GDPR – A Never Ending Story

Posted on : 28-06-2018 | By : richard.gale | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR


For most of us, the run up to the implementation of GDPR meant that we were overwhelmed by privacy notices and emails begging us to sign up to mailing lists. A month on, what is the reality of this regulation and what does it mean for businesses and their clients?

There was much agonising by companies who were racing to comply, concerned that they would not meet the deadline and worried what the impact of the new rules would mean for their business.

If we look at the regulation from a simple, practical level all GDPR has done is to make sure that people are aware of what data they hand over and can control how it’s used. That should not be something new.

Understanding where data is and how it is managed correctly is not only fundamental to regulatory compliance and customer trust, but also to providing the highly personalised and predictive services that customers crave. Therefore, the requirements of regulation are by no means at odds with the strategies of data-driven finance firms, but in fact are perfectly in tune.

Having this knowledge is great for business as clients will experience a more transparent relationship and with this transparency comes trust. Businesses may potentially have a smaller customer base to market to, but this potential customer base will be more willing and engaged which should lead to greater sales conversion.

The businesses that will see a negative impact will be the companies that collect data by tricking people with dubious tactics. The winners will be the companies that collect data in open and honest ways, then use that data to clearly benefit customers. Those companies will deliver good experiences that foster loyalty. Loyalty drives consumers to share more data. Better data allows for even better, more relevant customer experiences.

If we look at the fundamentals of financial services, clients are often handing over their life savings, which they are entrusting to companies to nurture and grow. Regardless of GDPR, businesses shouldn’t rely on regulation to keep their companies in check but should instead always have customer trust at the top of their agenda. No trust means no business.

The key consideration is what you can offer that will inspire individuals to want to share their data.

Consumers willingly give their financial data to financial institutions when they become customers. An investment company may want to ask each prospect how much money she is looking to invest, what her investment goal is, what interests she has and what kind of investor she is. If these questions are asked “so we can sell to you better,” it is unlikely that the prospect will answer or engage. But, if these questions are asked “so that we can send you a weekly email that describes an investment option relevant to you and includes a few bullets on the pros and cons of that option,” now the prospect may happily answer the questions because she will get something from the exchange of data.

Another advantage of GDPR is the awareness requirement. All companies must ensure that their staff know about GDPR and understand the importance of data protection. This is a great opportunity to review your policies and procedures and address the company culture around client information and how it should be protected. With around 50% of security breaches being caused by careless employees, the reputational risks and potential damage to customer relationships are significant, as are the fines that can be levied by the ICO for privacy breaches.

Therefore, it is important to address the culture to make sure all staff take responsibility for data security and the part that they play. Whilst disciplinary codes may be tightened up to make individuals more accountable, forward thinking organisations will take this opportunity to positively engage with staff and reinforce a culture of genuine customer care and respect.

A month on, it is important to stress that being GDPR ready is not the same as being done! Data protection is an ongoing challenge requiring regular review and updates in a fast-moving threat environment.

With some work upfront, GDPR is a chance to clean your data and review your processes to make everything more streamlined, benefiting both your business and your clients.

Everyone’s a winner!


kerry.housley@broadgateconsultants.com


The Opportunity for Intelligent Process Automation in KYC / AML

Posted on : 28-06-2018 | By : richard.gale | In : compliance, Data, Finance, FinTech, Innovation


Financial services firms have had a preoccupation with meeting the rules and regulations for fighting Financial Crime for the best part of the past decade. Ever since HSBC received sanction from both UK and US regulators in 2010, many other firms have also been caught short in failing to meet society’s expectations in this space. There have been huge programmes of change and remediation, amounting to tens of billions of any currency you choose, to try to get Anti-Financial Crime (AFC) or Know Your Customer (KYC) / Anti-Money Laundering (AML) policies, risk methodologies, data sources, processes, organisation structures, systems and client populations into shape, at least to be able to meet the expectations of regulators, if not exactly stop financial crime.

The challenge for the industry is that Financial Crime is a massive and complex problem to solve. It is not just the detection and prevention of money laundering, but also needs to cover terrorist financing, bribery & corruption and tax evasion. Therefore, as the Banks, Asset Managers and Insurers have been doing, there is a need to focus upon all elements of the AFC regime, from education to process, and all the other activities in-between. Estimates as to the scale of the problem vary but the consensus is that somewhere between $3-5 trillion is introduced into the financial systems each year.

However, progress is being made. Harmonisation and clarity of industry standards and more consistency have come from the regulators with initiatives such as the 4th EU AML Directive. The importance of the controls is certainly better appreciated and understood within Financial Services firms and by their shareholders. Perhaps what has not yet progressed significantly are the processes of performing client due diligence and monitoring of their subsequent activity. Most would argue that this is down to a number of factors, possibly the greatest challenge being the disparate and inconsistent nature of the data required to support these processes. Data needs to be sourced in many formats from country registries, stock exchanges, documents of incorporation, multiple media sources etc… Still today many firms have a predominantly manual process to achieve this, even when much of the data is available in digital form. Many still do not automatically ingest data into their workflows and have poorly defined processes to progress onboarding or monitoring activities. This is for the regulations as they stand today; in the future this burden will further increase as firms will be expected to take all possible efforts to determine the integrity of their clients, i.e. by establishing linkages to bad actors through other data sources such as social media and the dark web that are not evident in traditional sources such as company registries.

There have been several advances in recent years with technologies that have enormous potential for supporting the AFC cause. Data vendors have made big improvements in providing a broader and higher quality of data. Aggregation solutions, such as Encompass, offer services where the constituents of a corporate ownership structure can be assembled, and sanctions & PEP checks undertaken, in seconds rather than the current norm of multiple hours. This works well where the data is available from a reliable electronic source. However, it does not work where there are no, or unreliable, sources of digital data, as is the case for Trusts or in many jurisdictions around the world. Here we quickly get back to the world of paper and PDFs, which still require human horsepower to review and decide.

Getting the information in the first instance can be very time consuming, with complex interactions between multiple parties (relationship managers, clients, lawyers, data vendors, compliance teams etc) and multiple communications channels, i.e. voice, email and chat in its various forms. We also have the challenge of Adverse Media, where thousands of news stories are generated every day on Corporates and Individuals that are the clients of Financial firms. The news items can be positive or negative, but it consumes tens of thousands of people to review, eliminate or investigate this mountain of data each day. The same challenges come with transaction monitoring, where individual firms can have thousands of ‘hits’ every day on ‘unusual’ payment patterns or ‘questionable’ beneficiaries. These also require review, repair, discounting or further investigation, the clear majority of which are false positives that can be readily discarded.

What is probably the most interesting opportunity for allowing the industry to see the wood for the trees in this data heavy world is the maturing of Artificial Intelligence (AI) based, or ‘Intelligent’, solutions. The combination of Natural Language Processing with Machine Learning can help the human find the needles in the haystack or make sense of unstructured data that would ordinarily require much time to read and record. AI on its own is not a solution, but combined with process management (workflow), digitised multi-channel communications, and even Robotics it can achieve significant advances. In summary, ‘Intelligent’ processing can address 3 of the main data challenges with the AFC regimes within financial institutions:

  1. Sourcing the right data – Where data is structured and digitally obtainable it can be readily harvested, but it needs to be integrated into the process flows to be compared, analysed, accepted or rejected as part of a review process. Here AI can be used to perform these comparisons, support analysis and look for patterns of common or disparate data. Where the data is unstructured, i.e. embedded in a document (email / PDF / doc etc.), then AI NLP and Machine Learning can be used to extract the relevant data and turn the unstructured into structured form for onward processing.
  2. Filtering – With both Transaction Monitoring and Adverse Media reviews there is a tsunami of data and events presented to Compliance and Operations teams for sifting, reviewing, rejecting or further investigation. The use of AI can be extremely effective at performing this sifting and presenting back only relevant results to users. Done correctly this can reduce the burden by 90+% but, perhaps more importantly, never miss or overlook a case, so providing reassurance that relevant data is being captured.
  3. Intelligent workflows – By using Intelligent workflows, processes can be fully automated where simple decision making is supported by AI, thereby removing the need for manual intervention in many of the tasks being processed and leaving the human to provide value at the complex end of problem solving.

Solutions are now emerging in the industry, such as OPSMATiX, one of the first Intelligent Process Automation (IPA) solutions. Devised by a group of industry business experts, it is a set of technologies that combine to make sense of data across different communication channels, uses AI to turn unstructured data into structured data, and applies robust workflows to optimally manage the resolution of cases, exceptions and issues. The data vendors, and solution vendors such as Encompass, are also embracing AI techniques and technologies to effectively create ‘smart filters’ that can be used to scour through thousands, if not millions, of pieces of news and other media to discover, or discount, information of interest. This can be achieved in a tiny fraction of the time, and therefore cost, and more importantly with far better accuracy than the human can achieve. The outcome of this will be to liberate the human from the process, and firms can either choose to reduce the costs of their operations or use people more effectively to investigate and analyse those events, information and clients that may be of genuine cause for concern, rather than deal with the noise.

Only once the process has been made significantly more efficient, and the data brought under control, can Financial firms really start to address the insidious business of financial crime. Currently all the effort is still going into meeting the regulations, and not society’s actual demand, which is to combat this global menace. Intelligent process should unlock this capability.


Guest Author : David Deane, Managing Partner of FIMATIX and CEO of OPSMATiX. David has had a long and illustrious career within Operations and Technology global leadership with Wholesale Banks and Wealth Managers. Before creating FIMATIX and OPSMATiX, he was recently the Global Head of KYC / AML Operations for a Tier 1 Wholesale Bank.

david.deane@fimatix.com

Insider Threat – Who is Taking Your Data Home?

Posted on : 25-06-2018 | By : richard.gale | In : Uncategorized


“Employee theft has always been a problem for organisations. Critical information is now more accessible and portable than ever before. So, what used to be an irritation has now become a threat to a company’s very existence.”

Stealing company secrets or having a grudge against a company is nothing new. However, the rise of the digital age has made it easier to gain access to information from the inside and has created a host of vulnerabilities ripe for exploitation.

Organisations can find it difficult to identify such insider threats, or by the time they have recognised them it may be too late, and the leak has already happened. This is made ever more difficult to monitor by the increasing complexity of an organisation’s network. The amount of data stored and number and types of devices connecting to it makes it harder than ever to monitor usage.

Companies have spent big money and devoted a lot of resource to protecting themselves against external threats, building strong defences with firewalls, anti-virus software, mail filters and numerous other controls. But have they left themselves vulnerable from the inside?

Recently, two corporate giants, Coca-Cola and Tesla, fell victim to malicious insider behaviour. In the case of Coca-Cola, a former employee stored thousands of employees’ personal data on an external hard drive. Electric car giant Tesla was sabotaged by an aggrieved employee who was upset not to have been awarded a promotion. To demonstrate his feelings, he stole highly sensitive data from the manufacturing operating system and sold it on to third parties.

According to a recent survey by Egress Software Technologies, almost a quarter of UK employees have purposely shared business information with people outside of their organisation. Clearswift research has found that employees are willing to sell company information for as little as £125, so it doesn’t take much to turn a disgruntled or bored employee into the criminal’s accomplice! Add to this the number of employees tricked by social engineering and spoof emails into causing damage unintentionally, and organisations are faced with a potentially massive security problem inside their own walls.

Guarding against the insider threat is difficult because technology alone cannot solve the issue. This type of threat is more about personality and behaviour, feelings and motivation. There are highly capable tools to track keystrokes and data, but these will not identify the individual who was passed over for a promotion, or the individual going through a divorce or financial difficulties; technology alone cannot detect that.

So, what can companies do? There is a fine balance between monitoring employees and allowing them the freedom and responsibility to do their job. Let’s face it, no one wants to work for an organisation where every move they make is monitored and they feel they are not trusted to behave in the appropriate way.

Where cybercrime is concerned, people can often be the weakest link in the security chain, but with education and training, they can be your greatest asset.

Ongoing training and education programmes are essential in influencing employee behaviour; it only takes one person to click on a phishing email to expose an entire organisation. Companies also need to continue to invest in employee education about cybercrime and the detrimental effect a breach can have on brand, reputation and the bottom line. When assessing personnel, consider how much access they should have and what data they control and influence, and run background checks on new employees before granting physical or logical access to facilities, systems or data. Also, identify which people within the business have significant information system security roles, and ensure the process for documenting this is comprehensive and regularly updated.

Once you have set policies and procedures in place, a layer of technology can be added to bring additional security. But, as we said before, technology alone will not address all the issues:

  • Use specialist security software to track files and malware entering/leaving the network. Many tools now have advanced tracking functionality to spot unusual behaviour on a network. Tools such as Darktrace, FireEye and Palo Alto can track unusual network behaviour as well as unexpected user behaviour.
  • Consider tools such as Dtex or Egress deployed on an individual’s PC to monitor behaviour: capturing changes in user patterns (e.g. an employee getting ready to leave the organisation), high-risk patterns of behaviour, or finding what information was lost on a laptop left on a train.
  • Use other monitoring solutions, such as Digital Shadows, to track data that has left the internal boundary and calculate the amount of exposure you have outside the organisation, even tracking data on social media and the “Dark web”. A controlled environment with four-eyes checks of files leaving the network ensures sensitive files are not being sent externally.

With better controls, procedures and policies in place, together with technology that can identify unusual activity and misuse, it is possible to catch potential losses and remediate as quickly as possible, thereby limiting any damage caused.


As always, it’s not just about technology but the people and processes too!


kerry.housley@broadgateconsultants.com