# Financial Crime Survey 2016: Compliance and online fraud top the financial crime investment charts

## Sponsored survey analysis: BAE Systems

Since 2007, Operational Risk, in collaboration with BAE Systems, has conducted a series of surveys covering key industry trends in financial crime, risk and compliance. This year’s survey shows continued investment in anti-fraud and compliance solutions. However, the focus and priorities of financial institutions appear to reflect the uncertainty of global markets and the growing impact of money laundering and counter-regulatory measures.

A key indicator of the overall health of the market is the change in investment in the two primary areas of financial crime: compliance and counter fraud. These two areas have seen sustained investment growth since the first survey was conducted in 2007. This comes despite retrenchment elsewhere in financial services (figure 1). This year’s survey indicates significant growth of investment in anti-money laundering (AML) and particularly non-AML compliance: 51.5% of respondents said that AML budgets would increase and 55% said that non-AML compliance budgets would increase, compared with 45% and 49.6%, respectively, for 2013. However, more financial institutions in 2016 than in 2013 say that their AML and non-AML budgets will decrease. This trend does not appear to be reflected in combatting fraud, where an almost identical percentage (41.8% in 2016 and 41.6% in 2013) indicates that investment will remain at the same level.

### A shift in priority

We asked respondents what the financial crime priorities for senior management would be in the coming year (figure 2). In 2013 – and for several years prior to that – insider fraud was regarded as the priority for respondents. However, this state of affairs has changed dramatically. As of this year, online fraud is the priority. The growth of remote banking channels, with the proportion of business conducted through online and mobile banking, is a possible explanation. According to the Global Mobile Banking Report, published by KPMG in conjunction with UBS Evidence Lab, this past growth is just the beginning. The number of mobile banking users globally is forecast to double to 1.8 billion over the next four years, representing more than one-quarter of the world’s population. In the US, 74% of banking customers used online banking in 2014, and 35% used mobile banking to access banking services. Payment fraud remains a strong priority, but is down when compared with 2013 numbers.

### Insider fraud

Where does this leave insider fraud? In terms of priority initiatives for senior management, the survey revealed that it had fallen to a 5.61 average score in 2016 from 7.44 in 2013, when it was considered the second priority; only cheque and deposit fraud in 2016 are considered to be lower priority in banking. It could be that, as it is notoriously difficult to detect, senior management now believe the levels of insider fraud to be low and therefore of lower priority.

The survey measured fraud detection performance for the first time in 2016, and insider fraud detection is comparable with online fraud, for example, at 39.4% detected (however with a high false-positive rate at 29.5%). This would support an argument that this area has been a focus for financial institutions. However, further analysis of the survey participants suggests that the mix of relevant financial institutions is different in 2016 to that of 2013. In 2016, 32.6% of businesses did not use insider fraud detection, compared with 21.3% of businesses in 2013.

Most current research suggests that, far from being addressed, insider fraud is a growing problem. The Kroll Global Fraud Report 2015–2016, carried out with and conducted by the Economist Intelligence Unit, found that 60% of companies were defrauded by an insider – a 72% increase on the previous year. According to the Association of Certified Fraud Examiners’ (ACFE) 2014 Report to the Nations, more than one insider colluding in a fraud is especially harmful, and appears in between 36% and 42% of cases covered by the report. Yet losses from this type of fraud have fallen from a median of $500,000 in ACFE’s 2008 report to half this figure in 2014. ### Changes in AML and compliance Investment in AML remains significant, with 51.5% of respondents expecting budgets to increase over the next three years. The data also suggests financial institutions are shifting slightly towards solving this problem internally, with an increase from 20.6% in 2013 to 26.4% in 2016. In comparison, those going to third parties have fallen from 42.1% in 2013 to 35% in 2016. That said, third-party vendors remain the most popular option overall. The survey asked respondents which solutions they would build in-house, as opposed to outsourcing (figure 3). This year saw a significant migration to third-party politically exposed persons (PEP) screening and sanctions solutions. Almost one-third (31.3%) went outside their organisations in 2013; that figure rose to 43.8% in 2016. This is possibly explained by the increasing development and focus of sanctions regimes introduced by governments around the world to target organised crime and stem the funding of terrorism, which has forced financial institutions to prioritise investment in this area. The expansion has resulted in a more complex set of actions and obligations and, for this reason, financial institutions are turning to third-party vendors. Recently, it has been the considered view of many financial crime experts that financial institutions can benefit from combining fraud and AML resources to create efficiencies and identify crossovers. This year’s results suggest the idea has currency, with a more than 10-point jump in financial institutions using consolidated fraud and compliance solutions: 76.6% in 2016, compared with 65.7% in 2013. The trend is also towards third-party vendors providing these solutions, with 21.9% in 2016 compared with 13.7% in 2013. ### The rise of application fraud There has been a trend towards developing tools in-house for specific areas of financial crime. Notable in this group is application fraud (figure 3). Just over one-quarter (25.5%) of surveyed financial institutions now have an in-house solution, an increase of 2.2% since 2013. There has been a decline in the number of those that have a third-party application fraud solution (from 23.7% to 20.8%), and a decline in the number of financial institutions that said that they would possibly outsource their application fraud solution service over the next three years – from 18.3% to 15.1%. The skewing towards internal spend could be explained in part by the common practice of tackling application fraud with existing fraud solutions. It would be interesting to analyse the impact on effectiveness of application fraud detection over time (beyond the scope of this research), as BAE Systems’ experience suggests that specific application fraud modelling and entity matching is required. That said, fraud departments are also frequently challenged to justify additional IT spends, so may need to maximise what they have already. We will be watching this space carefully, given the increasing prevalence of the application fraud problem with the global migration towards EMV standard, and would expect the trend to in-house solutions to target this problem to be reversed. ### Cyber attack On the list of priority initiatives for senior management in 2013, cyber crime was included as a general category. At the time, it was cited as the highest priority, with 7.7% of the total. With the increasing number of high-profile cyber attacks, and the increasingly documented connection with financial crime (the UK’s National Fraud Investigation Bureau estimates that 43% of fraud is cyber-enabled), this year’s survey asked more specific questions about the perceived and likely impacts of a successful cyber attack on financial institutions (figures 4 and 5). When asked what would be the likely financial cost of a successful cyber attack on their organisation, 36.7% of respondents said they did not know the estimated potential financial impact; 46.7% estimated this to be less than £10 million; and 23.3% estimated less than £1 million. This may reflect some widely reported figures that show that the average payout for a claim for a cyber breach is around £1 million (figure 4). NetDiligence’s 2015 Cyber Claims Study notes the average claim for a breach at$673,000 and, for a large company, \$4.8 million. The UK government’s 2015 Information Security Breaches Survey suggests costs had risen from £600,000 in 2014 to £1.46 million in 2015 for large firms

Yet this only refers to the direct costs of a cyber incident. The indirect costs can be far greater, and this is recognised in response to the second cyber-related question. Exactly half of respondents believed that the greatest risk to their business was reputational damage, and 30.6% considered loss of customer data to be the greatest risk. Direct monetary loss was the greatest risk for only 8.1% of respondents, which is unsurprising given how easy it is to insure against. In contrast, the damage to reputation can be far-reaching, long-term, and difficult to insure against. Detection and prevention technologies, in combination with relevant insurance protection, can be effective options for the financial institution to manage this risk (figure 5).

In summary, this year’s research has once again provided highly valuable insight into the key trends and the state of the financial crime market. Investment in financial crime defences is increasing, most significantly in AML and non-AML compliance. Leading the trend is the likely move to third-party solution providers for sanctions and PEP screening solutions, but also the move to consolidation between fraud and compliance solutions.

### The Financial Crime 2016 Survey methodology

BAE Systems and Operational Risk received 204 responses to the survey, which was conducted during March and April 2016. Respondents were drawn from banks and insurers who work in risk, fraud, compliance and finance and were asked to share their views on their businesses’ investment priorities in the area of financial crime, what are the key threats now and in the next three years, and the potential financial impact of cyber-enabled crime. The survey was carried out using SurveyMonkey and marketed through Risk.net