Counter Fraud and Money Laundering – PSD2 / AML5

All Participants should ensure that counter fraud controls are given sufficient profile in their organisation to prevent financial loss to service users and participating organisations.

Introduction

The minimisation of fraud risk within the open banking Ecosystem is considered of fundamental importance by the OBIE to ensure the protection of customers and the security of transactions.

Recommendations are based on the regulatory guidance together with EBA/FCA guidance on monitoring and reporting requirements.

What do I need to comply with?


You must ensure that your onboarding facilitates compliance with the regulation and legislation relevant to the type of services you provide. In addition to PSD2 and GDPR, TPPs should also consider the application of other applicable legislation, e.g. rules relating to anti-money laundering and consumer protection.

Critically – for data and cyber security, GDPR expects organisations to implement ‘appropriate’ technical and organisational controls to protect personal information.

Counter Fraud Strategy & Operations

Create a counter fraud strategy focused on three areas:

  1. Fraud Prevention: including code of conduct, policies and controls, awareness training, risk assessment and management plans.
  2. Fraud Detection: including fraud detection tools and fraud reporting processes.
  3. Fraud Response: including investigation processes, data, management information and reporting, legal action and dispute resolution.

The strategy should also detail other controls and policies that link to the counter fraud strategy – such as ISO27001 information security controls, internal audit function and the enterprise risk management function.

  • Recruit specialist counter fraud operations staff.
  • Ensure data collected contains appropriate fraud indicators.
  • Implement a counter fraud engine to detect and prevent fraud.
  • Ensure identity and verification (ID&V) practices are in place.
  • Detail and maintain strong counter fraud policies and processes.
  • Identify, evaluate, monitor and measure fraud levels and report at board level.
  • Share information and intelligence with financial services peers.

Regulatory Consequences: High fraud levels could lead to regulatory investigations, enforcement action, fines and/or revocation of your regulatory permissions.
Financial Impact: In 2018, fraudsters successfully stole £1.2bn in fraud and scams (source: UK Finance).
Identify Your Greatest Threats: Fraud is closely linked to poor cyber security and poor people and process information security.

Secure Customer Accounts

In addition to a smooth onboarding process, it is important that customers trust you will keep their data and account information secure. You should take as much care with protecting customer accounts as you take with your internal user and administration accounts. Demonstrating such care is a key element of complying with GDPR requirements that you process personal data “in a manner that ensures appropriate security of personal data, including protection against… accidental loss, destruction or damage, using appropriate technical or organisational measures.”

How do I Create Secure Customer Accounts?

The Information Commissioner's Office (ICO) has guidance on protecting personal data (see the ICO Guide to Data Protection), including tips on password management. It is important to note that all current good practice suggests using technical controls to protect user accounts, reducing reliance on individual user security. Whilst there are many different techniques and controls you could deploy, starting with a risk assessment to understand which apply to your customer accounts is a good way to identify those most appropriate to your environment.

What technical controls should I deploy?

You should consider the following technical controls to secure customer accounts:

Throttling – add an incremental time delay for each failed log-in attempt. This also protects against brute-force attacks.

Lockout – after a certain number of failed log-in attempts, lock the customer out of their account for a set amount of time. This lockout period should increase incrementally for up to (for example) 10 failed attempts. After the maximum number of attempts has been reached, alternative ways to reset passwords should be deployed. Allowing customers to reset their passwords every time they forget them enables fraudsters to change passwords on accounts where they have obtained some, but not all, credentials.

Blacklist predictable passwords – many applications contain blacklists of common passwords – switch them on. At a minimum, users should not be allowed to create passwords that include their user (or real) name, birthday or address.

Logging and monitoring – monitor all attempts to access customer accounts and set alerts for odd or unexpected activity.
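As an added example (not part of the OBIE guidance), the following Python sketch shows the four controls above working together: an incremental throttle delay, an escalating lockout that falls back to an alternative reset route after 10 failures, a predictable-password check against common passwords and the user's own details, and logging with an alert for unexpected activity. The thresholds, function names and sample blacklist are assumptions chosen for illustration.

```python
import logging

log = logging.getLogger("customer-accounts")

MAX_ATTEMPTS = 10   # after this, only an alternative reset route is offered (assumed policy)
LOCKOUT_AFTER = 3   # failures before the first lockout (assumed threshold)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample blacklist

def throttle_delay(failures):
    """Throttling: response delay grows with each failure (1s, 2s, 4s ..., capped at 60s)."""
    return 0 if failures == 0 else min(2 ** (failures - 1), 60)

def lockout_seconds(failures):
    """Lockout: from the third failure on, lock the account for a period that grows each time."""
    return 0 if failures < LOCKOUT_AFTER else 60 * (failures - LOCKOUT_AFTER + 1)

def fresh_state():
    return {"failures": 0, "locked_until": 0.0, "sources": set()}

class LoginGuard:
    def __init__(self):
        self.state = {}   # per-account failure history (in-memory for the example)

    def attempt(self, user, source_ip, credentials_ok, now):
        """Returns (status, delay_seconds); status is ok / denied / locked / reset_required."""
        st = self.state.setdefault(user, fresh_state())
        log.info("login attempt user=%s ip=%s", user, source_ip)   # monitoring: log every attempt
        if st["failures"] >= MAX_ATTEMPTS:
            return "reset_required", 0             # no further password guesses are accepted
        if now < st["locked_until"]:
            return "locked", st["locked_until"] - now
        if credentials_ok:
            self.state[user] = fresh_state()       # success clears the failure history
            return "ok", 0
        st["failures"] += 1
        st["sources"].add(source_ip)
        st["locked_until"] = now + lockout_seconds(st["failures"])
        if len(st["sources"]) >= 3:                # unexpected activity: one account, many sources
            log.warning("ALERT user=%s failures from %d sources", user, len(st["sources"]))
        if st["failures"] >= MAX_ATTEMPTS:
            return "reset_required", 0
        return "denied", throttle_delay(st["failures"])

def is_predictable(password, user_name, real_name, birthday, address):
    """Blacklist check: reject common passwords and any containing the user's own details."""
    p = password.lower()
    personal = [user_name, *real_name.split(), *birthday.split("-"), *address.split()]
    tokens = [t.lower() for t in personal if len(t) >= 3]
    return p in COMMON_PASSWORDS or any(t in p for t in tokens)
```

The caller is expected to sleep for the returned delay before responding and to persist the per-account state in a shared store in a real deployment.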

What about passwords?

There are plenty of good practices available from NCSC and NIST about password management. The latest guidance advises against complicated composition rules (upper case, lower case, special characters, etc.) and recommends the use of a passphrase instead.

A key change to previous recommended good practice is around the requirement to change passwords at regular intervals. Evidence suggests that this increases the likelihood that users will re-use existing passwords (reducing security) rather than selecting a unique one each time (for example, users often add a number to an existing password and increase it sequentially).

Current good practice suggests advising users to change passwords ONLY if they suspect their credentials have been compromised (or if you detect a potential breach).

PSD2 and Payment Security

The EBA recently published Guidelines on ICT and security risk management, which come into force on 30 June 2020 and will repeal and replace the current EBA Guidelines on the security measures for operational and security risks of payment services under PSD2.

Ensuring the security of payments is at the core of PSD2. Participants are obliged to ensure that they have an established framework to manage their operational and security risks. Participants must also be mindful of the interplay with other statutory obligations, such as ensuring the security and protection of personal data, including financial data, in accordance with data privacy laws.

  • PSD2 requires all PSPs to provide statistical data on fraud to their competent authority, i.e. the FCA in the UK.

Fraud Monitoring & Reporting

Reporting is on a semi-annual basis for PISPs and an annual basis for AISPs.

For AISPs, reporting is limited to:

  • Number of incidents of fraud.
  • Total value of fraud.
  • Description of fraud.

See FCA Handbook Sup16 Annex 27f, Table 2. 

PISPs are required to report the following:

  • Volume and value of all fraudulent transactions.
  • Payment type.
  • Fraud type.
  • Method of authentication.
  • Geographical location.

See FCA Handbook Sup16 Annex 27f, Table 1.

Regulatory Consequences: Regular fraud reporting is required by both the FCA and EBA.
Financial Impact: Understanding fraud levels ensures investment in defences is targeted where it is most needed.
Identify Your Greatest Threats: Review and assess the EBA fraud reporting requirements and align your monitoring system to prevent accidental misreporting.

Money Laundering

What do I need to comply with?

The 5th AML Directive came into force on 10 January 2020, and can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843

Customer on-boarding process

The customer onboarding experience can be a key differentiator for digital platforms. Reducing friction, removing unnecessary clicks and inputs can reduce the anxiety customers feel opening a new account. However, customer experience design in financial services must balance usability, security, regulatory and legal compliance. The onboarding journey is where the fight against financial crime begins, and insufficient inputs can open the door to fraud.

Know Your Customer (KYC) checks

Central to AML5 compliance are Know Your Customer (KYC) checks, performed when onboarding new users and periodically for existing ones. As part of your AML obligations, a KYC check ensures you know who you are dealing with and that you have assessed the risks associated with enabling their account.

Do I need to do KYC checks?

You will need to do KYC checks if:

  • You are operating a regulated business under PSD2,
  • You are opening an account for a new customer,
  • You have concerns about the financial viability or dealings of your customer,
  • You have not recently undertaken KYC checks on existing customers.

What do I need to check?

A KYC check can be automated or manual. It can be performed in-house or on your behalf by a third party. The checks should include:

  • Verification of address.
  • Verification of identity.
  • Politically Exposed Persons (PEP) and Sanctions Screening.
  • For businesses, identification of Beneficial Owners and Directors.
  • Monitoring for changes in ownership or directors in an organisation.
  • Audit trail and secure archive of checks, with appropriate protection of data in transit and at rest.