Cyber crime is a reality that is exceeding with mushrooming fintech (financial technology) and increasing integration/intra-operability. Various 2018 predictions about the merging of cyber and traditional financial crimes may actually prove too conservative, as in the recent past.
Cyber attacks and cyber crimes will continue to grow. The nexus between this activity and money laundering/terrorist financing is also likely to increase.
There are three major factors driving the convergence of financial and cyber-crimes: (a) Proliferation of technology in Banking where more banking transactions will shift to digital and most channels fall beyond the control of a secure single banking environment. Cyber-security shall remain foremost among the priorities with companies locked-in an arms-race to stay-ahead of (or even catch up to) highly sophisticated cyber-criminals; (b) limited digital and process awareness across FIs which is exploited by tech savvy criminals to breach through without organizations realizing the larger impact of such breaches; and (c) the speed that technology provides to do bigger fraud in less time, provides an attractive target with large paydays for criminals to focus on this.
Traditional frauds, therefore, are dying fast and are being replaced by more sophisticated cyber frauds. However, there’s no escaping from fintech due to greater customer demand for technology-driven solutions, and the fact that manual system or hybrid system (automated but not digitized) is more vulnerable to the risk of frauds than the digitized system. Undisputedly, the fraud detection ability improves with the digitized system. Like any other financial frauds, risk of cyber-crime can merely be mitigated but may not be plugged fully.
To mitigate the risk of cybercrime, the regulators, particularly SBP, SECP and Government institutions having direct interaction/ exposure with the customers like FBR and National Savings, are required to play the foremost role to protect the interest of the customer. The regulators must play a due role to ensure that these frauds are fully mitigated and if these frauds do occur then customer must be addressed first in a most convenient and smooth way, and the whole issue resolution is made more efficient and customer-friendly.
At the tactical level, therefore, from a regulators’ standpoint, we have to look at larger perspective, and here I would suggest my 5C Theory for the regulators and the government institutions as follow:
(1) Central Cyber security Command: (i) Regulatory & supervisory initiatives should be established under SBP and SECP (together or independently) responsible for setting up the framework from identification, protection, detection, response and recovery efforts linked to Cyber-crimes. Guidelines issued by BIS in this regard are very helpful.
(ii) They must realize that cyber event occurs merely based on an “attempt” — there is no requirement that there will be an actual compromise or financial loss. Early detection of fraud is the key to mitigate the extent of the loss. (iii) There’s a need to clarify the rationale for regulation, particularly for the unregulated businesses. While Pakistan’s banking sector is relatively sophisticated and broadly accepts the need for anti-money laundering regulation, the SECP-regulated sector encompasses a broad range of various businesses, and their job is must more complex and complicated. To address this, the SECP could provide typologies of how the services of various businesses it supervises can be abused by money-launderers. (iv) A more real time approach to analysing data and other information (for example on consumer complaints) to support risk assessments, review exercises and market transaction monitoring is an absolute must;
(2) Competency Build-up Initiatives: (i) To incentivize training of ethical hackers, CISOs and security personnel, supported by Hackatons and cyber-exercises competitions to expand from talent to skilled resources. Many senior executives aren’t fully fluent in what digital is, and much less are up to the speed on the ways it can change how their businesses operate or the competitive context. (ii) Companies must create digital academies to help educate its leadership about relevant digital trends and technologies and to provide a forum where executives could ask questions and talk with their peers. The financial services provider jump-start things by holding a series of war-gaming workshops. (iii) The operating systems shall be audited and made robust and the guidelines in this respect must come from the regulators. In audit and inspection teams of SBP and SECP, there shall be system experts. While businesses are moving-ahead quickly with AI, NGOs and regulators, on the other hand, are far behind when it comes to talent and capabilities needed. RBI, for example, launched in 2014 a detailed IT examination programme to cover all banks, and set-up Cyber Security Labs across the country to assists IT examiners in conducting analysis of cyber security of the banks. The RBI also operationalized its IT subsidiary – the Reserve Bank Information Technology (ReBIT). The mandate for ReBIT, among others, is to focus on issues around IT systems and cyber security (including related research) of the financial sector and to also assist in the audit and assessment of the entities regulated by RBI;
(3) Cooperation & Collaboration: (i) Create an ecosystem of third-part suppliers to build consistent standards and structures. Supported by central supervisory initiatives, this could aid with Cyber-Events reporting to combined penetration testing to save costs. This should include not only FIs but also 3rd Party Service Providers like Cloud Service Providers for FIs. (ii) Mindset and cultural issues among the FIs to share information must change. There shall be serious penalties and actions taken in case the FIs don’t abide by the contract of secrecy amongst themselves. (iii) Collaboration with other central banks and institutions across the globe. An association (maybe at the SAARC level) may be developed across the region to share their experiences and initiatives/ infrastructure to mitigate the risk of cybercrime. (iv) Dissemination of typologies is most useful to mitigate cybercrime. The FMU’s analysis could be used not only to disseminate intelligence products to law enforcement agencies, but also to provide feedback to the private sector. In particular, sharing typologies of money-laundering Page 1 of 2 activity with the private sector could help the latter better understand higher-risk activities. (v) Displacement effects must be looked at and targeted. There is a perception among people that as regulated businesses step up AML efforts, the Government (specifically, the law enforcement agencies) needs to act in order to minimize the displacement of money-laundering activities towards unlicensed hawala/hundi operators.
(4) Communication & Coordination: (i) There shall be wider publication of enforcement statistics. There seems to be a widespread perception that SBP and SECP have stepped-up anti-money laundering enforcement after the US regulator fined HBL in August 2017. However, no enforcement statistics – such as the amount of fines levied – are currently available. The publication of enforcement actions could reinforce the need for banks and non-banking businesses to take compliance seriously. It would also be beneficial for broadcasting to international partners, show-casing Pakistan’s efforts to strengthen its response to money laundering and terrorist financing. (ii) Greater collaboration between in-house groups within the institutions will certainly be beneficial. With customers to institutional staff around baseline security and guarantees around financial transactions, for instance. Regular “war-games” for crisis communication in the case of cyber-crimes is becoming critical to have unified response and abilities to manage the scenarios which also gives confidence to the market to build resilience. The collaboration within financial institutions between anti-money-laundering compliance teams, cyber security teams and other units involved in identifying and mitigating cyber-related risks. (iii) The fraud and compliance functions need to come together and take a holistic approach to people, processes and solutions they use. There’re blurring lines between cyber and financial crime. (iv) Digitalisation may disadvantage older and other vulnerable consumers who have limited access to, or understanding of, digital delivery channels as fintech carries the potential for increasing the financial inclusion of some groups of consumers while at the same time excluding others which could only be handled through better communication and coordination and above all customer service. (v) From its side, the SBP and SECP could use the Consultative Forum, including FBR, National Savings and Law Enforcement Agencies, to encourage a conversation among financial institutions and other entities involved in fintech eco-system on money-laundering risks they face, such as higher-risk industries or indicators of suspicious activity.
5) Centralized Monitoring Command Systems: (i) At FIs to help prevent and detect financial crime. FIs need both an integrated (and timely) data set and the ability to bring sophisticated analytics focused on quality of data, Big Data analysis & visualization techniques to bear on the data to generate useful insights which allow time to react. Although tax crimes are included within the scope of predicate offenses, banks and other regulated businesses view tax evasion as less serious compared to other type of crimes. A clear message from the regulator regarding the importance of detection and reporting of untaxed funds would be useful. Reporting businesses would also benefit from typologies of tax evasion, in particular in order to effectively deal with cash-intensive businesses that are likely to pose higher risks of tax evasion. Here the involvement and interest of FBR is the key. (ii) SBP and SECP must come out with some minimum cyber security guidelines for the banks and until and unless those guidelines are met, they shall not be allowed to launch digital banking in a big way. A National Cyber Coordination Centre has been established in India and RBI also has set up an Expert Panel on IT Examination and Cyber Security drawing representatives from the industry as members. The Panel provides assistance in IT examination/cyber security initiatives of banks, review examination reports and suggest actionable items. Several countries have taken steps to improve their cyber resilience — the Committee on Payments and Market Infrastructures and Board of the International Organization of Securities Commissions (IOSCO) have issued Guidance on cyber resilience for financial market infrastructures in June 2016 after consultation with stakeholders, Financial Policy Committee (FPC) of the Bank of England launched the CBEST initiative – a Vulnerability Testing Framework. On the request of FPC, Her Majesty’s Treasury and the regulators worked with the core of the UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. The FPC also noted that it was important for the boards of financial firms and infrastructure providers recognize their responsibility for responding to those attacks. Recently, Hong Kong Monetary Authority launched a Cyber security Fortification Initiative (CFI).
The CFI mainly comprises following three pillars: (a) Cyber Resilience Assessment Framework; (b) Professional Development Programme; and (c) Cyber Intelligence Sharing Platform. The Institute for Development & Research in Banking Technology (IDRBT) under RBI released a comprehensive check-list on cyber security prepared by a panel of experts drawn from industry and academia in July 2016.
The checklist covers wide-ranging aspects of cyber security like enterprise control, IT infrastructure security, endpoint security, security monitoring as also outsourcing security. Similar initiatives are required to be taken in Pakistan by the regulators and the Government Institutions. On our part as community, as we move-ahead in the cyber world, we have to Confront Ignorance (no choice but to embrace technology); Confront Fear (of unknown); Confront Guesswork (educate ourselves); and Confront Diffusion (transformation to digitization).
Resource allocation at the macro/ regulatory level (and perhaps at the micro level) are the key in winning the fight against this changing world. In other words, “Regulatory Burden” whereby regulators must look for ways to expand the resources available for the battle against financial crime, and there shall be right professionals available to assist them with these matters. I must acknowledge and thank Mr. Jamal Hashmi for all his research and analysis which helped me coming out with the above write-up on this very important and unappreciated topic.
Out of the Box
Portfolio of Selected Newspaper Write-Ups
2014 — 2020
Subscribe and get a free digital copy of Zafar Masud's original and unedited newspaper write-ups since 2014.