Banks fold climate, pandemic and cyber risks into CCAR

By Steve Marlin | News | 30 October 2020

OpRisk North America: anchoring idiosyncratic risks to macro scenarios a challenge, say experts

Banks have long faced an uphill task to accurately gauge the financial risks posed by climate change, pandemics and cyber attacks, and to put a dollar value on them for the purpose of capital planning. But while such risks have previously been treated as tail events, the coronavirus has made clear they can significantly affect the losses firms have to project as part of regulatory-mandated stress-testing.

“We’ve incorporated a lot of these risks into our scenarios from a CCAR [Comprehensive Capital Analysis and Review] perspective. We are thinking about both the likelihood and the increased risk, particularly outside the bank, in the infrastructures we deal with,” said Rick Brobst, head of CCAR for operational risk at UBS Americas, during a panel at OpRisk North America on October 22.

Understanding the linkages between operational events and a firm’s risk drivers was especially important in the current climate, he added. Cyber threats have been elevated during the pandemic, with the vast majority of many financial firms’ workforces operating remotely, exposing network vulnerabilities and providing new avenues of attack. A major area of concern, Brobst noted, was the risk associated with third-party vendors not being able to keep up with testing and controls.

The question of how idiosyncratic scenarios are integrated into CCAR goes back to the fundamental purpose of stress-testing operational risk for capital planning, argued Evan Sekeris, head of model validation at PNC Financial Services Group: to expand the stresses an institution faces beyond those embedded in the macroeconomic scenarios provided either by the US Federal Reserve or by the bank’s own economists.

This involves considering what the world might look like if an additional stress materialises from a tail event that is idiosyncratic to the institution and operational in nature, and then linking it back to the macroeconomic scenario. Covid-19 had made clear that a pandemic was a scenario most banks needed to think about more carefully in their scenario inventories, Sekeris suggested.

“No institution had a pandemic [scenario] that triggered a macroeconomic crisis like the one we observe. Going forward, we will have to think more seriously about how we are going to integrate idiosyncratic risk events that can have a feedback loop into the macroeconomic forecast,” said Sekeris, who was speaking during the same debate.

One of the biggest problems with modelling idiosyncratic risks is the inapplicability or outright lack of historical data that can be used to forecast losses. Brobst noted that, while UBS Americas had experience with previous climate disasters – in particular, Superstorm Sandy – when it came to climate risk in general, “we haven’t had a lot of experience in seeing how this will lead to additional operational risk”.

Regulators have become more attuned to the linkage between climate risk and stress-testing. The Bank of England is consulting on a proposal to require banks to develop scenarios for climate risk, arising both from physical risks such as floods and hurricanes and from transition risks stemming from global warming and the move away from carbon-intensive industries. The European Central Bank has launched a public consultation on a draft guide on climate-related and environmental risks, with the potential to integrate these risks into the supervisory framework as early as 2021.

As idiosyncratic risks become integrated into stress-testing, the likelihood increases that post-stress capital results will vary between banks depending on whether each bank is more or less conservative in its assumptions. In an effort that could forestall such an eventuality, a group of banks under the aegis of the American Bankers Association are working on standardised scenarios for operational risk that can identify the drivers of future losses. The project’s goal is to understand the losses that can be generated for each scenario based on each bank’s business activities and exposures.

Sekeris said: “The best way to do this will be to find a way that when we have an idiosyncratic event, not have it as an add-on, but as a driver of the macroeconomic scenario. We are on an unavoidable path toward impact from climate and pandemics, so we have to start quantifying it. In severe scenario outcomes, it will have major macroeconomic consequences.” 

Editing by Tom Osborn

AML bill will swamp financial crime teams, banks warn

By Steve Marlin | News | 26 October 2020

Proposed US legislation could force firms to run new and old systems in parallel, stretching resources

A draft bill in the US Senate designed to toughen anti-money laundering laws could lead to a dangerous duplication of effort in the fight against financial crime, experts warn.

The Illicit Cash Act aims to stem the flow of dirty money by forcing US financial institutions to share information on shell companies and help authorities trace beneficial ownership.

The bill, sponsored by senator Mark Warner, pushes banks to update their anti-money laundering (AML) systems to make greater use of machine learning technology. The new technology would run in parallel with existing systems to ensure it works correctly, the legislation states.

Financial crime heads argue that while banks need to demonstrate the technology is not introducing new risk, this can be done without the added burden of running old and new systems simultaneously.

“[The legislation] imposes heavy requirements on a financial institution that’s seeking to roll out innovative technology by mandating parallel runs in certain cases. That is not supportive of innovative technology,” says Patricia Sullivan, global co-head of financial crime at Standard Chartered.

The proposed law would codify previous regulatory guidance encouraging banks to embrace artificial intelligence-based techniques for combating money laundering.

The bill comes at a time when financial institutions around the world are facing hefty fines from regulators for AML failings. The industry has been rocked by September’s leak of thousands of suspicious activity reports sent to the US’s Financial Crimes Enforcement Network, which critics seized on as evidence of banks’ poor practices in tackling the flow of illicit cash.

Separately, FinCEN has issued a proposed rulemaking calling on banks to develop AML policies that target the specific risks they face, rather than the previous blanket approach that saw authorities inundated with largely ineffective crime alerts.

However, observers point out that the new bill would require banks to run two AML systems in tandem, creating a deluge of duplicate alerts.

“In effect, the bank is doubling the volume of alerts generated, as both old and new systems are running and spitting out alerts,” says Phil Rolfe, CEO of P2 Consulting and a former head of AML at Royal Bank of Scotland.

The proposed text of the bill states that a bank may disregard parallel runs as long as the bank has: gained permission from its regulator; adequately tested the new technology; and laid out procedures for replacing the existing tech.

The bill’s sponsors believe this will enable financial institutions to adopt the new technology in a controlled way without burdening the industry.

Proponents of the bill might also argue that a cautious approach to introducing new technology is necessary, given the difficulties experienced by some AI-based fraud detection systems during the Covid-19 pandemic.

Banks are able to use anonymised data for some of the testing, and they can safely discard the output of these tests. But to properly calibrate the systems, firms must use real data. The longer the parallel run with real data, the greater the burden of duplicated alerts, experts say.

“If it must be run over a significant period of time, such as six to 12 months, that can strain a compliance department,” says Josh Heiliczer, managing director at risk consultancy Protiviti.

Some bankers agree that parallel runs are a good way of testing and calibrating new technology, but believe the law may go too far in mandating this approach.

“A rule which would require banks to just consider parallel running as one way to get assurance of the effectiveness of the new system is not completely odd or undesirable, but we should not make it mandatory,” says Philippe Vollot, Danske Bank’s chief compliance officer. The bank, which is Denmark’s largest lender, faces a large fine for AML breaches dating back to 2007.

Banks have been training machine learning-based systems to identify false positives, which can be caused by something as simple as a misspelling on a form, while at the same time being able to spot truly suspicious behaviour.

But many believe that the machines should not be left on their own. A combination of human expertise and artificial intelligence – known as ‘augmented intelligence’ – can help firms detect fraudulent activity in a more targeted way, says a senior financial crime executive at a large international bank.

“Augmented intelligence increases your capacity to focus attention on the real alerts, rather than wasting time looking at alerts which are false positives,” the executive says.

The Illicit Cash Act has not yet faced a vote from both houses of Congress, and the bill may be slowed by the forthcoming US presidential election, due to take place on November 3.

Editing by Alex Krohn

Does the source of information influence depositors' withdrawal intentions?

By Suné Ferreira, Zandri Dickason-Koekemoer | Technical paper | 26 October 2020

Fed set to unveil operational resilience proposals

By Steve Marlin | News | 22 October 2020

OpRisk North America: banks expected to design idiosyncratic stress scenarios to test resilience

The US Federal Reserve will next month set out its long-awaited stance on operational resilience, outlining the approach it expects banks to take when demonstrating their ability to maintain critical business operations during severe disruption.

The work, outlined by Arthur Lindo, deputy director at the Fed, in a speech at OpRisk North America on October 21, will set out guidance on the use of scenario-analysis techniques when banks determine their ability to weather disruptions from operational risk events. In designing scenarios, firms will need to map the interdependencies of core business lines and critical operations.

Rather than prescribe a new set of rules, however, the Fed’s approach will leverage existing frameworks, regulations and guidance for operational resilience and business continuity. This approach has been strongly influenced by the financial sector’s response to the Covid pandemic, Lindo said, which has created operational resilience challenges for third-party providers and support functions, and has shifted processing onto IT infrastructure that was not designed for it.

“We started to question whether the costs and benefits that would be imposed by a prescriptive set of requirements that we had been considering would be commensurate with the benefits,” Lindo said. “The available evidence indicates there are significant benefits of making use of frameworks already in place rather than introducing a new set of prescriptive requirements.”

The Fed’s move follows the issuance by the Basel Committee’s working group on operational resilience, chaired by Lindo, of an August consultative paper, setting out high-level guidance for firms to conduct self-assessments of operational resilience. Basel has so far stopped short, however, of proposing metrics by which regulators could judge firms’ compliance with resilience expectations, such as mandating that critical operations be up and running within a specific period of time – an approach other watchdogs, notably the Bank of England, remain keen on.

The UK, in its initial consultation on operational resilience, has set out plans that would require firms to set specific impact tolerances for critical business services. In the wake of Covid, however, it has signalled it may shift towards a less prescriptive approach to setting impact tolerances.

The Basel Committee had considered following the earlier UK approach, Lindo said – but, with the benefit of time afforded by the pandemic, decided to scrap it in favour of the one it outlined in its consultation.

“We were well aware of the UK proposal. We went down the impact tolerance route, but we pulled back for a higher-level construct. We decided now is not the time to take a Basel standard-setting approach.”

Lindo noted that the pandemic has tested the ability of banks to maintain operations during a crisis to an extreme degree, arguing the Fed doesn’t want to add to lenders’ burdens. As a result, the US stance on operational resilience will place a great deal of emphasis on making effective use of existing frameworks, he said.

“We believe that leveraging and building on what is already in place will be beneficial from a supervisory perspective, in that we’ll be able to assess resiliency in a much more effective manner. More importantly, this approach will accelerate a level of maturity that we see in operational resilience and business continuity,” he said.

Lindo emphasised the resilience scenarios firms will be expected to deploy will only be used by the watchdog to assess a firm’s risk relative to its appetite and tolerance for disruption, and will be kept separate from those used as part of its regulatory capital submission under the Fed’s Comprehensive Capital Analysis and Review and Dodd-Frank Act stress tests. The Fed believes that through this approach, the US financial sector could achieve operational resilience outcomes that will be aligned with other jurisdictions.

Editing by Tom Osborn

Fight against dirty money falters in blizzard of SARs

By Steve Marlin | Feature | 22 October 2020

Authorities are swamped with suspicious activity reports, many of which are never investigated

A leaked trove of secret bank documents – known as the FinCEN files – shows how some of the world’s largest financial institutions were party to billions of dollars of shady transactions over the last decade. At least, that’s the narrative in the flurry of international press reports covering September’s bombshell revelations.

The explosive ingredient in the exposé is thousands of suspicious activity reports, or SARs. Banks routinely file these reports to government agencies to flag irregular financial activity. US agency FinCEN, or the Financial Crimes Enforcement Network, received more than 2.3 million such reports in 2019 alone.

Only a small fraction of these reports are ever investigated. Even fewer lead to prosecution. Bank financial crime experts say this low hit rate is largely attributable to a lack of manpower in government enforcement agencies.

“You put the onus on banks to report, but enforcement authorities don’t have the capacity to handle this volume of reports. It’s a monumental waste of resources,” says a financial crime executive at a large global bank whose reports were among those leaked.

Banks have the power to freeze payment flows by halting transactions and seizing assets, but they don’t have the authority to pursue criminals or compel law enforcement agencies to take action. Rather, they are dependent on the agencies for feedback that can help them provide law enforcement with the information they need.

Too often, however, they claim they aren’t getting it.

“If the FinCEN files indicate anything, it’s that the SAR regime is on a path where it needs to pause so that information sharing isn’t a one-way street from a bank to law enforcement,” says the head of financial crime at a large global bank.

To open up this one-way street, banks are pushing regulators to offer more guidance on what to include in SARs. They are also seeking greater co-operation in determining how to target potential hotspots for money laundering.

The signs are that regulators are listening. Forthcoming rule changes in the US and Europe will introduce what’s hoped to be a more targeted approach to detecting dirty money. Firms will be required to identify specific risks and address them directly, instead of the current, blanket approach that leaves authorities swamped with reports, many of which are not an enforcement priority.

The industry has already made attempts to improve lines of communication. The Financial Action Task Force (FATF), an international financial crime body, updated its standards a few years ago calling for greater co-operation between agencies responsible for anti-money laundering and data privacy. And 13 global banks have formed the Wolfsberg Group, a forum with a mission to share and publish information on best practice in anti-money laundering.

For banks, the stakes are high: in 2019, fines for violations of anti-money laundering rules in the US and Europe totalled $8.2 billion, according to ORX News. The figure includes an appealed €4.5 billion ($5.3 billion) fine for UBS for alleged tax evasion, and a £102 million ($133.6 million) fine for Standard Chartered for poor money laundering controls and breaching sanctions against countries including Iran.

A SAR is born

The process leading up to a SAR filing begins with monitoring of clients and transactions that trigger red flags, such as a customer doing business in countries or sectors linked with money laundering or terrorist financing. Banks create scenarios to identify whether a transaction is outside normal boundaries, at which point it is escalated, reviewed and investigated.

Law authorities talk of a SAR “conversion rate”. This refers to the proportion of reports that lead to official action. The action could be further analysis, or use within an existing investigation, or the basis for a new investigation. In simple terms, if a report doesn’t “convert”, it is effectively ignored.

The conversion rate for SARs filed in the European Union is just over 10%, a Europol report in 2017 found. Many insiders believe the conversion rates are, in reality, lower.

“Banks report that less than 5% of SARs filed are pursued for further investigation. If there’s no follow-up on the SAR for supporting documentation, that SAR is probably not being used in a prosecution,” says Patricia Sullivan, global co-head of financial crime compliance at Standard Chartered.

US banks alone filed 1.1 million SARs in 2019. “There’s quite a large number of SARs being filed in the US that may not be yielding an effective outcome,” she adds.

While banks have large numbers of staff reviewing automated transaction monitoring alerts and preparing SARs, financial intelligence units are poorly staffed. FinCEN in the US has around 300 staff members. And a 2018 review of the UK’s anti-money laundering capacity by the FATF reported that the UK government’s financial intelligence unit had 80 full-time staff.

With relatively few government officials to assess reports and engage with financial institutions, the lines of communication between banks and agencies are sporadic, experts say.

“The system doesn’t work well because there are so many SARs filed and there’s not enough information coming back from law enforcement to the banks in order to build cases. So a fundamental element is to have that feedback loop closed between the public and private sector,” says Matt Ekberg, senior policy adviser at the Institute of International Finance.

This feedback loop – where authorities tell the private sector what information is needed in the SARs they file – has proved elusive, however. Banks claim they are being told to interpret what useful information looks like from the reports that do end up getting prosecuted, giving them a very small sample with which to work.

“A former federal prosecutor told me: ‘The closest you’re going to get to a feedback loop is referring to indictments or negative news articles on different patterns that were identified and trying to point [to] that as a positive SAR,’” says Jason Somrak, chief of product and strategy for anti-money laundering analytics at Oracle.

Danske Bank SARs climb

Denmark’s largest lender, Danske Bank, has seen a threefold rise in the number of SARs it has filed over the past two years, says chief compliance officer Philippe Vollot.

The bank has had recent troubles detecting and preventing dirty money from flowing through its network of banks. In September 2017, the bank was fined Dkr12.5 million ($1.9 million) by the Danish state prosecutor and ordered to set aside Dkr10 billion to cover future penalties for anti-money laundering violations. The enforcement action followed the discovery of billions of dollars in suspicious transactions diverted through its Estonian arm over preceding years.

In September 2018, the bank published a report detailing “major deficiencies” in anti-money laundering processes in its Estonia operations. The chief executive, Thomas Borgen, subsequently resigned. And the following February, the European Union’s banking watchdog launched a probe into supervisory failings at Danish and Estonian national regulators relating to the case.

Formal investigations in the US and Europe are still ongoing, and the timing and size of fines are yet to be announced.

The response at Danske Bank has been a heightened focus on money laundering. Vollot says frontline employees are more aware of how to spot potential fraud and what action to take. This has led not only to more SAR filings, but it has increased the effectiveness of the ones that are filed.

“A bank is effective at combatting financial crime when you have employees thinking about it,” says Vollot. “We have more escalation coming from branches than before. The branch calls the financial crime department, and [reports a] person depositing a large amount of cash. This is proper intelligence [needed] to potentially file a SAR.”

To some, Covid-19 provides an example of how regulators, law enforcement and financial institutions can align priorities. During the early stages of the pandemic, regulators provided guidance supporting a risk-based approach to financial crime risks. Companies were encouraged to pinpoint elevated risks from the pandemic and to understand how operational processes may suffer with a reduced workforce.

Regulators shared with the private sector red flags related to fraud – for example, activity in cash-intensive businesses that had ostensibly been shut, yet were still receiving mysteriously large volumes of cash. Authorities made clear they accepted that heavy volume processes such as monitoring and screening may be affected.

“It’s difficult to stop a live fraud if you’re not working in close partnership with law enforcement. Covid is a great example of shared priorities and the value of public-private partnerships,” says Standard Chartered’s Sullivan.

Who’s the boss?

A key weapon in the fight against financial crime is reliable, transparent and accessible information on beneficial ownership, insiders say. In other words, authorities need to know who pulls the strings in the company.

The FinCEN files reveal the ability of criminals to hide behind shell companies. Conflicting rules and regulations often make it impossible to ascertain beneficial ownership with any degree of certainty.

“There are lawyers and accountants who are actively working with criminals setting up vehicles for laundering money. They create schemes that [make it] incredibly difficult to identify the laundered funds,” says the first bank’s financial crime executive.

New European Union rules aim to harmonise beneficial ownership information across member states. The fifth Anti-Money Laundering Directive (5AMLD), which came into effect at the start of the year, calls for increased co-operation between national regulators and an EU-wide overhaul of bank account registers and retrieval systems.

“The big thing is getting international standards of conformity,” says Kyle Phillips, director of corporate and financial crime at law firm Fieldfisher. “Whilst there is a requirement to say who the person who has significant control of the business is, and who is the beneficial owner, there is very little policing. We have clients who have judgements in their name, and when they go to enforce the judgement, the company has no money because it’s been moved around.”

Legislation pending in the US would require corporations to disclose to law enforcement and banks information on who owns and controls the entity. The bill states that updates be filed annually, and allows FinCEN to determine if more frequent reporting is necessary.

In the UK, banks must ensure they obtain a company’s publicly available beneficial ownership details from a government register and compare this against the information they receive from the company itself during the onboarding process. Any material discrepancies must be reported to the government.

“Both the US and EU have requirements for disclosing beneficial ownership based on national registers, but there are differences between the two approaches. It will be interesting to see if the US changes how beneficial ownership information is collected and supplied,” says Brad Cohen, an associate at law firm Mayer Brown.

Targeted intervention

Lawmakers are also aiming to tighten up how banks develop internal policies to tackle financial crime. FinCEN has issued a proposed rule calling on banks to develop “effective and reasonably designed” anti-money laundering programmes based on their own assessments of the risks they face.

In the EU, banks are required to review the countries in which they operate to make sure there are no gaps in their onboarding procedures and transaction monitoring for cross-border customer business. In the UK, the government has pledged to spend an extra £100 million a year to improve co-operation between UK agencies and international partners.

“We expect a greater volume of information requests from regulators, so banks should have sufficient resources and robust record-keeping systems to manage these,” says Andrew Lee, a partner with law firm Debevoise Plimpton.

FinCEN’s recent proposed regulatory changes would bring the US approach to designing banks’ anti-money laundering programmes more in line with European practices under 5AMLD and earlier regimes.

For a number of years, a fundamental plank of EU anti-money laundering rules has been to require banks to carry out risk assessments and then implement controls that are tailored to mitigating and managing the risks they have identified. Although many US banks will already apply a risk-based approach to their AML programmes, FinCEN is now explicitly recognising the importance of this.

“This is a sensible and proportionate approach that encourages banks to address real AML risks, rather than simply engage in ineffective box ticking against generic criteria,” says Lee.

FinCEN’s proposal also requires banks to provide information “with a high degree of usefulness” to law enforcement authorities. In other words, banks are encouraged to be more selective in their reporting, in a bid to reduce the ticker tape of SARs inundating US authorities.

This is in contrast to the EU, which still requires banks to report all suspicious transactions. Although interpretations of “suspicious” differ among EU countries (the UK in particular sets a very low threshold for suspicion), the EU approach is to place the onus on national authorities to review reports and determine what information is useful to them, rather than leaving this assessment to the banks.

Editing by Alex Krohn

OCC warns on cyber and fraud control lapses during Covid

By Steve Marlin | News | 21 October 2020

OpRisk North America: Covid-induced changes in operations and working practices creating openings for bad actors, says senior regulator

Banks are being urged by federal regulators to ensure their risk control environments are able to withstand the heightened operational risks brought on by a combination of rapid changes in working practices and increasing fraud and cyber threats during the Covid-19 pandemic.

“Risk and change management capabilities are needed not only to address the operational and credit risks associated with many of the pandemic response programmes, but also to manage reputation, compliance and – looking at the long-term impact of the current pandemic – strategic risks associated with these efforts,” said Kevin Greenfield, deputy comptroller for operational risk policy at the US Office of the Comptroller of the Currency (OCC).

Effective change management processes are a key component of any operational resilience framework, Greenfield said during a keynote speech at the OpRisk North America conference. During the pandemic, banks have had to rapidly redesign many controls to adhere to Covid-19 restrictions, such as permitting front-office staff to trade remotely, and also quickly develop processes to support government stimulus programmes.

Adaptations in control environments have often failed to keep pace, however, leading to lapses in some cases. Last month, JP Morgan reportedly fired several staff for fraudulently diverting Covid relief loans designed to help struggling businesses. 

While the pandemic has heightened the risk of operational outages, errors and fraud, banks also need to maintain controls to manage the ongoing cyber security threats that were affecting the financial industry before Covid-19 and continue to plague it, said Greenfield. Banks continue to be targeted by malicious actors whose attacks are shifting to the use of more destructive tools, including an increase in malware and especially ransomware.

“I cannot emphasise enough the importance of having controls to detect, protect and respond to these attacks,” said Greenfield.

Bank examiners are in the process of reviewing the actions banks have taken to implement controls for new and modified operational processes, the OCC and other prudential regulators said in guidance issued in June. These reviews would take into account steps “taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment”, the watchdogs said.

Examiners are also assessing the pandemic’s impact on service providers, many of which operate offshore and are consequently outside the scope of US regulators.

To make matters even more challenging for the risk management and control structures supporting operational resilience, there is a heightened risk of fraud, as criminals take advantage of people’s fears and seek to exploit control gaps. Criminals have been actively targeting financial institutions to take advantage of weaknesses exposed by the rapidly changing environment.

Cyber criminals have used Covid-19 as a theme for phishing emails. The US Department of Homeland Security, the Federal Bureau of Investigation and other law enforcement agencies have been recording emails and text messages that use Covid as a lure to get people to open messages.

“Whether it be malicious actors attempting to cash fraudulent stimulus checks, steal sensitive information through phishing, or establishing fraudulent websites, banks need to remain vigilant as fraud and cyber risk increases. Controls and monitoring processes need to adapt to this new operating environment,” said Greenfield.

Earlier this year, the OCC and the Federal Deposit Insurance Corporation in a joint statement highlighted the need to maintain incident response and cyber resilience capabilities as part of an operational resilience framework. In order to safeguard against destructive malware, banks should have cyber resilience capabilities that can recover against attacks through offline backups, segmented networks and other critical capabilities, they said.

Bringing operations back safely without compromising data is especially problematic during a cyber attack, as banks noted in response to a never-implemented plan put forward in 2016 that would have mandated a two-hour return to operations.

Greenfield said: “Many business continuity plans use systems and data-mirroring technologies that allow for rapid recovery with minimum data loss. While these technologies greatly aid in the seamless recovery and continuity of operations against most operational threats, they can have the opposite effect during a cyber event, quickly propagating malware through both production and backup systems, compromising and encrypting critical data.”
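The point Greenfield makes about mirroring versus recovery is worth seeing in code. The following is an added toy model, not code from the article or from any bank: a continuously mirrored backup faithfully replicates an encryption event into the backup copy, while an append-only snapshot store held outside the replication path still has a point-in-time copy that can be verified against an offline manifest of known-good file digests. The file names, contents and the XOR stand-in for encryption are all constructed.

```python
"""Added example (not from the article or any bank's system): why synchronous
mirroring propagates a ransomware event into the backup, while isolated,
immutable snapshots retain a recoverable copy. All data is constructed."""
import hashlib
from typing import Dict, List, Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MirrorBackup:
    """Continuous replication: the backup always equals production."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def replicate(self, production: Dict[str, bytes]) -> None:
        self.files = dict(production)


class SnapshotBackup:
    """Append-only point-in-time copies; a new snapshot never overwrites an old one."""

    def __init__(self) -> None:
        self.snapshots: List[Dict[str, bytes]] = []

    def take(self, production: Dict[str, bytes]) -> None:
        self.snapshots.append(dict(production))

    def newest_matching(self, manifest: Dict[str, str]) -> Optional[Dict[str, bytes]]:
        """Newest snapshot in which every file matches the offline known-good manifest."""
        for snap in reversed(self.snapshots):
            if all(digest(snap.get(name, b"")) == h for name, h in manifest.items()):
                return snap
        return None


def simulate_encryption(production: Dict[str, bytes], key: int = 0x5A) -> None:
    """Stand-in for the destructive event: overwrite every file with XOR-transformed bytes."""
    for name, data in production.items():
        production[name] = bytes(b ^ key for b in data)


def run_scenario() -> Dict[str, bool]:
    # Constructed production data set and an integrity manifest kept offline.
    production = {"ledger.db": b"balances: A=100 B=250", "kyc.csv": b"id,name\n1,Acme"}
    manifest = {name: digest(data) for name, data in production.items()}

    mirror, snaps = MirrorBackup(), SnapshotBackup()
    snaps.take(production)          # point-in-time copy, outside the replication path
    mirror.replicate(production)    # mirror is in sync with clean production

    simulate_encryption(production)
    mirror.replicate(production)    # mirroring copies the damage within seconds

    mirror_ok = all(digest(mirror.files[n]) == h for n, h in manifest.items())
    clean = snaps.newest_matching(manifest)
    return {
        "mirror_recoverable": mirror_ok,
        "snapshot_recoverable": clean is not None,
        "snapshot_restores_ledger": clean is not None
        and clean["ledger.db"] == b"balances: A=100 B=250",
    }


if __name__ == "__main__":
    print(run_scenario())
```

The manifest check is what turns the snapshot store into a recovery capability rather than just another copy: without an independent record of what clean data looks like, an operator cannot tell which snapshot predates the event.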

After FinCEN leak, banks want more help from regulators

By Costas Mourselas | News | 13 October 2020

OpRisk Europe: Suspicious activity reports are going into a “black hole”, banks complain

Banks are asking regulators to share more of the information they glean from suspicious activity reports (SARs), to aid them in the fight against money laundering and other financial crimes.

SARs are filed with regulators and law enforcement agencies whenever unusual transactions are detected. Compliance officers at banks say they receive little feedback on these reports, despite filing thousands every year.

“I think at the moment there is definitely a view that it’s a bit of a black hole, and a bit more transparency from regulators could only be a good thing,” said Richard Snookes, chief compliance officer at Sberbank CIB.

Lester Joseph, a manager in the global financial crimes intelligence group at Wells Fargo, echoed that view: “We file all these reports and very seldom do we hear back.”

Snookes and Joseph were speaking at the OpRisk Europe virtual conference on October 8.

Last month saw the leak of more than 2,100 SARs filed with the Financial Crimes Enforcement Network (FinCEN), covering roughly $2 trillion of suspicious transactions between 1999 and 2017. The reports revealed large global banks had processed several illicit payments over that period.

FinCEN is the US Treasury’s anti-money laundering unit. Banks file similar reports on suspicious transactions with other law enforcement agencies and regulators, including the UK’s Financial Conduct Authority and National Crime Agency.

Snookes said this information could be put to better use. “I would like to see some sort of regular kind of updates [on the reports],” he said. “If they’re seeing SARs being reported across all banks and all kind of sectors of the financial community they surely must be able to see certain patterns developing in the retail market or certain patterns developing and new typologies arising.”

The FCA and the US Treasury did not respond to a request for comment in time for publication.

The FinCEN leaks also highlighted the scale of the task facing law enforcement agencies that must analyse millions of SARs to determine whether crimes have been committed.

Joseph said banks may be able to help. “FinCEN in the US, our financial intelligence agency, has about 350 people, and of course we have a lot of law enforcement agents, but Wells Fargo has about 500 very experienced financial investigators who do great work,” he said. “If we can partner more with the government, I think we could really make a big contribution.”


Igor Sumkovski, a senior manager in financial crime compliance advisory at Santander, said banks should also have a bigger role in shaping anti-money laundering rules. “What I would like to see more of is more interaction between regulators and banks. That is really helpful in particular when there is a change in the regulation,” he said. “That is a much better approach, rather than acting post-event.”

A series of articles on the FinCEN leaks published by Buzzfeed News and the International Consortium of Investigative Journalists also linked several suspicious transactions to offshore tax havens, such as the British Virgin Islands.

Joseph said the use of shell companies made it difficult for banks to identify the parties involved in suspicious transactions. He called on governments and regulators to tackle the problem.

“Corporate formation is something that the US has a problem with,” Joseph said. “In the UK, you have the same issue with some of their jurisdictions. So this is a huge problem that is aiding financial crime and money laundering.

“Until governments get serious about that, the banks are just trying to plug the holes but not getting at the real problems,” he added.

Santander’s Sumkovski also suggested banks had been the target of some unfair criticism following the FinCEN leak. “I think certainly there are gaps that are highlighted and the banks will need to work harder to fix the issues that are identified. But equally I think the compliance functions are not getting the deserved credit really for their hard work,” he said.

Banks warn of rise in ransomware attacks

By Steve Marlin | News | 9 October 2020

OpRisk Europe: Banks must improve resilience of remote-working staff, says Wells Fargo financial crime expert

Cyber threats from ransomware and other types of attack have risen since the onset of the coronavirus pandemic as criminals look to exploit gaps in defences magnified by remote working, banks say.

“The pandemic has caused an epidemic of financial crime around the world. Over the past few months, ransomware has really taken off,” said Lester Joseph, manager of the global financial crimes intelligence group at Wells Fargo.

With a majority of bank employees working from home, experts say the number of entry points for hackers has increased. Staff are also having to adjust to unfamiliar systems and processes, leaving them vulnerable to cyber attacks such as phishing.

Joseph warned of the growing need to educate staff on the dangers of unsolicited or fake emails that could introduce ransomware to company systems.

“Criminals have quickly taken advantage of the situation – in some cases, tailoring old schemes to Covid,” said Joseph. He was speaking during a panel debate on financial crime at OpRisk Europe on October 8.

The Financial Crimes Enforcement Network, a unit of the US Treasury, has issued an advisory note on ransomware, detailing how attacks are perpetrated and how banks can identify suspicious activity, including the laundering of payments by victims in virtual currencies.

The note includes warning signs for banks to look out for, such as a sharp increase in the use of virtual currencies by cyber insurance companies, which could indicate that a business covered by cyber insurance has been targeted by ransomware.
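To show how a warning sign like this becomes a monitoring rule, here is an added screening example over constructed transactions; it is not code from the article or from FinCEN, and the field names, the customer segment tag, the three-month baseline and the 3x / $50,000 thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the article or the FinCEN advisory): screen customers
tagged as cyber insurers for a sharp month-on-month rise in virtual-currency
volume against their own recent baseline. Sample ledger is constructed."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample ledger: (customer, segment, settle_date, asset, amount_usd)
SAMPLE_TXNS: List[Tuple[str, str, date, str, float]] = [
    ("INS-01", "cyber_insurer", date(2020, 6, 10), "BTC", 20_000),
    ("INS-01", "cyber_insurer", date(2020, 7, 12), "BTC", 25_000),
    ("INS-01", "cyber_insurer", date(2020, 8, 15), "BTC", 22_000),
    ("INS-01", "cyber_insurer", date(2020, 9, 2), "BTC", 180_000),
    ("INS-01", "cyber_insurer", date(2020, 9, 18), "BTC", 210_000),
    ("INS-02", "cyber_insurer", date(2020, 7, 5), "USD", 50_000),
    ("INS-02", "cyber_insurer", date(2020, 9, 9), "BTC", 10_000),
    ("RET-77", "retailer", date(2020, 9, 9), "BTC", 500_000),
]
VIRTUAL_ASSETS = {"BTC", "ETH", "XMR"}  # assumed asset codes


def _shift_month(year: int, month: int, delta: int) -> Tuple[int, int]:
    """Move a (year, month) pair by delta months, wrapping across years."""
    idx = year * 12 + (month - 1) + delta
    return idx // 12, idx % 12 + 1


def monthly_vc_volume(txns, customer: str) -> Dict[Tuple[int, int], float]:
    """Sum virtual-currency USD volume per (year, month) for one customer."""
    vols: Dict[Tuple[int, int], float] = defaultdict(float)
    for cust, _seg, d, asset, amt in txns:
        if cust == customer and asset in VIRTUAL_ASSETS:
            vols[(d.year, d.month)] += amt
    return vols


def screen_cyber_insurers(txns, review_month: Tuple[int, int], baseline_months: int = 3,
                          ratio: float = 3.0, min_usd: float = 50_000) -> Dict[str, dict]:
    """Flag cyber-insurer customers whose VC volume in review_month is at least
    `min_usd` and at least `ratio` times their average over the prior months
    (or any such volume where the baseline was zero)."""
    flagged: Dict[str, dict] = {}
    insurers = {c for c, seg, _d, _a, _amt in txns if seg == "cyber_insurer"}
    prior = [_shift_month(*review_month, -i) for i in range(1, baseline_months + 1)]
    for cust in sorted(insurers):
        vols = monthly_vc_volume(txns, cust)
        current = vols.get(review_month, 0.0)
        baseline = sum(vols.get(m, 0.0) for m in prior) / baseline_months
        if current >= min_usd and (baseline == 0 or current / baseline >= ratio):
            flagged[cust] = {"baseline_avg_usd": round(baseline, 2),
                             "review_month_usd": current}
    return flagged


if __name__ == "__main__":
    print(screen_cyber_insurers(SAMPLE_TXNS, (2020, 9)))
```

Comparing each customer with its own history, rather than with a fixed dollar threshold, is what separates "a cyber insurer that always settles in virtual currency" from "a cyber insurer that suddenly started to", which is the pattern the advisory describes. A flag is a prompt for analyst review, not a conclusion.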

Any rise in the flow of criminal money through the financial system could leave banks at greater risk of breaching anti-money laundering rules. Financial institutions globally have faced fines totalling nearly $1 billion for anti-money laundering failures in 2020, according to operational risk data provider ORX News.


The increase in coronavirus-related attacks has placed banks on the defensive, as AI-based systems used for detecting fraud have been churning out large numbers of false positives, owing to changes in customer behaviour. With cash-only businesses that have been traditional conduits for illicit cash being shut down, criminals are seeking new avenues through which to funnel funds.

“The situation has changed since March, and criminals appear to be a step ahead,” said Igor Sumkovski, a senior financial crime manager at Santander, during the financial crime panel discussion.

“The compliance function, in my view, needs to try [its] best to be a step ahead. Technology plays a big part in tackling financial crime. In the UK, we are seeing increased cyber crime-related cases.”

Panel speakers also highlighted coronavirus-related financial assistance packages as a fertile area for fraudsters. In September, JP Morgan fired a number of employees who were found to have abused the US emergency loan programme, the Financial Times reported. And Brazil’s Caixa Bank was forced to block thousands of accounts in July, after hackers attempted to steal coronavirus relief payments.

With the pandemic continuing, cyber risk looks set to remain high. An August report by Interpol shows an “alarming” rise in cyber attacks during the pandemic, including phishing emails, malware and data compromise. Experts warn that risk managers and security professionals must remain alert for future threats, in addition to firefighting today’s attacks.

“We’re too focused on things that have happened as opposed to educating people to identify the next attack,” said Evan Sekeris, head of model validation at PNC Financial Services Group, during another panel debate, on cyber risk, at OpRisk Europe on October 6.

Banks have been working to develop a common understanding of the drivers behind cyber risk through efforts such as that sponsored by the American Bankers Association, in which banks are creating scenarios for stress-testing and resilience purposes. The Federal Reserve Bank of Richmond last year launched an initiative aimed at creating a shared language for recording cyber losses and incidents.

Scenarios had been the central feature of capital planning under the Basel Committee on Banking Supervision’s advanced measurement approach for operational risk. The advanced approach is being phased out in favour of a standardised approach that calibrates risk capital to a bank’s size and historical losses. Scenarios have become a linchpin of cyber resilience, helping firms devise planning exercises to prepare for unforeseen events.

Sekeris said: “Scenarios bring value from an understanding of the drivers of the risk. The adverse event might be different from the one you had created the scenario for, but going through the scenario forces you to think of systems and controls in the case of a severe event.”

Editing by Alex Krohn

Op risk data: what a whopper – record $920m fine for JP metals ploy

By ORX News | Opinion | 8 October 2020

Also: counting the cost of Covid cons; Citi audio dynamite. Data by ORX News

JP Morgan paid a huge $920 million in September’s largest op risk loss – and the largest penalty order ever issued by the US derivatives watchdog. Three separate regulators found the firm’s traders had engaged in spoofing and market manipulation of precious metals futures and US Treasury markets from 2008 to 2016.

Traders would place large orders on both sides of these markets – one of which they had no intention of executing – to manipulate prices and benefit the firm over its competitors.

The Commodity Futures Trading Commission (CFTC), the Department of Justice (DoJ), and the Securities and Exchange Commission (SEC) all found that JP Morgan traders had engaged in misconduct during the eight-year period.

The CFTC ordered JP Morgan to pay restitution to the amount of $311 million, representing the damage done to other market participants by the spoofing scheme; a disgorgement of $172 million, representing the profits it had made from the scheme; and a civil monetary penalty of $436 million. The DoJ and SEC also ordered the bank to pay penalties for the spoofing scheme, but these amounts were offset by the CFTC’s order.


In September’s second-largest loss, investors in London Capital & Finance sued its executives for £178 million ($227 million) over an alleged fraudulent mini-bond scheme.

LCF’s administrators claimed that company directors had induced thousands of retail investors to purchase bonds in the group, purporting to invest in a series of arm’s-length property loans. Instead, investors alleged, almost £136 million ($174 million) was channelled to the firm’s executives, either directly or via loans to companies they controlled or were connected to.

LCF collapsed in 2019 after the Financial Conduct Authority found the company’s marketing of unregulated mini-bonds misleading. The company’s collapse left 11,000 investors with a loss of around £237 million ($303 million).

September’s third-largest loss, incurred by Dutch lender Rabobank, was a historic one, in which up to €160 million ($186 million) of physical collateral was appropriated and subsequently devalued. In 2014, the Mexican government seized nine ships, pledged to the bank as collateral on loans of around €236 million ($274 million) to offshore vessel operator Oceanografia, dating back to 2007.

When Rabobank eventually regained control of the ships, they had fallen sharply in value through lack of maintenance. The sale of the fleet generated only a small portion of the €220 million ($255 million) the operator owed. As of September 4, 2020, Rabobank had registered a case to recover around €150 million ($174 million) in damages from the Mexican government.

In September’s fourth-largest loss, the Mutual of Omaha insurance company agreed to pay $6.7 million to settle a class action suit filed in January 2018. The suit alleged that the firm had breached the Employee Retirement Income Security Act (ERISA) and its fiduciary duty towards its 401(k) investors. Court documents revealed that the firm selected investment funds from its subsidiary, United of Omaha. The subsidiary had invested all investors’ money in publicly available investment funds, managed by an unrelated third party, for which investors had paid a fee to the subsidiary on top of the fees charged by the funds.

In agreeing to the settlement, Mutual of Omaha did not admit any wrongdoing. As of 21 September 2020, the settlement is awaiting final approval from a federal judge in Nebraska.

Macquarie Group suffered September’s fifth-largest loss, paying A$7 million (US$5 million) to settle an investor’s claims that its advisers had caused them to invest in a worthless company. An investment adviser at Macquarie Private Wealth advised its client to buy shares in Cleveland Mining Group, which had acquired Brazilian iron ore mine Ferradura. The mine was expected to deliver more than 10 billion tonnes of iron ore, with an initial valuation of A$34 billion ($24 billion). But even after the mining group received confirmation that its prognostication had been wrong, the adviser continued to advise clients to buy its stock. The mining group’s stock price fell and in May 2018, it called in voluntary administrators.

Macquarie did not make any admissions about broker conduct in the confidential settlement, but agreed to pay the complainant A$6 million ($4.3 million) and A$1 million (US$700,000) in legal fees.


Spotlight: Citi cited for wiping subpoenaed audio

In September 2020, the Commodity Futures Trading Commission (CFTC) ordered three Citigroup entities to pay $4.5 million over a design flaw which allowed subpoenaed recordings to be deleted from the bank’s audio system.

In December 2017, the regulator had subpoenaed audio recordings pertinent to its investigations of the bank. But the flaw in the bank’s audio preservation system had caused it to delete recordings that were two years old as soon as the system reached 95% of storage capacity. In December 2018, when it was obliged to repeat its request for the recordings, the regulator was informed of the deletions.

The resulting investigation found that senior management responsible for the audio preservation system had been aware of the design flaw since at least 2014. The regulator also found Citi’s management responsible for not adequately staffing the company with trained employees and for not documenting changes to the system, which led to the recordings being deleted.

Citi was found to be in violation of CFTC Regulation 166.3 for not adequately supervising its subsidiary and fined $4.5 million.
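The Citi case is a retention-design failure as much as a supervision failure, so here is an added example of the purge logic described above, first as the flawed design and then with a legal-hold check. It is not Citi’s system or code from the article: the 95% trigger and the two-year age come from the description above, while the record fields, sizes, dates and the hold register are constructed assumptions.

```python
"""Added example (not Citi's system or code from the article): a capacity-driven
purge of aged recordings, without and then with a legal-hold exclusion.
Records, sizes and dates are constructed; the 95% trigger and two-year age
follow the case description."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple


@dataclass
class Recording:
    rec_id: str
    recorded_on: date
    size_gb: float


TWO_YEARS = timedelta(days=730)
CAPACITY_TRIGGER = 0.95

# Constructed sample store: 96 GB used of a 100 GB capacity, so the trigger fires.
SAMPLE_RECORDINGS = [
    Recording("R1", date(2016, 6, 1), 40.0),   # subject to a subpoena
    Recording("R2", date(2016, 9, 15), 40.0),
    Recording("R3", date(2018, 1, 10), 16.0),
]
SAMPLE_HOLDS: Set[str] = {"R1"}                 # constructed legal-hold register
CAPACITY_GB = 100.0
TODAY = date(2018, 12, 1)


def _utilisation(recs: List[Recording], capacity_gb: float) -> float:
    return sum(r.size_gb for r in recs) / capacity_gb


def purge_without_hold(recs: List[Recording], capacity_gb: float, today: date) -> List[str]:
    """Flawed design: once utilisation reaches the trigger, delete every recording
    two years old or older, with no reference to any hold."""
    if _utilisation(recs, capacity_gb) < CAPACITY_TRIGGER:
        return []
    return [r.rec_id for r in recs if today - r.recorded_on >= TWO_YEARS]


def purge_with_hold(recs: List[Recording], capacity_gb: float, today: date,
                    legal_holds: Set[str]) -> Tuple[List[str], List[str]]:
    """Hardened design: the same age rule applies, but anything on the hold
    register is retained, and the retained ids are returned alongside the
    deleted ones so each purge run leaves an auditable record."""
    if _utilisation(recs, capacity_gb) < CAPACITY_TRIGGER:
        return [], []
    deleted, retained = [], []
    for r in recs:
        if today - r.recorded_on < TWO_YEARS:
            continue
        if r.rec_id in legal_holds:
            retained.append(r.rec_id)
        else:
            deleted.append(r.rec_id)
    return deleted, retained


if __name__ == "__main__":
    print("flawed deletes:", purge_without_hold(SAMPLE_RECORDINGS, CAPACITY_GB, TODAY))
    print("hardened:", purge_with_hold(SAMPLE_RECORDINGS, CAPACITY_GB, TODAY, SAMPLE_HOLDS))
```

The hold register has to be consulted inside the purge path itself; a hold that lives only in a legal team’s spreadsheet cannot stop a storage-threshold job, which is the gap the regulator described.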

In Focus: Covid relief loans catch a cold from crooks

Since the Covid-19 outbreak, governments around the globe have rolled out relief packages to aid enterprise and individuals in weathering the economic twister. But fraudsters began to seize the opportunity to abuse or scam such programmes for their own gain, as Risk.net has reported, with implications for operational losses at a systemic level.

In Europe, lenders were heavily encouraged to allow borrowers moratoriums on loan, mortgage and other debt repayments. In April, the European Banking Authority published guidelines on the implementation of coronavirus-related credit moratoriums. The EBA’s guidance, which it updated in August, said that the repercussions of Covid-19 could affect the incidence of operational risk events, with an impact on credit exposures, and that such impacts lie at the “boundaries with credit risk”.

In the UK, even as the government rolled out three schemes to help employers pay wages, rent and other business costs, firms expressed fears about the rapid roll-out of these relief packages while terms and controls were still being put into place.

The UK tax agency HM Revenue & Customs has already made its first arrest for fraud relating to the government’s Covid-19 relief packages. The BBC reported in September that criminals in the UK have begun to set up fake businesses on an industrial scale to fraudulently claim relief funds.

The German State of North Rhine-Westphalia was targeted by phishing attacks aimed at acquiring data provided by applicants to the state’s coronavirus aid website. The state has reportedly lost up to €100 million ($116 million) from such fraud, according to the ORX database.

And in Brazil, Caixa Bank was ordered by the Brazilian Ministry of Citizenship to block 1.3 million accounts after reports that those individuals had fraudulently claimed coronavirus relief funds. On July 21, thousands of accounts had to be blocked after hackers had broken into some accounts and redirected the emergency aid.

EIDL hands

At least one firm has also seen internal attempts to defraud the relief packages it was handling. JP Morgan dismissed several employees who allegedly took bailout funds that were supposed to help businesses dealing with the crisis. The Financial Times reports that several of its employees had fraudulently received money under the US Economic Injury Disaster Loan (EIDL) programme. The bank found the former employees had deposited suspicious EIDL funds into their proprietary checking accounts. However, the FT noted that those cases account for a “very small” percentage of suspicious activity uncovered by the bank in relation to Covid-19 relief funds. According to the report, the bank had circulated a company-wide memo warning that it had discovered “conduct that does not live up to our business and ethical principles”. This misconduct allegedly includes customers misusing loans from the US Paycheck Protection Program, unemployment benefits and other government programmes.

According to US lawmakers, the various economic packages offered to businesses and employees have widespread potential for fraud. Democrats say the US Small Business Administration and the US Treasury have been inadequate in reviewing the US government’s handling of relief packages. They cite instances of companies receiving multiple loans, loans to companies that should have been blocked from federal contracts, and applications that are missing names, addresses and other basic data.

This raises the question of how these potentially fraudulent applications were able to slip through the controls and procedures in place to prevent fraud. All lenders are required to test their new loan products against suitability criteria, such as whether a client needs the product in question. Controls are put in place to protect customers – and lenders – but the speed with which the relief packages needed to be rolled out has put an inevitable strain on operations.

Not only is there a risk of banks and government relief packages falling victim to fraudsters, but there is the risk that lenders could be fined or sued if relief funds are given out in a way that does not follow due procedure or diligence.

Editing by Louise Marshall

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

BoE may update resilience guidance, post-Covid

By James Ryder | News | 6 October 2020

OpRisk Europe: Granular targets on minimum service provision after outages could be revisited, adviser suggests

UK regulators may revisit one of the thornier aspects of their guidance to firms on resilience planning to take account of the impact of the global coronavirus pandemic, a senior adviser at the Bank of England has suggested.

Giving the keynote address at Risk.net’s annual OpRisk Europe conference, Nick Strange, senior technical adviser for operational risk and resilience at the UK’s Prudential Regulation Authority, said some of the “detailed guidance” proposed in the BoE’s consultation on op resilience – aimed at ensuring firms have capacity to absorb shocks and continue providing critical services through periods of stress – could be changed as a result of the coronavirus.

“We don’t envisage any changes to the underlying principles, but there is some detailed guidance in the consultation paper which we’d need to have a look at and see whether or not that’s still appropriate,” he said.

The BoE’s consultation period on the paper it issued jointly with the UK’s Financial Conduct Authority in December 2019 has already been extended once in response to the outbreak. Responses were originally due on April 3, 2020, but in spring this year the central bank announced an extension to October 1. The BoE is now working through the responses it received, said Strange.

Pressed on which aspects of the BoE’s proposed framework might have to be adapted to account for an era in which financial firms face large numbers of both their employees and customers working from home indefinitely, Strange pointed to areas where the BoE gives specific examples of minimum service levels that firms may be expected to maintain following a critical incident – “the kind of level that we intend to look for firms to set [for] important business services”. He added: “We’re mindful of the need that we don’t set that at too granular a level.”

“One of the examples that we give in the consultation is the ability of customers to get money out of an ATM. If they can get money out of somebody else’s ATM, or they can get money in some other way, then perhaps putting it down at that level is too detailed. That’s my personal view. But we do want to look at what the results of the consultation have been and make sure we get that guidance at the right level,” said Strange.


Commenting on the pandemic’s impact on working practices more broadly during his speech, Strange pointed out that, while the move to remote working meant firms were less vulnerable to issues affecting their physical offices or disaster recovery sites, any outage affecting global communications platforms could have severe ramifications.

“If firms regularise forms of remote working, given the perceived benefits beyond the crisis, would that make them more resilient, or increase technology risk as a single point of failure?” he said.

The proposed date of implementation of the UK’s op resilience framework has also been pushed back. The regulator’s initial plan was for the rules to come into effect during the “second half” of 2021. Now, they won’t take effect “before the end” of that year.

Strange argued the BoE’s core principles “really stand the test of Covid”, adding: “We said that we were ‘cause-agnostic’ when we issued the consultation paper.”

“For all practical purposes, [firms should] assume that the operational resilience policy will be very similar to that within the consultation paper,” said Strange.

“But don’t hold me to that, in case there are some serious objections that we haven’t had the chance to get around to yet.”

Early responses to the consultation indicate firms remained generally supportive of the BoE’s efforts, largely in favour of the bank’s stance, which encourages firms to assume that disruption will occur inevitably, and keen on receiving regulatory advice on good practice.

Firms responding to the consultation also asked for an update on the BoE’s aim to achieve alignment between the policies proposed and various competing sources of regulation, most notably the Basel Committee on Banking Supervision’s (BCBS) ongoing consultation on operational resilience principles – which closes on November 6 – and the BoE’s own Operational Continuity in Resolution (OCIR) framework, which is related to but separate from the operational resilience policy strand.

The BoE’s OCIR framework, Strange explained, was designed to ensure that a failing firm was able to offer critical functions for as long as feasible throughout the resolution period. The longer those functions could be maintained, the more orderly the resolution was likely to be. The bank would not expect the “critical functions” described in OCIR and the “important business services” described in the operational resilience policies to be mapped in divergent ways.

“We will expect firms to have a coherent narrative between what is ‘critical’ – or would support a firm’s viability for OCIR – and what is ‘important’ for important business services,” Strange concluded.

Resolution frameworks have attracted greater scrutiny recently, as market participants contemplate the possibility of an important firm toppling as a result of coronavirus-induced market turmoil.

On achieving harmony with the BCBS’s approach, Strange emphasised that, despite some differing language, regulators are aligned on general principles. He added that “perfect alignment” among international regulators, however, should not be expected, given different jurisdictions and priorities.

Other regulators – notably the US Federal Reserve, in its own stance on operational resilience – have been more hesitant to set granular impact tolerances for firms suffering outages in certain circumstances.

Editing by Tom Osborn