Financial crime and cyber security
By Jagdev Kenth, Director of Risk & Regulatory Strategy, Financial Institutions Group, Willis Limited
Published: 30 June 2015
A recently released paper by AIMA demonstrated clearly that hedge fund firms and other alternative asset managers are playing an important role in financing the economy, providing much needed capital and investment to the SME market, real estate and infrastructure projects amongst others. As the sector plays an increasingly mainstream role, issues such financial crime and cyber security will remain central to further growth. As recent events show, these remain a priority for regulators and law enforcement agencies.
Financial crime
Financial crime seems to have occupied much of the Financial Conduct Authority’s (FCA) time. Earlier this year, in response to an FOI request, the FCA confirmed it is investigating 67 firms or individuals that fall within the Alternative Investment Fund Managers Directive (AIFMD) for possible abuses ranging from financial crime to market abuse. These cases will take time to work through the FCA enforcement process but it is likely that some of the investigations will result in public enforcement action. Separately, the FCA announced the findings from its thematic review into market abuse in the asset management sector, which covered 19 asset management firms. In April 2015, it issued the latest version of its guidelines “Financial Crime: A guide for firms” which followed on from the FCA Business Plan 2015/16 in which the FCA identified “The importance of firms’ systems and controls in preventing financial crime” as a new forward looking area of focus for this year.
Not to be outdone, the Serious Fraud Office has also been busy; last year it requested “blockbuster funding” to continue its complex investigations and earlier this year it secured a successful conviction against the founder of a hedge fund that defrauded investors during the financial crisis.
The law enforcement agencies focus on financial crime follows earlier Government measures and initiatives to tackle financial crime, from the Introduction of Deferred Prosecution Agreements (under which a company charged with a criminal offence can have proceedings suspended if it agrees to various conditions, such as co-operating with prosecutions of individuals, making reparations or paying a financial penalty), to proposed legislative changes to the disclosure of beneficial ownership of companies in order to enhance transparency of UK corporates, combat tax evasion and financial crime. Last year this work culminated in the release of the UK Government’s “Anti-Corruption Plan” which set out 60 action points for the Government and its partners, both in the public and private sector.
US regulators are equally as concerned with financial crime. Benjamin M. Lawsky, Superintendent of Financial Services for the State of New York, recently spoke about the need for robust transaction monitoring and filtering systems to prevent money laundering. Flawed or ineffective monitoring and filtering systems would risk creating “a gaping loophole in our financial system that terrorists, drug dealers, and other violent criminals could exploit” warned Lawsky.
Against this backdrop, it is an appropriate time for hedge funds and alternative asset managers to review financial crime systems and controls. The FCA Financial Crime guide provides useful guidance on managing risks associated with key financial crime issues from money laundering, anti-bribery & corruption, fraud and data-security. It also provides useful examples of good and poor practice in relation to a range of controls, such as due diligence, managing PEPs and dealing with third parties. Regulators will be looking for senior management to demonstrate strong and effective governance and display identification and mitigation of these risks.
Cyber security
The United States administration recently warned that hedge funds are a weak link in the US financial systems defences against hackers and terrorists and has expressed concern that hedge fund investors data could be at risk. According to press reports, this blunt assessment, by the Department of Justice, also included warnings that hedge funds had been victims of cyber extortion. There was further concern that a cyber attack which resulted in the theft, sale and subsequent use of a hedge fund’s intellectual assets, such as market sensitive information or trading algorithms, might cause market disruption if cyber hackers were able to make significant sums of money in a very short period of time.
These concerns came after the Cybersecurity Examination Sweep Summary, issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE), of its review of 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity. The OCIE asked respondents about written information security policies, periodic risk assessment and training and education. According to the results, a majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents related to malware and fraudulent emails. The OCIE guidelines will soon be updated to take account of the findings.
The SEC’s Division of Investment Management issued Cybersecurity Guidance in February, recognising that funds and advisors are increasingly using technology and must protect confidential and sensitive information related to their business activities from third parties, including information concerning fund investors and advisory clients. The Cybersecurity Guidance provided several measures to address cyber security risks, ranging from:
- Conducting periodic assessments of the nature of the information the firm collects and cybersecurity threats;
- Creating a strategy that is designed to prevent, detect and respond to cybersecurity threats, which might include controlling access to various systems, data encryption, backup and retrieval.
- Implementing the strategy through written policies, procedures and training.
The UK Government has similarly expressed concerns about cyber threats and has been collaborating with the insurance sector to help firms identify cyber threats and how insurers can help reduce cyber risks.
The significance of the cyber threat can be difficult to convey but should not be underestimated. Cyber vulnerabilities are best viewed as enablers, amplifiers and accelerators of risks (including financial crime risks), which are already established in an organisation. Firms must understand their cyber vulnerabilities and how these impact the level of risk for the firm’s portfolio of existing risk, to allocate their resources effectively and manage this threat.
The only wrong answer in this picture is not to embrace the need to start the journey to understand the cyber vulnerabilities in your business. Starting the journey is about three key steps:
- education and awareness within your business;
- doing the simple cyber defence things well; and
- planning for the worst and rehearsing the plan.
Over time, it will become clear for all to see which of those organisations have embarked on the journey and are prepared for a breach and which have not.
