Top 10 op risks 2019: theft and fraud
Rogue employees are costly, but the thought of cyber mayhem dominates managers’ concerns
Despite slipping a place on Risk.net’s 2019 list, theft and fraud is still many operational risk managers’ worst nightmare. The idea of a massive heist by enterprising hackers, mercenary employees or plain old bank robbers, possibly followed by fines and penalties, keeps the category near the top of the op risk survey year after year.
Inside jobs made up the top three of 2018’s biggest publicly reported op risk losses: Beijing-based Anbang Insurance lost a shattering $12 billion to embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to wayward employees working with a fugitive diamond dealer.
These top losses were the result of old-fashioned crimes in the emerging world. At US and European banks though, it’s the cyber component of theft and fraud that looms large – despite the absence of even a single incident on the top 10 list.
“You can commit theft and fraud anonymously. You can go multicurrency, bitcoin,” comments a senior operational risk executive who says theft and fraud make up the biggest loss at the North American bank where he works. “You can be on the other side of the world, funds in hand, before anyone realises the money is missing.”
According to ORX News, the total of publicly reported losses attributable to cyber-related data breaches and instances of fraud and business disruption was $935 million worldwide in financial services last year. Over half those incidents involved fraud.
Theft losses come in a broad variety. The granddaddy of bank theft – the hold-up – has waned, but still goes on. In 2003, there were almost 7,500 stick-ups at US banks, according to the Federal Bureau of Investigation; by 2017, they had dwindled to around 3,900.
Instead of ski-masked gunmen, hackers are the new fear. Anecdotally, cyber hits are described as a hail of mostly tiny, but relentless attempts on data defences, leaving managers on perpetual alert. Whatever cash is stolen is a loss, but so are fines, the cost of patches and new bulwarks, the possibility of suits from other parties (Target paid millions to banks that had to re-issue credit cards after its 2013 breach) and the brand becomes a late-night punchline.
Cyber fraud comes generally in one of two sorts: one sows chaos, then grabs data en masse in the ensuing turmoil; the other zeros in on individuals to drain their accounts.
A large-scale attack could consist of millions of small transactions, like a $1 charge on a credit card, each likely unnoticed by the cardholder. In a targeted attack, thieves try to pry loose enough data from a customer’s social media persona to get access to their bank account. Other, more sophisticated schemes look for the weak points in authentication systems like biometrics. Some apps, for instance, can replicate a person’s voice patterns and fool voice ID systems.
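The "millions of small transactions" pattern described above lends itself to a simple detection check. As an added example (not code from the article or from any bank it mentions), the Python below scans a constructed transaction log for merchants that place many sub-$2 charges on many distinct cards inside a short window; the log format, merchant ids, card tokens and thresholds are all assumptions.

```python
"""Flag 'micro-charge' bursts in a card transaction log.

Added illustration, not code from the article. The log format, merchant
ids, card tokens and the threshold values below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, merchant id, card token, amount in USD.
SAMPLE_LOG = """\
2019-03-01T10:00:01 M-771 tok_a1 1.00
2019-03-01T10:00:03 M-771 tok_b2 1.00
2019-03-01T10:00:04 M-771 tok_c3 0.99
2019-03-01T10:00:06 M-771 tok_d4 1.00
2019-03-01T10:00:09 M-771 tok_e5 1.00
2019-03-01T10:00:11 M-771 tok_f6 1.00
2019-03-01T10:05:00 M-120 tok_a1 54.20
2019-03-01T10:06:30 M-120 tok_g7 12.75
2019-03-01T11:30:00 M-771 tok_h8 1.00
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (datetime, merchant, card, amount)."""
    rows = []
    for line in text.splitlines():
        ts, merchant, card, amount = line.split()
        rows.append((datetime.fromisoformat(ts), merchant, card, float(amount)))
    return rows

def find_micro_charge_bursts(rows, max_amount=2.00, window=timedelta(minutes=10), min_cards=5):
    """Return {merchant: distinct_card_count} for merchants that charged at least
    `min_cards` distinct cards an amount <= max_amount within any `window`."""
    by_merchant = defaultdict(list)
    for ts, merchant, card, amount in rows:
        if amount <= max_amount:
            by_merchant[merchant].append((ts, card))
    flagged = {}
    for merchant, events in by_merchant.items():
        events.sort()  # sliding window over time-ordered small charges
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            cards = {c for _, c in events[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[merchant] = max(flagged.get(merchant, 0), len(cards))
    return flagged

if __name__ == "__main__":
    print(find_micro_charge_bursts(parse_log(SAMPLE_LOG)))
```

On the sample log, merchant M-771 is flagged with six distinct cards in one ten-minute window, while the later isolated $1.00 charge and the normal-sized charges at M-120 are not.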
“Equifax taught us that you need to move away from knowledge-based authentication to more activity-based identification,” says an op risk head at a second North American bank; for instance, asking people what their last two transactions were. In 2017, hackers stole data such as names, birthdates and Social Security numbers on nearly 148 million people from Equifax’s online systems.
Cyber fraud losses tend to come in waves, reflecting the arms race between hackers and banks as each tries to outgun the other, says Michael Grimwade, head of operational risk at ICBC Standard Bank, in forthcoming research.
Perpetrators continue to exploit known vulnerabilities in the financial system – fraudsters have used the Swift network, for instance – but Grimwade says their success rate may be diminishing; the industry has responded vigorously to high-profile break-ins.
“Banks will not give much information on the details of a cyber attack if they don’t have to – that includes their losses and costs,” says one op risk expert. “One reason is because they do not want to provide useful information to future potential fraudsters.”
But managers are hardly forgetting the here-and-now world of in-house bad behaviour. Avoiding it has required banks to try to establish a culture of ethics, not just at the top, but setting a ‘tone-in-the-middle’. Employees should know the line between what is acceptable in their roles, and what isn’t.
“Employees should know what fraud looks like, what their responsibilities are to mitigate it and how to report,” says a fraud management expert at a North American bank.
A whistleblower hotline should be available for employees fearful of retaliation by managers, says the fraud management expert.
Internal fraud can also be soft. Just last month, the Federal Reserve permanently barred a former managing director of JP Morgan from the banking industry for bribing Chinese government officials by providing jobs for their children, known as the ‘princelings’. JP Morgan agreed to pay $264 million to settle the matter.
But for all the dereliction on the inside, everyone is quietly watching for ambushes on the cyber front.
“Interconnectivity and the tools the fraudsters are using allows them to commit it on a much broader scale – we are seeing fraud be more successful,” a bank regulatory official says.