‘Non-linear’ is the joined-up word of the season in the worlds of financial and economic crime. As topics of concern, they have shot to pole position on many boards’ and regulators’ agendas. A spate of cyber attacks on banks across the world in the summer, coupled with a growing fondness for dawn raids on the offices and homes of business people and financiers globally, have sharpened the appetite for an up-to-date understanding of the issues at stake.

The consequences of wrongdoing are becoming ever more severe. Regulatory fines now reflect both the value of transactions and the impact on customers, and frequently include substantial penalties too, resulting in real damage to shareholder value in the longer term and more immediately to dividends.
Billions paid in finesJeannette Lichner MCSI, pictured right, lead speaker at the recent event, reckoned that the top ten banks had paid out “close to $10 billion in fines since the depth of the financial crisis to the end of last year,” a growing percentage of that for direct or indirect involvement in criminal activity. The reputational damage amongst all the institutions’ stakeholders, from clients to governments, can be severe.

Remedial action, says Lichner of FTI Consulting, involves new policies, procedures, systems and controls.  That frequently means new structures and additional resources. The cost of all this? “Conservatively, ten times the amount of the fine,” she warns.

Brandon Davies, former Barclays risk chief and now an independent director and chairman of and adviser to a number of institutions, puts the responsibility squarely on board directors. Boards, he points out, have always had two main responsibilities – to the shareholders, and to the regulators. The former, which until recently was always dominant in boards’ minds, means responsibility to the shareholders for the business’s strategy. It is worth remembering, he says, what this means in practice: “To deliver on this responsibility they must ensure that the strategy can be executed through the business model of the bank and that appropriate resources are available to the executive to execute the strategy.”
Cyber people on the board

In the past, the shareholder responsibility was paramount.  Today, says Davies, both objectives are of equal importance. In pursuance of these objectives, UK bank board members now have three ‘sign off’ obligations, two of which are as a result of reporting changes that become obligatory only from 2014 onwards.

Boards of banks have for some years, as a result of Basel II-based regulation, been required to sign off on the risk appetite of the bank. This requirement is now extended to other financial services companies.
directors may face penalties for inaction in the face of what is for many an unseen and ill-thought-through enemyAdded to this, there is a growing likelihood that, as governments in the UK, US and elsewhere act to stem the spread of cyber crime, directors may face penalties for inaction in the face of what is for many an unseen and ill-thought-through enemy.

Financial services firms are increasingly dependent on IT systems, and many board directors coming from inside the industry have developed their careers in organisations where IT systems were essentially a closed loop, with physical access restricted to company IT staff. Davies says: “There was always the possibility of company staff acting illegally or that criminals could attempt to obtain data from the company and its customers by, say, posing as IT maintenance staff. But in general the systems were contained and so was the threat.”

This cosy world no longer prevails. Many systems are open to customers, greatly improving their ability to manage their finances, make and receive payments and buy and sell investments or goods and services. This has changed the importance of making systems resilient to attacks by criminal attempts to divert payments or raid the accounts of customers, attacks that no longer require physical entry to a firm’s premises. “Managing these risks is a fundamental part of doing business,” says Davies.  The presence of a senior technology officer on the main board is now vital, he believes.

When addressing cyber risk, he says, the first duty of the board is to agree on a definition.  There is no one clear definition, but on the basis of recent experience he suggests the following: “Cyber risk can be defined as the risk connected to activity online, internet trading, information technology systems and networks, and storage of personal and business data.” Customer data, in particular, is a tempting target for criminals, giving direct access to vast sums of money and the technology to transfer it. And rather than one big target, customers represent literally millions of potential victims.

Programmes covering these subjects, featuring Brandon Davies, Francesca Ingram and Jeannette Lichner MCSI, are now available on CISI TV, as are related features from recent events by Professor Michael Mainelli, Chartered FCSI on cyber reinsurance, and David Chismon from MWR Info Security on risks associated with mobile telephones.
Darkness at dawn

Francesca Ingram of lawyers DLA Piper, pictured right, gave the audience an unsettling account of the whos, whys and hows of dawn raids in the financial sector – a waking nightmare for a growing number of financiers. Criminal agencies, including the police and regulators in finance, tax and competition, increasingly use this tactic, she explained, to bring an “element of surprise” to proceedings and to obtain evidence where there is a fear of its concealment or destruction. In Britain, the FCA is now conducting a dawn raid every month on average. She suggested seven key questions all CISI members – even the most upstanding – should be able to answer:

• Do you know how to handle a regulator that arrives at your office at 8am?
• Do you have a raid manual?

Too much co-operation can be equally risky.  Apart from the risk of self-incrimination, it can prejudice your and the firm’s ability to defend actions or challenge allegations made against you. And it can seriously disrupt business. In practical terms, Ingram has a five-finger guide for firms:

• Make sure a dawn raid protocol exists, and that it is up-to-date
• Prepare a contact list – and keep that up-to-date
• Consider regular training, including possibly a mock dawn raid
• Distribute to all staff a list of dos and don’ts, and a step-by-step guide
• Create a shadow team to accompany inspectors on their visit to ensure compliance with the terms of a warrant.