By Alex Fagioli, Tectrade CEO
In the wake of huge amounts of downtime across many of the country’s key financial institutions, the Bank of England and the Financial Conduct Authority have had enough.
The joint initiative has set a 5 October deadline for banks to report their exposure to risks and response measures for outages. It has already been suggested that two days should be the ‘maximum outage time’, though the pair will make a final decision based on the outcome of the reports.
The figures already released have been damning. In mid-August, Britain’s five biggest banks (Barclays, Lloyds Banking Group, HSBC, Santander, and the Royal Bank of Scotland) disclosed that they had experienced 64 payment outages in the second quarter of 2018. The majority of these outages affected online banking (Lloyds reported 19 of these incidents, Barclays 18, RBS 16, HSBC seven and Santander four), but phone and mobile banking had also been affected. The banks didn’t say what caused the outages, but some pointed out that the incidents only affected internal systems or a limited number of customers.
A large-scale outage that occurred earlier this year at TSB reflects the massive disruptive effect that outages can have. In April, 1.9 million customers were locked out of their accounts for up to a month, leaving the bank’s reputation crippled and the public furious. Similarly on Friday 1 June, 5.2 million transactions using Visa failed as a result of an IT collapse.
Further afield in the US, at time of writing Sun Trust – a bank with 1,400 bank branches and 2,160 ATMs across 11 south eastern states and Washington, D.C. – has seen its online and mobile banking services down. This, like in the case of TSB, was due to a software update that went awry.
Crucially in a world where the finger is often pointed at malware when any downtime is experienced, in all three situations cybercriminals were not to blame. Instead the downtime was due to IT failings. TSB’s meltdown came as a result of a botched IT upgrade, while the panic that led to abandoned purchases around Europe was caused by the failure of a single switch in one of Visa’s data centres. These incidents, along with 64 outages referred to above, illustrate that there is more for IT departments at banks to be wary of than just cybercrime.
The common line of thinking these days is that it’s not if you’ll be affected by outages, it’s when. Any organisation that thinks they’re not going to be taken down is acting with an air of naivety. Businesses should be prepared for these kinds of malfunctions to hit them – but they also need to make sure that they can do everything in their power to be as secure as possible to make it as unlikely as possible. When it comes to storage, data requirements are only ever going to grow and achieving high performance at an affordable cost while reducing risk is any operation’s key objective. To do this you need to understand your data storage needs and ensure that you use the most appropriate place to store and backup your data, whether that is for compliance or regulatory reasons or to run your business more efficiently.
One of the things that is always undervalued, not looked after properly and needs to be treated with transparency is the backup and recovery environment. A startling fact is that the majority of organisations that do not have a system fully managed with external support see almost 25 percent of their nightly backups fail. That’s a massive number, and in most cases the business will have no idea what’s in that lost or unavailable data. If, for example, that was a finance database and the nightly backup doesn’t successfully happen, you’d be forced to go back potentially 48 hours or more, depending on when that last backup failed.
On top of hardware or software malfunctions, other environmental factors can cause downtime for banks. This is commonly referred to in the legal profession as an act of God – an instance of uncontrollable natural forces in operation. For example, in areas that experience severe weather, network outages can become routine procedure. In places like the Southern States of the USA where the summer months are dominated by hurricanes and tropical storms, large disruptions are a normal part of life and everything – from houses to banks – has to be built with this in mind. In these situations the banks must ensure their branches can perform critical functions even if the primary network connection is lost.
It is surprising just how many organisations don’t do any form of disaster recovery testing on their data. Although they might have implemented a lot of the right technology, many have never tested and found any faults in the solution. Testing is essential to managing the effectiveness of the recovery environment and ensuring that the data is available whenever and however it is needed. Without testing in a controlled and simulated environment, it is impossible for IT and security teams to fully understand their system’s integrity. It’s exactly the same reason why we’re always told to regularly test fire alarms. You don’t want to discover your fire alarm doesn’t work when you most need it, just like how you don’t want to find out your disaster recovery system is ineffective in the event of an outage.
While the UK is seldom subject to the sort of severe weather conditions that cause blackouts and network shortages, there always exists the risk of freak accidents. A burst pipe in a shared building or road workers drilling through electrical or network cabling, for example, could see a bank offline for an indeterminate period of time outside of its control. Whether it’s the external forces of nature or the knock-on effects of routine maintenance elsewhere, banks need to consider the effect that the environment can play on their operations.
This is not to say that malware and ransomware are not a factor at all – far from it. Over the past 12 months the financial services and insurance sector was attacked by ransomware more than any other industry, with the number of cyber-attacks against financial services companies in particular rising by more than 80 percent. This vulnerability to attacks is due in part to the breadth of customer information stored, making these organisations prime targets.
If such an organisation were to be hit by ransomware, all online systems for banking and insurance transactions would need to be taken offline, rendering that organisation unable to operate. As a result, there is a 50 percent chance of employees in this industry suffering productivity loss, a 30 percent chance that the financial and insurance services will shut down temporarily, and a 20 percent chance of revenue loss and adverse effect on customer perception.
All of these factors mean that if an organisation is faced with the choice of paying a ‘ransom for data’, then most financial and insurance professionals feel forced to pay the attackers, especially as the large amounts of data they keep are stored in a variety of disparate systems, making recovery of that data difficult.
When a bank goes offline – regardless of whether it’s due to environmental factors or malicious actors – operators need a way to get the system back and fast. This focus on speed of recovery is exactly the reason why organisations should adopt a zero day approach to architecture. Customers are willing to accept that any operation will have downtime, but a prolonged period of outage will drive them away. Zero day architecture allows organisations to minimise downtime and recover from backups without having to worry about lost data.
Essentially, what a zero day recovery architecture offers is a service that allows you to be able to quickly bring work code or data into operation without having to pay a ransom or without having to worry about whether or not that workload is still compromised. An evolution of the 3-2-1 backup rule (three copies of your data stored on two different media and one backup kept offsite), zero day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This policy could, for example, mean that a particular workload needs to be brought back into the system within 20 minutes while another workload can wait a couple of days.
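As an added illustration (not code from the article or from any vendor), the sketch below audits a constructed backup inventory against the 3-2-1 rule and a per-workload recovery policy of the kind described above, and shows how failed nightly runs push the recovery point back. The field names, workload names and the `max_loss` tolerance are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Copy:
    media: str           # e.g. "disk", "tape", "object-store"
    offsite: bool
    last_good: datetime  # completion time of the last verified backup on this copy


@dataclass
class Workload:
    name: str
    rto: timedelta       # how quickly the policy says the workload must be back
    max_loss: timedelta  # tolerated age of restored data (assumed policy field)
    copies: list         # every copy that counts toward the 3-2-1 rule


def check_321(w):
    """Return the 3-2-1 rule violations for one workload."""
    issues = []
    if len(w.copies) < 3:
        issues.append(f"{len(w.copies)} copies, need 3")
    if len({c.media for c in w.copies}) < 2:
        issues.append("single media type, need 2")
    if not any(c.offsite for c in w.copies):
        issues.append("no offsite copy")
    return issues


def recovery_point_age(w, now):
    """Age of the newest verified backup, i.e. the data lost on a restore now."""
    return now - max(c.last_good for c in w.copies)


def audit(workloads, now):
    """Return (name, issues) in restore order, shortest recovery target first."""
    report = []
    for w in sorted(workloads, key=lambda w: w.rto):
        issues = check_321(w)
        if w.copies:  # a workload with no copies is already flagged above
            age = recovery_point_age(w, now)
            if age > w.max_loss:
                hours = int(age.total_seconds() // 3600)
                issues.append(f"newest good backup is {hours}h old")
        report.append((w.name, issues))
    return report


# Constructed inventory: payments-db has missed its last two nightly runs.
NOW = datetime(2018, 10, 5, 6, 0)


def ago(hours):
    return NOW - timedelta(hours=hours)


WORKLOADS = [
    Workload("reporting", timedelta(days=2), timedelta(hours=48),
             [Copy("disk", False, ago(5)), Copy("disk", False, ago(5))]),
    Workload("payments-db", timedelta(minutes=20), timedelta(hours=24),
             [Copy("disk", False, ago(53)), Copy("tape", False, ago(53)),
              Copy("object-store", True, ago(53))]),
]

if __name__ == "__main__":
    for name, issues in audit(WORKLOADS, NOW):
        print(name, "OK" if not issues else issues)
```

In this inventory the workload with the tightest recovery target satisfies 3-2-1 yet would still lose more than two days of data, while the low-priority workload has fresh backups that all sit on one medium in one location.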
With the proposed maximum outage time potentially resulting in fines for those financial organisations that are sloppy in recovery, banks now more than ever need to invest in a solution that will minimise the amount of time and money that will be lost and give them the ability to control and prioritise workloads. Ultimately, when downtime is out of the control of bank operators, they depend on a system getting up and online as quickly as possible. Whether it’s hackers demanding a ransom or a hurricane causing flooding, the wise bank will look to an architecture and approach that it knows inside and out – and one it knows it can utilise at speed.
Mastercard Delivers Greater Transparency in Digital Banking Applications
- Mastercard collaborates with merchants and financial institutions to include logos in digital banking applications
- Research shows that ~25% of disputes could be prevented with more details
As more businesses turn to digital payments, and the number of connected devices grows, one thing is becoming increasingly clear: consumers are demanding more clarity around what they bought and who they bought it from.
Most everyone has experienced the frustration of trying to decipher confusing and brief purchase descriptions when reviewing online statements. This confusion forces cardholders to contact their banks unnecessarily to dispute unrecognized transactions, adding extra steps for consumers and generating an array of costs for merchants and banks.
A new initiative from Mastercard and managed by Ethoca, the company’s collaborative fraud and dispute resolution technology, aims to eliminate this confusion and improve the customer experience. All merchants are encouraged to visit www.logo.ethoca.com and upload their logos for inclusion in online banking and payment apps. The merchant logos will be linked to corresponding transactions, adding clear visual cues to help cardholders quickly identify legitimate purchases. Participating merchants are provided an opportunity to simultaneously extend their brand presence as well as eliminate expensive and time-consuming chargebacks. This program is also available to all financial institutions.
A recent Ethoca-commissioned Aite Group study of the US market revealed that 96% of consumers want more details that help them easily recognize purchases, and nearly 25% of all transaction disputes could be avoided by delivering these details – including logos. It’s estimated that global chargeback volume will reach 615 million by 2021, fueled in large part by frustrated consumers turning to the dispute process unintentionally.
“With greater digital dependency, having real-time purchase details is critical for consumers, merchants and card issuers alike,” said Johan Gerber, executive vice president, Cyber and Security Products at Mastercard. “We continue to collaborate with industry partners to bring clarity and simplicity before, during, and after transactions. By enriching transaction details, merchants can alleviate friendly fraud, reduce chargebacks and improve the customer experience.”
This endeavour is part of comprehensive efforts to deliver the most efficient, safe, and simple payment experience from the minute a consumer begins browsing to once they’ve made the purchase. This includes Click to Pay, Mastercard’s one-click checkout experience, to the integration of biometrics to secure both digital and physical transactions, and Ethoca’s full suite of consumer digital experience solutions.
AML and the FINCEN files: Do banks have the tools to do enough?
By Gudmundur Kristjansson, CEO of Lucinity and former compliance technology officer
Says AML systems are outdated and compliance teams need better controls and oversight
The FinCEN files have shown that it’s time for a change in AML. We must take a completely new approach in order to catch up with the speed of innovation in financial crime.
Despite what you’ll read in news headlines, we can’t lay all of the blame for anti-money laundering failures at the doors of the banks. The majority of compliance teams are doing what they can, and what they are being asked to do.
Historically, AML has in large part been a box-checking exercise. Banks have weaved through mountains of false alerts, investigated cases, sent SARs, and then got on with business as usual. In some jurisdictions, banks can’t even interfere with customers under investigation, for fear of jeopardizing cases.
But the sentiment towards banks’ responsibility in AML is changing. They are increasingly looking at AML as a corporate social responsibility issue and even a competitive advantage. Banks are looking to protect their brands from the horrors of an AML scandal, and as such are taking a more proactive approach.
They are also throwing a lot of money at the problem. Deutsche Bank claims to have invested close to $1 billion in improved AML procedures and increased its anti-financial crime teams to over 1,500 people. Most big-brand banks have a similar story to tell.
With reputation on the line, better AML controls can become good business.
So where does the problem lie?
From the thousands of SARs discovered in the FinCEN files, lack of customer oversight is evident. Banks need to establish a method of knowing their customers through their actions across the organization and beyond the organizational walls. By doing so, banks can better understand AML and compliance risk, which gives them the necessary tools to bar customers from doing business or limiting their activity.
While banks are striving to better enforce regulations by pouring money and resources into CDD and transaction monitoring, forming this type of intelligent customer overview might be the real solution. Proper Customer Due Diligence and customer risk monitoring can only be achieved by continuously tracking customer behaviour and transactional networks. With the latest developments in Artificial Intelligence – that is now possible.
But, the reality for compliance teams is they are hindered by outdated technology in their risk assessment and transaction monitoring systems and because of this, banks are fighting a steep, uphill battle against serious organised crime.
In 2019, the Bank of England issued a statement that claimed: “existing (money laundering) risks may be amplified if governance controls do not keep pace with current advancements in technological innovation.”
I know from my time working as a senior compliance technology officer that many traditional AML systems are inefficient, slow and labour intensive, and often lead to inaccurate outcomes. In fact, most of the systems pre-date the iPhone, so they are using last-generation technology and techniques to detect criminal activity.
In short, legacy AML systems are not fit-for-purpose. Legacy vendors built them for the box-checking world of the past, and they are focused on one suspicious transaction at a time – rather than looking at ‘bad actors’ in the financial system, and patterns in their behaviour.
As launderers constantly evolve their techniques to circumvent rule-based or simple statistical detection, the AML systems market has not kept up. There is a dire need for innovation.
Unless systems are updated, banks can continue to file suspicious activity reports (SAR), but if bad actors can conduct their business ‘as usual’ and shuffle money around the globe to hide its malicious origin, the effectiveness of a SAR is significantly diminished.
What’s the solution?
I believe we need to rethink our entire approach to AML. We need to empower compliance departments with better controls and oversight, and move away from outdated, traditionally rule-based systems and towards a modern, AI-enabled, behavioural approach.
While the bad guys have learnt how to evade rule-based systems, they find it extremely difficult to get around AI algorithms that search for anomalies in behaviour. The advancement of AI algorithms, especially in the field of deep learning, provides an opportunity for banks to detect more complex and evasive money laundering networks.
So the answer is to establish continuous automated risk monitoring and implement a workflow system that provides money laundering risk scores for customers.
The latest AI software could kickstart a new age of customer AML risk-based overview. Instead of relying on static and self-reported KYC data, AI systems can analyse behaviour over a period of time and compare it with peer-groups and past actions. It provides compliance teams with a continuous risk-rating of their customers, actor insights and summaries to facilitate efficient and thorough investigations, and an organizational-wide overview.
Recent advancements in AI have not only made the above possible, but also practical. Our latest Human AI models contextualize and explain the appropriate data, making it easier for banks to spot sophisticated crime.
By looking at AML not simply as a box-ticking exercise, but as a competitive advantage that can increase customers’ trust in their financial institutions, banks have a lot to gain. Moving towards behaviour-based AML systems is a move towards making money good.
Local authorities and business networks play a key role in small business success, and must be protected during COVID rebuild
- 23% of UK’s top performing businesses have been supported by local enterprise partnerships and growth hubs
- Similarly, 30% of Britain’s strongest businesses have obtained external finance in the last 3 years
- New findings come as part of an independent, holistic study into small business success, commissioned by Allica Bank to support British businesses
A new study, commissioned by business bank Allica Bank, shows that a high level of engagement and interaction with external institutions and resources is central to SMEs’ prospects of success.
The study analysed data from over 1,000 companies and ranked their success on a scale that evaluated factors including productivity, growth, consistency and outlook. To measure SMEs’ external engagement, survey respondents were asked whether or not they had engaged with local enterprise partnerships, growth hubs, or external financial advisers, as well as whether they had obtained credit or sought re-financing advice, in the last three years.
The benefits to small businesses of making the most of external resources are clear to see, with a quarter (23%) of the UK’s top performing SMEs – those in the top tenth percentile – actively engaging their local enterprise partnership or growth hub in the last three years. This compares to just 16% of all other small businesses. With such a clear benefit to businesses, these external networks must not only be protected but prioritised by any Government plans to rebuild the economy post-COVID.
Similarly, of the top performing SMEs in the country, 30% have obtained external credit in the past three years, compared to less than a quarter (24%) of all other businesses. This figure drops even further for the weakest performing businesses – those in the ninetieth percentile – where just 12% of businesses have obtained external financial support in recent years.
Chris Weller, Chief Commercial Officer, Allica Bank, said:
“At Allica Bank we understand that no two businesses are the same. We also know that no-one knows a business as well as its owners and managers. But they can’t be expected to be experts on everything.
“In the UK there is a wealth of external advice and support for small businesses and we urge each and every business out there to tap in to the external resources around them. Third-parties, such as business clubs, chambers of commerce, local enterprise partnerships and trade bodies, can be invaluable sources of advice and further resources. And although they have excelled in their given field, business owners may still lack knowledge in many other areas of running and growing a business. Therefore, engaging with third parties can give business owners the kinds of insight – and fresh perspectives – they need to succeed.
“As the economy and the country come to terms with the impact of the COVID-19 pandemic, it is important these vital SME resources are protected and given the funding they need to continue providing invaluable insight and support to small businesses up and down the country.”
Allica Bank’s SME Guide to Success identified six ‘rules to success’ that were more likely to be displayed by top-performing SMEs compared to their counterparts. The full report contains a wealth of additional data and insight into each of these topics.
As part of its mission to empower small businesses, Allica Bank is making the findings freely available and running a series of free online workshops with relevant partner organisations for businesses to attend.