
Latest news with #financialCrime

Mitigating cyber-risks in outsourcing: Contract strategies for compliance and protection

Finextra

20-06-2025

  • Business
  • Finextra


This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

A clear and present danger

In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches. For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime. As reported by Finextra on 15 May, NatWest's head of cyber security has revealed that the Bank faces 100 million cyber-attacks every month.

The Equifax incident brought into sharp focus the risks and vulnerabilities which can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to safeguard sensitive information.

Rules are rules

Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures. Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers. Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers.

Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached. Non-regulatory, but nonetheless important, requirements which affect many financial services businesses include the Payment Card Industry Data Security Standard (PCI DSS), which imposes requirements on the security of card data, and the information security requirements of ISO 27001.

Get it in writing

The typical provisions which a customer can try to include in contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.

Contract standards

Set out the general standards to which a supplier must conduct its business and provide its service(s), for example in compliance with all laws and regulations, with professional skill and care, and in accordance with good industry practice.

Set out any specific requirements which the supplier must meet which are intended to address particular cyber and data concerns, for example:

  • Detailed security provisions, including compliance with the customer's own information and systems security policies.
  • Warranties of compliance with any information provided by the supplier pre-contract as part of the customer's due diligence process.
  • Early warning requirements related to suspected cyber incidents or data breaches.
  • Specific clauses designed to meet the requirements of the UK GDPR, including: to exercise sufficient technical and organisational measures to protect data against unauthorised access, to notify data breaches in good time, and controls on the export of data outside of the UK/EEA.
  • Compliance with specific industry standards, including PCI DSS and ISO 27001.
  • Regular conduct of security testing and the provision of results to the customer. This can be a source of debate: a customer may want the right to conduct its own testing (including penetration tests), but suppliers can be reluctant to give this, especially over systems used for multiple customers, and so a right to see the results of the supplier's own internal or third-party testing may be the best which can be achieved.
  • An obligation to rectify any detected weaknesses after testing.
  • Restrictions against use of sub-contractors and/or AI systems without the customer's consent.
  • A requirement to use at least 'industry-standard' cybersecurity measures such as firewalls, malware blockers etc.

Rights and remedies

  • Making sure that the supplier's liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of 'indirect or consequential' liability.
  • Potentially no or separate/higher liability caps for issues such as breach of confidentiality, security, or data protection requirements. It is now not uncommon to have 'supercaps' for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
  • Indemnities for issues such as security or data breach.
  • Audit rights for the customer (and also its regulators), which would extend to the supplier's sub-contractors.
  • Definite termination rights in the event of a cyber or data related breach.
  • A right to remove supplier personnel or sub-contractors, or the service, if there are any concerns.

Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers.

However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, provide the customer with various rights and remedies (ideally to catch and avoid problems before they escalate), and otherwise provide the customer with a potential claim for damages for breach of contract, or indemnity rights, should the supplier fail to comply with the relevant terms and the customer suffer loss or liability as a result.

BIS, BoE test AI to detect fraud in retail payments

Yahoo

16-06-2025

  • Business
  • Yahoo


The Bank for International Settlements (BIS) Innovation Hub, in collaboration with the Bank of England, has carried out a study known as Project Hertha, testing AI techniques to identify fraud within payment system data. It studies the potential of transaction analytics in detecting financial crime within real-time retail payment systems. The project leverages AI to pinpoint 'complex' criminal networks that operate across multiple financial institutions.

Project Hertha's findings suggest that payment system analytics can aid banks and payment service providers in spotting illicit activities: the use of these analytics resulted in a 12% increase in the identification of illegal accounts. Moreover, the system proved capable of detecting new patterns of financial crime, with a 26% improvement in recognising previously unknown behaviours.

The research was conducted using a synthetic transaction dataset representing 1.8 million bank accounts and 308 million transactions. This dataset was generated by an AI model designed to simulate realistic transaction patterns, ensuring that no real customer data was involved.

The results also indicate that the application of system analytics has its limitations and is not a solution in itself. The introduction of such analytics would involve 'practical, legal, and regulatory' considerations, which were not explored within the project's scope. The project also highlights the importance of access to labelled training data, a feedback loop for the AI model, and the need for algorithms that can be explained, to 'maximise' the effectiveness of such systems.

Project Hertha draws its name from the British scientist Hertha Ayrton, known for her work in the physical sciences and her historic presentation to the Royal Society in 1904.

"BIS, BoE test AI to detect fraud in retail payments" was originally created and published by Electronic Payments International, a GlobalData owned brand.

Fugitive FX Ponzi Scheme Boss Assumed Dead May Be Alive, Police Say

Bloomberg

06-06-2025

  • Business
  • Bloomberg


The fugitive boss of a bogus London FX firm, convicted as the mastermind behind a Ponzi-style investment scheme, was thought to have died in Mexico while on the run, but London police aren't so sure. Anthony Constantinou stole at least £70 million ($95.1 million) from investors he lured with the promise of risk-free returns, and was sentenced to 14 years in prison in his absence. News outlets including UK tabloid The Sun and Miami-based website OffshoreAlert reported that Constantinou died of a heart attack in July 2024 while in Guadalajara, Mexico.

'Remote purchase' fraud in UK surges as customers tricked into disclosing passcodes

Yahoo

31-05-2025

  • Business
  • Yahoo


Banks are reporting a surge in a type of fraud where customers are tricked into disclosing online login passcodes they are sent, which has helped to fuel a 22% jump in crimes where scammers go shopping using people's stolen details.

The banking body UK Finance revealed that 'remote purchase' fraud hit its highest-ever level in 2024, with almost 2.6m cases logged, which works out at more than 7,000 incidents a day, or almost five a minute. Urging the government to treat fraud as a 'national security threat', UK Finance said the rise in cases suggested that criminals were changing their tactics, amid evidence that another scam, where people are tricked into sending money to fraudsters, was in decline after tougher rules were introduced last autumn.

Overall last year, criminals stole about £1.2bn through the various types of financial fraud. This figure was broadly the same as the previous year, but the number of confirmed cases rose by 12% to reach just over 3.3m. The vast majority of these cases involved remote purchase fraud, where criminals use stolen card details to buy items online. Incidents of this type of crime had been falling in recent years, but last year the total amount lost to this scam rose for the first time since 2018.

Banks say they are increasingly seeing criminals use sophisticated techniques to get people to disclose one-time passcodes they are sent. These codes usually take the form of a unique set of numbers, a bit like a PIN, and banks typically send them to customers via text message when they use their card to make purchases online, log on to internet banking, or change their personal details. Once in possession of a passcode, a criminal can often use it to authenticate fraudulent online card transactions.

These frauds often begin with the familiar methods criminals have developed to encourage people to share their bank details, including sending text messages with a promise of a payment, links to false websites, or offers on social media for cheap products. One variation of the scam involves fraudsters using the details they have obtained to transfer the bank cards of victims to the digital wallets of their own phones and then buy goods online and in high street shops.

In its report, UK Finance said its discussions with the industry 'point to an increase in the compromise of one-time passcodes'. It warned: 'This perhaps points to an over-confidence in one-time passcodes and the protection they offer customers, which is now being exploited to a growing degree by criminals.'

Data hacks at third parties, such as retailers, were another 'major driver' of remote purchase fraud, with criminals using stolen card details to make purchases online, said the banking body. It added: 'The data stolen from a breach can be used for months or even years after the incident. Criminals also use the publicity around data breaches as an opportunity to trick people into revealing financial information.' The warning comes after Marks & Spencer was hit by a cyber-attack, though the retailer said this month that the customer data accessed did not include usable payment or card details.

Victims of unauthorised fraud, which includes remote purchase scams, are legally protected against losses, and UK Finance said its research indicated that customers were fully refunded in more than 98% of cases.
