Fight against Cybercrime in Financial Services is Crucial
Money Makes the World Go Round
The best things in life may be free, but it would be supremely naïve to overlook the importance of money: finance holds a central role in every society the world over. Money is fundamental to all value chains and it’s an integral part of our economic systems. The majority of wealth created by the industries and individuals circulates through financial institutions, and, eventually, ends up in the banks.
Given their importance, it’s no surprise that the financial services (FS) sector is one of the top targets for cybercrime – in fact, research has found that more than a third of financial sector organisations have been victims of cybercrime while only 17 percent of organisations from other industries have been targeted.
And thanks to the looming threat of cybercrime, the FS industry has also found itself under the beady eye of regulators who are keen to ensure the sector’s systemic position is not exploited.
Since the 2008 financial crisis, the industry has seen a rapid and substantial increase in the level of pressure it is under to remain compliant. New regulations appear with dizzying frequency – such as the sanctions against Russia, the Foreign Account Tax Compliance Act (FATCA) or the BCBS239, just to name a few. In Q3 of 2014 alone there were 82 new regulatory changes; ensuring compliance with these changes took around 653 hours per institution.
And regulators are not shy when it comes to punishing bad behaviour – between 2009 and 2013 FS organisations paid out over $266bn in fines, settlements and provision for future liabilities.
Risk management and compliance play an extraordinary role in banks. The cost of effective risk and compliance management is rising with new regulation and could reduce bank return on equity by 2.5% to 4%, as evaluated by McKinsey.
Pressure is once again rising. In September 2015, S&P announced plans to include cybersecurity risk as a key factor in credit ratings. Banks may see their ratings cut if they fail to sufficiently protect themselves against cyber-attacks, or sustain a particularly damaging breach. S&P’s consideration of a bank’s maturity in protecting against cyber-attacks will have a direct impact on the bank’s refinancing conditions and is, therefore, a positive or negative lever on the core business.
It’s also important to note that the largest threats do not always come from outside the business – even if these external threats are growing, notably with the rise of digital payments and mobile banking. Threats also come from inside – take the recent cases of tax evasion by cum/ex deals: more than 100 financial institutions could be involved. The number of potential crimes is huge: criminals engage in everything from money laundering to violating trade embargos, as well as exploiting the complex and unstable world of international regulations in order to conduct ‘grey zone’ transactions. The $8.9bn fine against BNP Paribas for their part in concealing transactions for clients in the Sudan, Iran and Cuba shows the extent, and severity, of the problem.
While 99 percent of decision-makers play strictly by the book, the world is becoming more complicated and unpredictable. This makes it difficult to foresee and prevent all the potential risks or side-effects of each activity – whether this is credit or trading, for instance – which takes place in a labyrinth of different subsidiaries, spread across multiple locations and subject to varying numbers of local and international regulations.
In order to deal with the complex, dynamic and multi-dimensional challenges of regulations and cyber-attacks, we need a comprehensive and holistic strategy. Given the political, legal, organisational, and technical implications, it is not an easy ride. Any solution requires a holistic approach in order to assess, protect, and react with appropriate responses.
Check out my next blog to hear more about how a digital-first approach can help tackle the challenges of trust and compliance within the Financial Services sector.