Stronger bank-corporate dialogue urged to tackle cybercrime
Corporates are calling for banks to work more closely on cybercrime and fraud risks they face – but banks also want to see corporates being more honest about their experiences.
The risk of cybercrime and fraud is likely to rise in the coming years as business becomes more digitized.
An effective way to combat these issues seems to be through the greater sharing of information between corporates and their banking partners. However, both parties are reluctant to share experiences, given a lack of trust, reputational risks, compliance and concerns over the integrity of business models.
Euromoney this month attended the BNP Paribas Cash Management University, where cybercrime and fraud were much-discussed topics. The consensus was that corporates and banks alike are reluctant to discuss on the record the types of crimes they have experienced or the preventative measures they could take.
One senior worker at an e-commerce corporate was happy to detail his experiences, but did not want to identify his company due to concerns over increased exposure to risk.
He details a number of different types of attack the company can experience on almost a daily basis. Money laundering is experienced when the consumer and the merchant placing the order are the same person. There is also fraud on delivery, when the purchaser states they did not receive their goods.
Some are specific to the consumer commerce space. These include 'clean' fraud, which describes fraud conducted in a professional manner, where private details and credit card information have been stolen. Similarly, they witness hostile frauds, where stolen details are used with incorrect customer information. These occur in higher volume, but are easier to detect.
There are also hacking attempts, denial of service attempts and the use of malware to steal account details. Keeping on top of all of these requires substantial time and financial investment.
The senior worker believes banks should encourage conversations and educate their merchants in more detail on the potential risks, but that corporates also need to be taking responsibility by having rigorous security implemented from the inception of a business. If the information on an attack is not being shared, then providing details on how to improve a system is almost impossible.
Michael Mueller, head of cash management at Barclays, agrees. “In a lot of cases we find that the compromise has come not from the bank’s side or the product, but through the customer’s methods of operating,” he says. “The cyber-attack may not be directed at the bank’s systems, but it can still compromise the end-to-end workflow in the treasury.”
The banks are often ready and willing to step in as soon as a breach has been identified on the corporate’s system, says Mueller.
“If something has happened, we have technology in place that can identify unusual behaviour,” he says. “This signals to us when there has been a compromise. If the payment has already been made, there are processes to go through to stop the transaction and retrieve the money if possible.”
Corporates are also less likely to speak up if there has been a data breach.
“The corporates will often inform us directly if there has been a fraudulent payment made from their accounts,” says Mueller.
“The other question to look at is how are the corporates keeping their data safe? This is a big focus area for many of our clients, and there are a number of very high-profile cases that illustrate this. Corporates would not necessarily share this information with their bank, but the loss of data can be as significant as a fraudulent transaction being made.”
As Mueller points out, in some cases, corporates don't want to share too much information which might play directly into the hands of potential criminals.
“Communication is vital if we are to stop a fraud from happening,” he says. “On the bank side, we can temporarily disable services or take other appropriate action if fraud has been detected on a client’s account.”
Henri Eydoux, security and anti-fraud adviser, BNP Paribas Cash Management, says dialogue needs to take place between the financial institutions too.
“Fraud is clearly not a competition area,” he says. “At BNP Paribas, we work with interbank groups and treasurer associations at domestic level, but there is definitely more space for cooperation, especially at international level. The idea is, for example, to share newly detected fraud schemes, malware, or even fraudulent beneficiary account numbers.”
Mueller says Barclays also endeavours to inform its customers of the risks involved in possible attacks.
“At the bank, we try to directly help with educating our corporates on the risks out there,” he says. “We host in-branch sessions for smaller corporates on the risks that they face. When we are asked by a corporate how they can digitize their operations, we do, of course, address important aspects around cybercrime and fraud.”
Eydoux says BNP Paribas is being proactive in its approach to alerting its clients to the types of attack that are being experienced, adding: “We regularly send some alerts on new fraud schemes via all our channels. We hold many awareness sessions on fraud at our initiative, or at the corporate's request.
“Our largest clients can also subscribe to detailed fraud-prevention email alerts. Besides, we think that fraud awareness is part of the client relationship: each month, we hold thousands of personalized meetings. We have a very simple questionnaire to help them diagnose their risks and identify areas of improvement.”
This desire is also apparent from the corporate perspective, where increased dialogue is seen as an essential step.
The senior worker concludes: “Talking on a daily basis with your acquiring bank can prove useful. Have them help you assess your risk and provide you with basic security and fraud control rules.”