The FSA's Agenda for Fighting Financial Crime in 2009
Speech by Philip Robinson, Financial Crime & Intelligence Division Director
BBA – Annual Financial Crime conference
25
November 2008
Good afternoon ladies and gentlemen. If anyone needed a reminder about the effect of the so-called credit crunch on financial crime, they may want to refer to the OFT’s recent notice about a Dutch-based company which has been prohibited from publishing adverts in the UK. The company claimed to offer a number of ‘psychic products’, which included personalised lottery numbers. The scammers targeted people between the ages of 39 to 76. At least 30,000 people responded, and nearly 7,000 of those paid out £20 to £40 for a ticket. That may sound like a small price, but collectively UK consumers are estimated to lose about £40million each year to these scams. And in the search for a higher return, we all know that consumers may become vulnerable to fraud. But what about firms? How will their response to the credit crunch effect their vulnerability to financial crime?
It has been two years since I last spoke at the BBA’s Annual Conference and, in that time, it would be something of an under-statement to say that there have been some memorable changes in the global financial landscape. But there have been constants too.
- Criminals still want to steal from your firm, your customers, (and perhaps even you!);
- Getting agreement from your bosses to spend money on preventing Financial Crime is as difficult as it always was; and
- Demonstrating a successful outcome from all your prevention activity remains challenging.
Things just aren’t getting easier!
I said two years ago that the need for commitment from the industry to tackling criminal activity had never been greater; and that need remains as relevant now as it did back then. According to CIFAS, the largest banks have made in the first 10 months of 2008 10% more reports than for the whole of 2007. Since we asked last July for more lenders to commit to providing alerts to FSA’s mortgage fraud “Information from Lenders project” reports to FSA have increased by 25%.
Operational Risk and Financial Crime
We’re all too familiar with the headlines about the credit crunch and the endemic financial crisis. We’ve all seen both the difficulty and importance of maintaining confidence in markets, (one of the FSA’s four statutory objectives). We’ve also seen the monumental steps being taken to restore this by governments, central banks, regulators, and firms across the globe. Bold measures have been taken to provide capital and liquidity where they are needed, to stabilise the market, and to protect depositors.
However, this does not mean that all other work in the FSA has stopped. Preventing financial sector firms from being used for a purpose connected with financial crime is also one of our four statutory objectives. It is a responsibility that we are given by law. We will certainly reprioritise our efforts when a firm is in crisis, but we cannot and will not, simply set this responsibility aside during periods of market turbulence. Nor do we think we should we try to do so. Our strategic aim is to promote efficient, orderly and fair markets and this cannot be achieved if we ignore financial crime.
We said in our Financial Risk Outlook at the start of the year that tighter economic conditions could increase the incidence or discovery of some types of financial crime. The CIFAS figures certainly suggest that is happening. The motivations of and temptations on some people in the market may be affected by declining income streams and internal pressures to hit targets that have become harder and harder to meet; and we can add to this deteriorating personal circumstances, caused by increased mortgage or loan payments with less income. The resulting pressures can, and in the past have, pushed honest people over the edge and can increase the possibility that people may be tempted to manipulate figures or accounts to project the image of false revenues, or actively steal money – or customer data – from the company. Are you sure this could not become a major fraud?
And we know that banks are a big target – they’re the source of money and they have (or used to have) deep pockets. According to KPMG’s Fraud Barometer, over £630m of fraud came to court in the first six months of the year – significantly higher than the previous six months – and of that more than half (£350m) was against the financial sector. The size of the frauds is also increasing substantially. £220m and £70 are two instances quoted in KPMG’s report.
Perhaps one of the most dramatic recent examples of a breakdown in operational risk management happened at Societe Generale in January. In this case, unauthorised open futures positions of about €50billion were discovered on three European stock market indices. Before the positions could be closed out, Soc Gen incurred net losses of €4.9billion. All of this is believed to have been the work of one single 'rogue-trader'. The fact that the trader seems to have conducted unauthorised trading for such a long time without being detected by the bank’s systems and controls underlines the importance of strong internal governance.
In Market Watch 25, we set out 17 questions that we would expect a good internal governance structure to have satisfied themselves on. This covered areas such as:
- Culture and governance, in particular are individuals encouraged to take two-week continuous holidays, and is there appropriate segregation of front office staff from middle and back office functions;
- Reconciliation and confirmation;
- The quality and relevance of management information,; and
- Segregation of duties and IT security.
Of course, no list of questions can ever be exhaustive and whilst the questions we have outlined can aid in maintaining a strong control environment, it is ultimately up to each firm to satisfy itself that internal governance procedures are strong enough.
Following the events at Soc Gen, FSA supervisors spoke informally to some 50 of the largest trading banks in London. We were pleased to hear that many of those we spoke to had already put in place reviews to identify and correct gaps that may have existed in their trading controls. But are these questions of wider relevance than simply to these trading banks? A quick look at the BBA’s own Fraud Managers reference guide Chapter 1 reveals the following text in section 1.4.2.3:
“Producing the organisation’s threat profile:
Analysis of an institutions threat profile needs to include the identification of fraud threats specific to the products and services provided and, additionally of general factors which make the institution more susceptible to fraud.
Back to top
It is important to perform this analysis in all sections of the organisation, as each will have its own fraud-susceptible products and services, and each may have its own set of influencing general factors. Such factors include:
Organisational change
Change often introduces uncertainty and temporary destabilisation, which can affect levels of risk.
Employee’s experience and knowledge
Stable, experienced employees can generally contain risk levels, whilst regular or major employee changes can have an impact on levels of motivation
Changes to the product range
The fraud risk of long established products will generally be well-known while new or changed products bring increased levels of fraud risk.
Systems changes
Changes to IT systems, and indeed to manual procedures, can unwittingly introduce additional fraud risk.
Level of fraud-averse culture
An organisation without a fraud averse culture is likely to have higher levels of fraud risk.
It seems to me that the above areas of concern, identified in the BBA guide, are likely to be part of your everyday experience in these changing times. It is vital, therefore, that firms continue to take the action to prevent themselves becoming a victim, by analysing the changed risks of the new environment and by avoiding the temptation to cut back on operational risk management, especially financial crime risk management. Some examples are: do authentication and approval procedures remain robust after you have downsized? Are you carrying out staff vetting when you move displaced staff into sensitive positions? Is increased use of temporary staff a source of infiltration risk? Is access to sensitive customer data on a need to know basis?
Which leads me onto another key financial crime risk: A failure to protect customers’ personal data
We know that a key defence against financial crime is good data security, however, many firms still continue to fail to take the risk of data loss seriously. Our review of firms’ practices, which we published back in April, showed that poor information security controls represents a serious, widespread and high-impact risk to our objectives.
We’ve warned that this risk continues to increase, so it’s disappointing that many firms continue to underestimate the risk of data loss and identity fraud to their businesses and customers. One of the key problems we found with some of the larger firms was not the level of resources applied to tackling the problem, rather it was the lack of coordination among relevant business areas. There is too much focus on IT controls and too little on office procedures, staff recruitment and vetting, monitoring and due diligence of third parties.
In today’s climate, criminals will know that members of staff may be more vulnerable to corruption. Professional gangs are relentless in their efforts to exploit the weak links in the chain, so that they can get their hands on your customer’s personal details. Worryingly, we know from studies that UK bank account details are the most advertised ‘product’ on black market internet forums used to trade compromised data.
Our review found that firms place greater emphasis on vetting staff in senior positions, as you might expect due to the trust placed on them. However, studies show that the recorded instances of lower level employee fraud are greater in terms of volume and size. This suggests that companies should ensure that suitably designed internal controls to prevent and detect fraud at lower levels within the organisation are in place.
Increasing numbers of data loss incidents involve outsourcing. It’s a perfectly rational decision to look to cut costs in today’s climate, however, we found that firms generally rely too much on assumptions that contractual terms are being met, without adequately checking how third parties vet their employees or the security arrangements in place to protect customer data. In addition, firms were failing to consider the risk associated with granting third-party suppliers such as cleaners and security staff access to their premises. We currently have a team reviewing the controls of firms which have overseas outsourcing operations, which will report early in 2009, but we are seeing data security failures in domestic outsourcing as well.
The Enemy at the gates
Another aspect of our aim to promote efficient, orderly and fair markets is that we seek to satisfy ourselves that persons of doubtful integrity do not manage, own or control firms active in the financial markets. This is the FSA’s gatekeeper function. And I know that for many of you this role is seen as crucial. Many in the industry have encouraged us to maintain the effectiveness of our approved person regime. This regime relies on disclosure and we do check the disclosures people make. Over the last year we have subjected a large sample of people applying for approved person status to a Criminal Records Bureau check. Last week we exercised our criminal powers against a mortgage advisor who made misleading statements and used forged documents in repeated applications to become an FSA approved person. He was sentenced to 18 weeks imprisonment suspended for 18 months; this is the first time we have prosecuted an individual for providing false information in an application for approval or authorisation. I suspect it won’t be the last.
This is part of our strategy of ‘credible deterrence’ to ensure that we make people realise that they will suffer meaningful consequences if they break the law and if they fail to improve standards of behaviour. We’ve made a conscious decision that if people have to go to prison for us to achieve our objective of cleaning up the market – that’s what will have to happen.
We have seen a small increase in the number of people of doubtful integrity attempting to purchase controlling stakes in smaller firms.
I would certainly suggest that vendors, and professional advisers, should be clear about the source of funds of any potential purchaser. Market conditions have created opportunities for legitimate businesses to invest. However, there can also be opportunities for criminal businesses – they’re cash rich and may be looking for a way to ‘clean’ criminal proceeds. We have been and will continue to carry out enhanced due diligence on applications for change of control and authorisation where there are concerns.
Financial sanctions
An underlying theme in the last few years has been the growth of the use of Financial Sanctions to prevent the financing of terrorism or nuclear proliferation. These have been issued by the international community acting collectively and also by individual governments acting unilaterally. HM Treasury is responsible for the Sanctions regime in the UK. FSA’s role is to ensure that firms have appropriate systems and controls in place to meet their financial crime requirements.
At this point I can say that one key weakness our review identified was that, when dealing with customers who were already clients of another FSA-authorised firm, many firms assumed their counterparties had conducted effective screening, without taking any steps to satisfy themselves that this was in fact so. We found that some small firms in particular believed that financial sanctions checks weren’t even necessary, because they did not hold client money. or make third party payments.
Another weakness we found, and it’s one which we’ve come across before during our reviews of anti-financial crime systems and controls, and which was true of our last major thematic review on data security, is that while firms have the appropriate high-level policies in place, there is sometimes a lack of detailed procedures and therefore poor staff understanding of how to comply with them. Firms need to take steps to ensure that staff members in the front-line understand what is expected of them; and that an appropriate culture of compliance is embedded throughout the organisation.
Mortgage Fraud
A key risk you will have heard FSA talking about in the past year concerns organised mortgage fraud. The mortgage industry has, without doubt, taken an unprecedented hit because of the downturn in the markets. However, we know that tighter conditions have led to a more cautious pace in mortgage lending, so should we naturally expect then that the problem has gone away?
The incidence may have reduced for the moment, but current market conditions present us with a unique opportunity. An opportunity to prepare for the future by tackling weak practices now and to clear up the debris of the past, by finding and removing corrupt professionals from the market.
The FSA will play its part in helping to prevent this problem re-occurring again in the future, by working with key stakeholders through the Government’s fraud review and the National Fraud Strategic Authority.
However, firms have a crucial role to play in this cycle. By supplying us with the intelligence we need now, working work with the police, and other regulators, we can bring the corrupt players to task. Working in partnership, through the “Information from Lenders” project, we have already successfully removed suspect mortgage intermediaries; there has been a steady stream of regulatory and criminal actions in the past year. We have taken a number of steps to alleviate the concerns raised by firms during the pilot. So why aren’t all lenders participating? Are those still hanging back really prepared to address mortgage fraud?
If you needed any more evidence of the benefits of intelligence sharing then you might want to look to the latest CIFAS annual report. CIFAS reports that its member organisations avoided losses during 2007 totalling almost £1billion. Since 1990 the total figure is said to be £5 billion. This is a commendable example of industry-led solutions delivering real and tangible benefits, so why are over 180 CIFAS members not using and contributing to its staff fraud database? Surely in times where internal fraud is likely to be on the increase and with 130 CIFAS members already contributing there must be a good reason why these 180 firms are not using it, especially as I am told that it is included in their CIFAS membership fees. Perhaps they have another source to carry out their own equivalent due diligence on new staff?
Consumer protection
Customers can be better protected when they know how to avoid getting caught out by fraudsters and act on this information. Put yourselves in their shoes– and everyone in the room today can do that, as we are all customers – we all share a sense of frustration that our identities are being exploited, our funds lost and our accounts violated.
We recognise that much is being done; industry-led initiatives such as Chip and Pin have taken us a dramatic leap forward, and it’s surely no coincidence that fraud on lost and stolen cards is now at its lowest level for ten years. But we only need to look at the latest card fraud figures from APACS, which show that online banking fraud losses are up nearly 200%, to know that the criminals don’t stand still. They constantly look for new methods to defraud, and so much more needs to be done to ensure that consumers take adequate steps to protect themselves, and to create a culture where consumers are one-step ahead.
We heard recently at an FSA-hosted boiler room conference, about the steps one firm, HBOS, is taking to prevent their customers becoming a victim of boiler room fraud. They have a dedicated team, which monitors suspicious overseas transactions and will make a phone call to the potential victim to question them about the nature of the transaction. When it’s clear that their money is going to a boiler room they ask their customers to reconsider. The results? They’ve stopped around 50% of funds being lost – that’s £3m of savings. It is a praiseworthy example of proactive thinking. But this is just a tiny part of the boiler room problem. We estimate that the size of the boiler room problem is in the region of £150-£300 million, and has human consequences beyond that in suicide, depression and divorce. We are working hard in this area to alert investors to avoid being caught.
But we are all going to have to do more. We are going to see more people searching for greater returns, and with the changes predicted in employment across the UK, especially in the financial sector, we may see more people with lump sums to invest. In this economic environment we can expect to see more people falling for scams, or losing money due to account takeover fraud, which is the growing threat. And we can expect to see more fraudsters being drawn to the opportunity.
The FSA, along with many other organisations, has a comprehensive site explaining the frauds that consumers are exposed to. But finding out that you have been defrauded after the event does not stop fraud. An interesting finding from the exciting HBOS example I gave earlier is that 50% of the people specifically warned by the bank continued with their investment. Perhaps the culture of thinking that we can get a good return without worrying about the risk has been driven out by the credit crunch. I doubt it.
What we can do is to work together more effectively, Government, Industry, Law Enforcement, Regulators and Consumer representatives, to improve our joint communications to consumers. If each organisation individually communicates its concerns to the public, there is a chance that they won’t hear any of us. So I think we need to get together, early in the New Year, to talk about what can be done.
Partnership working
I hope I’ve given you a good idea of some of the key challenges and risks that we believe the industry faces in the year ahead. As always, our approach when we identify a risk is to look for a solution that harnesses or enhances market forces, to work in partnership and go with the grain of the market, and avoid regulatory intervention until those avenues have been fully explored.
I’ve spoken today about some truly encouraging examples of what partnership working can achieve. Never more so, than in the financial crime arena, has partnership working been so important in overcoming obstacles. Key to reaching our goal, is to create a culture of sharing: sharing of intelligence and of best practice, so that we can learn from each other. The BBA plays a key leadership role, by bringing together their members they can provide the means to ensure that their members work in a collaborative and collective fashion. And of course, it is also down to the senior managers to set the culture, engage with the process, to work with other banks, and with firms in other sectors.
These are undeniably testing times, and senior management have a difficult role to play to balance the many competing demands. But we can be sure that if we de-prioritising financial crime the criminal won’t do the same.