Virus weakens banks’ defences against internal fraud

Stressed markets and remote working leave firms vulnerable to op risks and cyber attacks

House-sharing is common in major cities around the world. Trapped at home because of the coronavirus pandemic, housemates are jostling for space and privacy. For those in the financial industry, their home office set-up is not merely a source of domestic tension. It’s an operational risk for their employer.

“There’s a flat in London shared by four 25-year-olds. Three of them are traders for big banks, trading broadly the same instruments in the same room,” says Paul Ford, chief executive officer at risk control firm Acin. “How do you make sure they’re not colluding? Compliance departments don’t know how to deal with that.”

The risk of insider-perpetrated financial crime is growing as businesses struggle to cope with the impacts of the virus. Experts warn that countrywide lockdowns, dramatic changes in working practices and pronounced economic stress will result in greater exposure to internal events such as unauthorised trading, theft, and the deliberate leaking of sensitive information.

Traders and other front-office staff have been redeployed to multiple remote trading floors, or are working from home, with investment banks supplying virtual turrets and high-tech audiovisual equipment to employees. Risk control managers no longer have direct lines of sight over some key functions. The fear is that a lack of supervision could create a breeding ground for unauthorised trades or fraudulent activity.

“Bad actors aren’t in controlled environments,” says one senior risk manager at a mid-sized bank. “And with all the market movements, volatility and higher trading volumes – a rise of two to three times – it increases the probability that somebody will try to squeeze in a few trades close to the end of the market or when volatility is hitting.”

Supervision takes different forms. In some cases, it’s literal: a manager watching out for team members using non-secure devices in the office, for instance.

“We have a very strict policy that you can’t use [mobile] phones on the trading floor – but if someone is working from home, how do you enforce that?” asks a regulatory reporting manager at a global bank. “We cannot practically enforce that now.”

Other forms of oversight are computer-based. Trade surveillance systems are increasingly reliant on machine learning techniques to detect misdeeds based on patterns of past behaviour. But the models can’t be trained fast enough to keep up with the wave of behavioural patterns that have emerged during the Covid-19 crisis. As a result, the number of false positives picked up by these systems has ballooned, heaping more pressure on monitoring teams.

“There’s a lot more strain on our transaction monitoring,” says Richard Snookes, chief compliance officer for corporate and investment banking at Sberbank. “Most of these systems are calibrated to detect unusual activity, whether that’s increased volumes or changes in trading practices. The number of false positives has gone up dramatically due to the fact that you can only calibrate a system so far.”

One cyber security expert estimates that false positives make up around 80–90% of the alerts generated by automated systems.

Attack surface

Scattering employees among different working locations has widened what experts call the “attack surface” – that is, the breadth of vulnerable systems architecture that a wrongdoer can access and exploit.

Where a given critical system is available only on-site, it has an attack surface that is relatively small: a fraudster would need to be in the room to gain entry to that system. But coronavirus has made such traditional security measures impossible for some firms. In many cases, employees need to remotely access sensitive systems – from devices at home – if they’re to continue working. This new requirement creates an opportunity for the criminally minded.

“Whatever [firms are] deploying to protect home users, [it] must be integrated with the network-level security controls,” says Tom Kellermann, chief security officer of Carbon Black, a cyber security vendor. “If the controls aren’t interconnected, they don’t provide you with visibility.”

Firms have rehearsed for large numbers of staff working from home. But in many cases, the tests were focused on the impact of remote working on productivity, rather than security. Cyber security experts fear that new vulnerabilities will emerge amid the scramble to equip bank staff to work from home. Internal investigations into suspicious activity, some say, will become a lot harder as monitoring systems struggle to separate genuine misbehaviour from ‘noise’.

“As they’re setting up remote access for employees, their surveillance systems are kicking out thousands and thousands of events,” says Ed Sander, chief product officer for cyber security and data analytics firm ThetaRay. “And the volume of backlog that’s going to start building up at banks is significant.”

As a result of this industry-wide flurry of activity, Sander argues, suspicious acts might be recorded wrongly. He says he is “concerned” about the potential for fraudulent activity by a firm’s own staff to go ignored or miscategorised.

Even a new set of rules specifically designed for home working would not necessarily ease the pressure on compliance departments. Where employees are working off-premises, it’s hard to ensure they are following guidelines set up to prevent insider activity.

Mistakes and misdeeds

Not only does the mass migration of employees from office to home make it easier for insiders to commit and conceal frauds, market participants say the economic shudders caused by the virus may give rise to new sources of wrongdoing.

“The most likely scenario is that a trader suffers losses and deliberately mismarks his or her position,” says an op risk managing director at a corporate bank. “It’s easier in illiquid markets, and the risk is heightened in volatile markets. The fragmentation of a bank’s staff may delay discovery.”

Traders are more prone to making desperate gambles in an unpredictable market, and employees who would follow the rules closely during normal business conditions might not be so reliable in a protracted stress period, practitioners argue.

“I’m nervous about internal fraud and misconduct. Unauthorised activities in times of heightened stress – I don’t think we’ve seen the worst of it yet,” says an op risk consultant.

The economic downturn has also left employees at risk of redundancy, which may leave employers more exposed to revenge attacks by disgruntled former staff members. If there is no choice but to sack an employee, Carbon Black’s Kellermann says firms must be especially diligent in protecting themselves from potential retaliation.

Some forms of retributive sabotage will be hard to shut down. A long-serving employee, for instance, may have a significant quantity of sensitive information stored on personal devices or simply written down. These private stores are a potential source of damage to an employer, whether intentional or otherwise.

“The risk of fraud lies in data leakage and the fraudulent sale of sensitive internal data with significant market value,” says an individual at a national US retail bank. “Either by employees pressured by upcoming financial difficulties or third-party providers.”

Additional reporting by Alexander Campbell and Steve Marlin

Editing by Alex Krohn
