We live in a connected world where it is almost difficult to avoid using the Internet for personal or for work or as part of business. Unfortunately, where there is money to be made, criminal elements are not far behind. In 2018, cybercrime saw cryptojacking overtaking ransomware as the most popular cybercrime type.
These days people discount the merits of Wikipedia but in the interest of keeping things simple, the online encyclopedia lists four categories of computer-related crime: financial fraud crimes, cyberterrorism, cyber extortion, cyberwarfare, computer-as-a-target, and computer-as-a-tool.
While most of these activities are out to make money in one form or another, some will argue that financial crime is the most lucrative. In the second part of the series, Fintech Innovation spoke to Tim Phillips, Deloitte SEA Leader, Forensic & Analytics - APAC Financial Crime Leader at the consultancy to get his take on financial crime.
PART ONE: Fighting cyber-powered financial crime
What is the state of financial crime in the banking and finance industry within the APAC region?
Tim Phillipps: The only thing that stays the same is the change associated with financial crime, there’s a constant level of change occurring. However, these past 12 months  hasn’t really seen much at all. There is a significant regulatory focus on financial institutions in fighting financial crime.
There is also greater focus by the media on identifying and making fairly obvious more significant financial crimes. We see them coming out of places like China or Malaysia. But really, it has not changed much. It is a steady stream of criminal activity and banks and financial institutions trying to fight it.
With regards to how the industry fights financial crime, what has worked and what hasn’t worked?
Tim Phillipps: Everything works to an extent. It really is about the nature or community of regulatory expectations on what they’ll do to fight it. Every time you see some new reports of major bribery, money laundering or breach of sanctions scandal, there is public outrage that a bank somewhere has processed the transaction that has been involved in that.
However, the reality is that financial transactions get processed by banks. No one else actually can do that. Small transactions can be done by start-ups and new RegTechs. But it’s the banks that process financial transactions.
It’s a no surprise that, as a consequence, banks become victims of financial crimes themselves.
The real focus should be the level of effort banks are putting in to make a change – How hard are they working to identify and prevent financial crime. That’s really where the banks and regulators are focusing on.
That is changing. The pattern of activity is going from simple monitoring of transactions as they worked their way through now to modern AI, machine learning technology to detect patterns of financial crime behavior before they become legal.
Where is the weakest link for financial institutions and how is this being addressed?
Tim Phillipps: The biggest weakness is data privacy. Things such as GDPR rules actually make it much difficult for banks to share information (even sharing information between countries of their own banking systems and certainly makes it impossible to share financial crime intelligence across jurisdictions).
We’re often surprised to hear that two banks have been involved/processed a transaction that’s been part of a financial crime. At the same time regulation prevent the sharing of information between banks, especially if it crosses jurisdictions.
So, we’re tying their hands behind their back and then expecting them to paint a beautiful picture. And it doesn’t work. One of the greatest problems, therefore, is data privacy. Of course, it’s good for individuals, but it’s also good for criminals.
Speaking from a technology point of view, what can AI and ML do that analytical tools cannot already do today?
Tim Phillipps: So, what’s happened is – you’re moving from rules-based analytics, which is as you said, has been around forever. If the transaction processes through the bank and the value of the transaction is $10,000 or above, then you have to tag it as a transaction that needs to be reported.
So that’s a rule-based approach to analytics. But what it doesn’t do is, and it might, some rules are capable of saying that if the same customer transacts value at $9,998 and if they do 10 of them, then it’s clear that they’re trying to avoid the $10,000 rule. Some rules-based activities do that.
What machine learning does (not so much AI) is say: If I look at that particular transaction and I look at that customer – and they might only do two – but I start to look at the behavior at all the customers around them, same bank, similar branch activity, similar backgrounds, same algorithms around the type of numbers being used, the time of day being deposited, where it’s withdrawn, you start to build a pattern of behavior.
That sort of behavioral analytic process is not looking for a breach of a specific amount (like $10,000). Rather it is looking at all the behaviors and trying to define which ones demonstrate financial crime behavior.
If we know that the pattern of a criminal is X and Y, we can look across the network of all of the behaviors to find people who look a little like that and whose behaviors are similar. It’s a much more sophisticated way of doing and you don’t need to tell it what to do. You’re letting the analytics speak for itself.
You don’t need to say, “Go and look at that individual and tell me if they’ve done the wrong thing.” You’re just saying, “Show me all the transactions/behaviors across the bank and show me the ones that look suspicious.” So, it’s quite a different lens through which we look at the same things. It’s very powerful and most banks are moving in that direction.
Are regulators acknowledging that banks need tools in developing technology to help fight financial crimes and amending said rules?
Tim Phillipps: So, let’s just break that into two parts. The first part of your question which is, “Have they recognized?” the answer is yes. The MAS in Singapore is probably the world’s leading example of their recognition of Fintech in the push in developing RegTech-type opportunities to enable banks to do more.
They’ve developed a sandbox that enables them to come in and test potential machine-learning and AI capabilities in a safe environment with bank information. We’ve seen the same in Australia with the alliance between RegTechs and the Australian regulators to do that.
The limitations of the law [data privacy] mean banks can only look at their data – no one else’s is. But if you look at bank breaches, it may actually involve more than one, maybe 4-5 banks.
The regulators are conscious of the fact that if you truly want to do this [stop cybercrime], you’ve got to find a way for banks to share data. So, I think regulators are aware of it, but I think everyone’s struggling with, “How do you effectively share intelligence information across banks without breaching the data privacy rules?”
What is your advice to financial institutions and regulators in fighting financial crime in the years to come?
Tim Phillipps: They have to be consistent in their approach. They’ve got to have good foundational programs and ecosystems in the way they apply this. They also have to be resilient because they’ll always be under attack and they’re always blamed for transactions that go through – sometimes it is their fault, sometimes it is not. So, they have got to be resilient.
And they have got to continue to acknowledge that financial crime is a major issue and they have a major place to play, so they have got to keep making investments. They’ve got to acknowledge their place in the ecosystem.
Is it fair to say that with all the tools we have, the limiting factor is a mindset or skillset requirement for the use of technology?
Tim Phillipps: There is a change occurring with people trained on rules-based systems who understand how to set rules, how to monitor them, how to look at the alerts they’ve generated and so on. That’s changing to the concept of looking at machine-learning outputs and looking a broader pattern and so you do need to have a broader view of what it means and what it could be. So it has be more analytical and more financial crime intelligent. It’s quite a different skill set.
The banks have many people and they’re all building up their analytics team. There’s an emerging skillset around financial crime analytics – people who understand financial crime, people who understand banks and people who understand behavioral analytics.
It’s an investment and most organizations are actively heading in that direction.
What can we expect as we head to 2019?
Tim Phillipps: There will be an exponential increase in its use. It won’t replace human decision making. I know the promise of AI is – machines will do it all. But in the context of financial crime, we are still decades away, and what it will do is make us look more broadly at what goes on inside in the banks, and not make assumptions about what is wrong and what is right. We’ll just look at what the machines tell us about the behavior appearing in the banks and that will give us insights into what is potentially financial crime and what’s not.
My sense is that will grow in the next 3-5 years to the point where there is much less reliance on rules-based transaction monitoring engines and much more focused on looking more broadly (that behavioral approach to detecting financial crimes).