Day 1
Session 1: Opening Keynote
Matthew Redhead, Associate fellow – Royal United Services Institute (RUSI)
Cybercrime used to be seen as separate from other crime, but it now crosses over into other areas of major organised crime such as money laundering, people trafficking, terrorist financing and tax evasion, whilst around 40% of it derives from the drugs trade. The scale is daunting: the most recent figures suggest that fraud alone accounted for losses of £840 million in the UK over the last year, and global losses are estimated at 2-5% of GDP. With London a global financial hub, it is safe to assume that hundreds of billions of pounds of ‘dirty money’ is finding its way through the City.
The pandemic, with the huge uptake in technology brought on by enforced working from home, has markedly increased both corporate and personal vulnerability and has forced employers in particular to re-evaluate how to keep their systems secure. What has become clear is that, whilst cyber security tools can prove effective, the human behavioural element needs to be brought up to speed alongside them. Whatever the transaction, it needs to be managed securely, and knowing your clients and where their money comes from is essential to this process.
Financial crime is like water: it will find its own level. Regulatory compliance is, of course, essential, but the attitudes we take into the process are vital too. It is no longer enough to keep regulators happy by simply ‘ticking boxes’. Constant vigilance, testing and education, from schools all the way through to senior citizens, will all help in achieving a safer future.
Day 1
Session 2: Impacts of Fraud
Steve Jackson; Detective Inspector – National Fraud Intelligence Bureau (NFIB)
There are many types of fraud which we can all fall victim to: cheque, plastic card, payment diversion, dating, computer software, investment; virtually every sector of society has at least one type which applies to it. Over the last year more than 5 million phishing attempts were reported, with losses rising, yet DI Jackson suggests that less than 3% of fraud is reported. He stressed that firms need to be evangelistic about cyber protection, encouraging the reporting of crimes and sharing information to combat the threat.
On emerging issues, he cited the recent large-scale phishing attack on Facebook and, as we start to emerge from what we all hope is the final Covid lockdown, ticketing fraud targeting both holidays and the coming raft of summer festivals, as examples of how this activity is spreading. Sales fraud is also on the increase, particularly involving high-value watches, bullion and cryptocurrencies, and pension scheme fraud is rising too.
The impact of this type of crime is huge, causing extreme hardship, debt, loss of wellbeing and, in some tragic cases, suicide, so we need to get on top of it as soon as possible. This includes getting ‘into bed’ with the social media providers to identify and remove fraudulent messages from their platforms. The NFIB’s monthly threat assessment will henceforth be made available to interested members via PIMFA, and he urged people to make use of the information, tips and guidance available through Action Fraud.
Day 1
Session 3: 5MLD: How Tech-led, Risk-based Compliance Can Unlock Customer Excellence and Lower Operational Costs
Steve Elliott, Managing Director – LexisNexis
Oxford Economics suggest that the overall cost of compliance for financial services firms is running at around £28.7 billion, yet the National Crime Agency says that only around £1 billion of the money laundered through the UK has been recovered.
The Fifth Money Laundering Directive (5MLD) was issued by the EU to member states and then implemented by national regulators. New sectors captured by it include estate agents and crypto-asset providers, and it sets out five technical areas of improvement.
Mr Elliott described how technology can help to get the compliance job done faster, spending fewer man-hours on manual functions and allowing staff to concentrate on what they are best at; he suggests that repetitive, manual tasks account for around 70% of total compliance costs. Whilst it is not an adviser’s job to authenticate (they want to get on with advising), it is essential in these times to know who your clients actually are and where their money comes from.
Technology can help here by providing a holistic customer view, incorporating enhanced and automated KYC, electronic identification and verification (ID&V), automated customer and enhanced due diligence (CDD/EDD), payment validation and screening.
Given the prediction that as much as $68 trillion will be transferred to heirs globally over the next 25 years, authentication of these funds and proof of individual identity are both critical to their protection. Identity checks come in three parts: physical, using biometrics; personal, using address, phone numbers, relatives, passport and so on; and digital, looking at account histories, geolocation and online behaviour. Together these produce a nice, thick file on each client, with richer and broader data than has hitherto been available.
Acting now will provide speedier onboarding, an accurate customer view and scope for a more tailored investment strategy, along with cost savings and enhanced security for clients. It will also avoid the burden of cost falling on those who have not embraced technological solutions as regulatory change continues, and those who do invest are likely to end up more competitive.
Day 1
Session 4: Regulatory Update
Susannah Cogman, Financial Crime Expert & Partner, and Chris Noonan, Financial Services Regulatory Partner, both with Herbert Smith Freehills.
Overall, anti-corruption compliance (the Bribery Act, etc.) has remained pretty static. There have been some ‘business as usual’ changes on sanctions now that the UK has left the EU and become autonomous, and the monetary penalties guidance has been updated. Apart from ‘bedding in’ 5MLD, there have been many AML changes, with more to come, along with increased FCA enforcement, an extension of reporting requirements and updated NCA guidance on SARs.
There is a lot on the horizon, though, starting with the upcoming consultation on the Money Laundering Regulations (MLR), Companies House reform, the Economic Crime Levy and the Trusts Register shortly going live. On corporate criminal liability, a Law Commission consultation has been launched and longer-term reform is likely. 6MLD is also on the way; it is not a continuation of the 1-5 series and raises no direct compliance issues for the UK as, overall, POCA already does more than 6MLD requires. The EBA has updated its Risk Factors guidelines on, for example, when simplified or enhanced due diligence is needed, but whilst this is relevant to firms with EU branches or subsidiaries there is no direct UK impact.
Finally, there are the six pillars of the EU Action Plan. Two of these matter here: the Single Rulebook, with legislative proposals coming shortly, and Supervision, with similar impact and proposals to the Single Rulebook and aimed at strengthening supervisory powers. The final model for this has yet to appear, but the question is whether the UK will want to remain aligned to it post-Brexit.
As to purely domestic updates, make sure that you are familiar with the latest National Risk Assessment, released last December, as it may affect your firm’s ML/TF risk assessments. Also, the annual financial crime reporting obligation (the REP-CRIM return) was extended in March of this year, requiring firms within the extended scope to file a financial crime data return within 60 days of the first accounting reference date after 30th March 2022. The FCA estimates that the number of firms within scope will rise from 2,500 to approximately 7,000, so check whether you are affected.
FCA enforcement will be stepped up in terms of legal action where applicable. Likely areas of AML reform and upcoming activity include: amending POCA to reduce low-value reporting; exploring how high-value private sector resources could be rebalanced to focus on proactive investigations; improving the quality of information on the Companies House register; and cross-sector work on fraud and intelligence sharing.
Day 1
Session 5: Lessons Learned & Priorities for 2021
Louise Stanway, Compliance Officer, MLRO & Partner – Ruffer
Michael Harden, Head of Compliance, MLRO – Network Investments
Marieke Kernet, Director, Head of Financial Crime, Deputy MLRO – Tilney Smith Williamson
Faced with the onset of the pandemic 13 months ago, our industry had to take drastic steps, migrating up to 96% of the workforce to an online ‘work from home’ model supported by a huge uptake in the use of technology. Nobody could have predicted that this period would last as long as it has and, as we look forward to coming out of lockdown, we need to decide what to keep from this process and what to lose. Hybrid working will become the new norm, as remote working has proved so effective in our industry; it is now really about who is needed in the office, how often and why.
Regulatory compliance has had to be more flexible and pragmatic during this period, partly because of the increase in cybercrime, but the positives include a huge increase in digital interaction and in internal process reviews, creating new scenarios from which to learn and apply new strategies. This will continue as we move forward.
Looking forward, new regulatory impetus is expected in areas such as ESG, financial crime and the Investment Firms Prudential Regime (IFPR), plus a closer look at the use of third-party technology to gain a better understanding of how it can improve our working practices.
Day 1
Session 6: Closing Keynote
Louise Marshall; EU Exit, Governance, Engagement, Operational Policy & Litigation for the Office of Financial Sanctions Implementation (OFSI)
This session covered the role of OFSI, the key changes to financial sanctions following the transition from EU to UK financial sanctions legislation under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), and an overview of OFSI’s compliance approach.
Part of the Treasury, OFSI was set up five years ago to oversee how sanctions are implemented, understood and enforced in the UK, protecting the integrity of financial markets. It raises awareness of sanctions and the associated compliance responsibilities, develops compliance tools through guidance, and works with enforcement and security agencies in both civil and criminal cases. Louise also explained that, prior to Brexit, sanctions came to the UK from the UN via the EU; now that the UK has left the EU, the country has greater agility in creating and applying sanctions with less complexity.
The UK introduced 34 statutory instruments during the transition period transferring UN and former EU regimes into UK law but, broadly, retains the same legislative aims as before. Similarities to the previous regime include the same application process for licences and for reporting breaches; existing licences are carried over; enforcement penalties and legislation remain the same; and OFSI will continue to provide e-alerts and notices on changes to the consolidated list.
Examples of differences include changes to the licensing derogations in the schedules to the regulations, changes to the guidance on Libya and Russia, the UK’s ability to issue general licences and a greater degree of domestic ownership and control. OFSI has also updated its general guidance for sectors such as charities, maritime and import/export.
When dealing with stocks and shares where a designated person is involved, there are three things to be aware of. First, identify the owner of the assets and treat them as frozen if they are owned by a designated person. Second, if a designated person or entity holds more than 50% of a company, sanctions can apply to that company too. Third, always watch compulsory corporate actions: a financial sanctions breach can be caused not only by making funds available to a designated person but also by dealing with funds belonging to one.
Day 2
Session 1: Opening Keynote: It’s All About Data
Dr. Claudia Natanson, Chair – UK Cybersecurity Council
To give an idea of the cyber security challenge we currently face, Dr Natanson stated that there is a ransomware attack every 14 seconds and that by 2025 the frequency is projected to rise to one every 11 seconds. She explained that we are now in a ‘perfect storm’ of cyber vulnerability as we use unprecedented amounts of data, and that the challenge lies in knowing where it all is and who has access to it. Hackers are very patient, she warned, adding that we all need to be aware of our digital environment because it is “easy to see if you’ve left a window ajar, but not so easy to detect a slight change in your data streams”.
The Council Chair went on to add that as we begin to exit the more extreme pandemic-led restrictions we can see that, where we used to use predictive analysis in combating cybercrime, we now utilise dynamic analysis, assessing the threat in real time. Where we used to ‘follow the money’, we should now follow the data but, for this to be viable, the data has to be pristine and secure with the risks clearly understood.
Looking forward, the Internet of Things and 5G will expand and improve the online experience. With around 40 billion devices connected by 2025, data volumes will double and AI-enabled voice assistants such as Alexa will become more prevalent, providing more opportunities for criminals. The SME sector, 90% of UK businesses, is also a concern: SMEs make a huge contribution to the economy, so the hackers are watching closely, yet research suggests that around 60% of them do not have a clear cyber policy.
Whilst the Council is there to help set and monitor benchmarks for the burgeoning cyber security profession, it is also charged with making it an attractive profession for all sectors of the population, so there is a big D&I element to its work. Dr Natanson also stressed the need to work as closely together as the criminals do, sharing as much information as possible on a regular basis in order to keep the ‘bad guys’ at bay.
The workforce which left the office in 2020 is not the same as the one returning. Significant cultural and process change has happened, leading to different thought patterns and approaches. All of this means that we must constantly re-evaluate our security protocols; ultimately, everyone is now involved in risk management.
Day 2
Session 2: Building a Cyber-Resilient Business
Heather Adams, Managing Director – UKI Risk for Accenture
Cyber resilience was defined as the ability to recover from an attack or breach in a way that regains sufficient control over critical functions, minimising loss to the firm, its customers, partners and employees, so that the business can embrace disruption safely, strengthen customer trust and boost value.
This can be achieved by identifying important business services and setting impact tolerances for them, then mapping the resources (teams, processes, systems and so on) required to deliver those services and assessing their resilience vulnerabilities. Next, identify extreme but plausible scenarios and run stress tests against them, then use the lessons learned to complete a resilience self-assessment and deliver it to the Board, along with defined communications and actions targeting the resilience gaps found.
Both the FCA and the PRA require that these elements are in place by March 2022. Firms will then have time to make the improvements required.
As we put more security in place, the criminals will learn how to bypass it. The key word here is ‘learn’, and we have to be as good as, or better than, they are. Regular testing is crucial to this process, allowing us to adapt to new threats and increasing our ability to prevent attacks.
Day 2
Session 3: Protecting Clients Against Fraudulent Domains
Andy Bates, Executive Director, UK – Middle East & India for the Global Cyber Alliance (GCA)
‘Domain Trust’ is a new GCA platform which helps to take down criminal domains, working with the UK Information Commissioner, global law enforcement, British Telecom and others in the domain industry, and focused on fighting the criminals who ‘impersonate’ businesses on the internet. Two years in the making, its products are free to use, private and global in reach. Globally, GCA has so far saved firms around £1 billion, and one of its products, the Quad9 protective DNS resolver, has so far stopped 25 billion phishing attacks from landing.
The platform deals with both malicious and suspicious domains, with around 2 million currently on file and the list increasing steadily. It protects 200 million people in 99 countries, giving the GCA a very loud voice in dealing with governments and law enforcement agencies.
One of the main ways to defend yourself from this type of activity is to register your official operating domains with the GCA so that it can detect criminal misuse of them. Another is to give your clients GCA’s Quad9 resolver, which blocks lookups of known-malicious domains and is worth around £5,000 in today’s market, so that they are protected.
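As an added illustration (not GCA’s code, and not anything presented in the session), the block below shows the kind of look-alike check a firm can run itself against its own registered domains, alongside registering them with a takedown service: it decodes punycode, folds confusable characters to a common ‘skeleton’, and classifies each observed domain as official, a homoglyph look-alike, a typosquat, a TLD swap, a brand hidden in someone else’s subdomain, or a ‘combosquat’ (brand plus extra words). The domains examplebank.com and ExampleBank.co.uk and the list of observed domains are constructed sample data; the small confusables table and the handful of second-level suffixes are assumptions that a production tool would replace with the Unicode confusables data and the Public Suffix List.

```python
"""Look-alike domain triage against a firm's own registered domains (stdlib only)."""

# Characters commonly used to imitate Latin letters, folded to one canonical
# "skeleton".  Deliberately small (assumption); real tools use the full
# Unicode confusables table.
_HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
}
_MULTI = {"rn": "m", "vv": "w"}  # two glyphs that read as one letter

# Suffixes under which registrations happen one label deeper.  Assumption:
# a handful of common ones; production code should consult the Public Suffix List.
_SECOND_LEVEL = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels to Unicode."""
    labels = []
    for label in domain.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, it is still comparable
        labels.append(label)
    return ".".join(labels)


def registrable(domain: str) -> str:
    """The part of the name a registrant actually bought (eTLD+1)."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text: str) -> str:
    """Fold confusables so 'examp1ebank', 'exarnplebank' and 'exаmplebank' compare equal."""
    for seq, rep in _MULTI.items():
        text = text.replace(seq, rep)
    return "".join(_HOMOGLYPHS.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and an
    adjacent transposition ('bank' -> 'bnak') each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(observed: str, official: list) -> tuple:
    """Return (verdict, matched_official_domain).  Verdicts, in precedence order:
    official, subdomain_spoof, tld_swap, homoglyph, typosquat, combosquat, unrelated."""
    obs = normalise(observed)
    obs_reg = registrable(obs)
    obs_name = obs_reg.partition(".")[0]
    sub_part = obs[: len(obs) - len(obs_reg)]  # "" or e.g. "login.examplebank.com."
    goods = [registrable(normalise(g)) for g in official]
    names = {g: g.partition(".")[0] for g in goods}

    if obs_reg in goods:
        return "official", obs_reg
    for g in goods:  # brand placed in a subdomain of an attacker-owned domain
        if skeleton(names[g]) in skeleton(sub_part):
            return "subdomain_spoof", g
    for g in goods:  # same name once confusables are folded
        if skeleton(obs_name) == skeleton(names[g]):
            return ("tld_swap" if obs_name == names[g] else "homoglyph"), g
    best = min(goods, key=lambda g: edit_distance(obs_reg, g))
    if edit_distance(obs_reg, best) <= (1 if len(obs_name) < 8 else 2):
        return "typosquat", best
    for g in goods:  # brand embedded in a longer registered name
        if skeleton(names[g]) in skeleton(obs_name):
            return "combosquat", g
    return "unrelated", None


OFFICIAL = ["examplebank.com", "ExampleBank.co.uk"]  # hypothetical firm's domains

# Constructed sample of domains seen in (hypothetical) DNS / proxy logs.
CYRILLIC = "ex\u0430mplebank.com"                   # the 'а' is Cyrillic U+0430
PUNYCODE = CYRILLIC.encode("idna").decode("ascii")  # how that name appears on the wire
OBSERVED = [
    "www.examplebank.com", "examp1ebank.com", "exarnplebank.co.uk", PUNYCODE,
    "examplebnak.com", "examplebank.co", "examplebank-secure-login.com",
    "login.examplebank.com.evil-host.net", "bankexample.com", "google.com",
]


def triage(observed=OBSERVED, official=OFFICIAL) -> dict:
    """Map each observed domain to its verdict."""
    return {d: classify(d, official)[0] for d in observed}


if __name__ == "__main__":
    for domain, verdict in triage().items():
        print(f"{verdict:16} {domain}")
```

The order of the checks matters: the punycode form of the Cyrillic name only becomes visible as a homoglyph after decoding, and the brand-in-subdomain test has to run on the part of the name outside the registrable domain, otherwise `login.examplebank.com.evil-host.net` would be compared as `evil-host.net` and pass as unrelated. `bankexample.com` is left as unrelated on purpose: a re-ordered brand is beyond what edit distance catches, which is one reason to feed such names to a service with a larger corpus as well.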
Finally, reporting misuse only takes a few minutes and can end up protecting many other firms and their clients. Some people still feel that no one cares about this issue; the GCA does, and looks forward to the conversation.
Day 2
Session 4: How Vulnerable Is Our Technology?
David Fleming, Chief Technical Officer – Mitigo
Using case studies, David explained the increasingly sophisticated methodology used by criminals to exploit our use of technology and cloud platforms, the role which human error plays and the need for control frameworks.
One example from the case studies is Travelex, who work with most major banks. They were down for several weeks following a ransomware attack and are reported to have paid a $2.3 million ransom to the Russian gang which claimed responsibility, the same gang which has attacked many small firms. These criminals are looking for vulnerabilities everywhere, not just amongst the ‘big guys’: if Travelex’s systems were vulnerable, it is reasonable to suppose that yours are too, so keep your policies and procedures up to date.
The list of common attacks in which human error features is long, but four types were highlighted here: email account takeover, ransomware, cloud data breaches and the Covid-accelerated use of mobile phones.
It is critical to get policy, training and testing right. Email addresses and passwords are no longer good enough as identification tools, so stronger authentication is needed; and always check that your security is correctly configured, especially when using the cloud.
Day 2
Closing Session: Third Party Risk
Philip Tansly, Sam Tyfield, Jonathan Crook and John Hartley, all Partners at Shoosmiths.
This session explored the range of third-party risks for regulated entities which have suffered a cyber incident. The list is fairly extensive, as 68% of companies worth over £5 million have experienced an incident within the last year, and the liabilities often overlooked include contractual, indemnity and insurance exposures.
Regulatory risk falls mainly under GDPR. Fines under the new regime are massively increased: up to 2% of global turnover for the lower tier of breaches and up to 4% for the higher tier. Notification obligations are also very strict: the ICO must be notified of a breach within 72 hours of the firm becoming aware of it, and the FCA as soon as practicable. There is no flexibility on this and full transparency is essential.
However, provided a firm can show that it has done as much as possible to limit the effects of an attack, it may be able to reduce any fine. Common aggravating factors are failure or delay in notification, lack of adequate technical controls and lack of adequate internal practices and procedures to mitigate risk. If you are attacked via a third party you are still the data controller under GDPR, but the regulator may be inclined towards leniency if you have taken the right steps, so a proactive response is advised at all times.
Other key risk areas include Follow-on Data Protection claims, ‘Traditional’ Litigation risk, claims against third-party providers, Insurance and Directors and Officers liability.
If your firm finds itself under investigation for a breach, or falls foul of any of the above, seek immediate advice and preserve all relevant data, including individual mobile phones if needed. A clear definition of what counts as ‘Confidential Information’ is also essential.