iNFRont Magazine - Oct - Nov 22 Edition

SOCIAL WASHING: AVOIDING

THE NEXT BIG ESG TRAP

Perspectives from CROs

CUSTOMER EXPERIENCE & DIGITAL BANKING USA

Leveraging innovation to improve customer experience

FIGHTING THE FRAUDSTERS Machine learning comes of age

THE CHANGING FACE OF PEOPLE RISK

Insight from Head of Operational Risk, Shawbrook Bank

NFR LEADERS 2022

Revealing the top 10 NFR trends for 2022 and beyond

HAS WFH CHANGED THE CONDUCT RISK LANDSCAPE?

Interview with Head of Internal Fraud, Standard Chartered

EXTERNAL FRAUD Experts reveal their greatest threats

REDUCING RISK IN UNCERTAIN TIMES

Philip White Senior Vice President – Head of Transformation Strategy & Reporting, Group Non-Financial Risk (GNFR) Danske Bank

As the newest member of CeFPro’s magazine Advisory Board, I’d like to welcome you to this fifth edition of iNFRont.

Philip

Danske Bank

Jeff Simmons, MUFG Securities (Europe) N.V. & Cecilia Gejke, private bank (undisclosed), Luxembourg

Alice

John Keogan, Standard Chartered

Desmond

formerly of Vodafone

Suresh Sankaran, Metro

Sean Miles, Shawbrook Bank

After a tumultuous two years, face-to-face events are very much back but Covid has not been the only thing to test our industry in recent times. The pandemic was followed by the crisis in Ukraine, unprecedented rises in energy and fuel bills, and a record-breakingly hot summer, leading to an immediate and future climate and food emergency. On top of this came the sad news of the passing of Her Majesty Queen Elizabeth II; a true inspiration to so many, including myself.

The above all serve to highlight that there is no longer such a thing as ‘normality’. Our response to Covid taught us so much about how to operate in times of great and unexpected change, requiring deep reserves of resilience. The previous issue of iNFRont featured an article on third-party management, which is critical if firms are to remain resilient. Our own ability and that of our vendors throughout the entire supply chain are of vital importance as we navigate through unchartered waters – do we understand our vendors’ capabilities sufficiently to rely on them in times of need?

This also links into aspects of ‘S’ in ESG – a key topic in both this issue and issue 4 – demonstrating the need for firms to clearly think about their responses to today’s eminent social challenges. With many people unable to pay their energy bills, for example, what will companies do to support their customers, and how can any response be gauged and judged? Our Big Conversation on pages 4-5 throws an interesting light on how companies can measure their social impact and respond to changing opinions and scrutiny.

In addition, this plays into questions of risk culture and behavior, and of internal fraud. Not only will our customers be having a hard time, but our staff will, too. How do we behave as both an organization and an individual in these times of stress and uncertainty?

I hope you enjoy the current edition of iNFRont – if you have something to share, please take the opportunity to disseminate your insights and knowledge with the wider non-financial risk community by getting in touch with our editorial team via the details opposite. Please also take full advantage of CeFPro’s extensive schedule of live events on both sides of the Atlantic, to interact with some of the best practitioners, vendors, and consultants globally in non-financial risk management – turn to p24 for full listings.

I look forward to seeing you at a future event!

We welcome contributions. If you or your organization are interested in featuring in our next issue, please contact editor@cefpro.com

If you are interested in sponsorship and advertising opportunities, please contact: sales@cefpro.com

Mateusz Chrobok, Nethone

MAGAZINE ADVISORY BOARD

(GNFR)

MAKING A MEANINGFUL SOCIAL IMPACT

Jeff Simmons, Chief Risk and Finance Officer, MUFG Securities (Europe) N.V., and Cecilia Gejke, Chief Risk Officer for an undisclosed private bank, discuss the ‘S’ in ESG and explain why organizations must ensure that making a positive social impact remains high on their ESG agenda despite the economic downturn...

Keeping the ‘S’ high on firms’ ESG agenda

Social washing (where companies merely pay lip service to social causes without any meaningful support) is set to become the next greenwashing.

How can firms avoid falling into this trap and ensure they are making a valid contribution to the wider community?

Jeff: To my mind, an organization’s social commitment usually falls into three areas: what the corporate says it’s going to do; what the corporate then says it’s doing; and finally, what the corporate is actually doing.

In practice, this means that a company might issue a fantastic statement about what it’s going to do in terms of diversity and inclusion by a given date. This initiative then gets passed down to senior management, who turn it into a set of objectives and high level KPIs. And then, what actually happens? Often, not much! There’s a feeling that the details are rarely followed up and that actions are not being taken at the right level.

One example is the way in which some organizations approach charity work. Plenty of positive statements are made and senior management are happy to sign checks – ‘We sponsor this! We stand side-by-side with that!’. But when

it comes to actually going out to do the community gardening or volunteering at a senior citizens’ home, it’s usually the same faces, often at the junior end, who are giving up their time. Senior management are largely absent other than for photo and PR opportunities. If firms want to be taken seriously about their commitment to social equality and avoid allegations of social washing, then real action needs to be evident from the top down.

Cecilia I have to agree. Senior management often say they are too busy to give up their time – but are they really too busy, or is it actually because social issues are just not prioritized? Jeff is right in that they are more actively used as a marketing tool – big promises on which companies then under-deliver.

Is part of the problem that it’s difficult for companies to effectively measure their social impact?

Cecilia: Normally, we quantify risk by looking at the downside. But when we try to quantify social impact, it’s about the upside, in terms of possible opportunities. The trouble is, the question marks are endless – how can we measure if people’s lives are improving? What part of the population are we measuring? If we judge it based on

whether salaries are higher, is this a fair measure? People might actually benefit more from a shorter working week, for example. As a risk manager examining credit risk, one would look at the default rates; again, the downside. But the ‘S’ is not about that at all, which makes it so difficult to quantify.

Jeff: Absolutely. And if you can’t quantify it, then it’s difficult to regulate and audit. So, organizations can basically say whatever they want, as they cannot be held to account. This used to be the case for environmental promises, but thankfully, this has now changed; for example, if a firm issues a green bond then normally, 12 months later it must get an audited statement of what that bond was used for and what the funds went to. But on the social side, that’s not yet the case. Saying that, governments and regulators are setting criteria for ethnic and gender diversity, which is really positive.

Until ‘S’ becomes a regulatory imperative, what are the benefits to firms of making a meaningful social impact?

Jeff: I would have said reputational, but ultimately, a company has to satisfy the financial needs of its shareholders. And if the chief executive is taking time

out of the boardroom to volunteer at a homeless shelter, for example, is that what I as a shareholder would want them to be doing? Where’s the financial advantage to me?

So, this is a question for you, Cecilia: do you think the ‘S’ pillar of ESG should be driven by the shareholders? Would it help if they were prepared to give up some profits, as long as the firm invested them in socially conscious activities?

Cecilia: Yes, in a way I think that would help, because currently it seems like the world is driven by private equity firms and hedge funds. Investors are just looking at short-term profit margins and not always doing what’s right for

the company or sometimes society. A CEO who’s really interested in making a positive social difference might not be able to do so because they would get overruled. The commitment must come from the person who is ultimately in control, which is the shareholder. If we could make a change at shareholder level, that could lead to a positive difference.

Over the next few years, what aspects of ‘S’ will companies need to be particularly aware of?

Jeff: I think diversity will be the biggest issue for firms to focus on, and the reason why is because it is getting enshrined in law and regulation.

Cecilia: I agree. However, there is a wider point to consider, and that is that social commitments are the first things to fall off the corporate agenda in times of recession. Given the current financial climate, our task now is simply to keep the ‘S’ alive. On the horizon, we’re looking at strikes, massive inflation, an increase in poverty…companies will be struggling to survive, people will be afraid of losing their job. It’s going to be even more important to keep ESG disclosures alive, keep the media alive, keep setting the tone from the top, and ensure that organizations continue to strive to make a meaningful social impact.

The commitment must come from the person who is ultimately in control, which is the shareholder. If we could make a change at shareholder level, that could lead to a positive difference.

Our dedicated ESG event – ESG Europe – will be taking place in London on April 18-19, 2023. Covering areas such as stakeholder and board engagement, regulation, and greenwashing, you can register your interest to attend here: www.cefpro.com/esg-europe

ONGOING OVERSIGHT

THE IMPORTANCE OF IN-LIFE TRANSACTIONAL RISK IN CONTRACT MANAGEMENT

International companies assume a variety of risk with every sale, lease, purchase, loan, or investment. These risks are not simply commercial, financial, or political in nature, but include a plethora of other inherent risks that encompass the technical, environmental, developmental, and socio-cultural realms.

Globally, transactional risk impacts every facet of an organization, but one risk scenario does not fit all situations. Prioritizing in-life transactional risk – i.e., working with contracts which have not expired and which are deemed acceptable for renewal – will enable a company to better understand its relationship with its vendors, clients, and regulators.

SAFEGUARDING CONTRACT EXTENSION

This article specifically looks at in-life transactional risk in contract management and the processes required to ensure risk is captured during the extension of contracts. During the due diligence process, risk experts and the procurement team can address the risk landscape and the potential impact on an organization’s ability to operate in a regulatory environment. This is also an opportunity to review risk at board or operational level, where senior management can clearly understand any pending risk posed by its critical third parties.

Implementing an in-life transactional risk process allows a business to focus on risk at a foundational level. And never has this been more essential than now. As stated by one commentator, Covid-19 has created added disruption – when renegotiating contracts, engagement with vendors has become more complex and the onboarding process more difficult. Regulators require further oversight yet resilience in the supply chain must be maintained to ensure customers receive a high level of service.

MITIGATING REPUTATIONAL AND REGULATORY HARM

Imagine the following scenario: an existing vendor within a bank has had its contract extended. However, a variation to contract is performed at the same time, increasing the risk rating from low to a high risk in criticality. If the bank does not perform secondary due diligence and extends the contract based on the former low risk rating, this would be a recipe for disaster. Who would know if the vendor, since onboarding, has engaged in any activities which could attract the attention of the regulator? If this were the case, it could prove damaging to the bank, bringing increased financial and reputational risk and potentially, regulatory fines.

REASSESSING THE RELATIONSHIP

Establishing a structured approach to in-life transactional risk during contract renewal enables the capture of any changes to a vendor’s business activities. Most organizations have welltested processes to manage vendor onboarding; however, at the renewal of contracts stage, very little risk due diligence is carried out. Yet this is a critical moment for both the business and vendor to review their position as partners, as well as perform the necessary in-depth due diligence to ensure the vendor’s risk remains as low as is reasonably possible, or that the risk appetite is appropriately managed.

CREATING A RISK-AWARE ENVIRONMENT

It is important to create an environment whereby appropriate oversight is given to in-life transactional risk in contracting, to effectively manage risk at a granular level. At present, many organizations’ visibility regarding risk around contractual scope change is not evident to the wider risk audience.

Implementing the following processes and controls will create an appropriate governance structure:

• Oversight by C-suite management and establishment of CPO/CRO forums.

• Risk management framework and controls.

• Effective screening and monitoring processes.

• Monitoring and recertification of risk appetite.

• Adequate internal controls and an audit function.

• Ensuring appropriate tool landscape is in place to manage contractual risk and reporting.

When implementing in-life transactional risk management in contracting, organizations must be aware of the overall benefits of having in place a granular-level process to support the renewal of contracts, while at the same time mitigating risk from external factors. It is also important for business departments, especially risk and procurement, to align with one another and communicate around the importance of appropriate due diligence in the supply chain. Finally, continuous monitoring should not be seen as an occasional activity, rather a continuous process for high- and medium-risk vendors.

CeFPro’s Vendor and Third Party Risk Europe event takes place in London on November 15-16, 2022. To book your place, go to www.cefpro.com/vendor-risk. Or to attend TPRM USA: Cross Industry, November 8-9, 2022, Atlanta go to www.cefpro.com/tprm-usa

Have your say!

CeFPro’s Fintech Leaders is the comprehensive global annual report on the status of the industry as voted for by financial services professionals, addressing:

• Key challenges, obstacles, and opportunities now and in the next five years

• Investment concerns, priorities, and prospects

• Regtech challenges and investment priorities

Key topics and themes featured in the report include:

• Incumbent status and challenges

• Digital currencies

• AI and machine learning

• Cybersecurity

• Mobile and digital services

• Payments

“By the industry, for the industry”

Transformations are a marathon not a sprint. A successful risk transformation includes a balance of three integral elements: the

PROMOTING A POSITIVE RISK CULTURE

WILL AN ORGANIZATION WITH A GOOD RISK CULTURE PERFORM BETTER THAN

AN ORGANIZATION WITH A QUESTIONABLE RISK

CULTURE?

Absolutely. Consider it the other way around – will an organization with a bad risk culture perform better than an organization with a good risk culture?

In the short term, quite possibly. But in the long term, an organization with a defined set of core values from a risk culture standpoint will always outperform an organization with a questionable risk culture.

HOW DO YOU DEFINE GOOD RISK CULTURE?

Before we consider the definition of good risk culture, let’s try and define culture. Culture is what people do repeatedly when no one is watching. Risk culture is a set of entrenched and acceptable behaviors, discussions, decisions, and attitudes towards taking and managing risks within an institution.

Risk appetite is governed by the culture within which an organization operates. It reflects the shared values, goals, practices, and reinforcement mechanisms that embed risk into an organization’s decision-making process, and how well risk management is integrated within operations. Risk culture is reflected in how people within an organization behave and their attitudes towards risks and risk taking.

Finally, from a definition standpoint, even if policies, risk appetite frameworks, governance structures, whistleblower systems, and risk management training are in place, malpractice and negligence can still happen if the organizational culture does not support adequate risk taking.

After the financial crisis of 2008, public trust in the financial industry suffered. Regulators reacted by increasing guidance on risk management as well as risk culture. The Financial Stability Institute issued a framework for assessing risk culture. The European Central Bank issued guidelines on risk culture and culture policies, and a supervisory statement on governance and risk capacity. Risk culture has become a point of interest in the financial services industry because it can give rise to significant reputational risks and at its worst, could lead to significant loss of trust in the financial sector as a whole. Therefore, an organization should always care about risk culture.

A sound risk culture cannot prevent all undesirable consequences because that is largely governed by human interaction and human behavior. However, it can reduce the frequency and impact of losses generated or influenced by unwanted behavior.

WHAT ARE THE IDEAL METRICS FOR EVALUATING RISK CULTURE?

To manage risk culture, an organization must first identify its target operating framework. What does it aspire to? What is the firm’s reason for being? What is its target risk culture?

After defining and understanding what kind of culture your organization is pursuing, you should then look at where you are today. To do this, your current risk culture must be assessed and measured using a series of impact assessments, surveys, questionnaires, and simple observations.

By comparing your current risk culture with your target risk culture, you can identify the gaps between the two and design corrective measures. These could begin with a firm-wide risk culture statement, before drilling down into specific risk areas. For instance, an organization could have a standardized risk culture which prioritizes transparency and accountability. This is generic, so the company would then need to focus on a specific risk area; for example, model risk. From this, individual issues can be identified, such as improper model onboarding practices, inadequate transparency in the calculation of any output that is generated by the model, insider trading, front running, rogue trading, improper financial advice based on the models created, mis-selling financial products based on model results, avoidance of tax, inaccurate financial and regulatory disclosures, etc.

This then becomes part of an allencompassing model risk framework, but it has to be a hierarchical process, sitting under the umbrella architecture of the overall risk assessment.

WHAT COULD THE CONTENTS OF A RISK DASHBOARD LOOK LIKE?

A risk dashboard is a comparison of where an organization is now and where it would like to be, including identification of any gaps and remediation steps. It should include a summary of your strategy in terms of growth areas, and priorities regarding existing customers, distribution models, organizational competencies, and establishing the risks of a lack of culture.

Target outcomes should be clearly specified in relation to each risk type, e.g., drilling down into the market risk area, specifying what that metric looks like, looking into market risk, interest rate risk, currency risk, dealer risk, death risk, and so on. You can then start to highlight what the risk culture could look like around each of these areas and develop it by training staff and ensuring they understand the consequences of non-compliance.

A risk framework should then be created that clearly references and appropriately covers the risks faced by the organization in terms of people,

processes, external events, and systems, before objectively defining the components of it across the traditional three lines of defense.

A risk culture dashboard should contain key metrics around behavior patterns, fraud, undesirable behavior, inconsistencies in regulatory reporting etc., which can be traffic-lighted for better understanding.

The risk culture right now is the first line of operation. The second line is the risk function, and the third line is internal audit. Risk culture can be improved by increasing training and knowledge, so that it becomes part of the first line. The second line can then consider the effectiveness of the risk culture, the quality of the training, and so on.

As well as internal audit, the third line can also include how well policies are structured around risk culture, and how effectively processes and controls are earmarked against the risk culture.

Organizations must also take into consideration external stakeholders and regulations. This is the so-called

symbiosis of the three lines of defense. The traditional structure holds but is modified or morphed to include risk culture, not just risk.

WHAT CHALLENGES CAN FIRMS FACE WHEN ESTABLISHING A RISK CULTURE?

Challenges could include a lack of clarity across the three lines of defense, resulting in overstepping of boundaries; poor risk governance; lack of market focus; unstructured behavior; or questionable management quality. All of these will have a significant impact on establishing a good risk culture.

These can be further broken down into challenges relating to ethics and behavior, risk intelligence, risk tolerance, risk values, or risk strategy. Ultimately, it boils down to the appetite around a company’s risk culture. Values and strategy should be centered at the top, supported by the vision provided by the senior leadership team. Without that, an organization cannot have a cultural thread running through it. There must also be tolerance, but tolerance should be minimized where strategy does not align with the value of the organization. Taking place in London on March 14-15, 2023, CeFPro’s New Generation Operational Risk Europe Summit will cover the key non-financial risk themes affecting organizations today, including the importance of a positive risk culture. To register your interest, go to www.cefpro.com/oprisk

NFR LEADERS 2022

CYBERSECURITY DOMINATES NON-FINANCIAL RISK LANDSCAPE

Released this autumn after months of dedicated research and analysis, CeFPro’s official NFR Leaders 2022 report has identified cybersecurity as this year’s number one area of importance for non-financial risk professionals across the globe.

NFR Leaders 2022 is a culmination of the responses of thousands of industry professionals who completed our comprehensive survey, as well as expert analysis following a series of one-on-one interviews with CeFPro Advisory Board members. The result is the most in-depth and up-to-date reflection of the views, investment priorities, and insights of non-financial risk professionals across the globe, providing firms with a benchmark of the key NFR focus areas for 2022 and beyond.

As well as cybersecurity, the report analyzes the relative importance of key NFR areas such as third-party risk, resilience, ESG, people risk, geopolitical risk, technology & innovation, and financial crime & fraud.

To get your hands on a free copy of this invaluable industry resource, go to www.nfr-leaders.com

CYBER RISK GROWS IN A VOLATILE WORLD

Taking first place for both risk and investment level, cybersecurity has risen up the rankings in our 2022 report, receiving more than twice as many votes as the second-placed risk area of ESG. This is a reflection of the current volatile threat landscape and the increased risk of cyber warfare because of geopolitical tensions, specifically the conflict in Ukraine, which represents potentially significant disruption to financial institutions.

Information security is a key driver for organizations, with a string of associated repercussions including data loss and reputational damage. It is clear from the report’s findings that risk professionals have spent much of 2022 preparing for cyber to be used as a weapon of war, whether via state-sponsored or individual attacks. The landscape appears to pose an imminent threat.

In total, 20% of our NFR Leaders 2022 survey respondents ranked cybersecurity as requiring a ‘very significant’ level of investment by their organization over the next 12 months, highlighting just how seriously this issue is taken by financial services firms. Cyber and IT resilience stands as a critical aspect of regulatory standards, and as organizations develop their online offerings and progress their digitalization agenda, new vulnerabilities emerge, each representing a potential breach. With geopolitical volatility only increasing the likelihood of cyber warfare, tightening defenses across both in-house and outsourced activity will be critical to stay ahead of the cyber criminals and comply with regulations.

NFR Leaders has established itself as a strategic tool to challenge conventional thinking and spot investment trends.

Craig Spielmann, Risk Intelligence Leader, CNM LLP, Non-Financial Risk Leaders Advisory Board Member, CeFPro

ESG CLIMBS UP THE RANKINGS

This year’s highest climbing non-financial risk area is ESG, which has risen from 13th position in 2021 to second place this year. ESG has wide-reaching implications and considerations across a host of risk areas. Social and governance aspects continue to gain traction and impact areas such as third-party risk as a key concern at onboarding and throughout the relationship lifecycle. In addition, organizations globally are grappling with defining expectations and setting taxonomies, while environmental concerns continue to receive increased attention across the industry, as well as from the media and customers alike.

The fact that ESG spans so many areas means that organizations are struggling with where to prioritize investment. However, NFR Leaders 2022 reveals that one investment area has emerged as the clear leader: data, specifically, finding ways of collecting data to provide insight into all aspects of ESG. Aligning data across the industry is essential to ensure comparable and measurable outcomes from ratings agencies because of inconsistent practices.

DEMONSTRATING VALUE IN A RECESSION

The new CeFPro industry-led report is timely and an extremely valuable contribution.

Jimi Hinchcliffe, CEO, NJ Risk and Regulatory Consulting, Non-Financial Risk Leaders Advisory Board Member, CeFPro

GEOPOLITICAL AND PEOPLE RISK

NFR Leaders 2022 identifies geopolitical risk as another key NFR trend, rising from 12th position in 2021 to third place this year. With tensions continuing as a result of the conflict in Ukraine, strained relations with China, political upheaval in the UK, and much more, this is perhaps unsurprising.

In addition, this year, for the first time, people risk/HR has been combined with conduct and culture risk to create a new category of People Risk. Against a backdrop of an evolution in working practices and an increase in staff working from home, people risk looks set to remain a key area of importance throughout the rest of 2022 and beyond. More specifically, when considering broader personnel challenges, the shortage of talent and staff is a clear priority, with 75% of survey respondents rating this as a very significant challenge over the next 12 months.

The collective intelligence of diverse leaders gives this report gravitas and kudos that makes it an essential read.

Sean Miles, Head of Operational Risk, Shawbrook Bank, Non-Financial Risk Leaders Advisory Board Member, CeFPro

Non-financial risk has established itself as a discipline by which to measure and monitor critical risk functions, but the financial repercussions of NFR remain limited when compared with market and credit risks. The NFR Leaders Advisory Board stated that, as a non-revenue generating function, it seems unrealistic to expect NFR to remain a priority during an economic downturn. Ultimately, NFR must continue to demonstrate value within an organization and showcase that, while not directly generating revenue, the associated financial risks are significant and unquantifiable given their direct and indirect reach.

YOUR FREE COPY

NFR Leaders 2022 is free to download for CeFPro members. Get your copy today at www.nfr-leaders.com

Gary

THE KEY NFR TRENDS FOR 2022 AND BEYOND, AS VOTED FOR BY THE INDUSTRY

To celebrate the launch of CeFPro’s NFR Leaders 2022, we’ve collated some of the report’s key findings to provide a snapshot of the global non-financial risk sector today. Reflecting the voice of the market, NFR Leaders breaks down the top non-financial risks, investment priorities, and upcoming trends and opportunities as voted for by the industry. Take a

at some of the report’s major highlights, including the official NFR 2022

INDUSTRY INSIGHT

KEY CHALLENGES IN THE DIGITAL BANKING TRANSITION

Customer experience has fast become a key driver for many financial institutions. As organizations push ahead with their digital agenda, consumers are becoming increasingly discerning, comparing competitor offerings and benchmarking services based on a firm’s digital capabilities. With this customer revolution front of mind, CeFPro undertook an extensive research project to shape a timely agenda ahead of our upcoming Customer Experience and Digital Banking Congress (November 1-2, New York City). Here, we summarize three key challenges identified by industry professionals, which are set to be discussed in greater depth at November’s event…

DIGITAL BANKING CHALLENGE

A key driver for innovation and change is the shift in customer expectations and behaviors. The goalposts continue to be moved as the benchmark for ‘good’ customer experience evolves with technological advances.

Today’s consumers are regularly exposed to services from highly advanced and agile technology companies such as Google, Amazon, and Uber, and are used to experiencing instant outcomes. As a result, they are starting to expect this level of service across all facets of their digital experience, including interaction with their banking or financial services provider.

As the market continues to evolve, increasingly agile organizations are emerging, competing against larger firms that may be restricted by legacy systems. And as the ecosystem becomes ever more technically complex, keeping up with competition is a real challenge.

In addition, while customers often demand sophisticated digital banking techniques, organizations must balance these expectations against security. It is inherently assumed that banks are protecting their customers’ assets and data, yet security measures are regularly viewed as an inconvenience. Striking a balance between sophisticated security protection mechanisms and nextgeneration digital capabilities is a complex challenge.

DIGITAL BANKING CHALLENGE #3: THE CUSTOMER JOURNEY

Alongside the introduction of open banking and changes in approach across the industry comes alignment with the digital experience or customer journey. Thanks to an increase in technology adoption and advanced analytics, intelligence is accelerating at a rapid pace, enabling products to be better tailored to meet specific consumer demands.

With customer service evolving in a remote or contactless environment, the digital experience is largely where many consumers interact with their financial institution. Enabling a seamless and accessible functionality and modernizing consumer engagement channels are both key to ensuring positive customer engagement. This is critical as consumers no longer rely on the brand of a large financial institution; many are looking towards fintechstyle banks who can remain nimble and agile in a fast-changing environment.

Digital transformation can enhance the customer journey, providing a holistic end-to-end experience. Infrastructure capabilities at an enterprise level are often lacking but technology developments can support a more digitally agile organization, as can working in partnership with a fintech company. Organizations restrained by legacy systems must embrace a forward-looking strategy to enable them to develop apps and digital platforms to remain futureproof and responsive to evolving customer demands.

RESEARCH CONCLUSIONS

The financial services industry is moving at a rapid pace, with repercussions remaining from the Covid-19 pandemic and the resulting changes to working environments, customer expectations, and behaviors. Organizations must continue to develop new digital practices and curate a unique digital experience to retain customers in a highly competitive environment. Many are looking towards fintech partnerships to bridge the technology gap, whilst others seek to overturn legacy infrastructure and reform business models. The onset of the pandemic meant that even the most unlikely of customers was forced to move to a digital or remote way of banking, and this is a trend that looks set to continue as the future of physical branches comes into question.

An area further driving change is that of open banking and the opportunities it offers to enhance the digital customer experience. Open banking has been a challenge for many financial institutions across Europe and the UK over the past several years, so it is important to gain an understanding of the hurdles faced and lessons learnt throughout the European experience.

Open banking provides a huge potential to enhance the customer experience through leveraging APIs. As consumers enjoy the benefits of multiple platforms, interconnecting through APIs can ensure a seamless experience, but also drive competition. Organizations must therefore remain vigilant with regards to data when leveraging APIs, ensuring clear guidelines are developed and monitored. Moving data between APIs can have potential implications regarding privacy legislation, particularly as new rules continue to emerge across jurisdictions.

HOW WFH HAS CHANGED THE CONDUCT AND INTERNAL FRAUD LANDSCAPE

Standard Chartered

HOW DOES FRAUD THEORY, SUCH AS THE FRAUD TRIANGLE (PRESSURE, OPPORTUNITY, RATIONALITY) COME INTO PLAY WHEN CONSIDERING WFH AND ITS IMPACT ON INTERNAL FRAUD?

PRESSURE: This is usually understood to be an unshareable hardship or financial pressure that may then provoke an individual to commit an act of fraud. The following are examples of pressure:

• Households may have a rapidly reduced income stream because of a partner or family member losing their job, working reduced hours, or a higher cost of living. This change in an employee’s risk profile may not be noticeable by their employer and any means of assessment or detection may not be recalibrated.

• In a challenging economy, restructures may require headcount reduction while retaining client base and/or sales targets. This internalized pressure to meet quotas, secure new leads, or book clients would certainly add to the challenge and in extreme incidents, create a criminogenic environment to retain performance level(s).

The global pandemic has certainly been a study in the need for organizational and personal resilience, with many firms required to cease office-based activities and empower staff to deliver while working from home (WFH).

The following responses to the key questions below will enable a clearer appreciation of how to understand the risks associated with WFH, likely causes for any increases, and what can be done to mitigate the potential for harm.

OPPORTUNITY: Working from home is not a new phenomenon, so where does the potential opportunity for internal fraud arise? Many organizations would not have been prepared for the volume of staff or type of role required to be away from the office. An absence of location-agnostic control design has the potential to increase fraud risk. A clear example of this would be the lack of simple physical oversight of activities –for example, staff may take advantage of absent physical restrictions and a lack of device location monitoring to record sensitive client information on a personal device.

RATIONALITY: Within fraud theory, rationality is not a post facto excuse for behavior, it is the reason for the undertaking of the activity and will be directed by what is felt to be acceptable to the person undertaking the fraudulent act.

Staff strongly embedded into the culture of their organization are less likely to act against these values. The less embedded an employee is into the culture and ethos of an organization, the greater the potential for them to deviate from what’s good for that company and its clients.

They may start to feel:

• ‘I deserve it, I’m not being given the opportunities I would normally get if I worked in the office.’

• ‘My value/contributions are not being recognized as I’m not physically present and am not being rewarded accordingly.’

New joiners starting during the pandemic may feel particularly unconnected. The loss of rituals, such as attending the office and being surrounded by brand values, can impact behavior contrary to the good of the organization.

AS

WE TRANSITION FROM OFFICE-BASED WORKING TO HYBRID WORKING, ARE ANY INCREASES IN INTERNAL FRAUD CAUSE OR CORRELATION?

This is a powerful question: have we seen an increase in fraud specifically because of the pandemic? If a company had 20 cases of fraud in 2019 and by the end of 2020, because of the pandemic, had 60 cases, you would be forgiven for thinking that the answer is yes. But this is simplistic – is there a conflation of causality and correlation? Companies should consider:

• Are controls ineffective and it is simply the opportunity to commit fraud unabated which has expanded the threat surface area, leading to an increase?

• Have responses to new ways of working, including but not limited to control updates and better monitoring capabilities, increased the detection rate? This is a good rationale to come back to when reviewing the efficacy of any fraud prevention program.

“Many organizations would not have been prepared for the volume of staff or type of role required to be away from the office. An absence of location-agnostic control design has the potential to increase fraud risk. A clear example of this would be the lack of simple physical oversight of activities.”

WHAT IS THE ROLE OF TECHNOLOGY IN A HYBRID ENVIRONMENT?

Technology is not a panacea, and we cannot dismiss the fact that analog controls are vital and form part of detective and preventative capability. Assessment of control efficacy reviews, risk modelling, effective/checker controls, and segregation of duties all have a role when recalibrated to a WFH environment.

However, applied use of technology does have a part to play in preventing and detecting internal fraud, more so in an environment where teams may be globally operative, oversight may increasingly be cross-border, and data exfiltration risk increases.

A great example is data analysis. Constructively applied, this can assist in building a risk profile or identifying a high-risk user group(s). This could then be utilized to model a risk framework around the probability of risk-basis identified attributes, enabling targeted remediation.

There is a real opportunity for technology to work alongside existing control frameworks and enhance them via data analytics or computational methodology to direct time and resources towards higher risks.

It also provides firms with an opportunity to demonstrate to the regulators their commitment to location-agnostic control design – an important consideration, as this is currently an area of focus for key regulators such as the UK’s Financial Crime Authority, Monetary Authority of Singapore, and Hong Kong Monetary Authority.

CONCLUSION

It is important to remember that not everyone in an institution is a fraudster. Only a very small percentage of people would be willing to commit fraud.

Increases in fraud are more likely to be down to controls not keeping up with the new working environment –poorly designed systems, ill thought-out departmental operating instructions, and a lack of location-agnostic controls, rather than WFH being the cause.

If properly managed, homeworking can be a real game-changer for many organizations looking to reduce their fixed costs and empower staff to work flexibly, helping to retain key talent. It can also provide opportunities to strengthen fraud programs and leverage tools to reduce losses and mitigate negative client impact.

Exploring new complexities in the fraud and financial crime landscape, Fraud & Financial Crime USA Congress will take place in New York City on March 22-23, 2023. To book your place, go to www.cefpro.com/fraud-usa

Europe Summit which took place on September 20-21,

PREVENTING FRAUD IN A FAST-CHANGING ENVIRONMENT

This September saw the return of CeFPro’s 5th Annual Fraud & Financial Crime Europe Summit. With live events continuing to return and flourish, over 150 fraud and finance experts from a variety of institutions and backgrounds came together in London across two days to enjoy presentations from a diverse range of speakers, in-depth panel discussions, and lively interactive Q&A sessions, as well as numerous networking opportunities. Uniquely, the agenda targeted both fraud and financial crime, acknowledging the distinctions between the two areas while facilitating collaboration for a more holistic view.

CROSS-JURISDICTION

CHALLENGES

The event began with a presentation from MUFG on the regulatory landscape. As regulations continue to evolve, organizations face an uphill battle to stay ahead and implement change. One such example is the potential reform of Companies House and the impact this will have on extending additional powers to tackle money laundering.

As well as UK-centric challenges, the session also featured an overview of the EU AML Action Plan and the impact on global organizations of aligning regulations across jurisdictions. This was underpinned by law firm Davis Wright Tremaine, who discussed the globalization of regulatory expectations and enforcement and the impact of enhancing international collaboration. Currently, many regulations are not aligned across jurisdictions, creating a disconnect and causing challenges for companies looking to implement long term change.

FOCUS ON SANCTIONS

In addition to regulations, the first day covered a range of current hot topics, including scams, whistleblowing, cloud, cryptocurrency, money laundering, payments, and digital identity. However, one theme, perhaps unsurprisingly, took

center stage: sanctions, in particular the increasingly complex landscape in which sanctions teams find themselves.

The expert panel led by Deutsche Bank, Nordea, and Moody’s Analytics discussed the changes that have taken place over the past year and considered approaches for effective implementation and oversight.

CYBER RISK

The second day opened with an interactive Q&A session on the increased cyber risk as a result of our acceleration towards a digital working environment.

After addressing current cybercrime trends, the increase in cyberattacks over the last six months, and mitigation techniques, the discussion then moved towards prioritizing cybercrime prevention and best practices to educate and train staff, the board, and customers.

BALANCING DIGITALIZATION WITH FRAUD PREVENTION

Payments and the digital customer environment were next on the agenda.

As a result of the pandemic, consumers’ expectations have evolved rapidly to include instant transactions and enhanced digital experiences. However, balancing an increasingly digital customer experience while preventing fraud remains a difficult task – even if fraud prevention tactics unintentionally impact or disrupt service to a customer, security measures are a necessity and should not be overlooked.

With increased digital exposure comes a heightened number of digital transactions, allowing for increased transaction monitoring capabilities as payments fraud continues to rise.

Standard Chartered Bank and Verafin individually discussed how transaction monitoring can best be leveraged and its future as a payment security measure. Verafin also addressed the evolution of fraudulent tactics around payments. Tactics such as authorized push payments and business email compromise are on the rise, and with a shift in liability towards banks, leveraging analytics will be key to detecting fraudulent transactions.

In a double presentation, Standard Chartered Bank and FACT360 discussed how the increased risk of internal fraud could be better monitored in a remote environment, addressing detection techniques and attempting to understand what is driving the increase.

This was followed by a deep dive into the evolving culture and conduct landscape and the importance of ensuring that organizations are clearly defining and managing culture, as well as driving conduct agendas to set minimum industry standards. Led by Deutsche Bank’s Global Head of AFC People, Education and Culture, the session provided an insight into the shift in focus internally and the impact of limited guidance and prescriptive standards to date.

Exploring

complexities in the fraud and financial crime landscape and best practices to stay ahead

SCAMS

Proactive management of scams to mitigate customer impact AUTHENTICATION

SANCTIONS

Staying ahead of an ever-evolving sanctions landscape and implications across departments

Authentication strategies and use of biometrics in securing identity

Complexities within the payment landscape and ensuring security

Ensuring

Incorporating

SPEAKERS INCLUDE

Enforcement of cryptocurrency and developing AML and fraud mitigation techniques

Staying ahead of advances in ransomware and cyber tactics and response techniques

Lead Ethical and Sustainable Practices in Your Extended Enterprise

Drive Confident Decision Making

particularly frustrating as all the evidence shows that using bottom-up, activity-based costing to determine what structure and costs are needed to deliver strategy, services, and products is the way to go. If an organization wants to reduce its cost base, it should make a commitment to understand where value is won or lost and eliminate those activities where value is lost.

ADDRESSING AUTONOMY

a question but are instead actually posing a solution. Famously, Barack Obama always spoke last in his cabinet meetings.

The job of risk professionals is to speak truth to power and to question when leaders are certain of their own judgment in the face of contradictory data. Risk professionals should never refrain from honest feedback and promoting diversity of opinion.

EVOLVING SKILL SETS

Finally, people need to be challenged in their work, giving them the opportunity to master new skills. When recruiting, look for future colleagues who have shown grit and a propensity to learn new skills as much as understanding their previous achievements and capabilities. None of us know what skills will be needed in five years’ time, let alone 10, but I can guarantee they will be different to those required today.

All risk is people risk. People can be an organization’s best asset or largest liability, and frequently both simultaneously. To manage risk, a company must therefore manage its people. According to the author Daniel Pink in his book ‘Drive’, people need three things to deliver exceptional performance: a sense of purpose, autonomy, and the opportunity to master new skills.

Next up is autonomy. I firmly believe that people do their best work when they have autonomy over their resources and decisions, with clearly defined limits of authority. To achieve this, executives should recruit people better than themselves, empower them, and then let them do their job, practising servant leadership by listening first and speaking last.

Deep listening really is a super-power. Leadership expert L. David Marquet has shown the dangers of anchoring bias, when leaders think they are asking

Whilst recognising the importance of autonomy, we should be aware that human decision-making is both biased and noisy. I would encourage everyone to discover their own biases (there are plenty of online resources to help with this) and I’d also encourage organizations to undertake noise audits; research shows that the noisiness of decision-making when colleagues review the same case is between 40-60%.

Currently, we are facing a cost-ofliving crisis, tight supply chains, hybrid working, and the Great Resignation. The organizations best placed to ride out this storm are those that listen to their people and support them through these challenging times. Individually, we can be the change we want to see, the leader we wish we’d had. Collectively, we can thrive in these current conditions if we take more time to listen; if we are truly diverse, inclusive, and equitable; and if we champion a psychologically safe culture.

People risk will be one of the topics under discussion at CeFPro’s upcoming New Generation Operational Risk Europe Summit, taking place in London, March 14-15, 2023. To register your interest, go to www.cefpro.com/oprisk

How do fraudsters become fraudsters?

There are numerous answers, but regardless of motives, there is one undeniable truth: global fraud rates are increasing. And no wonder – it’s easier than ever to commit fraud.

Fraud has professionalized. The tools and knowledge required to commit fraudulent acts can be found on the dark web, easing any logistical considerations such as manpower hours and overall effort. Put simply, fraud has become more accessible, with financial gains materializing very quickly, and in some cases, being quite lucrative.

OPPORTUNITY KNOCKS

So, who are these fraudsters? Some are connected to the criminal underworld, the online environment serving as another area of focus for their dayto-day activities. In other cases, IT professionals and people with mediumlevel tech skills may have suffered job losses, choosing to use their skills to earn money quickly through fraud. This has been apparent over the last two years, with job losses experienced during pandemic lockdowns and, more recently, the conflict in Ukraine leading to sanctions against Russia. With companies leaving Russia, many highly skilled IT workers became unemployed. The quick solution to the resulting financial pressure was to turn to fraud, which could also be used to bypass sanctions.

FOOL THE RULES WITH AVAILABLE FRAUD TOOLS

STAYING IN THE SHADOWS

How do fraudsters hide their tracks? They can purchase real logs of online users (browser cookie sessions, login details, and much more) to imitate them. They can purchase stolen accounts to impersonate the original user and buy high-value goods or transfer funds. The level of detail required to do this is vast and the tools used are impressive. Professional-looking tools such as antidetect browsers (e.g., LinkenSphere) aid fraudsters by masking their true device and network setups. Free proxy services and VPNs can also be used – just recently, 911proxy (a fraudster favorite, known for having clean IP addresses) went down. However, this is a temporary inconvenience, as similar services already exist and new ones will arise. Fighting fraud is a continuous cat and mouse game.

AVOIDING DETECTION

The desire to make quick gains can also be a fraudster’s downfall. Anti-fraud systems can detect irregular behaviors – a dormant account which becomes active again to make a high-value purchase (where previously, regular small-value purchases were made) is highly indicative of fraud. But a patient fraudster will aim to fool behavioral analyses through a ‘warming up’ process. They will make efforts over weeks, even months, to observe their victims’ behavior, impersonate them, and interact with the service, even engaging with customer support. The goal is to look natural, build trust, and avoid behavioral detection. The fraudulent act is committed in the final stage when high-value transfers are made. This can go on indefinitely, or until the company

A WORD FROM THE INDUSTRY...

GREATEST EXTERNAL FRAUD THREATS

The rise of crypto, blockchain, and online banking, combined with the increasingly critical role played by third, fourth, and nth parties, means that financial services firms face a greater risk than ever from external threats. Amidst this shifting fraud landscape, we asked six industry thought leaders what they believe pose the greatest external fraud threats today…

Amit Lakhani

Head of Third Party Risk Management, CIB

BNP Paribas

I expect the following external fraud types to pose the greatest risk to firms:

• Crypto assets, including decentralized finance (DeFI) and cryptocurrencies.

or original account holder notices suspicious activity in their transaction history.

FIGHTING THE FRAUDSTERS

Businesses targeted by fraudsters act as low-hanging fruit because they often have questionable internal security measures and ineffective rule-based anti-fraud systems in place. Word quickly spreads in dark web forums about weak targets, with individuals often gloating about their successful ventures to raise their standing within the cybercriminal community. These attacks can continue unless businesses change their security procedures and deploy advanced fraud solutions.

In the ongoing cat and mouse game, continually evolving advanced fraud solutions powered by machine learning models are used to fully understand every user: their device and network setups, and how they behave. Thousands of pieces of data are analyzed automatically, passively and in real-time, to distinguish genuine users from fraudsters and even bots. This is how to stay ahead of the game.

• Cyber-based frauds using sophisticated techniques such as deepfakes and AI.

• Fraud on customers and indirect impact on financial services providers in terms of compensation and goodwill gestures.

• Supply chain-based frauds.

• Finally, similar to the cybersecurity landscape, the fraudas-a-service model is rising and there is clear evidence of automated bots impersonating businesses and socially engineering customers to part with their money.

Brian Mullen

Threat Lead: Professional Money Launderers & Technology-enabled Money Laundering, Fraud Investigation Service

HM Revenue and Customs

I see the biggest fraud threat on the horizon as being the increasing use of technology to conceal the proceeds generated from fraud. This includes cryptoassets, alternative banking platforms, and prepaid cards. Technology can be used by organized crime groups to move large volumes of funds overseas quickly and as their use in everyday life increases, so will the use in money laundering circles, further increasing the threat. Additionally, technology is always evolving and therefore a new method, more challenging to prevent and/or investigate than the last, is always just around the corner.

To learn more about how fraudsters fool the fraud rules and how to detect and prevent them from succeeding, watch the recent CeFPro webinar hosted by Nethone. View anytime between October-December at www.cefpro.com/webinars

Bryant Moravek

Director – AML & Sanctions Compliance

Kaufman Rossin

Hackers and organized cybercrime groups are among the biggest external threats companies face as they become increasingly sophisticated, assisted by chatrooms, the dark web, cryptocurrency, specialists in data breach, and false and synthetic identification creation. Almost half of organizations have suffered from fraud or economic crimes in the past two years. Scams and online payment fraud cost consumers around the world hundreds of billions of dollars a year, as criminals continue to exploit vulnerabilities in e-commerce.

Ionela Emmett

Senior Manager, Financial Crime Controls, Risks and Policy & Advisory ICBC Standard Bank

Cryptocurrencies and blockchain technology staked their claim in the financial system a decade ago. Regulators have managed to set in place several standards; however, there are multiple layers of vulnerabilities around virtual currencies that remain unaddressed, starting with the mining and ending with the trading of these sorts of product. In addition, non-fungible tokens (NFTs) have commanded a great deal of attention in the last few years. Digital product development is therefore a fast-growing market that poses a great risk from a fraud perspective, creating a new world of opportunities for criminals to exploit.

Kathleen Peters

Experian Decision Analytics North America

As we increasingly move towards a world without passwords, it will be even more important to understand and address the multidimensional aspect of what it means to have an online identity. Incorporating capabilities that can associate all the digital elements that comprise an individual’s identity and how that person interacts across devices will be table stakes for businesses to mitigate fraud and stop bad actors. To verify identities and prevent fraud, companies will need to adopt a targeted, multi-layered approach that leverages highly predictive data, analytics, and technology to detect and treat different types of fraud in a seamless way.

Edward Longridge

Managing Director, Head of Financial Crimes Consulting

Phyton Consulting

We continue to see a rise in P2P application payments fraud, a trend that is set to keep growing. The availability of Personal Identifiable Information (PII) obtained by fraudsters, hackers, and data breaches continues to fuel digital banking fraud. The terms of P2P applications are clear – you cannot cancel a payment once it has been sent if the recipient is also enrolled in P2P and has a bank account, but fraudsters can direct payments to themselves using your PII. Ultimately, U.S. regulators may need to revise Regulation E or issue a new rule to protect consumers and address this type of fraud.

Taking place in New York City, March 22-23, 2023, CeFPro’s Fraud & Financial Crime USA Congress will explore new complexities in the fraud and financial crime landscape, including best practice on how to stay ahead. To register your interest, go to www.cefpro.com/fraud-usa

US EVENTS EVENTS CALENDAR

Tackling the latest advances in digital capabilities. Key topics under discussion include open banking, metaverse opportunities, fintech & microservices, payments, and more. See p15 for the full preview or visit www.cefpro.com/cx-digital-usa for more information.

28-29

The second Annual Treasury & ALM USA Congress returns in March, addressing market turmoil and the impact on treasury and AML teams. Visit www.cefpro.com/treasury-usa for more information.

EUROPEAN EVENTS

15-16

VENDOR & THIRD PARTY RISK

Vendor and Third Party Risk Europe looks to address challenges with continued volatility and complexity within supply chains. Visit www.cefpro.com/vendor-risk for more information.

AND

Part of CeFPro’s successful Vendor & Third Party Risk series, this event will address cross-sectoral trends and challenges related to global third-party supply chains and technology. Visit www.cefpro.com/tprm-usa for more information. NOV 8-9

America’s premier financial risk and innovation convention returns for its 12th edition, featuring four work streams and two associated masterclasses. For more information and to stay up to date, visit www.risk-americas.com

Our fifth Annual Fraud & Financial Crime USA Congress will explore new complexities in the fraud and financial crime landscape, as well as best practices to stay ahead. See p19 for the full preview or visit www.cefpro.com/fraud-usa for more information.

JUN 6-7

&

The eighth annual Vendor & Third Party Risk USA Congress returns for 2023. Expanding upon learnings from previous years, gain a well rounded view of topical industry trends and challenges. To stay up to date, visit www/cefpro.com/vendor-usa

GENERATION OPERATIONAL RISK EUROPE

Returning for its eighth year, the highly anticipated New Generation Operational Risk Summit will cover key non-financial risk challenges including cyber risk, resilience, fraud, vendor risk, and more. For more information and to stay up to date, visit www.cefpro.com/oprisk MAR 14-15

9-10

Taking place in May, Customer Experience & Digital Banking Europe will deliver a European perspective on advances in payment processes, customer expectations, and digital experiences. For more information and to be kept up to date, vist www.cefpro.com/cx-digital-europe

After the success of 2022, ESG Europe will delve into key changes in the industry and advances in requirements and investor expectations. For more information and to be kept up to date, visit www.cefpro.com/esg-europe

JUN 14-15

In its 11th year, Risk EMEA 2023 will feature three individual streams, allowing attendees to gain an in-depth insight into a specific area or move between streams for a broader oversight. For more information and to be kept up to date, visit www.risk-emea.com

For more information, including agenda, speakers, location, and registration, visit www.cefpro.com/forthcoming-events/

www.cefpro.com/magazine