to speak!

- Shel Silverstein

People working in anti-fraud live and breathe money: losses, recoveries, write-offs. If it costs $1,000 to investigate and recover $500, we all intuitively know that would be a waste of time. We might as well just write off the $500 and move on. And yet...

The following conversation is hypothetical, but it's strikingly similar to what I've heard from several clients in recent weeks:

Client: “Our detection systems are solid, but we're always on our back foot! We want to prevent fraud, not just detect and chase it! We need some sort of prevention system to cut our losses.”

Me: “You might not need a new system. Does your existing technology really ensure your team looks at the biggest risks first?”

Client: “Of course! We do the big transactions first. We have a ‘red’ queue for stuff that requires immediate action.”

Me: “So I imagine if there was a $50k wire, way out of normal for the customer, it would pop into the ‘red’ queue and get looked at right away.”

Client: “Right.”

Me: “And if, at the same time, your systems saw a different account with a series of unusual log-in and balance inquiry events, it would put that in a lower-priority queue?”

Client: “Yeah, unless it was linked to a financial transaction.”

Me: “What if those logins were for the CFO of a very profitable business banking client?”

Client: “Well, the system wouldn’t really know that. We’d see it during investigation.”

Me: “What if the CFO had online access to draw on a $1m revolving line of credit without secondary approval? What if he hadn’t logged in since 2008, but then one day logged in several times, browsed all over your Business Banking portal, and changed wire instructions for an approved beneficiary?”

Client: “Hopefully that would set off alarms! Probably not a ‘red’ alert, but we’d notice for sure. I know we get reports from the wire room every morning. We could call the client and verify the change.”

Me: “What if, at 3:55pm Eastern Time that same day, the CFO logged back in, drew down the line of credit and wired $1m out?”

Client: “NOW there would be a ‘red’ alert!”

Me: “And you'd be on your back foot. How much would you have to spend to drop everything and investigate in order to get the money back?”

Client: “Well it might not be our loss. We can't prevent the client from having a criminal at the CFO spot.”

Me: “How much would you spend to determine if it was really the CFO or an identity thief? No matter what, the client's not going to be happy. Odds are, they're going to close their account. What kind of heat would you get from the banker in charge of the client? Maybe they even drag you to court. What would that cost?”

Client: “Welcome to my daily nightmare! It's the hassle of a lifetime!”

Me: “Wouldn't it be better if your systems could just prevent the wire in the first place? What if my team could get your existing technology to do that?”

Client: “When can you start?”

Just like Silverstein's "proud dad" in the poem, this client was a bit red in the face with frustration. His technology and teams clearly had some growing-up to do.

The problem is that, just like Silverstein's "son," nearly all of today's anti-fraud technologies and business processes misunderstand the real objectives ... through no fault of their own. They've been tasked with monitoring a narrow set of intermediate metrics like transaction size, out-of-profile behavior, or unknown IP address.

The key is to take the blinders off and refocus the technology on the true business metrics. Tell them what you're really trying to achieve. Is it minimized losses? Is it minimized operational cost? Is it minimized customer defection? Is it some balance of these? Then empower them with enough contextual data to make an intelligent determination of what's at stake, and what to do about it.
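The re-prioritisation described in the conversation above, as an added example that is not code from the original post: it scores the same two alerts once on the intermediate metric (wire size) and once on what is actually at stake (the balance and undrawn credit reachable online, plus the revenue lost if the customer leaves), so the dormant CFO login with a beneficiary change lands in the red queue before any money moves. Accounts, events, signal weights and queue thresholds are all constructed assumptions; a real deployment would calibrate the weights from historical fraud outcomes.

```python
"""Context-aware alert prioritisation (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    account_id: str
    segment: str              # "retail" or "business"
    annual_revenue: float     # what the relationship earns the bank per year
    balance: float
    credit_line: float = 0.0  # undrawn credit reachable online without secondary approval
    last_login: Optional[datetime] = None


@dataclass
class Event:
    account_id: str
    ts: datetime
    kind: str                 # "login", "balance_inquiry", "beneficiary_change", "wire", ...
    amount: float = 0.0
    out_of_profile: bool = False


# Heuristic weights and thresholds (constructed; calibrate in practice).
SIGNAL_WEIGHTS = {
    "dormant_reactivation": 0.25,
    "login_burst": 0.15,
    "beneficiary_change": 0.35,
    "out_of_profile_transfer": 0.30,
}
RED_THRESHOLD = 100_000.0
AMBER_THRESHOLD = 10_000.0


def naive_score(events):
    """Intermediate-metric view: the largest wire in the window, nothing else."""
    return max((e.amount for e in events if e.kind == "wire"), default=0.0)


def detect_signals(account, events):
    """Behavioural signals drawn from the event window plus account history."""
    signals = set()
    logins = sorted(e.ts for e in events if e.kind == "login")
    if logins and account.last_login and logins[0] - account.last_login > timedelta(days=365):
        signals.add("dormant_reactivation")
    if len(logins) >= 3 and logins[-1] - logins[0] <= timedelta(days=1):
        signals.add("login_burst")
    if any(e.kind == "beneficiary_change" for e in events):
        signals.add("beneficiary_change")
    if any(e.out_of_profile and e.kind in ("wire", "transfer") for e in events):
        signals.add("out_of_profile_transfer")
    return signals


def contextual_score(account, events):
    """Expected loss: likelihood of compromise times everything the attacker could reach,
    plus the relationship revenue that walks out of the door if the customer defects."""
    signals = detect_signals(account, events)
    likelihood = min(1.0, sum(SIGNAL_WEIGHTS[s] for s in signals))
    exposure = account.balance + account.credit_line
    return likelihood * (exposure + account.annual_revenue), signals


def queue_for(score):
    if score >= RED_THRESHOLD:
        return "red"
    if score >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def prioritise(accounts, events):
    """Rank accounts by contextual score; keep the naive score for comparison."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account_id, []).append(e)
    rows = []
    for account_id, evs in by_account.items():
        score, signals = contextual_score(accounts[account_id], evs)
        rows.append({"account_id": account_id, "naive": naive_score(evs),
                     "contextual": score, "queue": queue_for(score),
                     "signals": sorted(signals)})
    rows.sort(key=lambda r: r["contextual"], reverse=True)
    return rows


# Constructed sample data: a retail customer sending an out-of-profile $50k wire,
# and the CFO of a business client who has not logged in since 2008.
DAY = datetime(2011, 2, 10)
ACCOUNTS = {
    "R-1001": Account("R-1001", "retail", 1_500.0, 62_000.0, 0.0, DAY - timedelta(days=3)),
    "B-2002": Account("B-2002", "business", 250_000.0, 50_000.0, 1_000_000.0, datetime(2008, 6, 1)),
}
EVENTS = [
    Event("R-1001", DAY.replace(hour=10), "wire", 50_000.0, out_of_profile=True),
    Event("B-2002", DAY.replace(hour=9), "login"),
    Event("B-2002", DAY.replace(hour=9, minute=20), "balance_inquiry"),
    Event("B-2002", DAY.replace(hour=11), "login"),
    Event("B-2002", DAY.replace(hour=13), "login"),
    Event("B-2002", DAY.replace(hour=13, minute=30), "beneficiary_change"),
]

if __name__ == "__main__":
    for row in prioritise(ACCOUNTS, EVENTS):
        print(f"{row['account_id']}: naive=${row['naive']:,.0f} "
              f"contextual=${row['contextual']:,.0f} queue={row['queue']} {row['signals']}")
```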

In upcoming blogs, I'll go "down in the weeds" to examine how technologies and business processes can be transformed in this way. Stay tuned!

Thursday, January 20, 2011

The World is Flat for Fraud

This blog entry describes a very common fraud pattern in which criminals, using the internet, can very easily and cheaply collaborate globally to reach halfway around the world ... and right into your customers' pockets.

If you're a Fraud Prevention Exec at a financial institution (FI), this story should sound like a thousand others you hear every day from your investigative staff. If it doesn't, you might want to have a look at your defenses.

If you're NOT a bank Fraud Prevention Exec, this blog post is for you! As I discussed in a recent blog post, risk management must comprehensively address all types of risk, including identity theft, unauthorized access, and financial fraud. Read the story below and ask yourself whether your FI is addressing this holistically as a risk to the enterprise.

  1. A teenage hacker in Alabama (or Shenzhen China, for that matter) downloads the code for a Zeus, URLzone, or Champi trojan virus. He experiments and figures out how to secretly place it on a computer via email.
  2. He brags online about his feat, and soon is contacted by a more seasoned fraudster, who buys the virus for $100. The teenager is ecstatic! Party on!
  3. The fraudster sends it out to 1,000 random email addresses from an anonymous account. The virus takes hold on several hundred computers. It is structured to avoid most common virus scans.
  4. The fraudster then places an ad online offering to sell access to the infected computers (yes, there are Craigslist-like sites just for criminals) for about $30 to $300 for one month. He knows he has broken some laws, but feels his exposure is limited.
  5. A criminal in Eastern Europe buys access, allowing him to activate the trojan and receive the victims' balances, account numbers, usernames, passwords, pins, identifying info, and even secret questions.
  6. The criminal uses this real customer info to set up a series of "mule" accounts at FIs he knows are vulnerable. The real customer doesn't even know these accounts exist.
  7. The criminal then uses all the usernames and passwords he has gathered to set up funds transfers from the unsuspecting customer accounts to his mule accounts. He knows to do it quietly over a period of time in order to stay under everyone's radars. He probably knows, from anecdotes of other criminals (yes, there are fraudster blogs and chatrooms), exactly what patterns or thresholds the FI is looking for.
  8. The criminal opens anonymous or mule offshore accounts in countries with weak Anti-Money Laundering and Know-Your-Customer laws so he doesn't have to provide any of his own identifying info.
  9. The criminal places an ad on Monster.com or Craigslist for a "work-from-home payroll analyst" who can naively move money for him without raising any alarms.
  10. He hires a person in the US who, based on the criminal's legitimate-looking instructions, transfers money from the mule accounts to offshore accounts over a period of weeks. By the time the "payroll analyst" realizes they're not getting paid for their work, it's too late. The criminal is gone and his tracks are covered. Once FIs and police investigate the fraud, the "payroll analyst" looks like the prime suspect.
  11. Meanwhile, the criminal launders the funds through a series of transfers, checks, debit card transactions, bill pays, and stored value card purchases. Once the money is clean, he puts it right in his pocket and takes a 6-month vacation with YOUR paycheck.

Monday, January 3, 2011

A Risk by Any Other Name Would Burn as Bad

Risk management is bread-and-butter for Corporate-level execs, Line-of-Business leaders, and Risk Managers. Crises like 2008 provide hard evidence that rock-solid risk management is an integral part of the business of finance. Those financial institutions (FIs) that had a comprehensive, objective, and disciplined risk management framework survived. Those that outsourced their risk management to their business partners, trading desks, LOB leaders, or customers found their balance sheets pushed into risky and turbulent waters. Most did not survive the voyage.

What follows is a brief and anecdotal discussion of the evolution of how FIs view, and therefore address risk. My objective in trawling this history is to demonstrate:
  1. That risks mutate as rapidly as ( the evolution of the business model * the increase in the complexity of the industry )
  2. That, before managing risk, it is necessary to clearly define and measure it (but that failing to measure it doesn't mean it doesn't exist)
  3. That the industry is always at least a step (or 3) behind
  4. That Financial Crime (including topics like Money Laundering, Identity Theft, Fraud, Unauthorized Access, and Data Theft) is the next frontier in the evolution of Risk Management
In the '60s and '70s, and thanks in part to the likes of George Soros, FIs discovered that credit risk was a relative measure. A whole market could go up ... or down, taking even good credits with it. FIs realized they were in a race to catch and control a previously-unidentified form of risk: Market Risk. Thanks to Latin American dictators and Mideastern ayatollahs, FIs learned that sudden political shifts can lead to unexpected moves in currencies, tax regimes, and regulatory structures, which in turn ruin individual customers or whole markets. Hello, Sovereign Risk.

The '80's started with rampant inflation, which deeply submerged many loans, bonds, swaps, and other fixed-income instruments. FIs realized they needed to be able to manage the risk related to the overall prevailing interest rates. In order to manage it, they had to identify and measure it. Thus emerged Interest Rate Risk. By mid-decade, Volcker had tamed rates, leading to an explosion in leveraged trading activity by a rapidly-growing list of firms across an ever-diversifying spectrum of markets. Every once in a while, one of those firms couldn't pay up when their margin call or loan came due, or couldn't deliver the securities which they had sold. It was time again to start managing new types of risk: Settlement Risk, Counterparty Risk, Liquidity Risk, Concentration Risk.

The rip-roaring '90's grew business size and complexity to levels which far outstripped managers' ability to even understand the risks to the business, much less manage those risks. Authority was implicitly devolved to the front office, for whom risk management is just a hurdle between them and their sale. Rather than deeply and objectively analyzing risks to new products and services, they outsourced the effort to the market; if a competitor did it, it must be OK. If a smart customer bought it, it must be OK. If the risk management rules and models flashed red with warnings, they were "re-calibrated" to shut up. Welcome to the era of Operational Risk.

For quite some time, there was no consensus about what Operational Risk was, how to measure it, or what to do about it. The Basel Committee defined it as "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." This was far too abstract for most people to convert into real-world risk management strategies, but at the highest level, most understood that the way they ran their business might come back to bite them. The news provided a steady stream of examples of bone-headed moves by large companies which sent their stock prices into free-fall. Investors got burned. Managers got fired. Risks continued to be piled on. Risk Management was absent.

The first 10 years of this century proved that fact. FIs, governments, academics, and talking heads in the news spent a lot of time talking about all the risks a business faces: headline risk, bad business model risk, rogue employee risk, reputational risk, legal risk, political risk, act-of-God risk. Without finishing the task of defining what it was, the industry shifted focus to building "something" to manage Operational Risk. Risks were inventoried, abstracted, debated, categorized. Laws (such as Sarbanes-Oxley) were implemented saying that "something" had to be done. "Someone" had to be held accountable. Regulators began prodding their FIs for evidence of compliance. For most FIs, their best evidence was not in results, but in the large amounts of money they were allocating to large, ambitious projects, the details and timing of which were TBD.

Unfortunately, 2008 showed that, for most firms, the risks beat the projects to the finish line, to tremendously expensive effect. We learned about a new type of risk: Systemic Risk.

House prices, over-indebted Americans, Chinese exchange rates, and greedy bankers got most of the headlines, but embedded within the rubble of that crisis were a vast array of crimes. These crimes led to hard-dollar losses which contributed to the gravity of the crisis. The economic downturn, coupled with the globalization effects of the Internet, has led to an increase and diversification in financial crime.

While not yet fully emerged from the previous crisis, FIs are once again in a race to head off the next crisis: Welcome to Financial Crime Risk. While many FIs see this as an operational problem, or a law-enforcement problem, it is indeed a risk management problem, just like all the other types mentioned above. It is an intrinsic part of the business of finance, just as the others are. To prevent 100% of Financial Crime is to stop doing business. FIs must instead manage and mitigate it as a risk, making informed decisions about the resources they allocate to the task. FIs must recognize and measure the cost of residual risks which they choose not to mitigate. This is not a one-time decision, but an ongoing process of objectively assessing the cost and benefit of their choices.