Ladies and Gentlemen,
I am delighted to have been invited to address the BBA's annual financial crime conference today. The presence of so many of you here demonstrates to me the importance the BBA and its members attach to these issues. Given what we know about the scale of criminal activity and terrorism today, the need for this commitment from the industry has never been greater.
I don’t need to tell this audience that the ways in which firms are attacked keep changing and that criminals appear to be highly dynamic, reacting to changes to firms’ anti-crime systems with frightening speed. We have seen examples of criminals using knowledge of systems and controls in most sectors. And a reported trend in recent years has been organised criminals and terrorists defrauding the financial services sector at levels low enough for the firms to decide not to take action.
It is perfectly rational for you to investigate and prevent fraud up to the point at which the anti-fraud investment provides negative returns, or returns lower than the opportunity cost of that investment. However, certain criminals and terrorists appear to know that low-level fraud is easy to commit and unlikely to be followed up by the firm, as it is not profitable for the firm to do so. But this analysis ignores the wider costs of the criminal activity. The social harms that can arise from money laundering have been discussed widely, as money laundering feeds and sustains all manner of criminal activities. And it allows those who perpetrate these crimes to become role models in their communities, ensuring that another generation is sucked into their world.
One of the strongest messages we get back from industry is the importance they see in managing the ‘reputational risk’ caused by financial crime, whether in the eyes of investors or the public. But I suggest that there can be a gap between mitigating reputational risk and mitigating financial crime risk. Just because a firm feels confident that it won’t end up on the front page of the FT or the Evening Standard when taking on a new profitable client or product line doesn’t necessarily mean it is managing its financial crime risk appropriately.
I am now going to look in detail at two issues: firstly information security, and then the importance of adopting a risk-based approach to fight financial crime if we are to maximise our effectiveness in a proportionate way.
Let me start by looking at information security.
Why is information security so important? Well, personal information has clearly become a new currency that criminals seek to acquire, a key that unlocks the doors to give access to the funds of innocent victims, allowing criminal activity to thrive. Sensitive personal information is the new gold; it is now highly valued and highly marketable. And I think we all know how little personal information is needed to commit ID theft. This is not to say that cash is no longer attractive to criminals; but personal information has many of the same advantages: it is portable, can be used repeatedly and has a very wide market. So inevitably it is extremely attractive to criminals.
Our 2006 Financial Risk Outlook emphasised the significance of online fraud and identity theft and the increased risk they pose to the financial services industry. And we highlighted in particular the value of personal and security data to organised criminals. And as more and more firms seek to encourage customers to move to non-face-to-face means of communication, such as the internet or telephone services, to make transactions, criminals are likely to intensify their hunt for personal data.
This is not a new subject, but it is very topical at the moment. If I say that fraud is on the increase, I doubt that anyone here will be surprised. Nor will you be surprised if I say that criminals look to target your new products and delivery channels as soon as they appear. We often hear – and speak – about how financial crime is becoming more and more technologically-advanced, with criminals developing new techniques and strategies to get round our prevention tools. And that is certainly true. Criminals will always try to be ahead of the game, notably in terms of information technology. We need to work hard to make sure we consider the potential for criminals to exploit new products and technologies and where possible to find ways of mitigating these risks. And let us also consider the risk of money laundering as well as fraud when we consider identity theft. The Panorama programme last night showed just how easy it is for determined criminals to obtain forged or stolen passports. If these are presented at most banks, it would be surprising if they were detected, so the importance of KYC and monitoring is yet again confirmed. Only if we have appropriate monitoring arrangements in place is there any real chance of detecting suspicious behaviour. And even if the passport is forged or stolen, your record of that passport will be of great use to law enforcement.
But crime tactics do not need to be especially sophisticated or new to succeed. Not all criminals need to use the latest technology to succeed in defrauding honest firms or their honest but unwary customers of substantial amounts of money. The best known threats are still succeeding with depressing regularity. Let me take the example of phishing. As you all know, phishing is the attempt to acquire fraudulently key personal information, such as passwords and credit card details, bank account or Social Security numbers, by masquerading in an electronic communication as a trustworthy person or business. Phishing is therefore a form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information that can then be used to defraud them.
You might think that by now the messages about phishing would have got through, and that phishing attacks would be increasingly unsuccessful. Yet the opposite is true. Despite all the consumer awareness campaigns, phishing activities are dramatically increasing, with the number of unique phishing websites detected by the Anti-Phishing Working Group increasing 143% in September this year. 92% of phishing targets are in the financial services industry. And, as with advance fee frauds of various kinds, because phishing scams can be sent on a very large scale at minimal cost, it is worth the fraudsters' while to target more and more online customers, because the return on their investment is high even if they obtain the personal details from only a small percentage of their victims.
A report produced in 2004 by the Anti-Phishing Working Group showed that at that time firms were confident that UK customers suffered only a 'low exposure', since the media had raised consumer awareness of this issue. However, two years on, it does not seem that this awareness has stuck. Perhaps we have become complacent. We need to bear in mind that, in addition to the loss and distress caused to the victims, there is also the much broader risk that consumers will lose confidence in transacting online. Think what the impact could be on firms and consumers if that were to happen on a large scale.
And let us also remember the need to maintain all the simple, tried and trusted methods of securing data. The lowest tech attacks remain extremely effective. Traditional thefts of data are on the rise, and, I am disappointed to have to say, this includes thefts of customer data that regulated firms have disposed of negligently. As I am sure you will have heard, the Information Commissioner is currently investigating claims that bags containing personal information were found dumped in dustbins outside two branches of a major high street bank, containing cut up credit and debit cards and other account information. Members of the public are regularly exhorted to look after their personal data and shred documents. But this is pointless if those charged with the security of customers' data fail to discharge their responsibilities properly. The FSA will be looking closely at the Information Commissioner's findings in this case, to see whether there is any action we should take.
In today's world, the use of personal security data to authenticate customers will inevitably continue to grow. So we need to improve authentication and data access controls to counter the fraudsters. Without effective and well-controlled systems in place, breaches in security are more than likely to occur. And the consequences for both the industry and consumers could be enormous, since a security breach could create a contagion chain: as I said earlier, the same stolen information can be re-used by criminals entering different financial services. From the FSA's perspective, three of our four statutory objectives could be adversely affected, namely our financial crime, our consumer protection and our market confidence objectives. So you can see that this is an issue the regulator is bound to take very seriously.
Many businesses, not just those in the financial services industry, now handle and perhaps outsource transactions involving personal financial data. Telephone and utility companies, airlines and other retailers all handle personal financial data and are transferring administrative services to lower-cost jurisdictions. Not surprisingly, the cost of corruptly acquiring personal data is also cheaper in those jurisdictions, but the key point is that this creates an increased risk to the financial sector, since, whatever the nature of the firm from which it was stolen, the financial crime will always come through financial firms. So in our view, increasing data loss in turn creates a greater risk to the FSA's financial crime objective.
We are therefore increasingly interested in the security procedures that firms have in place when dealing with non-financial corporates who hold personal data on or offshore. We are currently liaising with other relevant regulators and the Information Commissioner, so that we can clarify our joint responsibilities and how we can work better together. We will then consider how the FSA should respond in cases where consumers are affected.
Just as we need to work with other regulators on these issues, so we need to work with our other partners, not least those in the industry. Trade associations including the BBA put a good deal of effort into the fight against fraud and identity theft. This sort of collective effort is essential if we are to keep up with the fraudsters. So the FSA welcomes the BBA’s participation in the E-Banking Fraud Liaison Group, together with APACS and the E-crime team of the Serious Organised Crime Agency (formerly the National Hi-Tech Crime Unit). This group makes an important contribution to the dissemination of intelligence to its members, and by producing leaflets for retail and commercial customers such as ‘Protecting your financial details’. We also welcome the BBA's quarterly publication on Fraud and Intelligence, Crimewatcher.
Understanding the problem and keeping up to date with new developments, just like collating and disseminating intelligence data, are key to putting the right controls in place and ensuring they are used in practice. But they are only a first step. And even the best theoretical security procedures are not enough. Firms' procedures and policies have to be observed in practice too. There have been too many cases where this has not happened.
Given the data they hold, and the trust of customers they must maintain if they are to be successful, banks in particular must understand that they have to be leaders in establishing sound checks, controls and policies, and ensure that they are effectively and continuously implemented, reviewed and updated. Only if they take these issues with the seriousness they merit will they be able to face new threats adequately. It is also, I am afraid, a matter of KYE, or know your employee.
Let me now move on to the issue of the risk-based approach. But before I do let me first say that my concerns about information security and reports of recent lapses do not in any way run counter to our approach to financial crime with which you are familiar. We continue to be a risk-based regulator, we are not enforcement-led, and we do not expect a zero-failure approach. But that does not, indeed cannot, mean that we never take action against firms. What we look for is effective and proportionate anti-financial crime systems and controls. If we find that these are lacking, we will use the most appropriate tools, often starting with informal private supervisory discussions. But where there are particularly aggravating circumstances, for example if significant fraud has resulted, if a breach of our requirements has resulted in significant risk of fraud, or if there has been significant detriment to the consumer, use of our enforcement tools will remain an option.
And we look to senior management in all firms to deliver those effective and proportionate systems and controls. It is heartening to see increasing commitment by senior management to reviewing the effectiveness of their anti-financial crime effort. This helps us identify those firms whose management have not yet made the decision to do this, the outliers, so to speak. Since it is clear that the involvement of senior management is key to ensuring that sound procedures are not only in place within an institution, but also embedded in the firm's practices, we will be looking to improve the performance of poor-performing firms in this area.
While senior management must take responsibility for their firms' systems and controls to combat financial crime, it is also crucial to provide them with some flexibility to implement systems and controls that are most appropriate for their firm and the real financial crime risk they face, rather than any regulatory risk they may have concerns about. This follows our broader move towards principles-based regulation – as opposed to a formulaic tick-box approach.
What I'd like to emphasise here is that we look at this intensified reliance on senior management in relation to the outcomes which we are seeking to achieve rather than in terms of strict mechanisms and processes. More focus on outcomes goes hand in hand with a less prescriptive approach to the method used to achieve these outcomes. Our principles-based approach is a real opportunity for senior management to manage their firms in the way they think will make more sense for their business, in the way that will benefit their firms and customers, by giving them more leeway to innovate, while still having regard to the right outcomes in relation to financial crime.
We look to senior management to carry out this task effectively. This will require senior management and their team embracing a more judgmental decision-making process. This should prove more cost-effective as you address real financial crime risk. But I will not pretend it will be either simple or the cheap option.
The move towards a more risk-based approach to AML is challenging, for the FSA as well as for firms. There is no doubt that this will give rise to different interpretations from firms on similar matters. But this is what a risk-based approach is all about: different means can be implemented to achieve a sound outcome.
For this reason, we’ve been working really hard over the past year or so to put in place a comprehensive training programme to bring our supervisors and other relevant staff up to speed on developments in financial crime. In particular, we want our supervisors to understand what the risk-based approach means in practice, the kinds of processes that firms should go through when deciding their approach, and that what they see in one firm may be quite different from what they see in another, even if they have quite a similar business profile.
So it is now compulsory for all our staff to take foundation level computer-based training so that they get a basic understanding of the issues involved.
To bolster our supervisors’ knowledge, we have also put in place intermediate level day-long workshops to ensure that they have a good understanding of financial crime risks in their sectors and, importantly, understand what a ‘risk-based approach’ means.
This is all supplemented by an ongoing programme of briefings from industry experts, law enforcement and government agencies to raise awareness of our stakeholders’ roles. A particularly important part of this has been a series of briefings on the new JMLSG Guidance. David Swanney has presented to our staff on the general material in Part 1 of the Guidance, while the relevant trade associations have delivered some excellent sessions on sectoral material in Part 2. The two banking sessions, co-ordinated by the BBA, were delivered to our staff recently. I would like to convey formally our gratitude to the BBA and the other trade associations for putting together these sessions, which will ensure a much improved understanding among our supervisors of the risks and issues in the different industry sectors. The question of how we supervise AML in practice is extremely important and we have tried to be as transparent as possible about our expectations of firms. So I have written public letters to the JMLSG twice this year to set out how we supervise; how we enforce; and how we work in partnership with the industry and other stakeholders in the UK AML regime. Both these letters are available on our website.
My second letter, to Martin Hall at the end of August, explained what we had been doing to prime our supervisors for the changes to the FSA rules and JMLSG Guidance. It enclosed copies of materials that were circulated to our supervisors on the AML regime, setting out the key issues for them to be aware of. So, as this letter is published on our website, you can get a pretty good idea of what a supervisor might ask your firm if they come to examine your AML controls.
As you know, in September, we replaced the old ML Sourcebook with just two pages of high-level rules. This highlights extremely well the point I made earlier: our new principles-based approach seeks to be proportionate and to rely on senior management's sound judgment. You are best placed to understand and assess the money laundering risk you face, in the light of the products you offer, your delivery channels, your customer base and the jurisdictions within which you operate.
This reduction in rules has been facilitated by the new high quality industry guidance produced by the Joint Money Laundering Steering Group. And I would like to pay tribute to the BBA and their members for their dedicated involvement in revising the JMLSG guidance. The recent changes in the guidance have led to a more proportionate regime, notably with regard to customer identification.
Adopting a risk-based and proportionate approach is vital for controls to be effective without discouraging business from operating. And this is true both for the UK’s internal marketplace and our position in the global market. We need to ensure that our regulatory environment is effective and encourages competition and innovation, so the UK financial services continue to thrive internationally.
So our principles-based approach aims precisely to give firms flexibility to run their business in a way which achieves the right financial crime outcomes while remaining both cost-effective and appropriate. We recognise that, however much they welcome this approach in the UK, firms that are internationally active face different approaches in other jurisdictions. I cannot promise that this can be resolved quickly, or to our complete satisfaction. But I can tell you that the FSA is committed to doing what it can to ensure that a genuinely risk-based approach is adopted as widely as possible.
It is the right time for the UK and the FSA to seize the opportunity to influence the international regulatory agenda. This agenda will only achieve its full potential if the industry can inform its direction: the challenge of the risk-based approach falls both on us and on the industry, and our joint efforts in implementing it are very likely to dictate its success, and its validation by international agencies and other regulators.
So it is indeed appropriate that this conference falls in the middle of the mutual evaluation of the UK's AML regime by the Financial Action Task Force. Risk-sensitivity is now embedded in the FATF recommendations that form the bedrock of global anti-money laundering standards. So we have been discussing with the evaluation team just how the risk-based approach is implemented in practice, and the key roles of the Treasury’s Money Laundering Regulations, the FSA’s rules, and the Treasury approved JMLSG Guidance in implementing the FATF standards in the UK.
So, in closing, can I remind you of three key points:
- We see an increasing threat from personal data loss and a need for both firms and consumers to increase their vigilance;
- We want firms to focus increasingly on the outcome of reducing financial crime, in a risk-based fashion, and we recognise that the FSA’s regulatory approach must reinforce this behaviour in firms; and
- The successful joint implementation of the key elements of a risk-based approach in the UK - by industry, by regulators and by law enforcement - is essential if we are also to be successful in influencing the shape and form of global efforts to fight financial crime.