ABA Bank Compliance Magazine – Beyond the Bounds: What Compliance Should Know About Cybersecurity
This article by Gary M. Shiffman appeared in the November/December 2021 issue of the American Bankers Association’s Bank Compliance Magazine.
For almost a decade, Instagram influencer Ramon “Hushpuppi” Abbas was best known for his lavish lifestyle, flaunting Ferraris, Rolexes, and more on social media. He kept himself warm on private jets with a Louis Vuitton blanket and velvet Versace robes. But in 2020, he was charged with conspiring to launder hundreds of millions of dollars from “business email compromise” (BEC) frauds and other scams—including laundering millions for North Korean hackers. Hushpuppi was “successful” for many years at the top of the cybercrime ladder, and his downfall, as anyone who has watched the movie “Goodfellas” knows, likely came from his public display of wealth.
Interestingly, this cybercrime rock star had no college degree and no background in computer science. He was not a hacker. That’s because cybercriminals don’t need to be skilled hackers to commit crimes. Technology enables a gig economy for the underworld, where people no longer need to be educated, meet in person, or even know each other to carry out sophisticated schemes. And in turn, compliance professionals also don’t need to know cybersecurity and coding to find criminals.
Every day, compliance, security and IT departments at financial institutions (FIs) employ standard risk frameworks and technology to prevent and detect cybercrime. For example, it was a compliance professional who uncovered a lucrative online crime syndicate that was using fraudulent disability service providers to over-inflate invoices and steal from victims’ disability plans. With few technical skills, these illicit actors earned upwards of $50,000 a day. The compliance professional, intent on applying know your customer (KYC) principles, discovered the bad actors by screening a large population using a machine learning platform for risk detection.
What the Federal Agencies Say about Compliance and Cybersecurity
In recent years, the Financial Crimes Enforcement Network (FinCEN) and federal regulators concerned about cybersecurity risk have encouraged FIs to break down IT, security, and compliance silos and work cooperatively to combat their common cyberthreat. In October of 2016, FinCEN advised financial institutions about the importance of reporting cyber-events and cyber-enabled crime through BSA reporting systems in the FinCEN Advisory, FIN-2016-A005, October 25, 2016. This advisory prompted compliance teams to review and update policies and procedures, and many developed formal communication channels with IT and security departments, or at least identified a liaison to assist in collaboration efforts.
Then in a January 2020 Joint Statement on cybersecurity risk, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) laid out key controls institutions should implement to protect themselves from malicious cyber activity and actors. The principles highlighted include:
· Response, Resilience, and Recovery Capabilities
· Identity and Access Management
· Network Configuration and System Handling
· Employee Training
· Security Tools and Monitoring
· Data Protection
These principles are intended to provide risk mitigation techniques to reduce the impact of a cyber-attack and are mostly geared toward IT and risk management groups. However, compliance professionals should take note to integrate these important principles into existing BSA/AML and fraud programs, including KYC procedures. This includes enhancing policies, procedures and technology to recognize and understand the importance of identity and access management, data protection and the use of technology for monitoring activity. These familiar compliance control spaces can help build a bridge and foster communication, cooperation and reporting across IT, security, and compliance groups.
More recently, in June of this year, FinCEN named “cybercrime” as a priority within their Anti-Money Laundering and Countering the Financing of Terrorism National Priorities (“the Priorities”). (For more information see “FinCEN Releases AML/CTF Priorities: Is There Nothing New?” on page 4 of this issue.) FinCEN cautioned that cyber actors are specifically targeting financial institutions’ websites, systems, and employees to steal customer data, gain access to proprietary information, and disrupt business functions. Also highlighted are concerns about cyber-enabled financial crime, ransomware attacks, and the misuse of virtual assets. The inclusion of cybercrime as a FinCEN priority further merges IT, security and compliance responsibilities and should prompt compliance professionals to once again reassess processes and evolve communication within the FI.
Three Ways to Bring Compliance to the Cyber Fight
Compliance should be taking proactive steps to integrate these regulatory priorities and ensure that they are actively involved in the fight to identify cybercriminals. Be sure to think about enhancements and increased collaboration with a renewed focus on people, processes, and technology within your FI.
A financial institution (FI) is more than a collection of systems, processes and transactions—it is also a collection of people. The “IT Departments” and “Security Departments” within an FI are typically well-established silos that have their own way of doing things, including what seems to be their own language. In order to manage risk proactively and holistically, compliance professionals need to build effective interpersonal relationships with the people within IT and Security. And learning the language is an integral part of building that compliance bridge.
One place to start is with the sidebar to this article, Cybersecurity Terms Compliance Should Know. Also take a look at your org chart to be sure you are up-to-date in identifying roles and responsibilities to better understand the people with whom you need to collaborate. Ask those in-the-know to make warm introductions to key managers to help you connect faces to functions, and build relationships. You may then need to initiate meetings to discuss processes, risks and controls to ensure a coordinated cybersecurity plan that eliminates redundancies and operates efficiently.
Before you begin to review how to quantify cybersecurity risks or evaluate control effectiveness, you’ll need to understand where those risks reside, and if and where those risks are already being captured. For example, data integrity risks for mortgage customer data could be captured by Compliance within the risks and controls for the Home Mortgage Disclosure Act (HMDA) regulation. However, you’ll need to see how other data risks are managed, and if there are any gaps.
Consider the flow of data from data entry to the scanning of a document, and then, where data is processed and stored. Also consider the totality of privacy, security, and cybersecurity risks. Understand the big picture of your IT processes and work streams, including any that are outsourced to third parties. Then gradually drill down by reviewing policies, procedures, field guides, flowcharts, and any other documentation available. The bridge you build can be constructed from these bits of information. This process is not done in a day, a month or a year—it is ongoing, especially considering the continuing need for constant innovation and change to meet evolving cyberthreats.
Just as we can use computers without fully understanding how they work, technology can enable compliance to gain the upper hand, even though we may not know the inner workings of the technologies utilized. However, the more you know, the better you can become at detecting and thwarting cyberthreats.
You may want to consider learning something about the technology itself, “how” a technology works, as another integral step in building the compliance bridge to do your part in managing IT and Security risks. Not only is the use of technology expanding, but also the pace of the introduction of ever-more complex technology is increasing. From artificial intelligence (AI) and machine learning (ML) capabilities to various models and black boxes, there is a lot to understand.
This is why building connections with IT and Security professionals is so important. Together, they can help compliance understand more about how things work, where risks lie, and what technology may already be available to monitor and mitigate cyber risks.
Putting it All Together
The same technologies which empower criminals also empower those of us engaged in the fight against crime, corruption, and coercion. The internet has made everything—both data and people—connected and accessible to criminals and non-criminals alike.
Banking professionals can use AI and ML tools to easily do the complicated mathematical work involved in combing through large amounts of data. Whether you outsource or purchase software to perform technology functions in-house, AI models use ML algorithms to detect patterns in large data. And, when appropriate, these algorithms can continue the learning and training processes, so they better support the human users over time. These patterns are important because they can lead you to what is termed “entity resolution.”
Entity Resolution is the task of finding every instance of an entity, such as a customer, across all enterprise systems, applications, and knowledge bases on-premises and in the cloud.
Those engaged in malicious cyber activities work to mask their identities, so AI/ML is used to perform entity resolution across structured (lists) and unstructured data (open, deep, and dark web pages). (Note: It is generally best to not access the dark web by yourself; this can be outsourced or done by leveraging technologies.) Overall, the better the entity resolution, the more data can be used in identifying risks.
Entity resolution of unstructured data is the future of cybersecurity, compliance, fraud detection, and every other aspect of bank operations. If you don’t know who is behind the transaction, you are vulnerable. The biggest risk for a bank is in missing data because of an inability to resolve and cluster across large unstructured data like that in the open and deep web.
You’ll also want to be part of the implementation/development process to better understand the technology necessary for entity resolution, as you may want to determine what risk tolerances and other thresholds will require human review. ML algorithms can learn patterns from training data and use those patterns to measure similarity, converting a population of customers into a distribution of customers, from low to high similarity. And of course people are important too—humans, at least for now, still play an important role in reviewing the training data, using test data to measure results, and serving as the ultimate arbiters of assigning value to a customer, risky or not. However, the ultimate purpose of AI and ML is to learn, identify patterns and modify decision making with minimal human intervention.
It is true that people and AIs both have biases, but with AI, it may be possible to measure the bias and its source—the data used to train the algorithm. (To understand more about how algorithms perform, see my article, “Artificial Intelligence and the Future of Bank Compliance: How Do You Know If It Is Working?” in the May–June issue of ABA Bank Compliance on page 18.)
By using humans for inherently human tasks (making value judgments), and algorithms for computer tasks (finding patterns), the entire community of cybercrime professionals, cybersecurity experts, and compliance professionals can use more data, and that means there will be more patterns found, and more criminals discovered. More data also improves analytics and helps you to achieve your goals with greater effectiveness and efficiency. Compliance professionals can engage in the cybercrime fight by doing what you already do better than anyone in the bank: know your customer.
ABOUT THE AUTHOR
Gary M. Shiffman, Ph.D., is the founder and CEO of Giant Oak and Consilient, and he is the creator of GOST® and Dozer™ technologies.
He is the author of The Economics of Violence: How Behavioral Science Can Transform our View of Crime, Insurgency, and Terrorism.
Gary teaches economic science and national security at Georgetown University. Reach him at LinkedIn.com/in/garyshiffman.
Cybersecurity Terms Compliance Should Know:
As we discuss how to implement these steps, let’s start by defining some terms:
● Big data: Think of an Excel spreadsheet with a list of your customers and certain attributes about them, like income or age. Big data means adding columns – not adding customers but adding attributes so that better predictions of illegal behavior can be made based on those attributes.
● Machine Learning (ML): The technical basis for finding patterns in Big Data. ML is inductive learning, or learning by example. ML needs good data for training.
● Bias: ML picks up biases from the training data. Humans also maintain and perpetuate biases. The key to addressing bias is to start by acknowledging both humans and machine processes have biases. In the absence of trust in data or the interpretation of data facts provided by AI/ML, humans resort to bias. Machines don’t hold biases the way people do; they learn the biases from the data used to train the algorithm.
● Artificial Intelligence (AI): An “agent” next to the ML process which perceives and takes action. AI is how humans can get machines to do what the humans want.
● Entity Resolution (ER): The process of identifying the people or companies within the data. It is, essentially, finding the person behind the online persona or confirming that they are who they say they are. ER is much easier in structured data than unstructured data. Currently, most banks perform entity resolution using curated lists, or data sets, that they buy from traditional vendors.
● Structured data: Imagine data organized into rows and columns. This data format is easily searchable, like matching names, dates, addresses, and account numbers.
● Unstructured data: Imagine text, like this article. Humans communicate mostly in unstructured ways, through writing, voice, and video. Making sense of unstructured data represents the frontiers of AI/ML technologies. Making sense of unstructured data enables the abandonment of expensive but ineffective list-based methods and the incorporation of more data to drive efficiency and effectiveness.
● The open web: Content that is indexed and displayed by search engines like Google or Bing is called the open web. Most people don’t know that this content only accounts for one percent of the entire internet; it is just the tip of the iceberg.
● The deep web: The other 99 percent of content is called the deep web—the content that is not easily retrievable with conventional search engines, yet remains equally publicly available.
● The dark web: A very small portion of the deep web is the dark web, intentionally hidden from web indexers. Illicit activities can take place here. Human rights activists around the world also use the dark web to stay hidden from corrupt and coercive government regimes.
● Topic clustering: Grouping related content that collectively covers a broad subject area.