28 April 2006

Bank Fraud | Chicken Little | Las Vegas. Learn the Connection...

The quest to tame bank fraud and money laundering is upon us. The OCC and other reg agencies in the US are finding the needles in the haystack. This latest Money Laundering Terrorist Connection is only the first of many such investigations:

The brother of a man suspected of ties to the al-Qaida terrorist group has been arrested in Utah and indicted on charges of loan fraud and money laundering. The question that federal authorities are trying to answer is whether Sharif Omar funneled some of that money to support terrorist activities. Omar is the brother of Shawqi Omar, who is being investigated for ties to al-Qaida in Iraq.

"We do have some indications of where the money went," said Greg Bretzing, a special agent with the FBI's Joint Terrorism Task Force in Utah. "We know some went to Jordan overseas and a lot went to personal accounts. What exactly it was spent on or what happened to it overseas is still under investigation."

And if that is not all the bankers have to worry about. International Phishing is gaining momentum:

The number of phishing attacks targeting non-English speaking financial institutions is on the rise.

Attacks targeting countries outside the English-speaking world now represents almost 40 per cent of worldwide phishing targets, according to data processed by RSA Security's Anti-Fraud Command Centre. RSA said it has shut down more than 10,000 phishing attacks hosted in 70 different countries.
Click here to find out more!

The primary phishing targets worldwide still remain English speaking countries such as the US and the UK, followed by Australia and Canada. The United States alone accounts for approximately half of fraudulent email attacks. Over the last six months or so there's been an upswing in attacks targeting European countries, including Spain, Germany and Italy, as well as the Netherlands, Scandinavia and France.

What is the answer to mitigating these Operational Risks in your institution? Look no further than the line items in the budget for safety, security and continuity of your next fiscal year. After the last three days at the GovSec|U.S. Law Enforcement| Ready Conference I'm convinced that the likes of people who are technology experts from firms like Akamai, Asst. Deputy's and former operators of 3 Letter agencies along with hundreds of other small business vendors for Homeland Security solutions have the same play book. It's titled: Chicken Little. Because the sky is falling. Every once in awhile it would be refreshing to see and hear a presentation about risk, security, safety and business continuity when the speaker is not talking about or yelling about how the "Sky is Falling" and the money isn't there to fix the problems.

Why is it that the people who are doing all of the presentations and speaking are from non-profits, government or lobby shops in DC? They are the people the private sector pays to get influence for their projects in Congress and they have to make sure they keep getting the funding to keep up their campaigns.

Bank fraud and Phishing will not ever be solved with more money from the US Treasury or any other countries reserves but it doesn't hurt to ear mark a percentage of revenues to fund the budget for safety, security and continuity of operations. If only some companies would behave like the pinnacle of publicly traded, high target and continuously operating organizations known on the planet as Las Vegas Casino Hotels.

For a real look into what the banks and other institutions, either public or private need to do to mitigate risk, protect assets and keep the enterprise safe, secure and operating 24/7 and 365 days a year, see InfraGard Nations Capital Members Alliance

24 April 2006

AML & Data Theft: Risks to International Banks and Domestic Universities...

If you are a parent of a son or daughter at an institution of higher learning, this is a notice that makes you shake your head in disappointment. And if you are Chief Information Security Officer at University of Texas - McCombs you wonder how this could happen again?

Unauthorized Access of Computer Records Discovered at The University of Texas at Austin

AUSTIN, Texas –The University of Texas at Austin officials announced today (April 23) that an unknown person or persons has gained entry to the McCombs School of Business computers and gained unauthorized access to a large number of McCombs’ electronic records.

“It is our highest priority to notify those who may be affected by this security breach,” said university President William Powers Jr. “We have notified the attorney general and his Internet enforcement unit and are doing everything we can to protect those whose information has been accessed unlawfully.”

The security violation was discovered late Friday, April 21, and the university has devoted all available resources to identify the extent and source of the breach. Some of an estimated 197,000 records were accessed.

An investigation has determined that information from the business school’s computer system was obtained as early as April 11, including some Social Security numbers and possibly other biographical data, including those of alumni, faculty, staff and current and prospective students of the business school as well as corporate recruiters.

Even though the transnational nature of data theft is a major financial concern for law enforcement, the banking community and those potential consumers impacted at this university, there are other priorities that may be of greater risk to US financial institutions. Money Laundering and the enforcement of the Bank Secrecy Act (BSA) is a continued United States Treasury priority along with the Office of the Comptroller of Currency (OCC).

Metropolitan Bank & Trust is one of the latest institutions to be penalized for violations of BSA.

An examination of Metrobank by the Office of the Comptroller of the Currency found deficiencies in Metrobank's anti-money laundering program, revealing that Metrobank had failed to implement an adequate system of internal controls to ensure compliance with the Bank Secrecy Act and manage the risks of money laundering involving funds transfers. The examination also revealed that Metrobank had failed to conduct adequate independent testing to allow for the timely identification and correction of Bank Secrecy Act compliance failures. These failures in internal controls and independent testing led, in turn, to failures by Metrobank to identify and report suspicious transactions in a timely manner. The failures of Metrobank to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were

Metrobank and Metro Remittance handle large volumes of funds transfers involving the Philippines and, since September 2003, the People's Republic of China. The volume of funds transfers to the Philippines in 2003 was 162,000 transactions totaling $208 million. Prior to February 11,2005, the Philippines was included in the list of Non-Cooperative Countries or Territories designated by the Financial Action Task Force on Money Laundering.

While this civil penalty will result in a fine of only $150,000., you could predict that the cost will be much higher. A system implemented to assist with due diligence installed in 2003 has not been effective and the use of manual controls is the source of much of the banks failures in a fully compliant Anti-Money Laundering (AML) program. The passage of the USA PATRIOT Act, after the terrorist attacks of September 11, 2001, has placed greater emphasis on AML issues. Increased scrutiny of potential laundering, and stringent requirements placed on institutions to increase their efforts to detect money laundering by terrorist groups, reinforces the importance of the need for certified professionals who protect institutions from potentially devastating laundering crimes.

The lack of oversight by banking institutions or universities comes back to a single aspect of Operational Risk Management. Without a framework for managing risk of all kinds and having an effective system for continuous risk monitoring, you are setting yourself up for a major loss.

21 April 2006

Mechanisms for Continuous Risk Monitoring...

Today Freddie Mac announced their settlement with shareholders. 410 Million Reasons why they have now hired a SVP of Enterprise Operational Risk Management.

Freddie Mac's New Chief of OPS Risk is now in a great position even though the SEC and the Justice Department are still a pair of "External Events" that could continue to be an issue.

WASHINGTON (MarketWatch) -- Gareth Davies, a veteran of nearly 20 years with General Electric (GE), will be joining Freddie Mac (FRE) April 24 as senior vice president, enterprise operational risk.

A native of Wales, Davies joined General Electric in London in 1987. Most recently, he served as vice president and chief risk officer for GE Asset Management. Davies will report to Anurag Saksena, SVP and chief enterprise risk officer. For the past five years, Davies has served as vice president and chief risk officer for GE Asset Management, where he developed both a risk framework and an operational risk structure. Additionally, he developed an in-house system to automate operational risk reporting.

One of the systemic problems at large institutions including organizations like Freddie Mac is keeping your finger on the pulse of "Risk Indicators". Unfortunately for SVP's and other executives in the corporate hierarchy, your middle managers are creating the layer that impedes the best Early Warning System you have at your disposal. When problems surface on the front line or in the "Cube City" down in Information Systems the normal agenda is for the employee to go to their direct supervisor to raise the "Red Flag" or disclose the incident. And the first behavioral response by the Middle Manager is to keep it quiet. Fix it before anyone else finds out. Keep it under wraps until damage control can be implemented.

When you are the head of Enterprise Risk Management, you need mechanisms to bypass and eradicate the barrier holding your intelligence, incidents and overall hunches for ransom. There is no magic system or process that will solve it all. The only way to attempt at breaking through this layer of social and organizational dysfunction is to circumvent it.

A continuous risk monitoring system has to be implemented and operating anonymously 24/7 if the upper echelons of executive management are ever going to "Feel the Pulse" of risk hotspots in the company. These hotspots translate into "Risk Indicators" from the sources themselves, people who know what's going wrong and know the truth. A Continuous Risk Monitoring System (CRMS) is an automated human feedback and problem identification mechanism for detecting risks. It allows leaders of large organizations to quickly identify problems and incidents of all kinds in their company. Call it a sophisticated whistle-blower system or suggestion box but that is exactly what it is, on steroids.

The ideal system would emulate communication patterns in small groups which is often a major ingredient in successful teams. It would also run on the existing computers and networks of the organization or from home by logging in via a VPN. The soldiers on the front line know what is going on far sooner than the commanders in the Joint Operations Center just as the employee or supplier does and they need a way to communicate the issue, concern or threat in a rapid and efficient manner. The system provides the executives with instant or trend based intel that is actionable. It provides the "Insight" as well as the pertinent facts that you need to make quick effective decisions.

Think about how long it takes for data and information to percolate and bubble up from the places in your organization that are considered "Current Risk Hot Spots". How many times do you kick yourself for not shooting the messenger. The point is that for far too long we have been playing the old telephone game. You know, the one that you played as a kid sitting around the kitchen table or on the floor in a circle. One person starts and whispers into the ear of the person to their right. Just a sentence or two. By the time the message gets around to the 3rd or 4th person, now the data is dramatically different than the original. It's been interpreted, edited and sanitized.

Walk down and visit the person who is in charge of the electronic suggestion box or whistle-blower program at your insitution. Ask them for an activity log. Ask yourself how you could get this mechanism to perform better and then work with your front line to develop something that middle management can't filter, change or delete. That is when you will be on your way to getting the real story, in real time.

19 April 2006

The Next Wave of Operational Risk Innovation...

Today, if you are reading this blog you may have found your way here from Yahoo like tens of thousands of others have. Or maybe from another source on the web. However, when you search for Operational Risk Management at Yahoo, you get This Blog at the top of the first page of search results. Try searching on the same exact terms on Google, and the blog doesn't make the cut for the first page of search results. When you are searching for relevant information on "Operational Risk Management" (ORM), it's always important to look in more than one place and use more than one search engine. That's just life on the Internet in this age of paid advertising and mathmatical decisions on who deserves the top spots on search results.

Several years ago, there where only a few people who really had any idea what Operational Risk was all about. The US Navy / Marine Corps for one. They know that the work they performed was full of hazards and risk. If they didn't do something to systematically reduce operational risks in every process they performed or mission they executed, they knew that more people might be injured or die.

And what is the Navy's definition of ORM:

ORM is a decision making tool- used by people at all levels to increase operational effectiveness by anticipating hazards and reducing the potential for loss, thereby increasing the probability of a successful mission.

ORM is an effective tool for maintaining readiness in peacetime and success in combat because it helps conserve assets so they can be applied at the decisive time and place.

Applying the ORM process will reduce mishaps, lower injury and property damage costs, provide for more effective use of resources, improve training realism and effectiveness, and improve readiness.

At the same time, you have the Global Financial community wrestling with something called Basle:

The Basle Committee on Banking supervision has recently initiated work related to operational risk. Managing such risk is becoming an important feature of sound risk management practice in modern financial markets. The most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interests of the bank to be compromised in some other way, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems or events such as major fires or other disasters.

The prudent Risk Manager today can see the similarities in what the US Marines and the Bankers are trying to accomplish. The good news is that the convergence of what the military has known for years and the knowledge that the bankers have gained from having their institutions fail, provides us with a vast foundation to begin the next wave of innovation.

The innovations surrounding Operational Risk Management are upon us. Now it's our duty as practitioners to "Walk the Talk" and to "Practice What We Preach". Get busy!

16 April 2006

The Speed of Loss in the Connected Economy...

Operational risks are also becoming more important in the large, complex financial institution as more technology and automated processes are used in all areas of operations. When banks used manual processes, errors were confined to the limited area where the employee worked. But in a modern technology setting, factors such as breakdowns in controls, errors in software code, and processing stream interruptions can have enterprisewide effects on the performance of the organization.

Recent history provides us with ample evidence that operational risk can be significant. Large financial institutions have reported operational losses from breakdowns in operating controls that, in some cases, have exceeded their credit- or market-related losses. In the area of legal risk, for example, many institutions have learned that failing to identify and promptly correct problems can result in losses that significantly exceed management's initial expectations. Over the past decade, large financial institutions have experienced more than 100 operational loss events in excess of $100 million each; some of these individual operational losses, resulting from fraud, rogue trading, and settlements stemming from questionable business practices, have exceeded $1 billion.

These remarks by Ms Susan Schmidt Bies, Member of the Board of Governors of the US Federal Reserve System, at the OpRisk USA 2006 Conference reflect a growing emphasis on Operational Risk. This focus translates to a greater regulatory attention to the quality of data that institutions are utilizing for their calculations.

The level of data quality has been a management challenge for decades. The speed of change in the connected economy has created an even larger tempest for institutions to grasp. The physical and logistical problems associated with moving, archiving and retrieval is only part of the data puzzle. As Ms. Schmidt Bies has so clearly concluded, the simple fact that "Automation" creates an even larger field of risk to monitor, provides an even greater opportunity for failure. The absence of data doesn't decrease the amount of risk. What risks should we focus on? The normal and expected risks from external data, or the unexpected risks that have been encountered before.

If you think about the places where the velocity of data is the greatest, then you have a place to begin. The processes and business functions associated with traditional annual financial audits and other external data give us a known history of loss events that need continuous scrutiny. However, it is those key risk indicators (KRI's) in places where the insitutions knowledge of the root operational risk causes combines with little or no history of losses that remains the nexus for concern.

Thinking beyond the current horizon is where the focus should be on active risk management scenarios.

12 April 2006

CRO Strategy: Balancing Risk Across Functions...

RiskCenter (04/04/06) ; Kloman, H. Felix
At a recent Global Association of Risk Professionals (GARP) conference in New York, risk managers highlighted the importance of accurate data being provided to the appropriate decision makers in order to make the best decisions for a given situation, and risk managers also noted that they needed to be independent and objective at all times. Risk management tasks should not be absorbed by finance, accounting, or compliance functions, according to experts, because balance is needed between those functions and the risk managers' function as an educated "fortune-teller."

Chief risk officers (CRO), for instance, should be familiar enough with operational functions, while still remaining outside the internal politics of those functions, allowing them to make educated and objective decisions. Panelists at the conference touched upon the learning experiences they had from risk management mistakes and how they turned those mistakes into opportunities for their firms. For risk managers in the banking sector, Basel II is the latest challenge, especially when it comes to allying risks with capital holdings and the disclosure of how those calculations and decisions were made.

CRO's today are coming from more diverse backgrounds than from years past where they may have lived most of their careers in Finance or Internal Audit. Educated fortune tellers are a thing of the past as new tools, systems and sensors provide the modern CRO with new insight. As new tools are introduced to financial institutions to assist them with creating and mining loss event data, the regulators will be watching. What methodology and frameworks are acceptable? What process was utilized for critical calculations?

Lenders that are not banks or owned by banks--and therefore not subject to FDIC rules--are regulated by states. With the growth of these aggressive and potentially deceptive lending practices, state regulators have come under pressure to issue new rules or guidance to ensure that these "exotic loans" do not continue unchecked.

A Chief Risk Officer needs to be active with both state and national associations to keep in touch with the guidance that may be forthcoming.

10 April 2006

Coaching to Mitigate Risks on the Front Line...

HR Troubles are growing in the corporate ranks.

New and various studies reveal that unethical activity continues to occur in the private sector, even while SOX watch dogs are in place and whistle blowers are amoung us. Studies also suggest that large investments in compliance programs have had little impact. Indeed, 16 percent of HR professionals say they have quit their jobs for ethical reasons, according to a 2005 survey by SHRM, the top five ethical lapses given for resigning are:

Lying by management

Title VII violations

The falsification of reports and records

Employee privacy violations

Employees committing fraud

It's not surprising that these compliance programs may be having trouble getting the human behaviors to change. Coaching employees on a regular and consistent basis is far more effective than a one-time class upon hire. Management behavior is the litmus test on whether the culture of an organization could have the potential to become more ethical.

The enforcement of ethical and legal issues is often left up to corporate human resources (HR) departments, when it should be handled daily by front line managers. This is where the behavior or incident is observed in real-time and has the most credibility for making a coaching or serious discussion successful.

06 April 2006

Phishing: Why it Works and What is Next...

If you have ever wondered Why Phishing Works, you need to read this article by Rachna Dhamija at Harvard University, J. D. Tygar, and Marti Hearst from UC Berkeley.

What makes a web site credible? This question has been addressed extensively by researchers in computer-human interaction. This paper examines a twist on this question:

What makes a bogus website credible?
In the last two years, Internet users have seen the rapid expansion of a scourge on the Internet: phishing, the practice of directing users to fraudulent web sites. This question raises fascinating questions for user interface designers, because both phishers and anti-phishers do battle in user interface space. Successful phishers must not only present a high credibility web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in web browsers.

The phishers are very good and spoofing financial services web sites to the tune of more than 2 million users being fooled last year alone. The web site designers are doing their best to create a site that is so sophisticated in it's look that it is more difficult to replicate on a fraudulent site and URL. The point is, we as consumers are always being asked for information only we would know, or information that we have to authenticate ourselves.

Why can't we turn this problem upside down? Why can't I authenticate the banks web site by asking the bank for a piece of information that only they have or would know the answer to? Some tools and technologies already exist to help with this upside down thinking. Bank of America is using SiteKey, that retrieves a graphical image from it's database, one that I have personally picked and no one else "should" be able to replicate. The answers are on the way.

Chris Young
Senior Vice President and General Manager, Consumer Solutions Division
RSA Security

As senior vice president of the Consumer Division at RSA Security, Christopher Young is responsible for driving the company’s consumer identity protection strategy, including the delivery of RSA® Authentication Service to provide simple and secure layered and two-factor authentication to all online users.

Cyota FraudAction Service is just one example of some new and exciting anti-fraud solutions on the way.

03 April 2006

Partnership for Protection...

Are your research and development secrets protected and safe? Do you have a counterintelligence program operating in concert with your own Information Security strategy? Economic Espionage is a growing concern and a top priority at many US-based global organizations. Who do you know personally that can help you and your organization deter, detect, and defend against potential attacks on your intellectual assets?

As the lead counterintelligence agency within the United States Intelligence Community, the FBI has the principal authority to conduct and coordinate counterintelligence investigations and operations within the United States. The FBI is the only federal agency with a mandate to investigate foreign counterintelligence cases within US borders. Specially trained FBI counterintelligence experts monitor and neutralize foreign intelligence operations against the United States and investigate violations of federal laws against espionage, misuse of classified data, and other criminal matters relating to national security issues. The counterintelligence program is also involved in international terrorism threats, weapons of mass destruction threats, and attacks on the nation's critical infrastructures (i.e., communications, banking systems, and transportation systems). Supported by other US agencies as needed, the FBI also conducts espionage investigations anywhere in the world when the subject of the investigation is a US citizen. The FBI's counterintelligence program strives to be predictive and proactive and to maintain a protective umbrella around the nation's critical technology, infrastructure, and information.

Those formulas, algorithms and new break through products in beta testing are vulnerable from a barrage of social engineering and sophisticated attack tools. The employees, suppliers and contractors operating in and around the perimeter of your organization represent the audience for your next tactical awareness program. However, that is only the "tip of the iceberg" when it comes to your complete counterintelligence strategy. How do you keep a consistent and pervasive mechanism in place to ensure that your greatest vulnerabilities and most valuable secrets are safe and secure?

If you ever find yourself having a conversation about the fact that your "source code" is now posted on the Internet or that a new competitor has just emerged with a very similar product as your own, then maybe the denial phase is now over. The reality phase is kicking in and you now understand that you now need a more robust management system for all employees to learn and practice. Something that they can utilize in conjunction with your most valuable suppliers and contractors.

The answer begins with a phone call to your local Community Outreach Coordinator at one of 56 locations. They will be able to help you create the kind of education and program strategy to make sure that your organization is not a target of corporate sabotage or economic espionage.

The rewards that your employees receive go far beyond the workplace and into their local cul-de-sac or apartment complex. Raising peoples awareness about what has happened in the past and could happen in the future, is every leaders responsibility.