James Fanning is a Director at FTI Consulting, London
As someone who spends most of his life helping banks in the fight against financial crime, I always enjoy stories of hapless criminals caught in the act trying to get money into the system.
There was the man who arrived at a building society with a bag of £50 notes, and exclaimed “I’m definitely not a drug dealer!” when questioned by staff. Then there was the gentleman who visited his safe deposit box in the city twenty times a day, whisking in and out on his motorbike to dispense with his illicit wares.
These crooks were, to put it kindly, unsophisticated. Or to put it bluntly, they were idiots. For every Vito Corleone there will be a hundred Del Boys. The real challenge for law enforcement, regulators and compliance professionals will always be the smart crooks, particularly those using new technologies and tools to disguise their behaviour.
Depending on your opinion, virtual currencies represent either the vanguard of a utopian future, or the latest speculative bubble just waiting to burst. Despite uncertainty about the future of virtual currencies, criminals have been quick to seize new technology, and benefit from the perceived anonymity, speed of transactions and ease of access to international markets.
So what do crooks get from virtual currency that they don’t get from banks?
Let’s take a worked example. I’m a politician in a country with a high degree of corruption and I’ve been plundering the public purse. I want to buy a property offshore as an investment to house my collection of Bentleys, Kalashnikovs and football clubs.
I might struggle with getting my money into a bank in the UK. This is because any bank worth its salt will be carrying out Enhanced Due Diligence checks to determine my source of wealth and funds. The same is true for any lawyers or estate agents that might be involved in the transaction. Failure to carry out these measures could mean fines, business restrictions and public censure. Whilst there is no guarantee the bankers, lawyers and agents will do the right thing – and a significant share of the world’s money laundering still goes through London – at least there is a framework in place to stop it from happening.
Currently, there are no such requirements for virtual currency traders. So I could place funds into an account in my country. I could then use the funds to purchase some cryptocurrency; let’s call it DodgyCoin. I then go to a currency exchange and convert it to CrookCoin, and on to BaddieCoin and VillainCoin, before converting back to DodgyCoin.
I then approach a virtual currency exchange service, converting my virtual coins into hard currency. The result? I have successfully obfuscated the original proceeds and disguised the original funds.
The current state
The above may seem unnecessarily disparaging of the virtual currency world. Certainly, there are many exchanges that conduct AML checks to ensure that the above does not happen. But a recent study into Bitcoin money laundering indicated that “this is out of choice rather than obligation…there are some who choose not to, possibly to attract business from criminals”[1].
Of course, we know that regulated institutions will often flout the rules where there is money to be made. So it is likely that unregulated institutions will not take AML and sanctions controls as seriously as they could do.
Is the money launderer’s dream over?
This brings us to the Fifth Money Laundering Directive (5MLD). The EU has determined that anyone converting virtual currency into hard currency will now be subject to the same rules and regulations as other financial institutions. This is due for implementation by member states by October 2019.
The UK Government has indicated that the new Directive “may…be transposed in full, by the UK during the post-Brexit period”[2]. In addition, just this month the FCA has published a Dear CEO letter, advising financial institutions on measures to apply where dealing with crypto-exchanges. It seems virtual currencies are on the regulatory radar, and it would be surprising if the 5MLD requirements were not adopted by the UK government in full.
So maybe the dream isn’t over – but certainly governments and regulators are taking steps to tame the Crypto Wild West.
I offer cryptocurrency to fiat exchange services, what should I be doing?
The new legislative framework for crypto exchanges will mean adhering to the established rules laid down in the Fourth Money Laundering Directive, which has been incorporated into UK law in the Money Laundering Regulations 2017.
It’s easy to reel off a list of Money Laundering Requirements, and simply state that Currency Traders now need to adhere to them. The basic measures involve:
- i) Customer screening for PEPs and sanctions;
- ii) Carrying out a financial crime risk assessment for each customer;
- iii) Identifying individual and corporate customers and verifying that they are who they say they are;
- iv) Carrying out regular reviews of due diligence to confirm it is up to date, and carrying out additional reviews where anything about the relationship has changed;
- v) Carrying out enhanced checks for customers that pose a higher risk of Money Laundering or Terrorist financing, including more stringent checks on customer Source of Wealth and Source of Funds.
- vi) Monitoring accounts for unusual activity;
- vii) Reporting any suspicions of Money Laundering or Terrorist Financing to the NCA.
The problem with this, however, is that this framework was largely designed with financial institutions in mind. Virtual Currencies are by their very nature different, and a tailored, specific approach is required.
The key starting point therefore is the Business Wide Risk Assessment. This means understanding the inherent financial crime risks across your business, in order to inform the design of controls to mitigate those risks. Virtual currency risks may be entirely different to those in a retail banking, commodities trading or wealth management context, and so the controls designed need to reflect this.
Currency Exchanges should ask themselves the following:
- i) Are we converting coins for cash, for individuals or corporates? What is the proportion of individuals vs. corporates? Does the existence of corporates in our portfolio make it harder to understand who we are dealing with? Are the individuals PEPs? Are they based in high-risk locations? Is there any negative information about them in the news?
- ii) What virtual currencies do we convert? Is it just well-known coins like Bitcoin, or do we trade in more unique, start-up offerings? Is there evidence any of the currencies have been used for criminal purposes?
- iii) Are any of the currencies based in jurisdictions with a high risk of money laundering or terrorist financing? Can we determine where the currency was established and how?
- iv) What is the volume and value of the trades? How quickly can someone use us to convert virtual currency into cash? Does the speed of service make it difficult to monitor unusual or suspicious transactions?
- v) Can we always see a clear audit trail to the individual’s initial purchase of virtual currency?
- vi) Can our customers’ identities be clearly identified in the public blockchain? Do we have measures in place to confirm customer identity at the point of conversion to cash?
- vii) What are our delivery channels?
The above framework should assist in developing an understanding of the core financial crime risks. It is then a case of developing the pre-existing MLREGS 2017 controls, in line with the identified inherent risks.
This is no easy exercise, and much of the published guidance will relate to more mainstream financial products and contexts. A good example of this is Source of Funds. For a retail bank, this is easy. You simply identify the account money has come from, and how that money was initially generated.
With virtual currency, the initial payment from a bank account might have happened years ago. The customer might have traded hundreds of times in different virtual currencies, before deciding to make the exchange to real money. In higher risk cases, currency exchanges may wish to see verifiable records and a clear audit trail of all transactions to confirm the initial source of funds.
This is not easy to do, but if the crypto exchanges can’t do it, they will be in the same position as the building society approached by the man with a bag of cash. If you can’t tell where your client’s money has come from, then you shouldn’t be doing business with them.
There are no easy solutions, and new technologies mean new types of crime and new regulations. The application of existing regulation to new service providers will be a source of challenge for many years to come.
How payments can help streamline operations and boost customer satisfaction in the vending industry
By Darren Anderson, Business Development Manager, Self Service, Ingenico Enterprise Retail
The COVID-19 pandemic has had an astounding impact on the payments industry, causing cash usage to plummet as contactless and card-not-present volumes soared. Of course, this phenomenon was not unforeseen by payments professionals, who had predicted such a movement away from cash, but not at the speed the virus guidelines facilitated. In fact, due in part to the hygiene perks of contactless payment methods increasing their adoption, 50% of customers think that cash will disappear completely at some point in the future.
The unattended market was ahead of the pandemic in terms of contactless alternative payment method (APM) adoption, and it continues to upgrade its offerings to suit a wider range of industries. Nevertheless, the pain point for vending operators is that they’re often not sure exactly how these technologies work, or how to implement them. And with payments offerings constantly evolving, it’s becoming harder for vending operators to know which solution would be the best fit for their business.
As such, one easy way for vending operators to ease this load is to partner with a knowledgeable payments advisor who can not only provide the best solutions for their business, but guide them through the process and any need-to-knows. It’s also important to investigate the payments trends across the vending market, what the future might bring and what vending operators need to know about newer payments technology and the value it can bring to their unattended retail business operations.
Vending through the pandemic
Coronavirus has impacted the unattended market in various ways. In some cases, vending machine use has decreased as a result of lower footfall and closed premises. However, the nature of vending being self-service, for many it’s just been a case of upgrading systems to meet new guidelines and hygiene recommendations to start boosting their usage again. As cash usage decreased over the course of the pandemic, cards and APMs stepped in to provide a host of benefits, and as customers use and enjoy these seamless technologies, they are fast becoming the preference.
These developments have provided the opportunity for vending operators to embrace newer technologies which, although ultimately positive, can prove daunting if such retailers are not accustomed to working closely with payments. Fortunately, the vending market is in a great position to take advantage of new contactless technologies, being already low on human interaction and having 24/7 capabilities.
What’s more, the market can not only cater to consumers’ evolving needs, but it can also provide the flexibility and reliability that consumers are relying on as the world around them is changing. Many new technologies can also improve the general operations and management of vending, offering features such as easier on-the-go stock management and maintenance notification technology.
Keeping the consumer in mind
Consumers today want to enjoy the latest innovations and best-in-class customer experiences. These shoppers believe that self-service is a time-saver, and they also view cashless and contactless as faster and more seamless ways to pay – a fact which is reflected in the recent consumer demand for a wider variety of APMs. Customers now expect even more options to pay for their goods and services, from QR codes, to in-app payments and more.
Alongside the cashless trend, data-security and customer experience are two other factors driving the vending market evolution. With constantly evolving fraud developments in the online world, good security is more pertinent than ever, and has to be a central consideration to vending operators – as well as ensuring a seamless customer experience.
From a customer usage standpoint, mobile payments are becoming increasingly popular, driven by the Gen Z market. According to our research, 63% of Gen Zers have said they would pay more for a mobile experience.
Trust and a good experience are also considerable factors across all customer groups, with 95% of customers claiming their loyalties lie with a company they trust, and 86% willing to pay more for a positive experience.
To appeal to ever-hungry consumers, vending operators need to provide the options they want. In the unattended market, this is relatively simple – not only do they provide a convenient and reliable method of payment for customers, but they also avoid face-to-face interaction. They can also supply a range of different products and accept a variety of payment methods to appeal to all customers, no matter their preference.
Using payments to drive revenue
Driving revenue is a two-pronged approach – you need to appeal to customers to keep them coming, and streamline operations to reduce overheads. In order to meet both parties’ expectations, it’s important to respond well to new vending challenges, taking note of the solutions that enable merchants to provide their customers with the payment methods they prefer.
Payments are complicated, so there’s no need to worry if you’re not hugely familiar with the offering out there, or unsure where to start – that’s where a payment service provider (PSP) can assist. With the expertise that a PSP brings, along with the technological solutions they offer, vending operators can improve customer journeys in all unattended environments.
Such technological solutions are flexible and can cater to specific business needs, while providing easy, quick, and secure payment methods that protect both the business and the customer’s personal data. They can also improve operational efficiency, increasing business performance with features such as real-time reporting and smart transaction management, to provide a best-in-class customer experience.
With smart devices, a secure gateway and advanced acquiring capabilities, PSPs can help vending operators design a flexible vending solution tailored to their individual and specific needs. To find out more about unattended retail and how your company can benefit from Ingenico’s unique expert knowledge, get in contact with Ingenico Enterprise Retail today at www.ingenico.com/smartselfvending.
ISO 20022 migration: full speed ahead despite recent delays, says new Deutsche Bank paper
Today, Deutsche Bank has released the third installment in its “Guide to ISO 20022 migration” series, which offers a comprehensive update on the industry shift to the de facto global standard for financial messaging: ISO 20022. This paper comes at a critical time for the ISO 20022 migration, with a number of changes to existing timelines and strategies from SWIFT and the world’s major market infrastructures having been announced this year.
The paper explores the latest developments, including SWIFT’s year-long postponement of the migration in the correspondent banking space. The decision meets industry calls for a delay and also provides ample time to build the new central Transaction Management Platform (TMP) – a core feature of SWIFT’s new strategy that will allow the industry to move away from point-to-point messaging and towards central transaction processing.
It also details the wave of action that has been seen by market infrastructures around the world – with many, including the ECB, EBA CLEARING and the Bank of England, announcing revised migration approaches.
“Now more than ever, with shifting timelines and strained resources, it is vital that banks and corporates alike do not view the ISO 20022 migration as just another project that can be put on the back burner,” says Christian Westerhaus, Head of Cash Products, Cash Management, Deutsche Bank. “The delays in the correspondent banking space, and across several market infrastructures, should not be seen as an opportunity for banks to take their foot off the pedal. The journey to ISO 20022 is still moving ahead at speed – and internal projects need to reflect this.”
The Guide also highlights the implementation issues on the migration journey ahead – most notably surrounding interoperability between market infrastructures, usage guidelines and messaging formats. This is achieved through a series of deep dives, case studies, and points of attention drawn from Deutsche Bank’s internal analysis.
“As this year has proved, nothing is set in stone,” says Paula Roels, Head of Market Infrastructure & Industry Initiatives, Deutsche Bank. “The ISO 20022 migration involves a lot of moving parts and keeping abreast of the latest developments is critical for banks and corporates alike. As the deadlines near, and the ISO 20022 story develops, this series of guides will continue to highlight key points for consideration over the coming years.”
The Psychology Behind a Strong Security Culture in the Financial Sector
By Javvad Malik, Security Awareness Advocate at KnowBe4
Banks and financial industries are quite literally where the money is, positioning them as prominent targets for cybercriminals worldwide. Unfortunately, regardless of investments made in the latest technologies, the Achilles heel of these institutions is their employees. Oftentimes, a human blunder is found to be a contributing factor in a security breach, if not the direct source. Indeed, in the 2020 Verizon Data Breach Investigations Report, miscellaneous errors were found vying closely with web application attacks for the top cause of breaches affecting the financial and insurance sector. A secretary may forward an email to the wrong recipient or a system administrator may misconfigure firewall settings. Perhaps a user clicks on a malicious link. Whatever the case, the outcome is equally dire.
Having grown acutely aware of the role that people play in cybersecurity, business leaders are scrambling to establish a strong security culture within their own organisations. In fact, for many leaders across the globe, realising a strong security culture is of increasing importance, not solely for fear of a breach, but as fundamental to the overall success of their organisations – be it to create customer trust or enhance brand value. Yet, the term lacks a universal definition, and its interpretation varies depending on the individual. In one survey of 1,161 IT decision makers, 758 unique definitions were offered, falling into five distinct categories. While all important, these categories taken apart only feature one aspect of the wider notion of security culture.
With an incomplete understanding of the term, many organisations find themselves inadvertently overconfident in their actual capabilities to fend off cyberthreats. This speaks to the importance of building a single, clear and common definition from which organisations can learn from one another, benchmark their standing and construct a comprehensive security programme.
Defining Security Culture: The Seven Dimensions
In an effort to measure security culture through an objective, scientific method, the term can be broken down into seven key dimensions:
- Attitudes: Formed over time and through experiences, attitudes are learned opinions reflecting the preferences an individual has in favour or against security protocols and issues.
- Behaviours: The physical actions and decisions that employees make which impact the security of an organisation.
- Cognition: The understanding, knowledge and awareness of security threats and issues.
- Communication: Channels adopted to share relevant security-related information in a timely manner, while encouraging and supporting employees as they tackle security issues.
- Compliance: Written security policies and the extent that employees adhere to them.
- Norms: Unwritten rules of conduct in an organisation.
- Responsibilities: The extent to which employees recognise their role in sustaining or endangering their company’s security.
All of these dimensions are inextricably interlinked; should one falter so too would the others.
The Bearing of Banks and Financial Institutions
Collecting data from over 120,000 employees in 1,107 organisations across 24 countries, KnowBe4’s ‘Security Culture Report 2020’ found that the banking and financial sectors were among the best performers on the security culture front, with a score of 76 out of 100. This comes as no surprise seeing as they manage highly confidential data and have thus adopted a long tradition of risk management as well as extensive regulatory oversight.
Indeed, the security culture posture is reflected in the sector’s well-oiled communication channels. As cyberthreats constantly and rapidly evolve, it is crucial that effective communication processes are implemented. This allows employees to receive accurate and relevant information with ease; having an impact on the organisation’s ability to prevent as well as respond to a security breach. In IBM’s 2020 Cost of a Data Breach study, the average reported response time to detect a data breach is 207 days with an additional 73 days to resolve the situation. This is in comparison to the financial industry’s 177 and 56 days.
Moreover, with better communication follows better attitude – banking and financial services scored 80 and 79 in this department, respectively. Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort. It is also a means of boosting morale and inspiring greater employee engagement. As mentioned earlier, attitudes are evaluations, or learned opinions. Therefore, when employees are kept informed as well as motivated, they are more likely to view security best practices favourably, adopting them voluntarily.
Predictably, the industry ticks the box on compliance as well. The hefty fines issued by the Information Commissioner’s Office (ICO) in the past year alone, including Capital One’s $80 million penalty, probably play a part in keeping financial institutions on their toes.
Nevertheless, there continues to be room for improvement. As it stands, the overall score of 76 is within the ‘moderate’ classification, falling a long way short of the desired 90-100 range. So, what needs fixing?
Towards Achieving Excellence
There is often the misconception that banks and financial institutions are well-versed in security-related information due to their extensive exposure to the cyber domain. However, as the cognition score demonstrates, this is not the case – dawdling in the low 70s. This illustrates an urgent need for improved security awareness programmes within the sector. More importantly, employees should be trained to understand how this knowledge is applied. This can be achieved through practical exercises such as simulated phishing, for example. In addition, training should be tailored to the learning styles as well as the needs of each individual. In other words, a bank clerk would need a completely different curriculum to IT staff working on the backend of servers.
By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognise the impact that their behaviour might have on the company. In cybersecurity, success is achieved when breaches are avoided. In a way, this negative result removes the incentive that typically keeps employees engaged with an outcome. Training methods need to take this into consideration.
Then there are norms and behaviours, found to have strong correlations with one another. Norms are the compass to which individuals refer when making decisions and negotiating everyday activities. The key is recognising that norms have two facets, one social and the other personal. The former is informed by social interactions, while the latter is grounded in the individual’s values. For instance, an accountant may connect to the VPN when working outside of the office to avoid disciplinary measures, as opposed to believing it is the right thing to do. Organisations should aim to internalise norms to generate consistent adherence to best practices irrespective of any immediate external pressures. When these norms improve, behaviours will change in tandem.
Building a robust security culture is no easy task. However, the unrelenting efforts of cybercriminals to infiltrate our systems oblige us to press on. While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts: every improvement made in one dimension has a domino effect in others.