When the Going Gets Tough the Financial Regulators Get Going

2020 has been a tough year. The Covid-19 pandemic has sent shock waves across every industry as workers were sent to work from home by default. Homeworking has sounded the final death knell for any protection afforded by the corporate perimeter. Cybercrime and fraud, too, have taken advantage of the special conditions afforded by a very unusual situation.

As our workers settle into their home office for the foreseeable future, and the financial sector takes on new challenges to meet Covid-19 pandemic-related issues, where does this leave compliance with data protection laws and regulatory scrutiny?

Financial Conduct Authority (FCA): a remote working warning to the wise

Since the pandemic hit, around 70% of finance and financial services companies have implemented strict Work From Home (WFH) policies. In an interview back in May, NatWest Bank revealed figures highlighting the widespread use of connected apps and online meet-ups. The bank offered up figures including 5.5 million video conferencing minutes over 40,000 meetings, and login figures for a single week in May when 52,000 remote workers logged in to banking systems. Financial institutions the world over are likely to continue with this ‘new normal’. The situation is such that even if employees return to work, disruption can ensue. This was the case for HSBC, which had to send over 100 employees home to work when a single colleague tested positive for coronavirus. Deutsche Bank has placed workers on long-term WFH, with the bank telling employees in the U.S. they can WFH until July 2021.

However, WFH has more challenges than Zoom meeting fatigue and secure login. Remote working has come under the watchful eye of the FCA. Julie Hoggett from the FCA, talking at the City Financial Global event, said that financial firms need to recognize that there is a need for “effective surveillance at all times”. Julie continued, pointing out that “It is essential in changing times that firms identify the risks associated with the new environment in which we are all operating.”

Even in 2019, the FCA highlighted the issues of environmental changes to working conditions. The October 2019 edition of FCA Market Watch points out that “firms can identify their market abuse-related conduct risks to ensure they have effective systems and controls in place.” The FCA’s 2017 “5 Conduct Questions Programme”, in a recent update, stated that:

Covid-19 has created new and greater conduct risks. It will be important for firms to engage staff at home in the effort to identify potential sources of harm in their individual environments. We will continue with our supervisory engagement with firms on their change programmes and their effectiveness. We will also be focusing on new risks emerging from LIBOR transition and other market developments more generally.

Financial institutions have to identify their market abuse-related conduct risks. In doing so, they must put effective systems and controls in place. Risks such as insider trading are outlined in the FCA’s Market Abuse Regulation of 2016, which covers prohibitions on insider dealing, market manipulation and the unlawful disclosure of inside information. Doing this within an office context is one thing, but applying those same policies to a WFH environment is much more challenging.

A balancing act, financial access vs. cybercrime?

The FCA has rightly highlighted that, under new remote working conditions, older methods of monitoring employees for regulatory compliance may not meet the requirements.

Then, to add to this, other variables have come into play that mean financial institutions must adjust to new expectations brought on by the pandemic. These are centered around the provisioning of loans and similar payments to businesses:

Take CBILS (Coronavirus Business Interruption Loan Scheme) as an example. This is a UK initiative to provide financial support to businesses with fewer than 50 employees during the crisis. Banks are effectively backed by the government to make loans to business applicants under CBILS. To remove friction from the loan application process, the UK government relaxed the rules on due diligence. In line with the relaxation, the FCA states on its website that “CONC 5.2A (responsible lending rule) contains rules and guidance on carrying out a reasonable assessment of a customer’s creditworthiness before taking the process forward. Other than for loans made under the Schemes, firms must continue to carry out creditworthiness assessments in line with the whole of CONC 5.2A on all other regulated lending.” The FCA is relaxing the rules for some, but not others…

In the U.S., a scheme to access fast cash, the CARES Act, looks to provide “fast and direct economic assistance for American workers, families, and small businesses”. CARES incorporates the Paycheck Protection Program (PPP). CARES lenders must provide fast access to government-backed loans. PPP lenders MUST have BSA-compliant AML programs. However, compliance is being stretched by the speed and volume of the loan handling process in the crisis.

Like the FCA, U.S. regulators are offering some relief. FinCEN and others, including OFAC, the OCC, the FRB, and FINRA, are joining forces to help the industry develop a way forward. However, the Bank Secrecy Act (BSA) requirements persist. FinCEN has suggested that “innovative approaches” should be used to meet the BSA requirements under the current climate. In a notice, FinCEN states:

“FinCEN encourages financial institutions to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations, in order to further strengthen the financial system against illicit financial activity and other related fraud.”

The above attempts by regulators to support financial institutions in delivering schemes to help citizens weather the storm are multi-layered. They have to be deployed within a climate of increasing cybercrime and fraud.

Cybercrime during a pandemic

The coronavirus has turned the finance world upside down. It has also presented opportunities galore to cybercriminal networks. This is not lost on the financial regulators. The challenge is finding the balance between mitigating fraud and ensuring that payments to keep businesses afloat during the pandemic are swift.

The cybercriminal networks are pushing the regulations to the limit at a time when those regulations are being relaxed to adjust to the financial requirements of the pandemic. The state of cybercrime during the pandemic is unprecedented. A snapshot of the dark web during 2020 clearly shows that the engines of cybercrime are going full steam ahead:

Tor Metrics collects information on the numbers of .onion sites (dark websites) over time. Between mid-March and mid-September 2020, the numbers almost tripled at the peak and are still more than double the pre-pandemic numbers.

Some of these websites may well be legitimate, perhaps journalistic data sites. However, the fact that phishing campaigns have tracked the increase in these sites indicates that the increase is likely malicious in nature.

A report into the effect of the Covid-19 pandemic on cybercrime from the Financial Action Task Force (FATF) has two key findings that highlight the balance needed in dealing with the crisis:

  • The increase in COVID-19-related crimes, such as fraud, cybercrime, misdirection, or exploitation of government funds or international financial assistance, is creating new sources of proceeds for illicit actors.
  • Measures to contain COVID-19 are impacting on the criminal economy and changing criminal behavior so that profit-driven criminals may move to other forms of illegal conduct.

Treading the line between facilitation of loans and other Covid-19 related payments and managing fraud is where technology can help.

Having your financial checks cake and eating it

The financial sector, during the pandemic, has had to weather the storm by ensuring that WFH encompasses the same levels of employee due diligence and monitoring. But at the same time, much of the industry also has to step in and ensure that the wider business community receives fast access to financial help. Squaring this circle is a balancing act that needs smart technology to shore it up. There should not have to be a choice between effective AML checks and access to financial help. It should not be a given that providing fast access to cash means accepting a degree of opportunity for cybercriminals. There are ways to “have your financial check cake and eat it”.

Smart AML checks can mitigate payment fraud. Juniper Research concurs with this statement. Their report “Fighting Online Fraud in 2020” predicts increased use of machine learning (ML) in fraud detection and prevention. Using a smart technology like ML allows a balance between fast delivery of a service and real-time fraud detection. This gives the financial sector the ability to match customer expectations with the complexity of fraud detection. Using innovative technologies provides the balance needed to meet the challenges of the pandemic, keep regulators happy, and help mitigate fraud.

