Tag Archives: AML

Biometrics and Authentication – A new world of possibilities

This article was written by Sacha Breite, head of future payments at SIX Payment Services. It originally appeared here on July 20, 2015.

The search for a common, international standard of payment authentication is in full flow.

Governments, retailers, banks and (not least) consumers are all eager to find a means of confirming someone’s identity beyond any doubt, secure from external hacking and technologically reliable.

The situation has become more urgent with the wildfire spread of mobile technology, opening up countless opportunities for remote transactions, but placing a growing burden on payment systems to prevent fraud and theft, both of assets and identities.

So, what are the best ways forward?

Here are some of the key technologies, with an analysis of their pros and cons:

Fingerprints and vein recognition 

Already in common use at border controls and in many smartphones, fingerprint identification has become widely accepted. But concerns over its reliability and security have dissuaded banks from adopting it for payment authentication.

Some consumers fear that their fingerprint hash data could be copied and used fraudulently, so they have switched back to PIN ID. Younger consumers are more relaxed with the technology and Apple Pay can be activated using fingerprint ID.

As technology develops and sensors are more widespread, some are concerned that their fingerprint ID could be captured simply by touching something, without realizing. The technology is likely to remain popular, but probably in combination with other forms of ID.

Facial recognition 

Another border control technology which is likely to spread into the commercial world, this once again raises reliability concerns. What happens if one’s face alters its appearance? Can someone be impersonated by showing an image of their face?

A number of extra aspects can tighten security: infrared scanners can tell the difference between a live person and an image; a 3D scan of someone’s head provides further authentication; and iris recognition is becoming more sophisticated.

The new ‘Hello’ function on Windows 10 includes a means of unlocking one’s computer simply by looking at it. So the prospect of going to an ATM, looking at it and then getting cash out, may be possible in future (though some people will object to being filmed, on privacy grounds).

Customers taking ‘selfies’ and using these as authentication, either as a still image or a video, is another emerging form of authentication. Recently MasterCard announced plans to pilot this solution and replace passwords in 3-D Secure protected payments.

Heartbeats

Like our fingerprints and irises, everyone has a unique heartbeat. Using this for identification has the advantage that it is dynamic rather than static and therefore harder to replicate, and it proves that you are an actual human being.

The technology is part of many current and emerging devices, particularly for sports and fitness use, providing a ready means of integration with other systems, such as transactions or establishing ID.

Wearable technology, whether for health, fashion or communication, will give this type of authentication further impetus. So we can expect to see more of it in the years to come.

Beyond the technologies employed, there are further debates over whose responsibility it should be to develop any common standard. Governments are an obvious place to start, and indeed they have collaborated successfully to introduce border controls using biometric ID.

Yet transactions involving large amounts of money, especially ones using mobile devices, require greater security than this. People are physically present at border points and have to show their passports, so the biometrics are simply an additional security layer.

Most of the initiatives rolled out by governments using biometric ID authentication for health insurance (for example) have failed to work in the commercial sphere.

Card Schemes such as Visa and MasterCard would love to introduce such a system and have it commonly adopted internationally, since it would increase brand loyalty and probably win them new customers.

But so far, the lack of clarity over what kind of technology will be most widely accepted, by governments, consumers and by the legal world, has prevented any major financial service provider taking a leap of faith. Reliability, security and privacy issues remain unresolved.

In some ways, technology is leaping ahead of the best efforts of governments and banks, through applications like Google Street View and Google Image, where individuals can be identified through pictures taken of them without necessarily having their consent. And commercial services such as Amazon, PayPal and eBay have pioneered slimmed-down ID procedures, which may become more widely adopted.

An ever increasing amount of data is being stored on all of us, which will enable identification through many differing avenues. Irrespective of the current position of biometrics and technology, it is vital for banking and payment infrastructure providers like SIX Payment Services to provide high levels of security and reliability. In the near future we can expect further innovations to appear in this space; however, it is still unclear which will form the basis of a single global standard, until the dust has settled from the current burst of activity.

Perhaps a nice change at NICE Actimize?

Posted by Douglas Wood, Editor.  http://www.linkedin.com/in/dougwood

Though not publicly released, news out of NICE Actimize is that long-time CEO Amir Orad is leaving the company effective May 1. Indicative of the ‘what a small world this is’ nature of the financial crimes technology marketplace, former Pegasystems co-founder and head of Americas for BAE Systems Detica, Joe Friscia, will be taking over the helm at that time.

Mr. Orad led NICE Actimize’s product and strategy functions prior to his five-year tenure as CEO. During his tenure, he scaled the business size over six-fold. He is also a founding board member at BillGuard, the venture-backed personal finance analytics and security mobile app company.

Prior to Actimize, Orad was co-founder and CMO of Cyota, a cyber security and payment fraud cloud company protecting over 100 million online users, acquired by RSA Security for $145M. Following the acquisition, he was VP Marketing at RSA.

I’ve known both Amir and Joe for several years, and have a tremendous amount of respect for both gentlemen. While it’s sad to see Amir leave the organization, I know that his rather large shoes will be more than adequately filled by Mr. Friscia.

Joe’s background is well-suited to this new position, and all of us here at FightFinancialCrimes wish him well. Joe joined Detica when BAE Systems acquired Norkom Technologies in early 2011, where he served as General Manager and Executive Vice President of the Americas. Joe led the rapid growth of Norkom in the Americas, with direct responsibility for sales, revenue and profit as well as managing multi-discipline teams based in North America. Prior to Norkom, Joe helped start Pegasystems Inc in 1984, a successful Business Process Management software company that went public in 1996.

Best of luck to Amir in his new ventures, and to Joe as he guides Actimize into its next phase.

To 314(b) or not to 314(b)?

Posted by Douglas Wood, Editor.  http://www.linkedin.com/in/dougwood

FinCEN today (November 1, 2013) released a fact sheet regarding data sharing between financial institutions under the Section 314(b) of the US Patriot Act.

314(b) provides financial institutions with the ability to share information with one another, under a safe harbor that offers protections from liability, in order to better identify and report potential money laundering or terrorist activities.  314(b) information sharing is a voluntary program, and FinCEN has always encouraged its use.

A few years ago, I spent considerable time looking at the overall 314(b) program. I interviewed dozens of Chief Compliance Officers (CCO) and AML/Fraud experts. I found that, despite the benefits to financial institutions – reduction of fraud loss, more complete SARs filings, shedding light on financial trails, etc. – the program was not particularly well-utilized. The system, for all its good intentions, is very manual.

Imagine you are a 314(b) officer at a financial institution. Your job is to facilitate the data sharing amongst the community. So, much of your time is spent interacting with your CCO on which specific cases should be shared, and with whom. When you get that information, you open up your financial crimes investigation tools, and begin contacting your counterparts across the U.S. and asking them “Hey, do you know anything about Douglas Wood?” You’re calling the other officers completely blind with no idea whatsoever if they know Doug. In the meantime, your voicemail inbox is being flooded with other calls from other institutions asking if you know a bunch of other people (or entities).

Finding the institutions that know Douglas Wood is a lot like looking for a needle in a haystack… except you don’t know which haystacks to look in. The system too often grinds to a halt, despite some excellent work being done by 314(b) officers across the country. There has to be a better way, and some have proposed a data contribution system where financial institutions upload their bad guy data into one large third-party haystack, making the needle a little easier to find. As an advocate for the use of technology in the fight against financial crimes, I hope that model finds some success. The problem, of course, is that banks are LOATH to put their data in the hands of a third party. Also, it’s typically up to each individual bank to decide if and when they choose to upload their data to be inter-mingled with other institutions. Far too often, it is not entirely reliable and not particularly current.

There is a better way. Several years ago, working with some tech-savvy employees, I envisioned a member-based 314(b) program where each institution maintained total control of their data. The model does not require individual banks to contribute their data for inter-mingling.  All ‘bad guy’ data sits and remains securely behind the banks’ respective firewalls. When an individual bank sends out a request to find out who, if anyone, may have information about a suspicious entity, the request is systematically sent out to all members using a secure network such as SWIFT, for example. That electronic search returns to the querying bank only a risk score which indicates the likelihood that another member is investigating the same entity.

No personally identifiable information (PII) is ever shared, yet the search is productive. The enquiring bank now knows that the person of interest was found in the bad guy data from other participating institutions. With this information in hand, the respective 314(b) officers can move their voicemail exchanges from “Have you ever heard of Douglas Wood” to “We’re both investigating Douglas Wood… let’s do it together.” The time-consuming, manual efforts are dramatically reduced and more bad guys are put away.

So if the question is to 314(b) or not to 314(b), perhaps the answer lies in data privacy compliant technology.
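
The query-and-score exchange described above, as an added example (not code from the author or from any 314(b) system). The consortium key, the HMAC-SHA256 tokens, the name-plus-date-of-birth identifier and every name and value in the code are assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata

# Assumption: a consortium key provisioned to members out of band (constructed value).
CONSORTIUM_KEY = b"constructed-demo-key-not-for-production"


def entity_token(name: str, dob: str, key: bytes = CONSORTIUM_KEY) -> str:
    """Keyed pseudonym for an entity; the raw name and DOB never leave the bank."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    canon = " ".join("".join(c for c in folded if c.isalnum() or c.isspace()).split())
    return hmac.new(key, f"{canon}|{dob}".encode(), hashlib.sha256).hexdigest()


class Member:
    """One institution; its case data stays inside this object (behind its firewall)."""

    def __init__(self, name, cases):
        self.name = name
        # token -> internal risk score (0-100), built locally from (name, dob, score)
        self._index = {entity_token(n, d): s for n, d, s in cases}

    def answer(self, token: str) -> int:
        # Compare against every local token in constant time; reply with a score only.
        score = 0
        for local, s in self._index.items():
            if hmac.compare_digest(local, token):
                score = max(score, s)
        return score


def query_network(name, dob, members):
    """Querying bank: send one token to all members, keep only the highest score."""
    token = entity_token(name, dob)
    return max((m.answer(token) for m in members), default=0)


# Constructed sample data (placeholder dates of birth): one member has an open case.
BANK_B = Member("Bank B", [("Douglas  WOOD", "1900-01-01", 80)])
BANK_C = Member("Bank C", [("Jane Example", "1900-02-02", 40)])

if __name__ == "__main__":
    print(query_network("douglas wood", "1900-01-01", [BANK_B, BANK_C]))
```

Keyed tokens are pseudonymous rather than anonymous: any member holding the key can test guessed identities against a token it receives, and exact-match tokens miss aliases such as "Doug Wood".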

Financial Crimes and Technology

Posted by Douglas Wood, Editor. 

In the midst of preparing for a presentation last week, I entered the term “financial crimes” into my internet search engine. I’ve probably done this same search a hundred times, but seemingly never took notice of the staggering number of results. Over two million of them!

Among those results are a stunning number of definitions, news reports, and general articles. But with so many links to seemingly unconnected terms such as check fraud, credit card fraud, medical fraud, insider trading, bank fraud, health care fraud, tax evasion, bribery, identity theft, counterfeiting, and money laundering – it must appear to the uninitiated that an understanding of ‘financial crimes’ requires an Einstein-like intelligence pedigree.

To those involved in the daily prevention / detection / and investigation of financial crimes, however, the term can be effectively boiled down to:

1) Intentional deception made for personal gain, and

2) The illegal process of concealing the source of those gains.

Everything else – all that other noise – simply falls underneath that definition, and only a cohesive combination of human intelligence and technology can take a bite out of those crimes.

Of course, most companies that are targets of these crimes invest heavily in different forms of technology for enterprise fraud management and anti-money laundering systems.  There are dozens of vendors in this market with varying levels of functionality and service offerings.

The problem with too many of those offerings, however, is that they do not account for organizational truths such as functional  (and data) silos, data quality issues, changing criminal tactics, human limitations, and big data.

A complete enterprise solution for financial crimes management must include automated processes for:

Customer Onboarding – Knowing the customer is the first step an organization can take to prevent financial crimes. A holistic view of an entity – customers, partners, employees – provides a very clear view of what is already known about the entity including their past interactions and relationships with other entities.

Flexible Rules-Based Alert Detection – A robust rules-based alert detection process must provide out-of-box functionality for the types of crimes outlined at the beginning of this article. At the same time, it should be flexible enough for an organization to modify or create rules as criminal activities evolve.

Predictive Analytics – Expected by analysts to become a 5.25B industry by 2018, predictive analytics ensures that big data is scrutinized and correlated with present and past historical trends. Predictive analytics utilizes a variety of statistics and modeling techniques and also uses machine information, data mining, and Business Intelligence (BI) tools to make predictions about the future behaviors including risk and fraud.

Social Network Analysis – Also known as Fraud Network Analysis, this emerging technology helps organizations detect and prevent fraud by going beyond rules and predictive analytics to analyze all related activities and relationships within a network. Knowing about shared telephone numbers, addresses or employment histories  allows companies to effectively ‘cluster’ groups of suspected financial crime perpetrators. The key here, however, is context. Many technologies can build these networks and clusters for review, but precious few can provide the key “what does this mean” element that business users require.

Investigation Management and Adjudication – Incorporating key elements of enterprise case management, collaboration, link visualization, information dissemination and knowledge discovery, this layer of functionality is designed to uncover insights which aid in investigating complex incidents. The result ought to be actionable visualization of critical entities, and documented results for potential litigation and regulatory compliance.

Anti-Money Laundering (AML) and Regulatory Compliance – With record fines being assessed to financial institutions globally, AML compliance is very clearly a major requirement within a financial crimes management solution. The oversight requirements grow almost daily, but at a minimum include out of box functionality for suspicious activity monitoring, regulatory reporting, watch list filtering, customer due diligence, Currency Transaction Report (CTR) processing, and the Foreign Account Tax Compliance Act (FATCA) compliance.

Now, there are clearly many more dynamics than can be summarized here but hopefully the point is made. The only way that organizations can continue to drive fraud and money laundering out is via a happy marriage between skilled financial crimes professionals and the flexible/adaptable technology that empowers them.

Posted by Douglas G. Wood.