Showing posts with label FCRA.

29 June 2014

Trust Decisions: The Risk of a Digital Supply Chain...

Are you a business that is operating internationally?  What components of Operational Risk Management (ORM) currently intersect with your international business operations?  The safety and security of your employees who travel into countries with unstable political elements are no doubt of immediate concern.  There may even be a heightened sensitivity about whom your international business executives are meeting, and about the tremendous U.S. rule-base associated with OFAC, as one example.

Fortune 500 organizations are all too familiar with these concerns, as major players in international business. The Chief Security Officers (CSO) and other key executives charged with the safety, security and integrity of employees, are focused on those who are traveling and meeting across the globe.  This is considered ORM 101.  This facet of ORM is quite mature and familiar to the Board of Directors who are charged with the Enterprise Risk Management (ERM) of the company.

What is growing more pervasive, and continues to plague organizations doing business internationally, is the risk of a Digital Supply Chain: trusted information and the confidentiality, integrity and assurance of data.  The "Genie" is out of the bottle, and even the most mature and risk-averse global organizations are continuously barraged by sudden incidents that affect the privacy and security of information.

Here is a recent example:
After a public comment period, the Federal Trade Commission has approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor.
The FTC previously announced the settlements in January, February and May of 2014 with the following companies: 
Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.
So what is the real underlying issue here?  It is about "Trust Decisions".

These organizations were representing themselves as compliant with a U.S.-EU framework designed and established to protect their constituents, under the jurisdiction of the Federal Trade Commission (FTC).  The decision by an individual or business to trust these organizations, based on the perception that they are in compliance with a framework for privacy and security, is what is really at issue.

How often have you made a "Trust Decision" based upon your knowledge that a business is displaying an official seal, mark or sign that your information is safe and secure?  There are dozens of high-profile companies operating across the globe that are in the business of selling "Trust": Symantec, TRUSTe and GeoTrust, to name a few.  The reason that a business buys one of these trusted seals or marks is that it wants to increase its perception of trust with the consumer or business it is transacting with.

The business wants to display that it is compliant with the particular laws or rules associated with its industry or country.  It wants to create a sense of business assurance, or peace of mind, for the buyer of its products or services.  When you use one of these seals to assist in making an affirmative "Trust Decision" based upon the display of a badge, mark, sign or even a special symbol or color, you as the consumer still assume the unknown risks.  So what?

So how many consumers on a daily basis do you think visit this web site to get their free annual credit report?  https://www.annualcreditreport.com/index.action

This is the official web site advocated by the U.S. Federal Trade Commission (FTC) for consumers to get a free annual credit report in compliance with the Fair Credit Reporting Act (FCRA).  When you visit this site, you see that the address bar displays a green padlock and the https: prefix, indicating that the site is using secure protocols to transmit your Personal Identifiable Information (PII).  Or is it?

When you test the Annual Credit Report web site with an SSL security test service, run online by Qualys SSL Labs at https://www.ssllabs.com/ssltest/, this is their rating on the security of AnnualCreditReport.com as of 6/28/14.


Overall Rating: F
Certificate: 100
Protocol Support: 0
Key Exchange: 80
Cipher Strength: 90

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server is not vulnerable to the Heartbleed attack.
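As an added example (not part of the original post), the following Python models how a letter grade of this kind is derived from the four category scores above, and why the numeric score and the final grade can disagree. The weights, the letter thresholds and the post-remediation inputs are my assumptions; the override rules are the ones the report itself states.

```python
"""Added example: derive an SSL Labs style letter grade from category scores.

The weights (protocol 30%, key exchange 30%, cipher strength 40%) and the
letter thresholds (A >= 80, B >= 65, C >= 50, D >= 35, E >= 20) follow the
SSL Labs Server Rating Guide as I recall it; treat them as assumptions.
The override rules are the ones the report on this page states: SSL 2
support sets the grade to F, and a server without TLS 1.2 is capped at B.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsFindings:
    """Category scores (0-100) plus the flags the report comments on."""
    certificate: int
    protocol_support: int
    key_exchange: int
    cipher_strength: int
    supports_ssl2: bool
    supports_tls12: bool
    forward_secrecy: bool  # with the reference browsers


LETTER_THRESHOLDS = (("A", 80), ("B", 65), ("C", 50), ("D", 35), ("E", 20))
LETTER_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}


def numeric_score(f: TlsFindings) -> int:
    """Weighted score; integer arithmetic avoids float rounding surprises."""
    return (30 * f.protocol_support + 30 * f.key_exchange
            + 40 * f.cipher_strength) // 100


def letter_from_score(score: int) -> str:
    """Map the weighted score to a letter before any override is applied."""
    for letter, floor in LETTER_THRESHOLDS:
        if score >= floor:
            return letter
    return "F"


def grade(f: TlsFindings) -> tuple[str, int, list[str]]:
    """Return (final letter, numeric score, notes explaining any override)."""
    notes: list[str] = []
    score = numeric_score(f)
    letter = letter_from_score(score)
    if not f.forward_secrecy:
        notes.append("no Forward Secrecy with the reference browsers "
                     "(reported, not graded here)")
    if not f.supports_tls12:
        notes.append("TLS 1.2 not supported: grade capped to B")
        if LETTER_RANK[letter] > LETTER_RANK["B"]:
            letter = "B"
    if f.supports_ssl2:
        notes.append("SSL 2 supported (obsolete and insecure): grade set to F")
        letter = "F"
    return letter, score, notes


# As reported on this page for AnnualCreditReport.com, 6/28/14.
PAGE_REPORT = TlsFindings(100, 0, 80, 90, supports_ssl2=True,
                          supports_tls12=False, forward_secrecy=False)
# Constructed: the same server after SSL 2 is disabled (assumed protocol score 80).
AFTER_DROPPING_SSL2 = TlsFindings(100, 80, 80, 90, supports_ssl2=False,
                                  supports_tls12=False, forward_secrecy=False)
# Constructed: TLS 1.2 enabled and ephemeral key exchange preferred (assumed 90).
AFTER_ENABLING_TLS12 = TlsFindings(100, 90, 80, 90, supports_ssl2=False,
                                   supports_tls12=True, forward_secrecy=True)

if __name__ == "__main__":
    for name, f in [("as reported", PAGE_REPORT),
                    ("after dropping SSL 2", AFTER_DROPPING_SSL2),
                    ("after enabling TLS 1.2", AFTER_ENABLING_TLS12)]:
        letter, score, notes = grade(f)
        print(f"{name}: {letter} (weighted score {score})")
        for note in notes:
            print("  -", note)
```

The weighted score of 60 would have earned a C on its own; the SSL 2 override is what produces the F, and disabling SSL 2 alone still leaves the grade capped at B until TLS 1.2 is enabled.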

Q: What information do I need to provide to get my free report? 
A: You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.
On a daily basis, humans are subjected to signs, marks, badges and other indicators that help them make more informed affirmative "Trust Decisions", whether it is the "Green Light" at the local intersection or the "Green Padlock" on the web site where we are being asked to give up our Personal Identifiable Information (PII).  The regulatory and private entities that are tasked with ensuring that the signs, marks, badges and even colors are in compliance must also look to their own level of trust in their Digital Supply Chain.

This is just one glaring example of why "Trust Decisions" are so vital to online global e-commerce.  It is also a wake-up call for any organization that advocates trust by using a digital third party that the consumer relies on every day.  The FTC and other government agencies rely on private sector companies to assist them with outsourced services such as hosting AnnualCreditReport.com.  The site is hosted by:

IP Location: United States - Massachusetts - Cambridge - Akamai Technologies Inc.

How confident are you that your organization's digital supply chain is ensuring safe and secure "Trust Decisions" for your customers?

22 January 2011

Digital Paradox: Privacy v. Security...

The media communications and advertising industries are buzzing over the new U.S. Federal Trade Commission report and framework entitled "Protecting Consumer Privacy in an Era of Rapid Change". The Operational Risk Management implications for your enterprise could be significant if you do not currently understand how your marketing department provides disclosures or manages collected consumer data. If you think that you are protected because you outsource to a third party, then think again. The power of the consumer is increasing and the data privacy laws are playing a quick game of catch-up on regulation:

Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

With 500 million plus people self-profiling on Facebook these days, you might wonder if they ever truly think about their privacy. See Controlling How You Share, Facebook
A variety of business models involve practices that fall outside the proposed “commonly accepted practices” category. These include, for example, a retailer collecting purchase information directly from a consumer and then selling it to a data broker or other third party that may be unknown to the consumer. Other examples include online behavioral advertising, in which an online publisher allows third parties to collect data about consumers’ use of the website, as well as social media services, where the service or platform provider allows third party applications to collect data about a consumer’s use of the service. In addition, as noted above, using deep packet inspection to create marketing profiles of consumers would not be a commonly accepted practice.

The new framework and panel discussions have focused on the Operational Risks associated with collecting, storing and sharing data on consumers. The regulatory changes going forward, intended to assist consumer protections and disclosures, may not have much impact on whether consumers' "Personal Identifiable Information" (PII) is disclosed to nefarious transnational criminal syndicates without their permission.

If you are a U.S. government or military employee, you may have received notice lately from your PenFed Credit Union that you too may have your PII in the hands of people who will use it for monetary gain. The continuous loss of data by institutions has now been verified as just another criminal business enterprise run by organized crime and, in many cases, sanctioned by nation states. The data protection and data theft game is the modern equivalent of bank robbery, yet it moves at the speed of electrons across fiber optic networks worldwide.

And now that this accelerating consumer issue of cybersecurity has made its way to The White House, one can only wonder what may change. The cost to business is now $204.00 per record, according to well-respected research by the Ponemon Institute. The MOU between DHS, the Department of Commerce and the Financial Services Sector Coordinating Council (FSSCC) remains the window dressing on another unfunded effort to deter the cyber plague before us.

There is no shortage of people reporting on the breaches (this blog included), the hacks and the data leakage via employees using Peer 2 Peer file sharing software within the walls of their Fortune 500 company or government agency. Some of the people disclosing the information are doing it with ulterior motives and rarely try to offer a potential solution to the problem.

So what can a PenFed or a major U.S. Government agency do to stem the tide of the growing digital tsunami of data thefts, transnational economic crime and acts of espionage? There is no single solution, nor is there ever going to be a day when it all comes to an end. Which brings us to the mindset shift that is necessary to make a difference.

The Security vs. Privacy legal topic is somewhere in the mix of the solution. The education of our digital natives at a young age is another. Many kids can type with their thumbs better than they can write a legible letter to their grandmother. And finally, the implementation of new technologies that will enable law enforcement to do their jobs more effectively.

Now back to the mindset shift. Cecilia Kang of the Washington Post reports:

As the United States looks at ways to better protect Internet users’ privacy, Europe is going through its own update of online privacy rules. The 27-nation European Union is taking a more aggressive approach to privacy by setting higher bars for how data can be collected on Web users.

European laws prohibit Web sites from tracking users without their permission. The E.U. is also weighing legislation that would let users delete all their information from a Web site, such as Facebook, and transfer data from one wireless provider to another without leaving profiles behind.

Viviane Reding, the vice president of the E.U. Justice Commission and head of privacy regulation, visited The Post on Wednesday to talk about her approach to protecting users in the age of Internet over-sharing. On Thursday, she is scheduled to meet with U.S. Attorney General Eric Holder to discuss ways the E.U. and U.S. can cooperate on safeguarding consumers' personal information, including data on travel and finances. The talks may also touch on the recent disclosure of classified documents by Wikileaks.


15 February 2010

Risk Appetite: Board of Directors Engage...

New management and faces around the Bank of America Board room are taking a new approach to Operational Risk Management. Compliance and other Operational Risk functions are being separated. Most importantly and perhaps a lesson for those institutions that are on the ropes, B of A is pushing the risk management debate from the Board Room to the associates on the front lines.

A Message from Brian Moynihan

Protect Our Company

To my Bank of America teammates:

Bank of America is in the business of taking risk and our goal is to make every good loan and transaction we can within our company’s overall risk appetite. Yet our recent performance demonstrates the need for enhancements. Our management, board and regulators have determined that our risk management practices must improve.

So we have updated our risk framework — or how we manage risk at Bank of America — with the following:

Risk Appetite - The senior team will recommend, and the Board of Directors will approve, an annual risk appetite that establishes how much we are willing to take as a company.

Debate - We’re requiring all associates to openly debate risk related issues…and we’re escalating issues and taking action based on those debates.

Roles - We’ve clarified risk management roles and responsibilities, and all associates will fall into one of three groups, each with specific accountabilities: Line of Business associates, Governance and Control associates (those in Global Risk and our other support groups) or Corporate Audit associates.

Governance - We strengthened the way we oversee risk with new committees at the board and management levels.

Operational Risk - We separated compliance and operational risk functions to have more targeted and focused attention on both.

For those of you who work in a line of business, your job is to serve the clients’ financial needs and to protect the company. You may take only those risks that are within our company’s overall risk appetite as established by the Board of Directors. Senior management will determine the risk appetite for your line of business and will communicate that to you. You will be assessed on your risk-taking results.


Managing risk within the confines of the corporate enterprise goes beyond building awareness of risk appetite among front line associates. It requires the Board of Directors to spend more time on the front lines, embedded in the business lines, to better understand the operational risks that exist in each particular business. As an example, it would seem that in a rush to reduce expenses, call center operations are being moved offshore to India. Offshoring in itself brings to bear a whole new set of risk issues, especially when you are talking about "Call Center Operations."

Interacting with customers on the telephone subjects the caller and the service provider to the exchange of Personally Identifiable Information (PII). New technologies to validate the geographic location of callers are available, and more sophisticated means of verifying that callers are who they say they are are being implemented. Yet what about the people working in the call centers themselves? Whenever you have an outsourced provider in another country taking calls from US consumers and exchanging PII, there are several other operational risks on the table.

Fraud associated with call centers is on the rise and is being facilitated by transnational criminal organizations. There are two primary types of fraud scenarios being perpetrated through call centers:

  • The use of phishing e-mails provides the credentials for a criminal fraudster to log in to your online banking account. However, because of certain online controls and security measures, the fraudster may need to contact the call center for something as simple as a password reset to further the scheme.
  • In another form of phishing e-mail, a consumer is asked to phone a fake 800 number that is routed to a fraudulent call center operation, where the banking customer is then asked for PII, mother's maiden name or other security credentials under the guise of an account problem or other account related issue.


Bank of America and other call center operations have integrated analytics with call centers that are specific only to online banking inquiries. In addition, these integrated call centers should be utilizing the depth of data that exists on consumers in public records, credit and real estate records. Integrating the use of "Visual Analytics" and intelligence-led investigations can provide the institution with the insight and decision advantage to stem the growth of call center fraud across a myriad of industries beyond banking. RSA FraudAction Research Lab has this to say on the subject at hand:

Since the beginning of the year, RSA has uncovered several one-stop-shop call centers in the fraud underground that provide fraudsters with all the tools they need to commit fraud over the phone. These “tools” include:

  • “Professional callers”: fluent in numerous languages, both male and female
  • Caller-ID spoofing
  • Service availability during American and Western European business hours.
These comprehensive criminal services, to which we will refer as “fraudster call centers,” have proliferated in the underground economy over the past year.


As the likes of B of A and other organizations rely on the human factor on the other end of the telephone, the operational risk factors increase dramatically. An interesting question for the Board of Directors is this: When was the last time you visited your call center in "XYZ Country" and sat on the line with one of their offshore operators, listening to consumer calls from the United States? This could be an eye-opening exercise in better understanding Operational Risk Management on the front lines.

25 April 2009

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president and practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel, partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

18 November 2008

Virtual Truth: False Information Risk...

How does "False Information" impact the risk to your organization? Decisions based upon faulty or inaccurate information are at the root of many of history's systemic, catastrophic failures. The Titanic, the Challenger Shuttle and the Three Mile Island nuclear incident can all be attributed to lapses in the integrity of vital information.

Fast forward to the financial crisis and the past decade of consumer credit expansion strategies. What data have you been collecting from US consumers or clients about their personal identifiable information attributes? The Information Age has drawn us into a more dangerous business operating environment, as these digital assets have become another commodity to be sold in an international marketplace to the highest bidder. Are you ready when the federal "Suits" or the local LEOs (Law Enforcement Officers) knock on your door in pursuit of the truth:

The Fair Credit Reporting Act (FCRA) spells out rights for victims of identity theft, as well as responsibilities for businesses. Identity theft victims are entitled to ask businesses for a copy of transaction records — such as applications for credit — relating to the theft of their identity. Indeed, victims can authorize law enforcement officers to get the records or ask that the business send a copy of the records directly to a law enforcement officer. The businesses covered by the law must provide copies of these records, free of charge, within 30 days of receiving the request for them in writing. This means that the law enforcement officials who ask for these records in writing may get them from your business without a subpoena, as long as they have the victim’s authorization.

The financial integrity of your future, as a business and as a consumer, is at stake. Christopher Burns brings this to light in dramatic fashion in his new book, Deadly Decisions:

"First, it is often extremely difficult to validate, corroborate, or verify the information we are dealing with, except by comparing it to the other information we are dealing with. And often the whole system is contaminated by misunderstanding, bad data and false assumptions that are hard to spot. The truth test rarely works. And second, the real issue of truth is not whether you or I should believe this or that, it is what we believe together. The truth that matters is group truth, and where we get into trouble is when a whole organization--a company, a community, a nation--starts to act on information that has been gathered from many sources and processed by many people but has come to contain significant elements that are false."

Beyond the "Red Flags" imposed on business, the LEO community is starting to acquire what it needs for more effective deterrence and enforcement mechanisms. The ID Theft Enforcement and Restitution Act of 2008 is providing prosecutors with the tools to address cyber extortion schemes such as the Express Scripts case:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.


Now the clients themselves are receiving extortion demands directly from the criminal elements behind this latest critical incident. Express Scripts has hired a new Senior Compliance Counsel to start December 1 and one of the Board of Directors has tapped a unit of his former company to provide ID Theft professional services. It looks like they are heading in the right direction.

Trusted Information is at the core of current global trading, business transactions and the fabric of our own personal identities. False information and knowledge is what creates operational risk factors that can change a whole company or the integrity of a whole nation. Systems comprising vast databases of "so called" trusted information are at our fingertips, being utilized to make coherent and effective decisions. Yet what may be the more catastrophic Operational Risk, beyond the simple stealing of information, is the potential opportunity for the destruction of vital information.

The vulnerability of our institutions and the critical infrastructure of the United States economy is ever more at risk of a systemic loss. While our stolen data will continue to be sold to the highest bidder on a global platform for trading, the 4GW "Non-State" actors will change their modus operandi. This is a given.

Trusted Information systems that have certified integrity and the oversight controls to ensure the highest level of virtual truth is the "Holy Grail." The degree to which these same systems include false knowledge is our most complex problem for business and government in the next decade.

03 October 2007

New Risks Require CEO Action: Beyond Awareness...

Here was our favorite question sitting in the room at the National Press Club this week during a "Deja Vu" moment, as the Department of Homeland Security and the Federal Trade Commission kicked-off the 2007 National Cyber Security Awareness Month.

"What demands, mandates or filings might be made on your organization from external organizations - public, private or regulatory - during this kind of disruption? What will your customers expect from you?"

The statistics are getting more attention these days due to the real pandemic of ID Theft and transnational crime syndicates now turning to mechanisms of financial fraud. This has surpassed the drug trade in terms of the revenue potential and the ease of acquiring and accessing our personal identifiable information.

The purpose of this summit, in conjunction with the National Cyber Security Division (NCSD) of DHS, is to examine ways to develop an actionable, sustained national awareness campaign and prevention program to inform Federal, State and local government, educational institutions and small business users. The focus continues on protection of key resources, critical infrastructure and personal sensitive information and identities from man-made and natural threats.

The presentation that was most refreshing and relevant was from the Honorable Deborah Platt Majoras, Chairman, Federal Trade Commission. She highlighted some of the recent enforcement actions and the continued emphasis on businesses protecting their reputations by staying out of the popular press. These remarks by Betsy Broder, Assistant Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, at an event last month further address the growing concern that businesses adequately protect consumers' information:

Law Enforcement on Data Security
"One important way to keep sensitive information out of the hands of identity thieves is by ensuring that those who maintain such information adequately protect it. To further that goal, the Commission brings law enforcement actions against businesses that fail to implement reasonable security measures to protect sensitive consumer data. Public awareness of, and concerns about, data security continue at a high level as reports about breaches of sensitive personal information proliferate."

The awareness agenda continues because we are still a long way from getting the public and Small and Medium Enterprises to recognize the fiduciary duty they have to their customers. Even the web site OnguardOnline, produced by the consortium of government agencies working together to fight cyber crime and improve awareness, still has not found all of the answers.

The Business Roundtable's new publication, "New Risks Require CEO Action", has been well received due to the greater reliance on the Internet for Business Operations. Here are a few of the most important questions that CEOs can ask:

1. Have we considered the dependence of our vendors and supply chain on the Internet?

2. What degree of consumer confidence in our data, services or products may be affected by a disruption of the Internet or corruption of data and services that are dependent on the Internet?

3. Have we set in motion a strategy for attaining early warning information to better protect our customers and corporate assets as well as our suppliers and partners?

The World Economic Forum estimates a 10 to 20 percent probability of a breakdown of the critical information infrastructure in the next 10 years - one of the most likely risks it studied. Additionally, it estimates the global economic cost at $250 Billion, one of the largest cost estimates of the risks examined.


19 June 2007

FACTA: The Writing is on the Wall...

Now that the financial community is wiping its brow with a sigh of relief over this latest Supreme Court ruling, what can a General Counsel or Chief Risk Officer expect? Will the adversarial train of plaintiff suits slow down and come to a halt? Not likely.

The U.S. Supreme Court's ruling that blocks investors from suing Wall Street investment banks under antitrust laws could save Wall Street firms a bundle by limiting investors to smaller recoveries.

In a case dating back to the dot-com bubble, the high court ruled Monday that antitrust suits would pose a "substantial risk" to the securities market. Damages in antitrust cases are tripled, in contrast to penalties under the securities laws.

The ruling struck down a lower court decision that would have allowed investors to go after Wall Street firms that they say engaged in anticompetitive practices by conspiring to drive up prices on about 900 newly issued stocks in the late 1990s.

Because the well-documented implosion of names like Enron Corp. swallowed any serious money that investors might hope to recover from that and other flame-outs, some investors have turned to the banks and other Wall Street regulars such as accounting firms that did work for such companies.

Wall Street institutions in the case before the Supreme Court were Credit Suisse Securities (USA) LLC, formerly Credit Suisse First Boston LLC; Bear, Stearns & Co. Inc.; Citigroup Global Markets Inc.; Comerica Inc.; Deutsche Bank Securities Inc.; Fidelity Distributors Corp.; Fidelity Brokerage Services LLC; Fidelity Investments Institutional Services Co. Inc.; Goldman, Sachs & Co.; The Goldman Sachs Group Inc.; Janus Capital Management LLC; Lehman Brothers Inc.; Merrill Lynch, Pierce, Fenner & Smith Inc.; Morgan Stanley & Co. Inc.; Robertson Stephens Inc.; Van Wagoner Capital Management Inc.; and Van Wagoner Funds, Inc.

These institutions may no longer have "Anti-Trust" anxiety from the Supreme Court, yet there are plenty of other Operational Risks on their minds. Namely, International Fraud.

In an era of data warehousing, metadata management, business process management and the looming BASEL II Accord, there are plenty of conversations about what to do about fraud and about other regulatory compliance obligations. Multi-factor authentication for online banking systems is not a trivial matter when it comes to Enterprise Risk Management. Is the customer service organization ready for the upgrade? Is the consumer going to be confused about what questions they are being asked in order to get access to their latest online credit card statement? What is my customer "churn" factor? In other words, how many of my customers are jumping ship as a result of the operational risks that have turned their loyalty into consumer-driven class action fraud litigation?

An International Banking Fusion Center is on the horizon and it's not too far from the same justification that addresses Know Your Customer (KYC) and the financing of terrorism.

According to one study respondent, "Organizations are secretive of fraud losses and that inhibits our ability to work together."

"The sharing of intelligence is key to being able to take advantage of the predictability of fraud," First Data's Barwell continues. "Banks are sitting on valuable data that, if analyzed innovatively, could provide fraud intelligence worth sharing. One major bank has shown that if their internal client databases across business lines and geographies are analyzed using sophisticated link analysis tools, spurious networks of accounts can be uncovered and, when fully investigated, could uncover organized networks of first-party fraud accounts."

Barwell adds that several U.S. banks have expressed interest in taking the "quantum leap" to true data sharing.
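The link analysis Barwell describes above, where accounts across business lines are joined on shared identifying attributes so that otherwise unrelated customers collapse into a single network, can be illustrated with a small example. The following is an added example, not code from the original post or from First Data or any bank; the account records, the attribute names (phone, address, device) and the cluster-size threshold are constructed assumptions for illustration.

```python
"""Link analysis over account records: accounts that share identifying
attributes are joined into a graph, and the connected components larger
than a threshold are surfaced for investigation.  Constructed example."""
from collections import defaultdict
from itertools import combinations

# Constructed sample records. Values shared across supposedly unrelated
# customers (same phone, address or device) are the links being analyzed.
SAMPLE_ACCOUNTS = [
    {"id": "A1", "phone": "555-0100", "address": "1 Main St",  "device": "dev-aaa"},
    {"id": "A2", "phone": "555-0100", "address": "2 Oak Ave",  "device": "dev-bbb"},
    {"id": "A3", "phone": "555-0199", "address": "2 Oak Ave",  "device": "dev-ccc"},
    {"id": "A4", "phone": "555-0150", "address": "9 Elm Rd",   "device": "dev-ccc"},
    {"id": "A5", "phone": "555-0177", "address": "7 Pine Ln",  "device": "dev-ddd"},
    {"id": "A6", "phone": "555-0188", "address": "8 Birch Ct", "device": "dev-ddd"},
    {"id": "A7", "phone": "555-0123", "address": "3 Lake Dr",  "device": "dev-eee"},
]

# Assumed attribute names used as link keys (hypothetical schema).
LINK_FIELDS = ("phone", "address", "device")


def build_links(accounts, fields=LINK_FIELDS):
    """Return one edge (acct_a, acct_b, field) for every pair of accounts
    that share the same value in one of the link fields."""
    by_value = defaultdict(list)
    for acct in accounts:
        for field in fields:
            value = acct.get(field)
            if value:
                by_value[(field, value)].append(acct["id"])
    edges = []
    for (field, _value), ids in by_value.items():
        for a, b in combinations(sorted(ids), 2):
            edges.append((a, b, field))
    return edges


def connected_components(node_ids, edges):
    """Union-find over the account graph; returns a list of account-id sets,
    largest component first."""
    parent = {n: n for n in node_ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _field in edges:
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    groups = defaultdict(set)
    for n in node_ids:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def flag_clusters(accounts, min_size=3):
    """Return clusters of at least min_size accounts held together by shared
    attributes, with the distinct fields that link them.  A cluster is a lead
    for investigation, not a finding of fraud by itself."""
    edges = build_links(accounts)
    components = connected_components([a["id"] for a in accounts], edges)
    flagged = []
    for comp in components:
        if len(comp) >= min_size:
            fields = sorted({f for a, b, f in edges if a in comp and b in comp})
            flagged.append({"accounts": sorted(comp), "linked_by": fields})
    return flagged


if __name__ == "__main__":
    for cluster in flag_clusters(SAMPLE_ACCOUNTS):
        print(cluster)
```

On the constructed sample, A1 through A4 form one chain (A1 and A2 share a phone, A2 and A3 an address, A3 and A4 a device) and are reported as a single four-account cluster, while A5 and A6, linked only by one shared device, stay below the threshold. Transitive linking is the point: no single pair looks suspicious, but the chain does, which is why a cluster is treated as a lead to be investigated rather than a conclusion.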

The International Language of Fraud

"In the last eight to 10 years, fraud has really gone international," says Steve Baker, director of the Midwest region of the Federal Trade Commission (FTC). The FTC maintains a Consumer Sentinel database that includes more than 3.5 million consumer fraud complaints and is accessible to more than 3,000 law enforcement agencies internationally. In 2006, 22 percent of the reported fraud was cross border.

So what? What does information sharing have in common with international fraud, identity theft and the risk of litigation within the banking or credit card industry? Now the bankers want to sue the retailers and recover losses for the lack of privacy and security controls at the retailers. Since December 2006, plaintiffs' class action firms in California and elsewhere have filed over 200 nationwide class actions in federal court against a broad spectrum of retailers and restaurants alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). In addition to California federal courts, FACTA cases have been filed recently in federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland and Kansas.