Is your refrigerator running? Yes it is, and it’s flooding the Internet!

By Scott Laliberte, Managing Director
Technology Consulting


The distributed denial of service (DDoS) attack on October 21 offered a new twist on an old trick that should cause us to pause and pay attention. DDoS attacks are nothing new. They became popular in the late 1990s, when all of us security experts were busy trying to figure out how to combat them. At the time, the attackers were taking advantage of outdated and unpatched operating systems of home users and small businesses, using them as “zombies” – devices attackers can compromise and use to attack other devices. Operating system vendors responded to the rash of DDoS attacks by creating operating systems that were more difficult to hack and easier for end users to patch and update. The “arms race” between manufacturers and hackers has been going on ever since.

While end-user machines are still easy targets for phishing, malware and other types of attacks, internet of things (IoT) devices have opened up a whole new opportunity for hackers. Layer on this opportunity an attractive sci-fi scenario of an army of rebellious home appliances bringing down some of the biggest businesses on the Internet, and you have provided plenty of motivation for hackers to take that route.

IoT devices represent advances in technology that are beginning to change our way of life, in many ways for the better. My colleague Jim wrote about the possibilities of IoT in a post last year. He also cautioned that the IoT will bring new risks, in addition to new opportunities.

This caution was well placed. From a security perspective, the IoT presents a new attack vector that manufacturers of connected devices must take seriously. Some IoT manufacturers have expressed a cavalier attitude toward the possibility of their devices being hacked. In conversations, I often hear that “if an IoT device is hacked, only a handful of users will be affected and the impact to the business would be minimal.” Unfortunately, this position does not take into account the manufacturers’ responsibility to the rest of the internet to make sure these devices are properly protected so they cannot be used as weapons to attack other legitimate businesses on the internet.

Internet of Things (IoT) technologies are relatively new, of course, and many organizations are still figuring out how to ensure their security, but manufacturers must be the first to step up to build protections into the product’s life cycle. Consumers must demand this as well and be willing to pay for the additional costs that accompany these proper levels of protection.

Online businesses, for their part, must recognize that the DDoS threat is real and will not go away. They must consider the potential impact to their businesses and design appropriate protections commensurate with the risk posed by IoT-based attacks. Multiple on-premise and cloud-based solutions exist today to help combat DDoS attacks.

Here is my prediction: This month’s news item is just one of many more to come. I think this most recent round was a message from attackers, saying they can bring down even the biggest players using the most ordinary of home electronic devices, should they so desire. I fully expect to see an increase in ransom and protection payment demands in the coming weeks. So the challenge is on. Is your company ready? Share your thoughts in the comments.

Prioritizing an Offshore Health Check

By Matt Taylor, Managing Director
Risk and Compliance, Financial Services, UK


Political, regulatory and media attention on the use of offshore jurisdictions by individuals and companies to evade taxes is intensifying. The issue was thrust into the spotlight when the International Consortium of Investigative Journalists (ICIJ) released 11.5 million historical documents hacked from Panamanian law firm and corporate service provider Mossack Fonseca in April 2016. The release detailed the names of individuals and companies with links to offshore companies, trusts and foundations in a number of offshore jurisdictions. We covered some of the implications of this leak in a blog post in May this year.

The issue was reignited recently by the ICIJ’s release of 1.3 million documents from a Bahamas corporate registry, dubbed the Bahamas Leak. The released documents reveal names of individuals and organizations with links to entities registered in the Bahamas. With the latest release, the ICIJ’s Offshore Leaks Database now contains information on nearly 500,000 offshore entities.

There are legitimate reasons for the use of offshore structures in jurisdictions like Panama and the Bahamas, such as legally reducing or eliminating individual and corporate taxes. However, these structures also present opportunities for money launderers and terrorist financiers to hide potentially illicit funds.

In the few short months since the Panama Papers leak, regulators around the world have initiated investigations into the tax affairs of the individuals and companies referenced in the offshore database. A similar response is expected following the Bahamas Leak, and it is only a matter of time before another offshore jurisdiction is the target of an “ethical hack” such as this. In the meantime, the regulatory scrutiny of offshore banking is intensifying.

Protiviti hosted a roundtable discussion in London on October 11 in conjunction with the Association of Certified Anti-Money Laundering Specialists (ACAMS). A host of multinational banks and wealth management providers attended the roundtable to hear practical advice on how to deal with the increased level of regulatory requests for information and proactively manage their offshore exposure.

To begin with, financial institutions should review, if they haven’t done so already, their exposure to any of the companies and people named in the Panama Papers. This action may also trigger know-your-customer (KYC) reviews. Following the most recent Bahamas Leak, financial institutions should have already triggered negative news reviews to screen for any potential links to the companies and individuals named in the leak. They should also have reviewed their geographic risk ratings for offshore banking centers to ensure they accurately reflect the inherent risks of these jurisdictions. Going forward, firms need to be further prepared for regulatory reviews across all of their offshore exposures.

For many firms, existing KYC systems and files may not cover all the fields necessary to identify the ultimate beneficial owners (UBOs) of offshore structures. Firms need to test their KYC systems to see if they can access the data accurately and rapidly. Some KYC systems and files may not identify UBOs to the required level of ownership percentage and/or distinguish UBOs from nominees, while other KYC systems/files may not hold sufficient information on offshore structures being used by customers that will give the firm comfort that it is not enabling tax evasion.
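The two tests the paragraph above asks firms to run against their KYC data, whether ownership can be traced through every layer of a structure down to a natural person at the required percentage, and whether nominees are distinguished from the people they hold for, can be expressed as a small ownership-graph walk. The following is an added example written for this post, not Protiviti’s or ACAMS’s own tooling; the entities, percentages and the 25% reporting threshold are constructed for illustration, and the chain representation (holder, fraction, nominee-for) is an assumption about how a KYC file might record holdings.

```python
from collections import defaultdict

# Constructed sample ownership graph (illustrative, not real entities).
# entity -> list of holdings: (holder, fraction held, nominee_for).
# When nominee_for is set, the holder is a nominee and the holding is
# attributed to the named principal, not to the nominee itself.
OWNERSHIP = {
    "CustomerCo (Bahamas)": [
        ("HoldCo A (Panama)", 0.60, None),
        ("Nominee Services Ltd", 0.30, "Person P"),  # nominee holding for P
        ("Person Q", 0.10, None),
    ],
    "HoldCo A (Panama)": [
        ("Trust T", 0.50, None),
        ("Person R", 0.45, None),
        ("Shell X (BVI)", 0.05, None),  # no ownership record on file: a KYC gap
    ],
    "Trust T": [
        ("Person P", 1.00, None),
    ],
}

# Natural persons recorded in the KYC file; everything else is a legal entity.
NATURAL_PERSONS = {"Person P", "Person Q", "Person R"}


def resolve_ubos(entity, ownership, natural_persons, scale=1.0, path=None):
    """Walk the ownership layers beneath `entity`.

    Returns (effective, gaps):
      effective: natural person -> fraction of `entity` ultimately held,
                 multiplying percentages down each chain and summing chains.
      gaps:      (kind, chain, fraction) for chains that cannot be resolved to
                 a natural person ("unresolved": no record for the holder;
                 "circular": the chain loops back on itself).
    """
    path = path or [entity]
    effective = defaultdict(float)
    gaps = []
    for holder, fraction, nominee_for in ownership.get(entity, []):
        principal = nominee_for or holder      # look through nominees
        share = scale * fraction               # effective share of the root entity
        if principal in natural_persons:
            effective[principal] += share
        elif principal in path:
            gaps.append(("circular", " -> ".join(path + [principal]), share))
        elif principal not in ownership:
            gaps.append(("unresolved", " -> ".join(path + [principal]), share))
        else:
            sub_effective, sub_gaps = resolve_ubos(
                principal, ownership, natural_persons, share, path + [principal]
            )
            for person, held in sub_effective.items():
                effective[person] += held
            gaps.extend(sub_gaps)
    return dict(effective), gaps


def flag_ubos(effective, threshold=0.25):
    """Natural persons at or above the reporting threshold (25% assumed here)."""
    return sorted(person for person, held in effective.items() if held >= threshold)


if __name__ == "__main__":
    held, gaps = resolve_ubos("CustomerCo (Bahamas)", OWNERSHIP, NATURAL_PERSONS)
    for person, fraction in sorted(held.items()):
        print(f"{person}: {fraction:.2%}")
    print("UBOs:", flag_ubos(held))
    for kind, chain, fraction in gaps:
        print(f"GAP ({kind}, {fraction:.2%} of root): {chain}")
```

In the constructed structure, Person P reaches 60% of CustomerCo only once the nominee holding and the trust chain are added together, which is exactly what a file that records only direct holders would miss; the nominee itself never appears as an owner. The 3% that ends at an entity with no ownership record is reported as a gap rather than silently dropped, so the percentages attributed to people plus the gaps always account for the whole company and a reviewer can see what evidence is still missing.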

In the UK, HM Revenue & Customs is specifically calling out “enablers” of tax evasion. All financial institutions have an obligation (which extends to individual employees in many jurisdictions) to demonstrate they are taking reasonable steps to ensure that neither the institution nor its employees are enabling tax evasion for the institution’s customers. Firms need to assess how they are ensuring their customers who are using offshore structures are not involved in tax evasion of any sort, and document this assessment.

Protiviti and ACAMS are in agreement that self-certification by companies and individuals stating they are paying taxes where taxes are due provides limited comfort to institutions. Firms must take further steps to satisfy themselves that the use of an offshore structure (particularly a multilayered one) makes sense in the context of their overall knowledge and understanding of the customer. Documenting that an offshore entity is being used for “tax purposes” will not suffice.

The footprint of tax evasion can look very different from other types of money laundering, and transaction monitoring alerts typically will not flag issues related to tax evasion. Therefore, financial services firms need to apply a broader scope and have a more holistic understanding of their customers’ relationships to ensure everything makes sense from a tax perspective.

With the latest Bahamas Leak, regulatory requests for KYC information are going to increase. Firms should be taking preparatory steps now to ensure that they are able to respond promptly, fully and accurately to such requests.

Fintech Promises Faster, Easier Payments for People and Businesses

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, takes place Oct. 23-26. Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.


Jason Goldberg moderating a panel on customer experience at Money 20/20.

By Jason Goldberg, Director, Financial Services Business Performance Improvement

Financial technology, or fintech, firms are promising to revolutionize the person-to-person (P2P) and business-to-business (B2B) payments industry, and are already causing a seismic shift in this sector. On the floor at Money 20/20 this week, some of the hottest discussions are revolving around payments: cross-border transfers, customer authentication and fraud, customer experience, and, specifically for fintech companies, open APIs and cloud processing.

Unburdened by regulation and legacy IT systems, new entrants in the payment services space are claiming to provide faster and cheaper transfer of monies, both domestically and across borders, than the established players.

PayPal, the first big shock to the payment industry, was launched in 1998 and for years remained one of the most popular alternatives to using credit cards for online purchases. Today, it is just one of a multitude of person-to-person (P2P) and business-to-business (B2B) payment alternatives being used on any number of devices.

Ironically, the flurry of new technologies and players has lumped one-time industry disrupter PayPal in with traditional payment services, as technology behemoths such as Google, Facebook and Apple have entered the payment space. Seeing the writing on the wall, established players like J.P. Morgan Chase, U.S. Bank, Bank of America, Wells Fargo and other well-known financial institutions partnered five years ago to launch digital payment provider ClearXchange to fend off fintech upstarts. Just this year, ClearXchange began offering a real-time payment option for users who want to avoid the traditional three-day transfer period.

In cross-border payment services, traditional service firms like SWIFT, Visa and MasterCard are also under threat from new entrants. Upstarts like Align Commerce, Traxpay, Payoneer and others are relying on distributed ledger technology (DLT), aka blockchain, and virtual currencies to speed up the payment process and make it both secure and transparent. The use of DLT provides a faster, cheaper and trackable mechanism for the transfer of funds. Where a SWIFT transfer may take four or five business days, new entrants can promise transfers within two days and for about half the cost.

These new developments, and our discussion of them, are outlined in a recently published paper, Innovating Payments. All the trends point toward mobile, instant and near-frictionless transactions. But established players are not likely to be disintermediated; they are more likely to embed real-time, P2P functionality within their secure banking apps, and earn fees from other payment interfaces.

The battle for the digital payment market is far from over. Regulators are watching the developments closely, and will surely have the last word on what technologies become widely adopted. As far as consumers and businesses are concerned, the future of payments looks promising.

Money 20/20, Day 3: Get the View From the Inside With Today’s Podcasts


Ed Page, Managing Director, Technology Consulting for Financial Services, on IT Trends (6:08 minutes)


Nirav Shah, Director, Risk and Compliance, on Regulating Fintech (3:03 minutes)


Nirav Shah, Director, Risk and Compliance, on Good vs. Bad Innovation (4:46 minutes)


Robert Ferguson, Senior Manager, Business Performance Improvement, on Customer Stickiness (3:21 minutes)


Regtech: The Fintech Innovation at the Heart of Compliance Transformation


By Vishal Ranjane, Managing Director
Risk and Compliance


Recently, my colleague Jason Goldberg wrote about balancing the competitive need for technology-enabled customer experiences in payments, banking and wealth management with security and privacy controls. Customer-facing technology, as the most publicly visible example of financial technology (fintech), has received a lot of media attention. Nevertheless, it’s only half of the fintech picture.

Behind the scenes, financial institutions are beginning to adopt a subset of fintech known as regulatory technology, or “regtech.” (Protiviti’s recently introduced automated Risk Index tool is an example of such a regtech solution applied to management information and reporting.)

Like fintech, regtech applies the same nimble, scalable, mobile-friendly solutions and rapid, low-cost cloud deployment to improve risk management, transaction monitoring, regulatory compliance, reporting, data storage and analytics. Unlike fintech, however, regtech does not compete with traditional banking for the same customers; rather, it offers new ways of solving old problems by providing speed, security and agility in complying with regulatory requirements. As such, financial institutions have good reasons to look forward to implementing the technology.

Regtech has the potential to replace many of the traditional manual and paper-based solutions. Traditional solutions tend to be inflexible, disconnected and hard to update. Traditional solutions also tend to be resource-intensive, tying up both capital and IT capacity.

Regtech enables controls such as employee surveillance and transaction monitoring, on-demand reporting and full population data analytics. It makes conducting risk assessments faster, and provides a better audit trail.

Applied to anti-money laundering (AML) and counter-terrorist financing (CTF) compliance, a regtech real-time transaction monitoring solution can bridge communication gaps by consolidating and analyzing data from disparate systems. Applied to know-your-customer (KYC) processes, regtech can be used to create a secure central data repository with reference data utilities to protect personally identifiable information. The technology also can monitor financial services regulations in every country and region within an institution’s footprint, and report back to internal audit.

[Listen to Vishal discuss faster KYC onboarding revealed at Money 20/20]

In short, the opportunities for regtech in compliance automation, AML and management reporting are many and exciting. Financial institutions historically have struggled to comply with new regulations, in part because the compliance processes were rigid and not easily changed. As regtech matures, risk and compliance functions are likely to see increased operational excellence. Underlying data will become more reliable, enabling better decisions; adoption of new controls and compliance procedures will get faster and easier; and senior management will be able to manage risk more effectively.

One important caveat: Regtech relies heavily on third-party providers of cloud-based technology solutions, but this does not mean that these parties assume the risk of the institution. While the IT burden of implementation and maintenance of the new technology may be reduced, there is a new and growing responsibility for institutions to vet and monitor vendors to ensure that the providers’ policies, values and procedures align with those of the organization — especially when it comes to privacy and cybersecurity.

Also, while automation can improve processes, it is critical for financial institutions to review all risk and compliance procedures during project planning to avoid accelerating bad or obsolete processes, and to verify data integrity to ensure that reports are accurate and reliable.

Regtech is a good example of what the U.S. Office of the Comptroller of the Currency meant when it talked about the need for “responsible innovation.” As the financial services industry undergoes a fundamental and disruptive digital transformation, financial institutions are going to need technology-enabled risk management and compliance tools to ensure that they can manage at the speed of risk.

This is an exciting trend and we’ll keep you posted as things develop.

Money 20/20: Protiviti Experts Share Their Views on Hot Topics in Day 2


In Day 2 of Money 20/20, Kevin Donahue talks with two Protiviti experts who share their views on some of the hot topics discussed at the conference today. Tyrone Canaday, Managing Director in Protiviti’s IT Consulting practice, discusses open API – the open platform technology used by fintech firms to speed up innovation, increase speed to market and facilitate the shift from branch to digital.

In the second segment, Atul Garg, Managing Director in Protiviti’s Business Performance Improvement practice, outlines the dichotomy between traditional and fintech banking firms, and the conversations needed to achieve the convergence desired by both of these groups.

Listen to their thoughts and share these conversations by accessing them on Twitter, here and here.


Money 20/20: Impact of the U.S. Presidential Election on the Financial Services Regulatory Landscape


In a session Sunday titled “Impact of U.S. Presidential Election on the Financial Services Regulatory Landscape,” Tim Pawlenty, former governor of Minnesota, and Neal Wolin, former deputy secretary with the U.S. Department of the Treasury, shared their thoughts on what may happen after the election with regard to regulation in the financial services industry.

Both panelists noted that the financial services industry remains a bit in flux with regard to the regulatory landscape. Memories of the global financial crisis from a decade ago still linger with consumers and lawmakers alike. Pawlenty noted that the overall financial services industry, and so-called “big banks and Wall Street” in particular, remain very unpopular. In the eyes of many, he said, events leading up to the global financial crisis nearly derailed the economy, so the reaction and sentiment are understandable. Any efforts to curtail regulation significantly will likely be met with protests as part of a growing populist movement in the country. Lawmakers are unlikely to introduce any drastic changes in this environment.

That said, change is possible, especially over the long term. Whoever wins the presidency on November 8 will be making numerous appointments that will dictate the pace and cadence of regulatory changes. In addition, one or more Supreme Court appointments have the opportunity to introduce shifts in the regulatory landscape. However, those changes almost certainly will be slow to come. Pawlenty and Wolin explained that regardless of which parties control the House and Senate after Election Day, both chambers of Congress will remain relatively balanced – enough so that one party will be unable to enact major regulatory changes without the other party curtailing them.

Another item of note: With regard to fintech, Wolin observed that the views of both candidates for president are murky. It is unclear how either might proceed with regulatory oversight of the burgeoning fintech industry.

Bottom line: Despite an acrimonious presidential election and numerous promises and pledges from the presidential candidates as well as those running for House and Senate seats, the panelists believe the regulatory landscape for the financial services industry is unlikely to shift dramatically. Instead, new regulations will continue to come from the executive branch as well as from individual regulators in response to specific events or developments in the industry.