Our collective connectivity increases the digital attack surface for cyber—both at home and at the workplace. But the same technologies that have given rise to a digital criminal ecosystem can be turned on their head to help combat financial crimes.
At the height of the Roman Empire, 250,000 miles of road connected two million square miles of land. The connectivity spurred innovation to levels never witnessed before in history. The network of roads made it possible for engineers to be deployed across the empire to transform rural landscapes into new cities and towns; it also made it possible to recruit and deploy more than 450,000 soldiers across the empire.1
Explore the cyber risk collection
Subscribe to receive related content from Deloitte Insights
Download the Deloitte Insights and Dow Jones app
However, over the centuries, the same innovation and technology that led to the rise of the Roman Empire contributed to its downfall. Increased trade turned relatively low-threat barbarian tribes into wealthier existential threats to Rome, as they were now equipped with modern weaponry and improved agricultural tools. Simultaneously, the sheer size of the empire gave way to the formation of dozens of smaller provinces. By 476 C.E., the now-sophisticated tribes completely outmatched the disparate and less-coordinated provinces—leading to the sacking of Rome and the toppling of one of the greatest empires in history.
Today, akin to the early road design and construction of Rome, Fourth Industrial Revolution (4IR) technologies like the Internet of Things (IoT) and cloud computing connect us in ways we had never imagined. This has led to an unprecedented level of business innovation and advanced technical solutions while also creating a converging landscape of cyber, financial crime, and money laundering risks.2 These blurred lines have, in turn, given birth to new and more innovative forms of financial crime—forms that are sophisticated in their approach and agnostic to industry and geography.
Traditionally, these threats manifested in the financial sphere, but they’re now surfacing in other industries as well. From our homes to our workplaces to our cars and airports, our collective connectivity increases the digital attack surface for cyber, with potential threats cutting across smart factories, health care institutions, and even home appliances.3 Further, a new digital underground society of cybercriminals has emerged, seeking to exploit any vulnerability they can find in our digital platforms and the myriad connection points generated by the proliferation of IoT technologies, making it easier to monetize system attacks and steal data on an industrial scale. These new-age fraudsters can operationalize global campaigns to misappropriate funds and their fellow launderers can adopt modern digital technologies—like blockchain—to anonymously operate across borders (see sidebar, “The changing face of financial crime”).
Both at home and at work, our collective connectivity increases the digital attack surface for cyber, with potential threats to smart factories, health care institutions, and home appliances.
But there is good news: The same technologies that are responsible for creating the present-day digital criminal ecosystem can be harnessed to detect and, in many cases, prevent these crimes before they occur. In this article, we explore how companies can elevate and intensify the fight against financial crime beyond the level of battling criminals by taking the following steps:
The connectivity between cyber, financial crime, and money laundering changes the way we identify and fight myriad economic criminal activities—terrorist financing, human trafficking, tax evasion, fraud, handling the proceeds of a crime, and bribery, to name a few. Below, we list some of the most prevalent techniques employed to carry out these crimes, along with the costs incurred by the global economy.
Financial crime aided by technology is a multifaceted and far-reaching problem impacting nearly every organization. Paradoxically, in the face of greater worldwide connectivity, organizational structures can’t always keep pace with the speed of technological change. While criminals are indifferent to corporate structures, many organizations still have dedicated, standalone teams to combat and detect cyberattacks and financial crime. These teams often operate in silos, similar to the Roman provinces fighting off each new threat in isolation. But, unlike the fall of the Roman Empire, which spanned centuries, threats to even the largest multinational business can be manifest in seconds.
As a result, companies in most industries, as well as their risk management teams and systems intended to combat financial crime, are facing unprecedented strain. The cost of fraud and cyberattacks is estimated to exceed US$3 trillion across the globe annually.11 Yet, most risk monitoring systems yield unproductive and inefficient investigatory work to ensure that compliance regimes are met at the base level, rather than effectively identifying suspicious activity with high levels of confidence.
Thankfully, organizations today have access to a wealth of data, tools, and modeling techniques they can use to combat even the most sophisticated crimes. However, the options and approaches to tackling these crimes can be overwhelming, and the regulatory climate doesn’t always keep up with the capabilities deployed by bad actors. Most organizations are just trying to keep pace with compliance requirements rather than matching criminal adversaries in their approach. This often leads to rigid and more easily circumvented rule sets to detect financial crime—for example, rules relating to exceeding predetermined spending limits. Further, insider threats can relay even the most complex rule sets to those looking to maneuver around them.
Unlike the fall of the Roman Empire, which spanned centuries, threats to even the largest multinational business can be manifest in seconds.
In an era of 4IR technologies and AI, the natural response is to replace monitoring rule sets with more advanced analytical techniques, such as using machine learning to more accurately detect cases of fraud. While these techniques may be more effective, it’s no small feat to overhaul years, even decades, of old infrastructure and corporate practices with new risk management structures and methodologies. There are two primary reasons for this:
The best way to make these formidable issues more manageable could be to articulate more specific goals while combating financial crime. By going deeper than a “stop all cases of fraud” goal, organizations can get a better sense of the data required, people with whom to coordinate, and the most effective analytical approaches to address the issue. There are four areas in which organizations can define more manageable goals with a view to protect themselves from various forms of financial crime. They are:
The best way to make formidable crime management issues more manageable is to articulate more specific goals while combating financial crime.
Starting with the board and top management teams, these key action areas should be agreed upon, communicated, and prioritized across the organization. Specific goals can become a rallying cry for gaining internal and external support, providing direction on how to improve processes (regardless of organizational silos), and determining the best tools and analytical techniques to address the issue. As an example, if the goal is to rapidly identify anomalies, the cyber, fraud, and AML departments can work together to build a single database across the organization that identifies bad actors, rather than have each group figure this out in isolation—and after several attacks on the company.
Sharply defined goals help companies to react in a more agile manner. In a recent panel discussion for Risk.net, executives discussed the need to simplify the objectives to defend against financial crime in a more agile manner. Specifically, it requires ensuring that cybersecurity, application security, fraud, and data scientists are working collaboratively to consolidate data sources in order to gain an enterprise-wide view of vulnerabilities and opportunities to share knowledge in the fight against financial crime.13
Starting with the board and top management teams, these key action areas should be agreed upon, communicated, and prioritized across the organization.
As financial criminals function in ecosystems, so too should the institutions tasked with defending against them. Businesses and law enforcement can work in tandem to thwart these criminal ecosystems through fast and effective sharing of information on bad actors, knowledge related to new criminal schemes, and intelligence on best practices for prevention and detection of financial crime. To do so effectively, organizations should consider a two-fold approach: Elevate the importance of procuring third-party data and participate in public-private partnerships (PPP) to share information and best practices.
Sharing data outside the organization is not a new concept—retailers and suppliers have been doing it for decades. However, the level of granularity, sensitivity of information, and sheer volume of data required to combat financial crime is compelling many organizations to look outside their own four walls. When multiple institutions artfully combine their data, they can piece together a mosaic of criminal activity that none can discern in isolation, thus creating actionable insights in aggregate.
Banks are some of the earliest adopters of third-party data-sharing and have been safely and appropriately exchanging data with external parties for decades. Many banks understand that one of the best ways of defending against financial crime is by proactively building “herd immunity.” This entails sharing intel to collectively learn from one another and preemptively put measures in place to prevent or minimize future crimes.
This is manifesting in the financial services industry through third-party platforms, which provide cloud-based communities for standardizing and sharing information across vendors.14 Perhaps more promisingly, recent innovations like homomorphic encryption and multiparty computation enable organizations to compare data sets and perform complex analytical routines against an aggregated data set.15 By doing so, they can collectively extricate insights from patterns of malicious behavior that indicate criminal activity—with a higher rate of fidelity than previously possible.
For example, consider IP addresses with a troubled history. Companies can contribute and upload “bad” device data on a shared database and use it as a data modeling attribute. These data sources can help companies uncover IPs that either have a direct malicious history (sending spam emails, account takeovers, and malware data) or are in a nexus with IPs that do.16
Many government agencies around the world are working to combat various types of financial crime but they can be significantly more effective if they collaborate more with the private sector—and vice versa. These PPPs can provide law enforcement with quick access to intelligence related to relevant case work and inform organizations of the most current status of the threat landscape.17 Further, they can create a safe environment for both groups to share information and data.
Public-private partnerships can provide law enforcement with quick access to intelligence on cases and inform organizations of the current threat landscape.
Such partnerships seem to be growing across the world. One notable example is the United Kingdom’s Joint Money Laundering Intelligence Taskforce (JMLIT). This group consists of more than 20 large banks, the National Crime Agency (NCA), the Home Office, and the Financial Conduct Authority (apart from a number of other agencies). Together, they can tackle cases of financial crime, such as human trafficking, and share information and data to better understand patterns of criminal behavior and the identities of potential bad actors. By working directly with banks, government agencies can share “red flag” activities that indicate trafficking behavior, such as payments made to cover multiple individuals’ travel expenses from a country the financer has never personally visited.
Such PPPs don’t have to be limited to financial institutions. Retailers, for instance, are frequent targets of criminals looking to steal consumers’ bank details. Retailers can provide insights on suspicious transactions and use of online resources to authorities and financial institutions. Similarly, automotive dealers or high-end consumer credit brokers can share consumer spend information to help alert the authorities and banks of potential money laundering.
The same sophisticated tools, technologies, and techniques that make financial criminals formidable adversaries for organizations can be repositioned to fight crime. But companies first need to ensure that the basics are in place—that is, they have defined specific and concise goals, are working collaboratively across silos, and sharing relevant data and information safely with external parties. These foundational practices can put organizations in prime position to explore the full potential of 4IR technologies in combating financial crime.
The same sophisticated tools, technologies, and techniques that make financial criminals formidable adversaries for organizations can be repositioned to fight crime.
With 4IR technologies, data can be organized, shared, and analyzed in the cloud more easily. Specifically, organizations can fuse data across cyber, fraud, and anti–money laundering functions into a single data set—and interrogate the information through more sophisticated means than traditional rule sets. By combining this data with AI and predictive analytics, organizations can safeguard highly targeted information and alert teams to high-risk scenarios through the following data capture and analysis methods:
Each of the methods mentioned above employs a structured modeling technique to identify criminal behavior. That is, a human informs the model what good-versus-bad behavior looks like. Other techniques such as machine learning can elevate these approaches to a new level of sophistication—and analyze the digital entity's fingerprinting, session monitoring, and behavioral biometrics data in concert. Machine learning is an iterative process that employs a variety of complex algorithms to analyze data patterns; further, it typically adjusts its predictions based on new data and information that enters into the system.
With unsupervised modeling (that is, modeling techniques that draw conclusions without human intervention), machine learning can identify unique groups of behavior that may indicate some form of financial crime. These same groups can then be entered into more structured machine learning approaches to score and assess the likelihood of improper behavior. For instance, various platforms are coming to market that employ machine learning to analyze transactions from a consortium of thousands of e-commerce websites to defend against online fraud and abuse.18 Each time a potential fraudster initiates an activity on one of their partnering websites, a fraud score is updated and shared across the consortium.
Encouragingly, these techniques are growing in popularity. One study suggests that by 2021, 72 percent of organizations will employ automated monitoring and anomaly detection, and 50 percent will rely on predictive analytics and advanced modeling techniques to combat financial crime.19 As more and more organizations adopt advanced technologies to combat crime, the pressure is expected to mount on those still relying on outdated crime monitoring systems to change as they will likely become relatively easier targets for cybercriminals.
Whether you operate in the financial industry or not, increased digital connectivity is making combating financial crime a universal problem. To forge your own organizational path to defend against bad actors, your leadership team should consider implementing the following advice:
Rome wasn’t built in a day. An organization has a considerable number of moving parts across governance, culture, people, process, technology, and data. However, it isn’t necessary to accomplish everything in a single seismic shift. Starting with specific goals, consider seeking opportunities for internal fusion at a smaller scale. Within your organization, that could mean looking to areas where skill sets, core processes, enabling technologies, and mutual data synergies exist. Increasingly, cyber offers opportunities to connect with physical security and fraud departments. Bringing these teams together, even just through closer collaboration, can help improve their respective effectiveness and operational efficiencies.
Know thyself. It is a strategic imperative to build a comprehensive, current, and accurate knowledge base of your business value chains and the critical assets that enable a business to function. This represents your organization’s attack surface and, therefore, the potential opportunities for an adversary to steal, manipulate, or disrupt your key systems, people, data, and workflows. This attack surface also extends through to your larger business ecosystem (including your customers, supply chain, and industry peers).
Know thy enemy. Seek out credible intelligence on adversaries and triangulate this information across multiple sources. Strategic advisory groups, external data-sharing platforms, and a consortium of peers can help your organization build a better understanding of who, how, and why a criminal group might attack your business.
Plan for the worst, hope for the best. Analytically based intelligence and empirical data makes it possible to prioritize preventative countermeasures—and measure their efficacy. By building a comprehensive map of scenarios mapped to controls, it becomes easier to identify commonalities and redundancies, and therefore, improve consistency of coverage and realize operational efficiencies.
Drill your defense strategies. Rehearsing predicted scenarios and plans to prevent, detect, and respond to attacks can create opportunities to challenge old assumptions and refine solutions. By socializing these learnings, businesses can raise awareness on new threats and cultivate a culture that supports core goals and objectives.
Seek out credible intelligence on adversaries and triangulate this information across multiple sources.
By taking the above steps, organizations can proactively build an ecosystem of security to match—and possibly eventually exceed—the criminal elements they are charged with thwarting.