Wednesday, November 28, 2007

Making financial crime a priority

Well, it seems the HM Revenue & Customs (HMRC) incident, in which millions of customers' personal and financial details stored on an unencrypted CD went missing, has opened a veritable can of worms.

My inbox is suddenly being inundated with emails questioning how well customer data is protected, not just by government departments but also by banks and other companies.

The HMRC incident prompted the British Bankers' Association (BBA) to publish these rather terse words for law enforcement officers:

"Looking at the wider context in which this unacceptable lack of sensible data protection took place, it is clear that the Government has not yet accepted properly the case for making fraud and financial crime a priority for law enforcement in its own right," says the BBA.

Not only, it seems, are government departments letting the side down by not adhering to the strictest data protection principles, but the very same government that requires banks to spend millions on anti-fraud and anti-money laundering measures is apparently not even bothering to allocate sufficient resources to law enforcement to tackle money laundering and fraud risks, says the BBA.

"It is quite extraordinary that the industry does so much on anti-money laundering, on fraud prevention and on identifying suspicious transactions, and yet this doesn't feature among the priorities the police have been given by the Home Office."

Those of you who read this blog regularly will know that we have been particularly vocal about the cost/benefit of banks investing millions in anti-money laundering (AML) solutions when there is a very clear lack of transparency about how successful these systems are at accurately identifying suspicious transactions, and about the percentage of reported transactions that lead to successful prosecutions.

Not only are the banks unwilling to talk about how many suspicious transactions they are actually reporting (although we hear the number of Suspicious Activity Reports (SARs) has increased exponentially as compliance officers report everything to cover their backs), but it appears the due diligence of law enforcement officers does not match the time and money being invested by banks in generating SARs.

Not only that, but government departments appear to be giving potential fraudsters a leg-up by failing to adequately protect consumers' personal details. Surely the government needs to be made as accountable as the banks?

Tuesday, November 27, 2007

Thwarting fraudsters

I have purposely avoided writing anything about the HM Revenue & Customs (HMRC) data breach involving millions of UK consumers' personal and banking details, but I felt compelled to say something when I started seeing information security vendors leaping on the bandwagon.

While it may be true to say that "fraud is already firmly on the banking industry agenda", when information security vendors say that consumers should not lose sleep over the HMRC debacle because banks have risk management systems in place, it does not really provide me with much comfort.

The fact remains that despite these systems, fraud and identity theft still occur on an ever-increasing scale, and it is arguable whether banks' systems are adequate. Even if thieves cannot access a person's bank account directly, they could still use their name and address details to apply for a credit card or other forms of financing.

The most alarming thing about the HMRC data leak is that it reflects well-entrenched practices within government departments of posting customer data on unencrypted CDs.

It strikes me as rather odd that on the one hand you have a government wanting ISPs and banks to take more responsibility for protecting consumers' identity and personal details, yet government departments which hold reams of information on millions of people are not subject to the same levels of scrutiny or compliance.

According to Jeremy Smith, managing director of Jardine Lloyd Thompson's Financial & Professional Risks division, the HMRC incident has prompted security experts to renew their request for the current law to be urgently reviewed because, unlike our American counterparts, the Data Protection Act does not currently compel companies to notify those affected by the loss of data.

Smith points to the almost £1 million fine levied by the FSA on the Nationwide Building Society over a laptop stolen from an employee's house. Yet no such fines will be levied on government departments, which do not face the same regulatory scrutiny as banks. As the government steps up its "Big Brother" campaign to collate as much information as possible on individuals, one has to seriously question this lack of accountability.

On the technology side, there has been a great deal of focus on authenticating a customer's identity at the point of sale using chip and PIN, but very little focus on securing the storage and transmission of customer data between the government departments and banks that share it, or on training employees to abide by the strictest codes when it comes to managing that data.

At this point, information security experts are going to proffer some kind of comment about the latest and greatest solutions that can help banks identify fraud before it occurs. One such comment in the wake of the HMRC debacle was:

"By understanding customer behaviour across multiple payment channels in real time, banks will be able to identify irregular account activity that could potentially thwart fraudsters before they have even committed a crime."

Sounds great in theory, but show me a bank that has the systems and business processes in place such that it can accurately monitor and understand customer behaviour across multiple channels and product silos in real time. Even if such a bank exists, I don't think it would be game to put its hand up for fear of being proven wrong.

The banking industry and government cannot afford to rest on their laurels on the basis that banks have implemented a nice piece of software kit with bells and whistles which is going to make everything all right. With banks, government departments and websites collating unprecedented levels of personal information on consumers, is it any wonder that identity theft is on the rise? No amount of banking software is going to change that.

Thursday, November 01, 2007

Don't forget to switch off the lights

"Have a green day," said BT Global Services CEO Francois Barrault as he introduced The Green Bank event at the Tate Modern in London yesterday. His remark is perhaps an indication of how far industry CEOs have come in embracing the environmental sustainability agenda.

After all, Barrault conceded that when he first met environmental campaigner Al Gore, who proceeded to show him pictures of Arctic ice caps melting, he thought Gore was a little "crazy".

John Williams, head of group sustainable development at HSBC, which lays claim to being the world's first "carbon neutral" bank (whatever that means), said he was initially perceived as something of a "hippy", which is how the corporate world has always liked to portray those who express concern about business's impact on the environment.

One would have hoped that the so-called "Green Debate" had moved on from such redundant stereotypes, but it appears that the corporate world, while on the one hand waking up to its environmental responsibilities, does not want to be associated too closely with the 'hippies' and 'tree huggers' who do not need a cost/benefit analysis, brand protection or new business opportunities to justify their passion for the environment.

So when a CEO of a major company says, "Have a green day" or HSBC says it is a "carbon-neutral" bank, what does that actually mean? There is no question that HSBC is a major investor in renewables, has project financing guidelines based on environmental principles and has constructed solar-powered buildings.

Yet HSBC has also been accused of being one of the myriad banks that leave their office lights on all night at Canary Wharf, and it does not totally rule out providing project financing for environmental "dinosaurs" such as the coal industry.

So does being 'green' mean saying one thing and doing another, or being 'green' part of the time and not the rest? There is no question that the industry has come a long way in terms of its support for "sustainability", but business and banking by their very nature contradict a lot of sustainable principles.

After all, banks are in the business of making money, and if it did not make business sense, win them customers or save them money, they wouldn't 'green' their IT or use recycled paper just for the sake of environmental sustainability.

At yesterday's event, HSBC and Morgan Stanley spoke about the dilemma of what to do about executives who need to travel. Both are looking at telepresence and the latest videoconferencing technologies as a way of reducing executive air travel, but I am dubious when banks say that for those carbon emissions they cannot easily reduce, they can merely offset them by buying carbon credits.

In that sense the "carbon-neutral" title is somewhat misleading, as it appears to suggest that the bank has a zero carbon footprint, which is not entirely true.

A lot of yesterday's debate at the Tate Modern was spent showing graphs and theoretical proofs of concept around what sustainability is and what it means, when the reality of why banks and industry should be doing this was more succinctly put by the CIO of Morgan Stanley, who said that if oil and commodity prices continue to rise, reducing energy consumption and their data centre footprint is pretty much a 'no-brainer'.

A guy sitting next to me from Barclays Capital said he was a bit disappointed by yesterday's presentation. He wanted to hear what other banks were doing when it came to "greening" their IT and data centres, and thought the industry debate had moved on to more concrete tangibles rather than debating the vagaries of what sustainability means.

After all, there are things firms can do now, without having to debate what sustainability means, that will cut costs and save energy: turning office lights off, printing on both sides of the paper, using teleconferencing, virtualising servers, grid computing. That is just good business sense.

Yet while there certainly is an impetus amongst banks to sign up to being "green", for whatever reason, once they ascribe that label to themselves it is not merely something you can throw money or technology at and say you have done your bit.

"Being green" is an ongoing responsibility. After all, if you are reducing the carbon footprint of your data centre but continuing to issue paper bank statements and faxes every day, forgetting to switch your office lights off, or project-financing major oil and coal projects, doesn't that mean companies are only being 'green' when it suits them?