With billions of dollars of transactions passing through the world’s corporate treasuries every day, the function is potentially high-risk in terms of financial crime. As fraudsters attempt ever more audacious ways of stealing corporate cash and data, what measures can be taken to keep treasury safe?

Security controls are an everyday fact in all corporate banking activities. Indeed, identification and authentication are now expected components of doing business across all channels of interaction. And yet financial crime still happens.

For Jonathan Williams, Principal of payments, identity and fraud prevention firm, Mk2 Consulting, the simple explanation is that the criminals are very good at looking for loopholes in the way systems are configured, and they understand how to exploit people as the weakest link in the security chain.

e-challenge

The shift to e-commerce and immediate payments systems has increased the strike-power of criminals. Fortunately, the European Union, as part of its PSD2 deliberations in 2012, responded to the need to tighten up security. This aligned with work commencing at roughly the same time in the card space that looked at 3D security for e-commerce. But whereas fraud prevention has improved in this space over the past decade, criminals seeing a more secure card space started shifting their attention elsewhere, says Williams.

The targeting of corporate payments, ERP and TMS systems and even treasury personnel, is now a real threat. Attacks of this nature have grown over the past few years since Condé Nast was defrauded of around US$8m back in 2010 through social engineering (although this wasn’t an authentication failure per se but a failure to identify the supplier, or rather, the fraudster).

Identity and authentication processes try to ascertain who a business is really dealing with. In the treasury space, many treasurers use security devices to log on to each of their banks. Although these have proven fairly secure over the years, they have failed to enhance the user experience; any multi-banking treasurer knows all too well about the desk-full of tokens. It’s been a great driver to move to the inherently secure SWIFT network, says Williams, but accepts that not every treasurer has this option.

It is personal

The challenge remains to deliver the best experience for treasurers accessing their accounts, either online or on the phone. Some systems are secure enough, for now, but the highly motivated criminal makes success a moving feast, says Williams. “Authentication is trying to keep up, and we are seeing more processes geared specifically to the payment-service user,” he notes.

In making it personal, the industry is trying to create the same level of trust across electronic channels that existed naturally when people used to present in-the-flesh at the bank to conduct business. To reach that level of trust, authentication is moving towards the combined use of several factors which are demonstrably independent of each other.

These include three primary categories: knowledge factors such as passwords; possession factors such as one-time passwords or authentication tokens; and inherence factors such as biometrics. For business transactions in particular, biometrics are increasingly being adopted to authenticate the individual, alongside at least one of the other two factors. This is a notion referred to as multi-factor authentication.

With the advent of more automation in bank/corporate interactions, between ERPs/TMSs and banking systems, authentication of systems rather than individuals becomes essential. Herein lies another challenge, because currently legislation implies someone has to approve an automated transaction unless otherwise exempted.

Biometrics

In changing a bank mandate or adding new signatories, the bank still needs to know it is the corporate treasurer, or other authorised individual, actioning that. Biometrics is currently the best way to provide that confidence. Access to the right knowledge and possession factors do not in themselves offer conclusive identification; these could have been acquired by foul means.

Biometrics as part of multi-factor authentication processes work well. A treasurer using a mobile device to access a payments system may therefore use the device’s identity (and its registration to the individual), the fact that the right password or one-time code is being used, and that the individual can offer up a correct biometric identity (a fingerprint, facial recognition, an iris scan or even how the phone is held).

Whilst the combination of these factors can deliver a higher degree of confidence that the individual is the real customer, it becomes more challenging when an extended sign-in process is demanded, such as where multiple signatories are required to make payments over a certain threshold.

Here, the principle underpinning success requires an understanding of who needs to be involved in the transaction, what level of confidence is needed in the identity of each individual to authorise the transaction, and what means each has at their disposal to prove it really is them, notes Williams.

And one caveat for biometrics, he notes, is the quality of the technology used to read biometric data; not all sensors are the same. Technology is progressing rapidly but with every innovation, only when it is deployed to a mass market will it reveal its true strengths and weaknesses. This pressurises the development process.

“Banks are now in a situation where they feel forced to use biometrics – and they do want to use it from a customer experience point of view – but they remain wary of putting all of their security ‘eggs’ in one basket,” he comments.

Instead, they are rightly considering what security factors, including biometrics, best support their own and their customers’ needs. Given that usable provenance only comes from mass-market adoption, banks and other FIs will need to be agile and flexible in their development programmes. They will also need to learn from real-world feedback as quickly as they can, because criminals will constantly be trying to undermine them.

BSI PAS 499: a joined-up approach

The range of different approaches to security suggests a lack of coherence across the financial sector. Understandably, each organisation bases its response on its own risk appetite and assessment of which solutions work best; this is likely to continue. The area where a more standard approach is desirable is around the documentation of authentication processes and procedures.

Launched in July 2019, British Standards Institute (BSI)’s Publicly Available Specification (PAS) 499, Digital Identification & Authentication Code of Practice (of which Williams was one of two authors) builds a risk model around authentication, addressing the elements that should be considered when trying to ascertain identity with the right level of confidence.

In essence, PAS 499 provides standardised recommendations and principles for security in online transactions and services. It covers identity, validation, verification and authentication. “Even where procedures and processes are different in each payment provider, PAS 499 offers a system of documenting them in the same way,” he notes.

Mindful that the same sorts of challenges are being faced by these organisations, and that they are therefore likely to come up with similar, if not the same, solutions, this set of guiding principles around factors such as strong authentication, anti-money laundering and biometrics, means the whole industry can begin moving in the same direction.

If implemented widely, PAS 499 at least gives regulators a level of confidence that participating FIs are taking the same security steps for each customer base, from consumer to corporate. It may even usher in the more collaborative approach that could ultimately offer multi-banking treasurers an easier time as they access their different platforms.

Not infallible

Whilst there are many steps that can be taken to try to correctly identify an individual, confidence in the systems being used remains a potential issue in that it’s not possible to know with complete certainty that, for example, the mobile being used to transact has not been corrupted in some way.

“What we can aim for is making sure that the confidence of authentication matches the confidence needed for the transaction,” suggests Williams. “Doing so at least enables industry in general to reduce fraud levels. But I don’t think we are ever going to reduce them to zero, or ever know with absolute certainty that every individual is who they say they are.”

Indeed, there is always a theoretical chance that even if ten security factors are used, they have been compromised. Of course, the more factors that are used, the more obstacles are put in the way of the criminals, lowering the risk of fraud. But some of the more advanced technologies available also make it possible to detect fraud and financial crime before they have happened.

Banks are now in a situation where they feel forced to use biometrics – and they do want to use it from a customer experience point of view – but they remain wary of putting all of their security ‘eggs’ in one basket.

Jonathan Williams, Principal, Mk2 Consulting

Stopping it before it happens

Where customers interact with their financial services providers through a growing number of digital channels, so the means of identification and authentication have necessarily grown in number. Each new access point creates another potential weak point, says Ian Holmes, Global Lead for Enterprise Fraud Solutions at SAS.

Cybercriminals use a moving feast of tools to access financial data. For example, ‘geo-spoofing’ enables criminals to use intermediate computers to hide their IP address and appear in a location that matches the stolen credentials. Hackers are also implementing ‘bots’ that use automated scripts to crack passwords. Social engineering is often used, targeting the weakest link of all, the human, with increasingly clever and convincing tricks that place vital information in the fraudster’s hands.

Proving identity is the critical first step in preventing fraud. But what if access has been gained fraudulently or an insider has criminal intent? Although arguably digitisation has complicated matters with regard to identity and authentication management, Holmes believes that it also holds the key to resolving the problem. In particular, he cites AI and advanced analytics as the most effective means of improving security.

Together, he believes that AI and advanced real-time analytics can help organisations pre-emptively detect fraud, rather than them having to deal with the aftermath. AI and advanced analytics, Holmes explains, can be used to spot anomalies – activities that contradict the system’s constantly updating understanding of normal behaviour. With the capacity to do this in real-time, across huge pools of data, certainly far larger than any human could analyse with any degree of accuracy or speed, it means there is no hiding place for criminal activity.

This makes it easier, for example, for banks to stop fraud in the first place, and as the system learns, can reduce the number of false positives (challenges on legitimate transactions) that traditional systems create. This helps to reduce customer frustration and friction whilst maintaining high levels of security.

Despite the obvious advantages, few financial institutions are leveraging advanced AI in this context. Research from advisory firm Aite Group shows that only 10% of organisations are actively using machine learning analytics to orchestrate authentication. Whilst 50% are in the process of implementing these solutions or have them on their road maps, 40% are yet to take a firm stance on the adoption of AI. Clearly, an opportunity exists to improve the way customers access and use banking systems.

The term ‘know your customer’ is no longer good enough, know your transaction’ (KYT) is more appropriate.

Nick Armstrong, CEO, Identitii

Anyone for KYT? Blockchain upholding the rules

For every transaction between bank and client, not only must the right of the individual to make that transaction be ascertained, but also the transaction itself must be shown not to be contravening any regulations, notably know your customer (KYC), anti-money laundering (AML) and sanctions regulations. It’s a serious matter: 58 AML penalties were handed down globally in 2019, totalling US$8.14bn, double the amount, and nearly double the value, of 2018 penalties.

“The term ‘know your customer’ is no longer good enough,” states Nick Armstrong, CEO of Identitii, an Australia-based firm using blockchain technology to reduce the risk of fraud when data is shared between banks and corporates. Instead, he argues that the term ‘know your transaction’ (KYT) is more appropriate.

“We know traditional KYC is often only done once every few years at best,” explains Armstrong. “For corporates and banks, if the director or ultimate beneficial owner changes in the meantime, and this is not acknowledged, either party could be unknowingly allowing money to flow to terrorists or be used for money laundering.”

As a more rigorous and timely version of identity checking for financial crime management, KYT’s aim is to create a deeper real-time record and audit trail of KYC information, relating to both the sender and the beneficiary of a payment. Identitii uses KYT in its Overlay+ platform. Monitoring is already a requirement under Financial Action Task Force (FATF) recommendation 16. Using KYT in Overlay+ KYT allows for details of the underlying purpose of the transaction to be appended, applying blockchain security to the entire process in real-time, to ensure correct screening at a corporate level, across every transaction.

Most of the rails that move money around limit the amount of information that can be included with the payment, Armstrong explains, and these limits are so low that it is rarely enough to allow corporates and their banks to describe what their transactions are for. “KYT aims to link rich information to every transfer to address this problem; banks using this system will no longer have to call their corporate clients to request information that wasn’t able to fit into the original transaction.” This is one of the main pain points of KYC.

Identitii was a winner of SWIFT’s Innotribe Challenge on Compliance competition in 2016 and worked with seven large correspondent banks for a PoC that followed. Initially, it focused on reducing the risk of fines being imposed on banks for inadvertently allowing funds to flow to sanctioned beneficiaries. But with far-reaching consequences for KYC and AML regulation infringement (possible fines, sanctions, and reputational damage), corporates, too, have cause to check their counterparties.

But with many having spent large sums connecting to their banks, any solution has to be able to integrate with legacy technologies and existing payments rails. Armstrong says Identitii’s Overlay+ solution achieves this goal, adding that HSBC has already adopted it across five of its key markets, predominantly in Asia.

As a real-time overlay system, it allows AML, KYC and sanctions screening to be carried out prior to the payment being sent. As data is entered to set up a payment, it can be checked, the system effectively pre-validating that information before releasing that payment.

As part of its data verifying mechanism, the system leverages blockchain technology to create a fully audited record of information exchange that fraudsters will find impossible to circumvent. If any data (such as a bank account number) is altered for the purpose of invoice fraud, for example, blockchain, having applied a hash (or digital signature) to the underlying invoice, will immediately flag it up. It can do so in real-time at any stage in the payments process. Once alerted, the bank can suspend release of the payment, pending enquiry.

The whole notion of real-time processing in the fight against financial crime is an active area of investigation for many financial technologists. SWIFT, for example, currently has a team developing KYC, AML transaction monitoring and analysis, and fraud-prevention solutions as part of its wider Payment Controls programme. It aims to combine real-time monitoring, alerting and blocking of sent payments.