Putting the bits together

BITS works to develop best practices and de facto standards for the industry in the areas of risk management, payments and ecommerce, working with the CEOs, the CIOs, the CTOs and the heads of risk, payment, fraud, business continuity and information security. FST spoke with Catherine Allen, the CEO of BITS, who shared her thoughts on the state of risk management in the industry.

FST. You have a good overview of the financial services industry as a whole. How would you rate it in comparison with other sectors in terms of risk management?
CA. I would have to rate them as the absolute top, and there are several reasons for that. Because the industry is always as good as the safety and soundness of the financial services systems that enable trade to take place, that has meant risk mitigation strategies were built in from the very beginning. So addressing reputational risk is at the heart of the industry’s operations.

Then we obviously have financial and fiduciary risk, which is normal for a financial institution. We also have to address regulatory and compliance risk – increasingly the regulators have guided the financial community. Sometimes you might argue too much, but for the most part it has been a collaborative relationship. In terms of the risk management practices we are so far ahead of other sectors that when Richard Clarke was cyber security czar in the White House he used to use BITS and the financial services industry as the poster child for other critical infrastructure sectors to look at how you mitigate and manage risk.

If you think about it, the basis of our business is really managing risk – making loans and taking a calculated risk that people will pay you back and pay you back on time. And that’s true of whether you’re a bank, insurance company or security company – they’re all different ways of creating financial vehicles that are based on risk management.

FST. And this is why the industry is such a leader on the use of risk calculation models for example?
CA. Right. What has happened is we’re seeing more sophisticated risk calculation methods emerge and those methods applied to some of the more difficult areas to manage. As an example, operational risk and technology risk are relatively new, but they can have a big impact. During 9/11, the reason the markets weren’t back up wasn’t that the markets weren’t ready, it was that the telecom infrastructure wasn’t in place. You see, this kind of cascading dependency on other industries and other technologies – telecom, IT, power – has made the risk calculations for business continuity, technology and operations much more difficult to predict. How do you try to calculate the risk of a terrorist attack? It’s a catastrophic event that may only occur once but has a significant impact. I would say the emergence of more sophisticated risk models in the business continuity, technology and operations area is where we’re focused right now.

FST. Do you want to touch upon some emerging technologies and calculation tools that can be leveraged to improve risk management?
CA. Let me start with technologies and come back to tools – you’re going to see increasing use of predictive technologies, parallel processing, artificial intelligence and predictive modeling. We’ve seen that in the credit card area where you could start to look at factors that might predict that a customer is going to be slow to pay or not pay or fraudulent activity might occur. And you’re going to start to see those kinds of technologies applied internally to look at internal fraud and to look at other cross-channel payment risk factors because we’re finding that the fraudsters are smarter and smarter about how financial services systems are set up. Internally it’s about how the silos within organizations are being exploited, so technologies that help to predict are one area.

The second area is wireless – there’s been tremendous growth in its use and this will continue to proliferate. You’ll see the wireless network and devices becoming the predominant way that people not only communicate, but also authenticate themselves and make transactions. It’s immediately important for the financial sector to work with other sectors to look at enhancing the security in those networks, devices and applications and that’s a major project that BITS has underway this year.

FST. Looking at some of the fraud trends across various delivery channels and payment applications, what do you see as the greatest emerging issues that can be attributed to the growth of cross-channel payment risks?
CA. The greatest risk is the lack of existing internal mechanisms to understand and track this. Many financial institutions are in silos – the check payments, the credit card, the debit card, the ACH, the mortgage are often in different divisions, and the fraud people don’t always talk to each other, or to the information security people. So until the organizations have internal holistic and enterprise-wide risk management strategies, I think you’ll have the bad guys able to exploit that. To me that’s the number one problem – the lack of awareness and the lack of an organizational method internally to track and coordinate. Secondly, I think that some of the payment vehicles are much more rigorous in their security practices than others … we’re working on addressing those payment tracks that have the potential for more fraud. I prefer not to name that because, like anything, we don’t want to lay out for the fraudsters what those vulnerabilities are.

FST. Looking at that lack of internal mechanism, do you have any advice in terms of emerging technologies or techniques that can address reducing risk?
CA. Yes, first of all, what we’re trying to support in the industry is the development of common fraud databases. So different parts of the business can track to see if the same names, account numbers or address numbers show up as potential fraudulent activity. We’re working within the industry within a payment Partner Group, made up of the network providers, Visa and MasterCard, the Clearing Houses, NACHA and financial institutions, and we’re looking at some of the ways we can prevent fraud within the network. Most importantly we’re looking at how we can share data and information about bad actors out there, whether they be individuals or merchants.

In addition there are predictive technologies emerging that look at internal fraud. You link to people’s PCs and automatically look at the patterns of behavior, for say a customer service officer, and identify any exceptions to the pattern and investigate them.

FST. How do short-term and long-term industry approaches to risk mitigation differ?
CA. Right now we’re playing catch-up on those payment systems that were maybe less secure than others. We’re doing that very quickly with technology processes and industry fixes – it’s really a very tactical approach. Longer-term the trend is towards an enterprise-wide risk management focus. I’m talking here not about technology but about a mindset, that starts at the Board of Directors. We are looking at the risks that are occurring in each of the silo areas, but then crossing those silos, and looking at what kind of industry trends these fit into. And, again, we are working within the industry to address some of those risk factors.

An example of this would be identity theft and data breaches. Frankly the financial community gets unjustified bad publicity for some of this. For example if you look at the most recent data breaches of cards at TJ Maxx recently – that’s not the financial community’s fault, but we pick up the pieces, both in having to re-issue cards, close accounts, and notify customers, and also in incurring the customer ire which comes back at the financial institution, rather than the retailer. So one of the things in the longer-term is to look at ‘have you got your own house in order’, and then look at other industries that we’re either dependent on – like telecoms, IT or power – or industries that we have strategic relationships with – like retailers, and then we need to put pressure on them just as we do our vendors to adhere to the appropriate risk management strategies. To me this interdependence is where our greatest vulnerability lies – it’s what is outside our control.

FST. Looking at internal fraud, do you have any best practices that can mitigate risk?
CA. We have created an internal fraud prevention database that is managed by Early Warning®, and we are able to plug into that database information on employees who have been convicted of theft, or who have been fired by two or more employers because of fraud. That database then allows financial institutions to contribute data, and others to check against it, so as to avoid re-hiring them – the practice is often for fraudsters to move down the street to another institution when they’ve been fired.

We also have a vendor group. Although vendors can’t be members of BITS, we’ve set up this group – that has players like Microsoft, Momento and ChoicePoint – to really be a mirror of BITS, looking at the vendor perspective on internal fraud, and on data storage and security, in order to provide this back to the financial sector.

We are actually having a conference on March 15 in Washington DC specifically about internal fraud. We have regulators, technology providers and financial institutions coming to share some of the best practices.

FST. That sounds like a good example of the industry collaborating. What kind of collaboration needs to happen to improve risk management and security efforts?
CA. Another good example would be the study we recently published with KPMG looking at Gramm Leach Bliley, FDICIA, Basel II and Sarbanes-Oxley. This looked at the internal overlap within financial institutions’ compliance efforts, but also the overlap and redundancies between the various examining agencies. And where there are redundancies or opportunities for efficiencies, and things that the industry needs to do, we’re going to look at how you might take the next step in that. The regulators are interested in that as well, because what we’re all after is compliance and efficiency – this is an area where I think we’re going to see much more collaboration which will result in better operational risk.

FST. How do you see regulations evolving to address emerging fraud and security threats?
CA. I think the regulators have really done an excellent job at staying up to speed with what the technology challenges are. They have given appropriate levels of guidance – by that I mean good guidance on practice without being too prescriptive, an example being the guidelines on authentication that the FFIEC put together. The guidance on ID theft has been good. The next level is to look at what needs to be done in the wireless area. I think the regulators are also looking at internal fraud and seeing if there’s anything there.

What gives me most happiness is that regulators are not being prescriptive about technology specific solutions. Providing guidance on a risk-based approach is absolutely appropriate and they’ve done a great job at doing that.

FST. And looking at BITS, what are your core initiatives for risk management in 2007?
CA. Our core initiatives for 2007 will continue to be in the security and risk management, fraud reduction, and the management of third party service provider areas. We’ll continue to support the business continuity and crisis management area. In the payments risk area we’re completing the work in the first quarter on the payments Partner Group recommendations, and then we’ll hand that to other payments-oriented associations to continue that.

We’re also taking on strategic issues, and one of the areas we’ll be looking at is mobile security. We’ll look at the devices, the networks, the applications. We’ll be looking at other appropriate levels of security. We’ll be looking at recommendations for best practices for the financial sector, as well as for the device manufacturing provider sector. We’re going to be engaging the vendors as part of the process. So that’s a major effort that we have.

We’re also engaged in the Financial Institution Shared Assessments Program, which is a much more rigorous audit of third party service providers. We’re doing that and then sharing the results with a larger group within the financial community. The regulators are interested in this because they’re interested in how we manage third party providers. We have a major roll-out of this. We plan to have a hundred assessments completed this year, and have many more institutions and vendors engaged. We have the big four audit firms involved already, and we are going to be doing assessments of Indian firms and other foreign global firms, as well as US vendors.

We’re also looking at some of the emerging types of fraud such as mortgage or debit card fraud, and working with law enforcement on those. And we have another effort looking at encryption and storage of public keys. This includes looking at the appropriate levels of encryption, when you do this and who manages the key process. And it’s likely that we’ll be doing some more work on reconciliation and driving efficiency in regulatory compliance.

The two most important things will be working in the wireless area, and continuing to work on the data breach security issues.

FST. Do you have any final thoughts on security and risk management in the financial services arena?
CA. It’s absolutely key that we look at fraud from a holistic enterprise-wide view – that is how the fraudsters are looking at us. So we need to assess the risk across the business in a common way. I believe the fraudsters are much more sophisticated, and unless we look at this from an enterprise-wide perspective we’re going to continue to get hammered. And we can’t do this alone – we need to work with other financial institutions within the industry, and then we must work with the telecoms, IT and power industries to address our dependence on them. And lastly we must collaborate with the regulators; they are not our enemies. We are all trying to enhance the safety and soundness of the financial infrastructure. You know these are enormous challenges driven by technology and emerging global risk, and we must work together in a collaborative vein.

Allen on BITS
“Our work is with the CEOs, the CIOs, the CTOs and the heads of risk, payment, fraud, business continuity and cyber security or information security. While we’re not a lobbying group – we oftentimes work collaboratively with the regulators in identifying ways to mitigate risks as they emerge, in particular, things in the cyber security and fraud area. Our deliverables tend to be white papers, best practices, and industry frameworks. BITS is composed of 100 of the largest financial institutions, their senior executives, in particular, focusing on technology, ecommerce, risk areas and developing best practices, de facto standards and frameworks for the industry.

“In terms of BITS’ project work, when we were created we used the Santa Fe Group for our staff – Santa Fe was the strategic partner to BITS because it didn’t have any staff to begin with, and, over the years, many of the staff and members have moved between the groups. The Santa Fe Group still provides project management on a number of the projects. I serve as CEO of that entity as well.”

Catherine A. Allen
Catherine A. Allen is CEO of BITS and The Santa Fe Group consulting company, which she founded in 1996. Prior to this Catherine served as a senior executive at CBS, Dun and Bradstreet and Citibank. Her business career started in retail, and before this she was an academic, teaching at graduate business school, and completing work for a doctorate in international business.
