Banking on the right protection

In an exclusive interview with FST he speaks about the task of protecting the bank and its 56 million customers and 200,000 staff from financial crimes and the myriad of global security threats out there.

By Julian Rogers

In the fall of 2003 Chris Swecker found himself posted to arguably the most dangerous country in the world – Iraq – as the FBI’s On Scene Commander investigating terrorist bombings and forensically examining explosive devices.
At the time the US and coalition forces were engaged in the initial phase of a treacherous campaign to bring peace and stability to the battle-scared country. As you would expect, it wasn’t an assignment for the fainthearted but one that was entrusted to Swecker after a diverse and distinguished career at the bureau that saw him tackle organized criminal gangs, corporate fraud, forensics, counterterrorism, crisis management, cyber crime…the list goes on.

However, after 24 years at the FBI Spanish-born Swecker decided to hand in his badge and retire as Executive Assistant Director and transfer this wealth of experience across to the somewhat safer financial services sector – an industry where security has intensified in recent years. BoA identified Swecker as the right man to become its new Director of Corporate Security, a role that would see him dealing with a full spectrum of issues from employ screening and executive protection to fraud investigations and homeland security.

However, when accepting the job last August Swecker expected the role to be far more constrictive in its focus compared to his varied work at the FBI “When you move from the ‘number three’ position in the FBI where I had a pretty broad scope to an area which I thought was possibly a little bit narrower, you think that the job is going to be a less demanding,” he explains. These fears were quickly dispelled once Swecker got behind his desk. “The role has actually been much more than I expected. It has been extremely challenging, both in scope and complexity, in a way that I had not anticipated because financial crime and physical security issues touch about every aspect of society today.”

Swecker believes that his previous knowledge of threats at the FBI has stood him in good stead for the job. “I was able to transfer over a knowledge of the threat environment and what the drivers for those threats are – everything from crime to terrorism to geopolitical threats.” Swecker says the same rule applies to prevention. We have a prevention mindset at the bank. We focus on problem solving, issues identification and understanding issues so that we can create solutions to address them. Armed with that strategic vision we use our leadership skills to organize around that vision.”

The thrill of the chase

Tracing the financial crime trail can prove complex and laborious for investigators so banks act as the eyes and ears of the law enforcers in flagging suspicious activity. Once a potential fraud has been spotted, BoA’s corporate security team swings into action and starts gathering the crucial evidence to pass on to the authorities. “We’re usually the first to see a problem, we see it and immediately launch an internal investigation,” Swecker says. The authorities typically take over one third of the way down the road.. Indeed, due to a lack of resources fewer and fewer federal investigators are tackling financial crime nowadays and have to rely on banks’ internal security departments to do much of the early work.

Presumably the point when a gang of fraudsters is convicted must be a satisfying feeling for Swecker and his team? He agrees but admits that catching a crime in its embryonic stage is more rewarding. “A better feeling is when it comes to the prevention part and where we detect something early,” he says. “With any fraud, whether it’s money laundering, embezzlement, identity theft or terrorism financing, chances are that it will be spotted first within the bank during our daily activities.” Swecker says the “ultimate metric” for corporate security at BoA is a reduction in losses.

With this in mind, where does corporate security fit into the business’ operations? “In many ways, especially in a financial institution, a strong corporate security program is key,” he notes. “A lot of it means going through our own systems and transactions, as well as using our forensic capabilities to reconstruct what happened.” From its own meticulous investigations the bank has been able take the lessons learned on board and introduce policies to prevent similar crimes.

Today, there are plenty of fraudsters out there looking to carry out copycat crimes and those who are dreaming up ever-more ingenious ways to infiltrate banks’ defenses. One fraud that has exploded in recent years is identity theft – thought to account for more than $1.5 billion industry-wide in losses for US account holders. Of course, being able to trust your hard-earned dollars with an institution is of utmost importance; Swecker is a great believer in the idea that sound security and data protection measures give you an edge. “I really think protecting customer data is a competitive advantage for any financial services company today. Identity theft is probably the most prevalent financial crime right now and consumers are concerned about the protection of their information. They have read about or have experience with identity compromise and they know how difficult it is to deal with it once it has happened.”

Of course, no tool has allowed the criminal element to attack banks and their customers more than the internet. While the criminals of the past pointed a loaded gun at the cashier and demanded the contents of the safe, today’s generation can rob the bank or its customers from the relative safety of their own home on the other side of the globe. “The internet has become the primary tool for those looking to commit fraud. If you are in Russia, Romania or Southeast Asia you can steal money from your front living room or the internet café.” Swecker says. The World Wide Web has been a double-edged sword for the industry. ”It has been a great boon in terms of commerce but it has presented new challenges in terms of preventing or blocking new fraud schemes..”

Increasingly, however, the enemy is found lurking within. In the past 18 months America’s financial institutions have been hit by a number of high profile identity thefts and data losses, some of which have been perpetrated by rogue employees hell-bent on stealing information. This is where secure background screening can save a bank a whole heap of hassle and money in the future. At BoA checks orchestrated by Swecker’s department are carried out on every new member of staff before they even start work. “We screen all of our employees with a background on their employment, their education and whether they have a criminal record.”

Apart from trying to land jobs at the banks, the criminals know that going after the customers directly can yield huge sums. One of their favourite methods is to launch ‘phishing’ attacks to fool people into handing over their details online in order to raid their accounts. The perpetrator of a ‘phishing’ attack is often not aware which bank his target is a a customer of. He/she hopes that the victim will be duped by his false email directing them to a bogus bank website. The perpetrators are going after the consumer’s computer in phishing attacks, not the bank’s. Keeping customers aware of the dangers is key to stamping out this activity. “We are always going to be a primary phishing target…so the challenge is educating consumers.” Swecker says.

Staying on your toes

So is BoA prepared for today’s attacks, as well as the unforeseen ones lurking around the corner? Swecker believes so. “I think we are well-positioned. and I would say that we are among the best in the world in terms of having an understanding on that end-to-end process.” He adds: “A lot of this is organized criminal activity so the ability to connect the dots, is important in identifying the rings and stopping the hemorrhaging that takes place from organized criminal activity.”

For the banks the sharing of intelligence is key to curbing criminal activity, too. “With organized gangs attempting to get at our money and information, it really requires a very capable information sharing process within the bank, between the bank and law enforcement and with other banks. Developing the capability and developing the processes to make those links and cut down the ring activity is the biggest challenge. In a bank this size you are going to see information in many different places. Being able to use all of that information and make those associations is critical.”

Despite BoA’s efforts to tackle all forms of security, Swecker is not of the opinion that the threat has peaked. “I think it is going to continue to intensify and I don’t think we have reached a plateau yet. Both physical security and other corporate security functions in the fraud area along with employment screening are becoming more important and recognized by the C-suites – the CEO, CFO and CRO. They are the first line of defense and also the last line of defense.” He expands: “What I mean is defense is first line of the prevention side but also the last line if something bad does happen by keeping that resiliency and capability of continuing operations.”

In terms of goals for his department for the next 12 months, Swecker’s focus is direct and to the point: “[The aim is] to make us the best in the world at what we do in terms of security, particularly in the area of prevention. This is the prevention of fraud, physical incidents, bank robberies and any bad thing that happens to the bank”. At the heart of this fight is technology. BoA sees it as one of the main drivers to getting the upper hand on the fraudsters – the other being experience.

“One way to stay ahead is being aware of what is going on in the criminal world in terms of what types of scams are being employed. With detection and prevention it is very technology-heavy. You really have to have an end-to-end process where you understand what the threats are through investigations.. or from the other banks or law enforcement. Through that knowledge of the domain you use technology to shut down the schemes and prevent them from happening.

“So, the main challenge is staying on top of technology and the various new fraud schemes that are coming online all of the time. On the physical security side, again you need to get into the prevention mindset, as opposed to simply standing guard.”