Thursday, January 20, 2011

The World is Flat for Fraud

This blog entry describes a very common fraud pattern in which criminals, using the internet, can very easily and cheaply collaborate globally to reach halfway around the world ... and right into your customers' pockets.

If you're a Fraud Prevention Exec at a financial institution (FI), this story should sound like a thousand others you hear every day from your investigative staff. If it isn't, you might want to have a look at your defenses.

If you're NOT a bank Fraud Prevention Exec, this blog post is for you! As I discussed in a recent blog post, risk management must comprehensively address all types of risk, including identity theft, unauthorized access, and financial fraud. Read the story below and ask yourself whether your FI is addressing this holistically as a risk to the enterprise.

  1. A teenage hacker in Alabama (or Shenzhen, China, for that matter) downloads the code for a Zeus, URLzone, or Champi banking trojan. He experiments and figures out how to plant it on a victim's computer via email without the victim noticing.
  2. He brags online about his feat, and soon is contacted by a more seasoned fraudster, who buys the virus for $100. The teenager is ecstatic! Party on!
  3. The fraudster sends it out to 1,000 random email addresses from an anonymous account. The trojan takes hold on several hundred computers. It is built to evade most common antivirus scans.
  4. The fraudster then places an ad online offering to sell access to the infected computers (yes, there are Craigslist-like sites just for criminals) for about $30 to $300 for one month. He knows he has broken some laws, but feels his exposure is limited.
  5. A criminal in Eastern Europe buys access, allowing him to activate the trojan and receive the victims' balances, account numbers, usernames, passwords, PINs, identifying info, and even secret questions.
  6. The criminal uses this real customer info to set up a series of "mule" accounts at FIs he knows are vulnerable. The real customer doesn't even know these accounts exist.
  7. The criminal then uses all the usernames and passwords he has gathered to set up funds transfers from the unsuspecting customers' accounts to his mule accounts. He knows to do it quietly, in small amounts over a period of time, in order to stay under everyone's radar. He probably knows, from anecdotes of other criminals (yes, there are fraudster blogs and chatrooms), exactly what patterns or thresholds the FI is looking for.
  8. The criminal opens anonymous or mule offshore accounts in countries with weak Anti-Money Laundering (AML) and Know-Your-Customer (KYC) laws, so he doesn't have to provide any of his own identifying info.
  9. The criminal places an ad online (or on Craigslist) for a "work-from-home payroll analyst" who can naively move money for him without raising any alarms.
  10. He hires a person in the US who, following the criminal's legitimate-looking instructions, transfers money from the mule accounts to the offshore accounts over a period of weeks. By the time the "payroll analyst" realizes they're not getting paid for their work, it's too late. The criminal is gone and his tracks are covered. Once FIs and police investigate the fraud, the "payroll analyst" looks like the prime suspect.
  11. Meanwhile, the criminal launders the funds through a series of transfers, checks, debit card transactions, bill pays, and stored value card purchases. Once the money is clean, he puts it right in his pocket and takes a 6-month vacation with YOUR paycheck.
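Step 7 is where an FI can still catch this chain: each transfer is sized to sit under the per-transaction review threshold, but the criminal cannot avoid two aggregate signals, a customer account sending repeated payments to payees added only days earlier, and one mule account collecting from several unrelated customers. The script below is an added example, not code from the original post or from any FI's fraud system. It runs over a small constructed set of transfer records (the account numbers, dates, amounts and the $1,000 / $2,500 / 30-day / 14-day thresholds are all made up for illustration) and flags both patterns even though no single transfer would trip a fixed limit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the post): outbound transfers roughly as an
# online-banking system might log them. Every amount is deliberately below the
# hypothetical $1,000 per-transaction review threshold.
# (date, source customer acct, destination acct, amount, date destination was first added as a payee)
TRANSFERS = [
    ("2011-01-03", "C-1001", "M-77", 900.00, "2011-01-02"),
    ("2011-01-06", "C-1001", "M-77", 850.00, "2011-01-02"),
    ("2011-01-10", "C-1001", "M-78", 950.00, "2011-01-09"),
    ("2011-01-14", "C-1001", "M-78", 900.00, "2011-01-09"),
    ("2011-01-05", "C-2002", "M-77", 700.00, "2011-01-04"),
    ("2011-01-12", "C-3003", "M-77", 800.00, "2011-01-11"),
    ("2011-01-08", "C-4004", "U-500", 600.00, "2009-06-01"),  # long-standing payee: benign
    ("2011-01-20", "C-4004", "U-500", 650.00, "2009-06-01"),
]

# Hypothetical tuning values; a real FI would calibrate these per segment.
PER_TXN_REVIEW = 1000.00        # the fixed limit the fraudster is staying under
WINDOW = timedelta(days=30)     # trailing window for aggregation
NEW_PAYEE_DAYS = 14             # payee added this recently counts as "new"
CUMULATIVE_LIMIT = 2500.00      # aggregate outflow to new payees that triggers review
FAN_IN_MIN_SOURCES = 3          # distinct senders into one account within the window


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def structuring_alerts(rows, per_txn_review=PER_TXN_REVIEW, window=WINDOW,
                       new_payee_days=NEW_PAYEE_DAYS, cumulative_limit=CUMULATIVE_LIMIT):
    """Flag source accounts whose sub-threshold transfers to recently added payees
    add up past cumulative_limit inside any trailing window."""
    by_src = defaultdict(list)
    for when, src, dst, amount, payee_added in rows:
        by_src[src].append((_d(when), dst, amount, _d(payee_added)))
    alerts = []
    for src, txns in sorted(by_src.items()):
        txns.sort()
        best = None
        for i, (t, _dst, _amt, _added) in enumerate(txns):
            # Transfers in the trailing window that are each under the review
            # threshold and go to a payee added shortly before the transfer.
            recent = [(t2, d2, a2) for (t2, d2, a2, ad2) in txns[: i + 1]
                      if t - t2 <= window
                      and a2 < per_txn_review
                      and (t2 - ad2).days <= new_payee_days]
            total = sum(a2 for _, _, a2 in recent)
            if total >= cumulative_limit and (best is None or total > best["total"]):
                best = {"account": src, "total": round(total, 2),
                        "transfers": len(recent),
                        "payees": sorted({d2 for _, d2, _ in recent}),
                        "window_end": t.date().isoformat()}
        if best:
            alerts.append(best)
    return alerts


def fan_in_alerts(rows, window=WINDOW, min_sources=FAN_IN_MIN_SOURCES):
    """Flag destination accounts fed by min_sources or more distinct customers
    inside a trailing window: the signature of a collection (mule) account."""
    by_dst = defaultdict(list)
    for when, src, dst, amount, _ in rows:
        by_dst[dst].append((_d(when), src, amount))
    alerts = []
    for dst, txns in sorted(by_dst.items()):
        txns.sort()
        best = None
        for i, (t, _src, _amt) in enumerate(txns):
            in_window = [(t2, s2, a2) for (t2, s2, a2) in txns[: i + 1] if t - t2 <= window]
            sources = {s2 for _, s2, _ in in_window}
            if len(sources) >= min_sources and (best is None or len(sources) > best["sources"]):
                best = {"account": dst, "sources": len(sources),
                        "total": round(sum(a2 for _, _, a2 in in_window), 2),
                        "window_end": t.date().isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in structuring_alerts(TRANSFERS):
        print("STRUCTURING", a)
    for a in fan_in_alerts(TRANSFERS):
        print("FAN-IN", a)
```

On the constructed data the first rule flags C-1001 ($3,600 to two payees added in the same fortnight) and the second flags M-77 (fed by three unrelated customers in a week), while the C-4004 payments to a payee on file since 2009 raise nothing. The point the fraudster in step 7 is counting on is that the FI reviews single transactions against a published limit; aggregating by customer, by payee age and by beneficiary fan-in removes the value of knowing that limit.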

Monday, January 3, 2011

A Risk by Any Other Name Would Burn as Bad

Risk management is bread-and-butter for Corporate-level execs, Line-of-Business leaders, and Risk Managers. Crises like 2008 provide hard evidence that rock-solid risk management is an integral part of the business of finance. Those financial institutions (FIs) that had a comprehensive, objective, and disciplined risk management framework survived. Those that outsourced their risk management to their business partners, trading desks, LOB leaders, or customers found their balance sheets pushed into risky and turbulent waters. Most did not survive the voyage.

What follows is a brief and anecdotal discussion of the evolution of how FIs view, and therefore address risk. My objective in trawling this history is to demonstrate:
  1. That risks mutate as rapidly as (the evolution of the business model) × (the increase in the complexity of the industry)
  2. That, before managing risk, it is necessary to clearly define and measure it (but that failing to measure it doesn't mean it doesn't exist)
  3. That the industry is always at least a step (or 3) behind
  4. That Financial Crime (including topics like Money Laundering, Identity Theft, Fraud, Unauthorized Access, and Data Theft) is the next frontier in the evolution of Risk Management

In the '60s and '70s, and thanks in part to the likes of George Soros, FIs discovered that credit risk was a relative measure. A whole market could go up ... or down, taking even good credits with it. FIs realized they were in a race to catch and control a previously-unidentified form of risk: Market Risk. Thanks to Latin American dictators and Mideastern ayatollahs, FIs learned that sudden political shifts can lead to unexpected moves in currencies, tax regimes, and regulatory structures, which in turn ruin individual customers or whole markets. Hello, Sovereign Risk.

The '80s started with rampant inflation, which left many loans, bonds, swaps, and other fixed-income instruments deep underwater. FIs realized they needed to be able to manage the risk related to the overall prevailing interest rates. In order to manage it, they had to identify and measure it. Thus emerged Interest Rate Risk. By mid-decade, Volcker had tamed rates, leading to an explosion in leveraged trading activity by a rapidly-growing list of firms across an ever-diversifying spectrum of markets. Every once in a while, one of those firms couldn't pay up when their margin call or loan came due, or couldn't deliver the securities they had sold. It was time again to start managing new types of risk: Settlement Risk, Counterparty Risk, Liquidity Risk, Concentration Risk.

The rip-roaring '90s grew business size and complexity to levels which far outstripped managers' ability to even understand the risks to the business, much less manage those risks. Authority was implicitly devolved to the front office, for whom risk management is just a hurdle between them and their sale. Rather than deeply and objectively analyzing the risks of new products and services, they outsourced the effort to the market: if a competitor did it, it must be OK. If a smart customer bought it, it must be OK. If the risk management rules and models flashed red with warnings, they were "re-calibrated" to shut up. Welcome to the era of Operational Risk.

For quite some time, there was no consensus about what Operational Risk was, how to measure it, or what to do about it. The Basel Committee defined it as "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." This was far too abstract for most people to convert into real-world risk management strategies, but at the highest level, most understood that the way they ran their business might come back to bite them. The news provided a steady stream of examples of bone-headed moves by large companies which sent their stock prices into free-fall. Investors got burned. Managers got fired. Risks continued to be piled on. Risk Management was absent.

The first 10 years of this century proved that fact. FIs, governments, academics, and talking heads in the news spent a lot of time talking about all the risks a business faces: headline risk, bad business model risk, rogue employee risk, reputational risk, legal risk, political risk, act-of-God risk. Without finishing the task of defining what it was, the industry shifted focus to building "something" to manage Operational Risk. Risks were inventoried, abstracted, debated, categorized. Laws (such as Sarbanes-Oxley) were implemented saying that "something" had to be done. "Someone" had to be held accountable. Regulators began prodding their FIs for evidence of compliance. For most FIs, their best evidence was not in results, but in the large amounts of money they were allocating to large, ambitious projects, the details and timing of which were TBD.

Unfortunately, 2008 showed that, for most firms, the risks beat the projects to the finish line, to tremendously expensive effect. We learned about a new type of risk: Systemic Risk.

House prices, over-indebted Americans, Chinese exchange rates, and greedy bankers got most of the headlines, but embedded within the rubble of that crisis were a vast array of crimes. These crimes led to hard-dollar losses which contributed to the gravity of the crisis. The economic downturn, coupled with the globalizing effect of the Internet, has led to an increase and diversification in financial crime.

While not yet fully emerged from the previous crisis, FIs are once again in a race to head off the next one: Welcome to Financial Crime Risk. While many FIs see this as an operational problem, or a law-enforcement problem, it is in fact a risk management problem, just like all the other types mentioned above. It is an intrinsic part of the business of finance, just as the others are. To prevent 100% of Financial Crime is to stop doing business. FIs must instead manage and mitigate it as a risk, making informed decisions about the resources they allocate to the task. FIs must recognize and measure the cost of the residual risks which they choose not to mitigate. This is not a one-time decision, but an ongoing process of objectively assessing the cost and benefit of their choices.