Governments, regulators, financial services providers and police forces around the world face enormous challenges tackling financial crime. The Review reports on how law enforcers can work with private sector partners to turn the tide
by David Burrows and William Monroe
Technology has been a huge enabler for both consumers and businesses, but there is a trade-off, with economic crime costing the UK alone nearly £7bn a year, according to an estimate by UK Finance, the trade association for the UK banking and financial services sector.
Globally, the cost of financial crime is up to US$3.5tn per year, according to a report by EY and the Association of Chartered Certified Accountants, published in January 2020. Criminals are using increasingly complex corporate structures and sophisticated technology to commit fraud.
City of London Police Assistant Commissioner (AC) Angela McLaren, national lead for Economic Crime and Cybercrime in the UK, says: “Fraudsters are cruel, callous individuals who will exploit every and any situation. This was observed during the pandemic with numerous scams relating to fake PPE and the NHS.”
Types of financial crime
There are different types of financial crime, including cyber-dependent and cyber-enabled. Cyber-dependent, as the name suggests, requires use of the internet to penetrate companies’ or individuals’ systems through hacking or to carry out distributed denial-of-service (DDoS) attacks.
High-profile examples of criminals breaching defences include cyber attacks in 2020 on several banks in Hungary, including OTP Bank, which was hit by a DDoS attack launched from servers located in Russia, Vietnam, and China.
Cyber-enabled crime involves use of the internet to carry out what would have been done ‘physically’ in the past – such as bank heists. Criminals can, for example, now hack into an online banking facility and transfer money to fake accounts. A notable example is the 2019 attack on the Bank of Valletta, one of Malta’s largest banks, which saw cyber criminals initially steal around £13m.
Identity theft is a well-documented problem, with criminals obtaining access to people’s data that is then sold on the online black market.
"Left unchecked, financial crime could be a substantial threat to the development and stability of economies"
In some cases, state actors are responsible for hacks and attempted hacks. In February 2021, US prosecutors charged three North Korean state-sponsored hackers, from a military intelligence agency, with conspiring to steal more than US$1.3bn from financial institutions and companies around the world.
Money laundering has continued despite the pandemic, with criminals adapting their methods to avoid detection, according to the UK government’s 2020 National risk assessment of money laundering and terrorist financing. Criminals have also taken advantage of the pandemic to spoof official information, as reported in our previous Review article. Given the volume of Covid-19 information released, the public has struggled to spot the fakes.
The FBI reports its Internet Crime Complaint Center (IC3) received 791,790 complaints, a record number, in 2020, representing a year-on-year increase of 69%. The number of phishing and identity theft crimes more than doubled in just a year.
The numbers show that the war against financial crime is getting harder, demanding not only colossal spending from companies – a report by tech market advisory firm ABI Research suggests global cyber security spending on critical infrastructure will increase by US$9bn over 2021, to reach US$106bn – but also huge policing resources.
Left unchecked, financial crime could be a substantial threat to the development and stability of economies. In a presentation to the World Economic Forum Annual Meeting in 2018, David Craig, CEO of Refinitiv, dispelled the myth that nobody loses ‘real’ money or suffers true harm as a result of financial crime. “[It] is a trillion-dollar industry that takes an enormous social and economic toll on the lives it touches.”
Joined-up thinking
Combating financial crime is a challenge but increased collaboration between law enforcement agencies and other stakeholders should deliver positive results.
In the UK, the National Economic Crime Centre (NECC) works with the Financial Conduct Authority (FCA), City of London Police and the government, among other organisations, to tackle financial crime. Fighting the same cause is the Economic Crime Strategic Board (ECSB), a UK government task force that includes the chancellor of the exchequer and the CEOs of Barclays, Lloyds and Santander, alongside senior representatives from UK Finance and the National Crime Agency. It has set out priority areas for combating financial crime that include better sharing and usage of information to combat economic crime within and between the public and private sectors.
Intergovernmental bodies have also had some success in tightening the net on financial criminals. For instance, the Philippines passed new laws in 2021 to tackle money laundering and terrorist financing after a deadline set by the global Financial Action Task Force, which was threatening to add the country to a list of ‘jurisdictions under increased monitoring’.
Professional sector membership bodies, such as the CISI, also have a role to play. Andrella Guzman-Sandejas, CISI head of Asia Pacific, points to an Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) Professional Assessment, which the CISI introduced in the Philippines in 2020. Successful completion of the assessment and subsequent updates allow firms and individuals to demonstrate compliance and adherence to annual training regulatory standards stipulated by the country’s Anti-Money Laundering Council. The CISI launched similar professional assessments in Qatar and Hong Kong in 2021.
A proactive partnership
Knowledge-sharing between public and private sectors is at the heart of a pilot partnership between City of London Police and the CISI. Under the scheme, CISI members are encouraged to volunteer for the City of London Police to support its efforts to tackle fraud and cyber crime. If the scheme is a success, there could be future collaboration between police forces and CISI members across the UK and perhaps, eventually, globally.
In a CISI YouTube video published in 2020, Ian Dyson, City of London Police Commissioner, explains: “The challenge in the modern world is the volume of data we are dealing with. We have limited capacity in policing at the moment to manage this. People who are operating in a profession can bring those specialist skills that help me and my officers understand how the criminal is committing their fraud. CISI members all have skills that we need.”
James Phipson, special commander, City of London Police, is the man tasked with overseeing all volunteering to the pilot scheme. James is himself a volunteer, and in his day job owns and manages his own professional services firm near the City. Recruitment is open to CISI members of all ages, levels of seniority and skillsets, although it is likely to suit retired or soon-to-retire members particularly well. James says that the onus is on members to choose what capacity they want to volunteer in and how much time they can give.
CISI member Charlotte Cullen, a senior operations analyst at Ruffer LLP, is aiming to become a special constable volunteer, either with the Uniformed Policing or Intelligence & Information departments, once she has passed through the various stages of the application process. Charlotte says she will use her existing administration, investigation and communication skills to aid the City of London Police, although she’s also “hoping to learn and develop skills that [she] can take back to the workplace”.
"Fraud is complex and can only be tackled by a multi-agency approach"
Those who specifically want to work within financial crime detection and prevention in the Economic Crime Department (ECD) are warmly welcomed by the City of London Police. “A special constable volunteer from the CISI who can draw on skillsets including derivatives trading or forensic accounting is hugely valuable to the police, as they are unlikely to have this level of expertise in these specific areas within the force,” James explains.
In the past, the ECD has tried to recruit those with such skillsets directly, but it has proved difficult. The partnership with the CISI goes a long way to solving this problem, without being a drain on financial resources. As James points out, the cost of training and kitting out a special constable (to patrol the streets) is about £3,500, but for a volunteer assisting the economic crime unit, the initial outlay is purely on recruitment costs.
James believes that UK groups and bodies combating financial crime – including the NECC, FCA and City of London Police – are getting better at sharing information. He also echoes the point made by Commissioner Dyson that the role of CISI volunteers working alongside law enforcement bodies should not be underplayed.
As a case in point, he references the financial fraud committed by Kweku Adoboli, a rogue trader at UBS who lost U$2.2bn of the bank’s money and was jailed for seven years in 2012. He was detected by a special constable (with a detailed knowledge of trading) working with the City of London Police.
AC McLaren agrees that a joined-up approach is vital, and that membership bodies have a key role to play: “Fraud is complex and can only be tackled by a multi-agency approach. We therefore work with other police forces, law enforcement agencies and the private sector to prevent crime, protect victims and bring criminals to justice. We continue to build capacity through investment and leadership, and schemes like the partnership with CISI are to be welcomed in assisting us in these efforts.”
The role of technology
While human expertise in areas of investment such as derivatives trading or insurance has enormous benefits in terms of providing essential insight, detection of financial fraud also relies heavily on the use of technology – especially artificial intelligence (AI).
Patrick Craig is EY’s UK data and analytics lead, and financial crime technology lead for Europe, the Middle East, India, and Africa. He explains the use of technology is the only way to keep pace with the threats of evolving criminal activity and patterns because of the sheer volumes of data involved.
"Banks are fined for not complying with the rules but are not awarded for going beyond the requirements"
There are a number of AI applications firms can use to help combat financial crime. These range from processes to auto-escalate or de-prioritise cases for investigation, to automating time-consuming steps of investigations. However, the need for greater collaboration between banks and technology firms in the war against financial crime is clear. Patrick says: “Cooperation can improve both technological and operational capabilities, offering a multilateral way to combat crime. However, tackling financial crime should not just involve the banking sector, and all sectors must be on this journey together.”
A duty of care
Many banks refer to the importance of ‘putting the customer first’ and there is a legal precedent here in the form of duty of care to account holders. The ‘Quincecare duty’ is one such duty that banks should be aware of. Established in the wake of the ‘Barclays Bank Plc v Quincecare 4 All ER 363’ court case of 1992, it stipulates that banks should take reasonable care when issuing a payment that is instructed by a customer. Banks in the EU (and UK) are also legally required to disclose data breaches under the General Data Protection Regulation of 2018.
But banks need to go beyond regulatory compliance and pivot towards actively preventing and disrupting criminal behaviour. Patrick says: “If banks could apply a truly risk-based approach, traditional controls would likely be discontinued – not least because they can result in high false positives rates – and be replaced with more innovative solutions.”
Is there a need to change the emphasis and incentivise banks to be more proactive? Patrick thinks so. “The current regulatory approach is based on sticks not carrots: banks are fined for not complying with the rules but are not awarded for going beyond the requirements. This approach incentivises banks to seek compliance as a minimum but does not always encourage the exploration of opportunities to make internal controls more effective.”
The consensus seems to be that to effectively combat financial crime there needs to be joined-up thinking and buy in from all parties, including banks, major financial institutions, sector bodies, governments, cyber technology developers and police forces. And crucially, these interactions need to be global in nature. Collaborations such as the CISI’s partnership with City of London Police make a real difference, and act as a blueprint for how resources can be enhanced as the cross-border war on global financial crime continues to be waged.