Financial institutions are concerned about cyber crimes, but don’t know how best to tackle the problem. In PwC’s 2018 Global State of Information Security Survey (GSISS) and the 21st Global CEO Survey, CEOs and boards named cyber attacks as the business threat they were most concerned about, yet in the GSISS survey, 44% of respondents said they did not have an overall information security strategy. And PwC’s 2018 Global Economic Crime Survey showed that about half of global firms have fallen victim to fraud in the past two years – a 13% increase since 2016. We believe that for financial institutions to get a clearer view of the threat landscape, better detect suspicious transactions, and streamline investigations, they’ll need to better coordinate their cybersecurity, anti-fraud and AML controls.
Cybersecurity, anti-fraud and AML programs often have common elements and controls, as well as synergies across people, processes and technology. Most firms are going to find that certain processes should converge and others should remain separate but share information more closely.
One example of how converging will help financial institutions is in managing crime prevention at the same time that they explore new technologies, such as faster payments and open banking. Firms will need to be able to push back on suspicious transactions very quickly, since customers expect their payments and other requests to go through instantaneously. To do this, organisations will need to be able to quickly reference user behavior patterns, such as the type of mobile device being used, IP address and previous payment history, to assess the validity of payment requests — which will only be possible with the more complete data that results from better information sharing.
The convergence of financial crime processes can only be accomplished by creating a clear operating model to serve as the backbone for the overall program. An effective operating model consists of a few building blocks: structure, oversight and capabilities.
The path to convergence is not simple or quick, particularly depending on the size and complexities of the institution. There are immediate opportunities that are ripe for convergence now, areas to integrate in the future and, in some instances, areas that should remain separate.
The right solution for each organisation is dependent on several factors, including but not limited to: products and services offered, geographic footprint, local laws and regulatory expectations, and customer demographics.
So what actions should firms be taking now?
Start meeting counterparts in the other financial crimes pillars and initiate discussions around the idea of convergence; uncover short-term benefits, solicit feedback and maintain the dialogue. Identify the various technologies and tools being leveraged; start discussing what steps would be required to successfully move toward more effective solutions.
Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC United States