The pandemic has fundamentally altered the world's banking and commerce models. Digital transformation has rapidly accelerated in large and small businesses, and online financial interactions have become the default across multiple sectors. Unfortunately, with that growth comes a swell of cyber-enabled financial crimes.
We've come a long way since the days of boiler rooms and nail bars, and financial crime is becoming increasingly sophisticated. Financial crimes nowadays include online 'card not present' fraud that uses card information obtained via data breaches; phishing emails; synthetic or fake identities used to open digital bank accounts; and e-commerce and video game platforms used to launder the proceeds of crime.
Fraud, financial crime and cyber security teams have common enemies in this space and often strive to collaborate by sharing intelligence and making the best of analytical tools. But in the past, they have usually inhabited parallel operating universes with different reporting lines, tools, languages and cultures.
Historically, this has been a barrier to stronger integration, raising the cost of each function. With businesses facing a cost squeeze as they recover from the pandemic, internal functions are now under intense pressure to find efficiencies.
In recent times, fraud teams have moved between the lines of defense. Early operating models placed fraud in the second line, but more recent operating models integrate fraud across the first and second lines, with reporting lines into operations, compliance and/or risk functions.
An increasing number of organizations have taken initial steps to integrate fraud and financial crime operations at the governance level by sharing risk indicators and reporting to reduce operational costs and provide a holistic view of the overall exposure to economic crime.
At the level of first line operations, however, the segregation is still a challenge. Fraud typically receives less attention and investment than regulated areas of financial crime, such as sanctions and anti-money laundering. This results in operational inefficiencies. A KPMG firm's banking sector client attempting to rationalize their fraud operations discovered that the loss to fraud is often dwarfed by the operational cost of handling the fraud itself.
This is in part due to operational segregation. The cost of meeting economic crime obligations has been increasing over the years. For example, the fraud team subscribes to a vendor's fraud database, while the financial crime team is looking to add a new customer ID verification tool. Both tools ultimately serve the same purpose -- identifying fraudulent accounts -- but they're operated independently, duplicating costs.
Some clients, recognizing those inefficiencies, have already conducted deep dives into the holistic cost of dealing with economic crime and fostering cooperation between functions. However, full integration is still a daunting task that requires drastic transformation. Some leading organizations have recognized reducing operating costs while leveraging common data and tools across functions as the way forward.
Should we use the same model to integrate the fraud and cyber teams -- starting with governance, and then gradually building operational integration? Or is it easier to go the other way?
Some banks have been testing the waters in terms of combining operations, starting with a few select use cases. For example, one bank has combined fraud predictive analytics tools and cyber security intelligence to detect IP addresses and payment patterns, thus identifying mule accounts and preventing money laundering.
In another case, IP addresses were used to detect criminal network activity (criminal groups using an e-commerce platform to test stolen credit cards and e-wallets) in an investigative exercise that included the fraud, financial crime (money laundering) and cyber security teams.
In each case, the toolsets are a natural complement, and when used cohesively, they're a powerful defense against insider threat and external fraud.
But integrating fraud and cyber teams at the governance level is harder than it is for fraud and financial crime. At least financial crime and fraud professionals mostly share a lexicon -- one derived from a range of typologies, fraudster modus operandi, criminology and finance depending on the context (e.g. Ponzi scheme, authorized push payment, first and third party, embezzlement and more).
On the other hand, cyber terminology originates from a fundamentally different landscape, drawing from technology architectures, malware deployment methodologies and ethical hacker handbooks.
While the idea of operational integration may be possible in small steps, governing economic crime and cyber risk under the same system requires the two functions to agree on a common language.
There are, however, major similarities we can leverage to help unify the cultures. By their nature, acts of fraud are polymorphic, exploiting any weakness in controls and requiring different treatments to investigate and manage. For example, dealing with an increase in fraudulent chargebacks requires tools and skills that differ from those required by a forensic investigator in a financial fraud matter where the books have been 'cooked.'
However, both internal and external fraud can be viewed through the prism of 'prevention, detection, response' and rely on enterprise-wide risk assessment, strong deterrence culture and support from the Board.
The same is true of cyber teams. Cyber security has a similar breadth of methodologies and radically different skillsets working under the same umbrella, and yet their approaches fall under the same industry standards. The "prevention, detection, response" prism, for example, is reminiscent of the NIST Cybersecurity Framework's five core functions, with risk assessment a major component of the process.
Building the necessary deterrence culture in the broader business requires the same kinds of staff training, awareness campaigns, culture metrics and policy frameworks as those that work for fraud and financial crime. And as with fraud, every business unit should be assessing cyber threats to boost defenses.
Is there an opportunity to combine threat assessment or preparation methodologies? For example, could open source intelligence (OSINT) be used in fraud investigations? What interviewing skills can cyber take from financial crime investigations to apply in cyber forensics? Can red teaming exercises be used to train fraud teams in insider threat response?
Lest we forget, ultimately fraud is becoming cyber-enabled fraud, and the criminal groups we seek to counter benefit from our slowness to adopt a holistic approach to countering their activities. Some organizations are already taking steps to move towards integration, leveraging tools, skills, and data across cyber security and financial crime. But reimagining existing models and building future-proofed centers of excellence against crime will require a significant transformation at the level of technology, culture and risk governance.
Throughout this article, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.