Bottomline: Regulation Versus Fraud – it’s Not a Choice
December 2, 2021

James Richardson, Head of Market Development Risk and Fraud at Bottomline, shares his thoughts on the importance of regulation when fighting fraud in financial institutions.

The last thing any executive at a financial institution needs now is ‘difficulty factors’. After all, it’s time for year-end reporting and 2022 forecasting. Digital transformation strategies are already in the melting pot and at varying stages of progress and capital expenditure. Throw in the creativity of fraudsters and we’ll agree there’s enough to deal with.

But the difficulty factors for FIs are not dropping as the year closes. In fact, we’re seeing two areas amping up the difficulty factor: insider fraud and regulatory technology (RegTech). Both go hand-in-hand, as many new regulations can help or hinder insider fraud challenges. A new research report, “The Future of Competitive Advantage in Banking & Payments”, considers these two issues (among others) and uncovers surprising levels of concern about solving them. While there’s no silver bullet for reckoning with fraud or RegTech, there are technology, advisory and data solutions to help.

Dealing with fraud, specifically insider fraud, first. Insider fraud happens when a current employee or contractor accesses and shares sensitive data or payments information that they don’t have access to in the normal execution of their job.

When we asked FI executives about their top overall concerns, 16 percent placed insider fraud within the top six issues. We argue that insider fraud should definitely be a higher priority than it appears to be in the report.

That’s because insider fraud has two costs: reputational and financial. The reputational damage from an employee-based data breach is impossible to calculate. According to a Ponemon Institute study, the frequency of global insider fraud incidents over the past two years spiked 47 percent. The average incident takes 77 days to contain, and when that passes 90 days, the global cost can top $13.7 million a year.

In an age of hybrid work-from-home environments, it’s easier for employees to access and share sensitive data, especially if companies lack proper defence technology. The effectiveness of that technology depends on whether it addresses insider fraud at the server level, because if it doesn’t, those defences may not work in today’s or tomorrow’s environment.

Here’s why: many companies rely on content filtering to stop insider fraud. Content filtering technology sits between the end-user and the outside world. It does a great job at catching sensitive data (called data leakage) and other information after it has been accessed. But then it’s often too late. The filter can spark the right alarms and be an essential tool in investigating exactly which employee shared the sensitive information. But in the case of a data breach, the reputational damage may already be done. What’s needed to fight insider fraud is an application layer. That layer doesn’t sit between the employee and the outside world; it sits between the employee and the application server, where 80 percent of insider fraud happens. This layer evaluates the employee’s access to and transmission of sensitive information and profiles their behaviour. It can then detect abnormal patterns that may indicate data leakage in the process. The application layer stops insider fraud before it happens.

Now for the RegTech difficulty factor. In our survey, 63.5 percent of respondents said RegTech will become more critical in the next year. My take is that this concern is as vital for fraud defence as it is for addressing the issues of interoperability and data. While RegTech is undoubtedly a challenging compliance factor to plan and execute, FIs see RegTech as a positive factor. Looking at what regulation aims to do, the most crucial factor is that it syncs almost perfectly with several problems that need solving to improve customer experience and security. Examples: the ISO 20022 messaging format will address data interoperability. Confirmation of Payee (CoP) will help address fraud. PSD2, Open Banking and UK Faster Payments Access Models will address easier access to data. So while 25 percent of respondents appreciate the importance of regulations, they are equally worried about looming deadlines and the need for business continuity. But regulations aim to create better conditions for growth and competitive opportunities for FIs. And it’s important to remember that new regulation is there to fight fraudsters, who are one step ahead of the game. They don’t wait for regulations to play fair.

However, broader challenges exist when fighting financial fraud, inclusive of insider fraud. Despite a positive attitude toward their outcomes, the biggest challenge in executing fraud and financial crimes strategy is keeping up with regulations (31%). The second challenge is increasing fraud threats (30%), and the third (at 11%) is the alert investigation time and false positives. These results illustrate a big challenge as FIs try to comply with regulations and manage assets on one side but remain strict enough without creating false positives and alienating customers. The fraud issue also tracks back to ISO 20022. Because the messaging yields more data, there’s more information to analyse in ensuring that all parties involved are legitimate, thereby reducing the potential for false positives.

The solution to these challenges has its foundation in technology. We’ve already offered examples of how innovative technology can help fight insider fraud. But let’s consider other fraud tactics that can profit from technology adoption. For instance, keeping track of sanctioned countries and organisations is not an inside, manual job in today’s complicated cross-border business environment. Nor is it a job for outdated technology. For example, legacy watchlist screening tools can be tripped up by spelling errors, typos, and data quality issues. That’s an easy get for clever criminals who use aliases or even steal identities.
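To make the watchlist point concrete, here is an added example (not from the original article and not Bottomline's method) that contrasts an exact-match screen with a normalised, similarity-based one. The watchlist entries, function names and thresholds are constructed for illustration, and Python's `difflib` similarity stands in for whatever matching a production screening tool uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed entries for illustration; not taken from any real sanctions list.
WATCHLIST = [
    "Aleksandr Petrov Trading LLC",
    "Nordwind Shipping GmbH",
    "José Martínez Holdings",
]

def legacy_match(name, watchlist=WATCHLIST):
    """Legacy-style screen: case-insensitive exact string comparison."""
    return [w for w in watchlist if w.lower() == name.lower()]

def normalize(name):
    """Strip accents, punctuation and case; sort tokens so word order is ignored."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_name.lower())
    return " ".join(sorted(cleaned.split()))

def fuzzy_match(name, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry, score) pairs whose normalised similarity meets the threshold."""
    target = normalize(name)
    hits = []
    for entry in watchlist:
        score = SequenceMatcher(None, target, normalize(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 2)))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    # Constructed payment party names: a typo, a reordered and unaccented
    # variant, and an unrelated but similar-looking company.
    for party in ["Alexandr Petrov Trading LLC",
                  "MARTINEZ, Jose Holdings",
                  "Northwind Shipping Ltd"]:
        print(party)
        print("  exact match :", legacy_match(party))
        print("  fuzzy @0.85 :", fuzzy_match(party))
        print("  fuzzy @0.75 :", fuzzy_match(party, threshold=0.75))
```

Lowering the threshold to 0.75 flags the unrelated "Northwind Shipping Ltd" against "Nordwind Shipping GmbH", which is the false-positive trade-off the article describes.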

Modern technology for watchlist screening will be SaaS-based and provide a real-time, automated look across the journey of each payment. This technology will reduce false positives and speed up investigations, which is where data comes in. By using machine learning and artificial intelligence, systems can proactively detect and prevent financial crimes. It’s no longer a box-ticking exercise.

So yes, our research shows the difficulty factor for FIs goes up in the short term. But continued focus on digital transformation and the judicious use of technology makes fighting financial fraud a bit easier and will ultimately make corporate and consumer customers happier in the long run.