The Good News About AML: Technology to the Rescue


By Robert McGarvey


For CU2.0


Talk with credit union AML/BSA staffers as well as senior executives and you will hear a torrent of woe-is-me complaining about rising workloads, intransigent regulators, too-tight budgets, and inadequate resources.

And then there is a new report from Aite Group’s Julie Conroy – based on extensive interviews with over 40 BSA/AML experts – and the title tells you the theme: The AML of Tomorrow: Here Today.

In the second paragraph Conroy puts out the good news: “Advanced technologies such as machine learning, robotic process automation (RPA), and natural language processing and generation are helping to even the playing field by enhancing both detection and operational efficiency. The even better news: Regulators are gradually growing comfortable with the use of these advanced technologies for AML.”

Read that again.  What she is insisting is that financial institutions now have access to technologies that will let them keep pace with – maybe get a step ahead of – criminals who want to launder money.

The stakes are high.  Two credit unions in the past decade have effectively been put out of business because of AML deficiencies – Bethex and North Dade.  

No credit union wants to be linked with money laundering. But, frankly, trying to keep up with this with a small staff who are doing everything by hand is a loser’s tactic.

How much money is laundered annually? Nobody knows. The United Nations has estimated it’s somewhere between $800 billion and $2 trillion.  The high end is about the GDP of Brazil and more than Italy’s.  That’s a lot of money in motion and, accordingly, you have to assume that the people who have put it in motion are savvy, wily, and of course know exactly the defenses used by banks and credit unions.

Accordingly, FIs are spending a lot to defend themselves – much of it on payroll. Conroy cited a report from the Clearing House that estimated that major US FIs spent $8 billion on compliance in 2017. She also noted that one large US FI interviewed for her report employed more than 5000 in compliance and “can’t hire fast enough.”

All those workers push out an avalanche of SARs. In 2013 they filed 1.22 million. By 2017 that rose to 2.03 million.

Conroy also pointed to a numerical disconnect that frustrates AML workers and their bosses: “[T]he fact remains that there are on average only 1,200 money-laundering-related convictions per year in the U.S., compared with over 1 million SARs filed per year.”

In other words: is all the work really worth the effort and expense?

It gets worse. In many institutions, said Conroy, business line execs grumble that AML teams are “hassling” their customers, making it harder to do the business that brings in money to the FI. AML, in many institutions, is seen as a nuisance that wastes money while making it harder to make money.

Ouch.

Wrote Conroy: “All of this points to the need for the AML function to find technology that enables precise detection while minimizing false positive noise.”

She continued: “The trifecta of increasing criminal sophistication, a steady increase in regulatory expectations, and under-resourced AML departments are bringing AML efforts to a breaking point. As a result, financial services firms are beginning to embrace technologies such as machine learning, RPA [robotic process automation], and natural language processing and generation.”

“Today’s AML function can no longer rely on legions of AML analysts, investigators, and rules-based automation. The use of advanced technologies is needed to aid AML departments in the gathering, filtering, and meaningful assessment of data from multiple sources in multiple formats.”

That prescription puts fear in the hearts of many credit union leaders – they worry about the costs and also the complexities of advanced technologies.

But Conroy has this absolutely right. The only way to stay ahead in the AML wars is with technology that can automate much of the detection and even the reporting. There just aren’t enough AML staffers to be hired, and so the ones who can be found get paid ever more.

But – and this is crucial – many of them are burning out, even quitting.  

The machines won’t quit on you.

What should your next step be?

In her report Conroy reviews the many technology options out there. Get the report, read her reviews.

And then what?  Her advice is simple: accept that you can’t wait, delay is not an option.

She added: “Try starting small. Cloud-based solutions can be implemented in modules that wrap around or interact with legacy systems to improve performance without a ‘rip and replace’ scenario. In this way, FIs can address the most pressing system deficiencies relatively quickly with less impact to budget and IT resources.”

It’s good advice.

Just don’t wait.


Fiserv Core Flaw Exposed Customer Data at Hundreds of Banks: Security Researcher


By Robert McGarvey


Highly regarded security researcher Brian Krebs has published a bombshell report that maintains a flaw in some Fiserv banking technology leaves customer data potentially exposed to criminals.

Krebs does not finger credit unions that may have fallen victim to this but there is no reason to think some aren’t.  

Krebs credited the flaw discovery to independent security researcher Kristian Erik Hermansen, who noticed that when he set up an alert on his bank account, the alert was assigned an event number. So Hermansen, on a hunch, requested an event number that differed by a single digit, and found that the page loaded without any check that the alert was his. This matters because, said Krebs, “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”

That means a criminal could add his email address to the account and get alerts on, for instance, all transactions.

Krebs also noted that a criminal could hunt for customers who had set up high minimum balance alerts – $5000, say. Which would tell the crook he could siphon out $4999 and he might be undetected for some time.

Krebs said he personally signed up for accounts at two small banks that use Fiserv.  Here’s what he found: “In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request.”

He said he found “hundreds” more banks with similar vulnerabilities.

Krebs told Fiserv what he had discovered. The company responded this way: “Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Cave elaborated to Credit Union Times: “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”

There is no count of the number of websites impacted by this flaw.

Any credit union running a Fiserv core and/or online banking ought to quickly contact Fiserv and inquire into the availability of that patch.  They ought also to see if they can replicate Krebs’ hack of the alerts system. And – above all else – check your own systems to see if you can replicate the Hermansen hack.

If you can, take action.

Krebs said that, in his inspection, the Fiserv patch in fact works.  “This author confirmed that Fiserv no longer shows a sequential event number in their banking sites and has replaced them with a pseudo-random string.”
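The pattern Krebs describes is a missing authorization check on a guessable identifier, and the patch he confirmed addresses the guessability half. The toy alert store below is an added illustration, not Fiserv's code or anything from Krebs' report: it shows the weak design (sequential event numbers, lookup with no owner check) beside the hardened one (random identifiers plus a lookup scoped to the requesting user), since an unpredictable ID alone is not an access control.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    """Constructed sample record; field names are assumptions for this example."""
    owner: str            # user who created the alert
    email: str
    phone: str
    account_number: str


class AlertStore:
    """Toy in-memory store used only to contrast the two lookup designs."""

    def __init__(self):
        self._alerts = {}
        self._next_seq = 1000   # starting point for the weak, sequential scheme

    # Weak design: sequential, guessable event number and no ownership check.
    def create_sequential(self, alert):
        event_id = str(self._next_seq)
        self._next_seq += 1
        self._alerts[event_id] = alert
        return event_id

    def get_unchecked(self, event_id):
        # Anyone holding a neighbouring number gets someone else's alert back.
        return self._alerts.get(event_id)

    # Hardened design: unpredictable identifier AND the lookup is scoped
    # to the authenticated requester.
    def create_random(self, alert):
        event_id = secrets.token_urlsafe(16)   # 128 bits, not enumerable
        self._alerts[event_id] = alert
        return event_id

    def get_for_user(self, user, event_id):
        alert = self._alerts.get(event_id)
        if alert is None or alert.owner != user:
            # Same answer for "no such id" and "not yours": no confirmation
            # that a valid id exists, and nothing leaks across customers.
            return None
        return alert
```

Note that `get_for_user` applies the ownership check even to ids created by the old sequential scheme, which is the part of the fix that does not depend on migrating existing identifiers.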

But Fiserv is not blowing trumpets to announce the patch or the flaw.

A scan of Fiserv’s Twitter feed found no mention of the flaw or Krebs’ reporting or the purported patch.   

There’s silence over at Facebook too.

Julie Conroy of Aite told Krebs this about Fiserv’s customers: “These financial institutions use a core banking provider like Fiserv because they don’t have the wherewithal to do it on their own, so they’re really trusting Fiserv to do this on their behalf,” Conroy said. “This will not only reflect on Fiserv’s brand, but also it will impact customer’s perception about their small local bank, which is already struggling to compete with the larger, nationwide institutions.”

What she is saying is that big banks – which ordinarily don’t buy off-the-shelf technology from a vendor like Fiserv – may have a competitive advantage because they build their own.

I’m not sure that is true – I doubt most consumers have a clue as to whether their bank or credit union technology is off the shelf or bespoke.

But Conroy is right: in some ways the big banks keep expanding their technology lead over small institutions. That does not have to be the case. A smart credit union can use fintech alliances to create an institution that is the rival of even the most polished money center banks.

But the credit union has to want to get there.

And a necessary first step is cleaning up that Fiserv mess if your institution is a victim.  Do it now.