All companies have a duty of care to their customers. But what does this mean in the world of financial cybercrime? This episode of the Payments Podcast reviews the responsibility organisations have when customers trust them with their payments, money and data.
So far, we’ve learnt a lot about the evolving threats through real-life cyber-attacks; this episode reviews them to explain why now is the time to remain vigilant in the fight against fraud.
Rich Williams: Within the payments community, we all have a duty of care to our customers, but what do I mean by this? Well, financial cybercrime operates silently like a slick, oiled machine and when customers entrust us with their payments, money and data, it’s our joint responsibility to protect them against these malicious parties.
Hello, I'm Rich Williams, host of the Payments Podcast and today I'm speaking with James Richardson, Bottomline’s Head of Market Development for Risk and Compliance. We’re going to discuss what lessons we've learned in recent years with regard to payment fraud, the evolving threats that continue to emerge and how, as a community, we all have a duty of care to ourselves and our customers to ensure we remain vigilant in the fight against fraud. Hi, James and welcome back to the podcast.
James Richardson: Hi, Rich.
Rich Williams: I began there by referencing the lessons we've learned in recent years but, with payment fraud, we don’t really want to learn from experience if at all possible, so how does one make the most of the mishaps that are observed in the market?
James Richardson: Yes, you're definitely right, Rich, we've learned a lot over the last few years. Actually, the Bangladeshi bank heist from a few years ago, which we covered, I believe, in one of the podcasts previously, was a real turning point for the industry as a whole. That was four years ago and, between then and now, we've all learned so much about what the fraudsters are trying to do and, importantly, how their techniques have changed and evolved.
I think the good news is there's a big drive across the industry to collaborate and partner more and more to take action. That’s one of the pros that has really come as a result of this. There are initiatives, such as the SWIFT Customer Security Programme, that kicked off a few years ago, actually, as a direct result of the Bangladeshi bank heist from 2016.
Other initiatives, like the Shared Infrastructure Programme as well, they're all around similar things. It’s all about improving security controls when it comes to payments. Actually, a lot of organisations that have taken the opportunity to tighten up those controls have already started seeing benefit as a result of that.
Rich Williams: Thanks for that, James. What, if any, are the biggest trends that you’ve observed in the market place in relation to cybercrime and fraud?
James Richardson: I think the biggest thing that’s shifted and really changed our thinking about the whole element of fraud is that this is now seen as, in quotes, “a professional business and a professional outfit.” Cyber fraudsters or hackers, however, you want to call them, they operate in a collaborative fashion via the dark web.
This has actually created a bit of culture in… Like a normal business, it’s created cybercrime as a service. Pretty much everything runs as a service today and cybercrime as a service is a new name that’s been applied to what some of these fraudsters are actually doing.
Here’s the thing, we've seen quite an evolution in the methods and efforts that are being used by these criminals. There's a report that we've done in conjunction with Strategic Treasurer, which will be available to the audience members and that will be published very shortly, that shows that fraudulent attempts have increased by 50% in the last three years and also shows that criminals are now differentiating their targets to really get the best returns without being caught.
I think when you look at Bottomline, as an organisation, payments are at our absolute core. That is what we do and that is what we understand and we've done that for over three decades. We help our customers gain access into payment platforms and into payment gateways but, over the last few years, that has evolved to really continuously help customers detect, deter and prevent fraudulent attempts. This is around transactional analytics, suspicious activity and, basically, things that are outside the ordinary of what an organisation does.
We've seen and we've observed across our networks that fraudulent activity is being attempted by people on the outside, being thwarted, being identified and stopped as a result of some of the measures that we put in place to help customers. Secure payments being one of the solutions that helps with that. For banks, the average value is over £200,000 and, for corporates, the average value is over £20,000.
These aren’t insignificant sums, whether you're a bank or whether you're a corporate. If you're a small to mid-sized business, £20,000 is not an insignificant amount of money. We see that, we observe it and, by the way, these aren’t the large values that we observe. There are significantly higher sums in the millions that we observe globally.
I guess what's interesting to see is that, A, those values are coming through and, B, we’re able to help identify that they're abnormal in the context of what an organisation pushes through into Bottomline so, therefore, thank goodness, are able to alert that it’s out of the ordinary.
For our customers, of course, what's good news for them is that this could have been a large loss, whether it’s through fraud or whether it’s through error. It’s damaged reputation and it’s potential fines that they could see as a consequence if things did get through the net. I think that’s really what's woken us up and it’s what's woken up the industry.
It’s worth sharing that a lot of the transactions that we see across our networks that we’d put within this bracket of secured funds or potential fraud or error, they’ve been in US dollars, they’ve been in Euros and some in Sterling pounds as well, of course. Pushing out into the SWIFT network, they would take the common form of FIN messages, so 102 or 103 message types. There's also a lot that takes place domestically and that’s across the UK and Europe as well.
I think I summarise by saying what we see also correlates with what gets published from SWIFT, actually. They produced a report about a year ago, just under a year, April 2019 and they highlighted some of the changes in the landscape around the evolution of the fraud threats. We see exactly the same across our networks, not just SWIFT but across our transactions into other payment networks.
This is where we’re able to collectively see that the modus operandi being used by fraudsters is shifting. Examples would be out-of-hours fraudulent attempts. That started shifting to during business hours, during working days and using dormant payment corridors. The reason why they're doing it is because organisations have woken up to trying to put the defences on payments being made outside of business hours. So what are fraudsters doing? They're now trying to look like a normal transaction that sits within a typical day.
Rich Williams: Thanks, James. There seems to be a lot that we can learn from these experiences but, as is often the case, unless we apply that knowledge that we've gleaned then it’s largely a wasted opportunity, a bit of a “so what” scenario, if you like. Are companies actually doing anything about what they can observe?
James Richardson: Yes. I think so. There's definitely, in the last few years, an increase in awareness of the issue. I think we've definitely moved on in the debate from, in quotes, “Fraud is bad, let’s talk about it too.” We know that that’s happening and what are the steps and measures that we're putting in place to help fight it? I think the challenge now, actually, is are organisations really continuously improving their defences in three areas.
People. That’s about the education. Are they continuously updating their staff involved in payments? Is it process? What are people doing around the processing of payments? Is it okay, culturally, to be able to challenge an urgent payment that comes down from the CEO or the CFO before it goes out the door?
From a technology standpoint, has the technology been updated? It might sound obvious but there are a couple of things at play. One is it’s pretty common to have technology defences in place now that were implemented two years ago. That’s fine. The challenge is a lot of the payment world has actually moved on quite significantly just in the last two years.
Anyone listening on the podcast, you’ve got to ask yourself, are you now making faster payments today rather than traditional three-day payments through the BACS network? Just to use UK domestic as an example. There is a significant shift towards faster payments within the UK, across Europe and globally and a lot of the defences that were put in place at the technology end of the spectrum and at people and process were wholly dependent on a three-day payment cycle.
It gave people the ability to have this safety net that, if something bad went through the door, they had time to be able to claw it back. That has now changed. It’s going and, very soon, it will be gone forever. What's important is that the technology then gets applied and improved into this process.
I'll say one last point on this and this really ties, perhaps, to why we’re pushing a duty of care programme, why SWIFT are pushing their SWIFT Customer Security Programme and why the MAS body out in Singapore is pushing greater controls on organisations and banks worldwide. The issue is fraudsters don’t wait for 1st January to be polite and respectful to organisations globally to make sure that they're compliant with a certain programme or regulation.
They don’t care about any of that stuff. What they care about is making sure they can cause maximum damage in the shortest amount of time and making sure that it’s as lucrative an opportunity as possible for them. Fraudsters aren’t going to wait until a regulation is in place in order for them to act.
Frankly, that window of time is seen as opportunity in the eyes of a fraudster. Our job as technology providers, our job as industry thought leaders, speakers and, frankly, anyone in the audience that is associated with moving money around the world is to ensure that we really understand what is going on and help raise the bar when it comes to security standards.
Rich Williams: Speaking about raising the bar and relating back to the original title of this episode, which is Duty of Care, Bottomline’s own Chief Information Security Officer recently announced a duty of care programme to its customers. James, could you explain to our listeners more about what Bottomline’s interpretation of duty of care means for them?
James Richardson: Absolutely. Duty of care, this is about Bottomline having a duty of care for its customers, on its network that it provides access to and, also, it’s about our customers having a duty of care around their payments as well. This isn’t just about Bottomline and its customers. This actually extends out to our partners and to our suppliers. This is about everyone that touches money within our ecosystems that this duty of care programme really applies to.
To my earlier point, what we’re really trying to do is create a movement that doesn’t just rely wholly on one particular industry regulation for people to do the right thing, which is part of our mantra at Bottomline, “Do the right thing.” This is the right thing. This is about making sure that people are protecting their payments from the outset and not waiting for a regulator to say you should do something in, perhaps, 18 months’ time.
For us, we work very closely with our Chief Information Security Officer and the team in really looking at where are the risks for us, for our customers, suppliers and partners that push money around in the ecosystem. What we wanted to do was really build on all of the good work that we’d seen over the last few years around multifactor authentication, securing login access for individuals onto systems and really start taking that a step further.
These are things, actually, that we've been advising and that we've been recommending but now is the point in time where it’s really seen, dare I say it, as essential. Certainly, with what we see and observe that goes through our financial messaging network across our bureaus and across our data centres worldwide, this is way beyond theory. This stuff is actually happening and it’s very real.
What we’re really asking the community to do is act upon this data, is act upon the fact that the cyber threats are really evolving at quite a rate of knots and making sure that they have got the right defences in place. Very specifically, we’re asking that organisations have got transaction monitoring in place and user behaviour analytics in place.
For us, we’re often seen as the last line of defence. There will be multiple steps in a payment process and in a workflow. There will be multiple people involved in making the payment. It is not a surprise that fraudsters spend their time analysing the gaps in that process, in the technology that exists and then looking to circumvent it. That is why our technology has been successful in identifying frauds of over £250,000 in average value for banks and over £20,000 in corporates.
As I said right at the beginning of the podcast, that’s just an average value and there are far more significant values that have been identified as well but it just goes to show that you don’t want to wait for a regulator to drive the change. This is about the community acting and really making a difference.
Rich Williams: James, why is this programme of duty of care so important to Bottomline specifically?
James Richardson: I think we see a lot of payments. We've been involved for over three decades helping organisations pay and get paid and we want to keep that simple, smart and secure. That’s what we've always been about and it’s worth referencing that we see anything between 12% and 15% of SWIFT international cross-border traffic. We see 50% of traffic across UK domestic payments, Swiss domestic payments and even out in Saudi as well, quite a high proportion going through Bottomline through partners.
For us, I think it’s only right and fair that we want to see ourselves and our customers, partners and suppliers all upheld to high-security standards and regulations. That is critical and we’re only going to solve this issue if we do this in a collaborative fashion.
The old cliché of you're only as strong as the weakest link in the chain, we really want to make sure that all of the links in the Bottomline chain are as secure as they possibly can be. For us, where we see the fraudsters really upping their game, and I mean really upping their game in recent years, it’s critical now that organisations up theirs as well.
Rich Williams: Thanks, James. As we draw this episode to a close now, would it be fair to say that we have much bigger expectations now, as customers, and we rely on the trust that our data and our money is being protected and, if we start to feel uneasy that that is the case, it can be quite damaging to the relationship of the parties involved?
James Richardson: Absolutely. At a compliance level, you get it wrong, people get fined, people go to jail and banks go out of business.
Rich Williams: Unfortunately, that’s all we have time for today. We’ll be back with some more podcasts very soon and, in the meantime, you can listen to more episodes on all things payments at the touch of a button using your preferred provider. We’ll see you all next time.