Month: June 2020

Why third parties present a risk - Waymark Tech blog

Why Third Parties Represent a Risk

With digital technology evolving by the day, more and more financial institutions are turning to third parties to handle an array of business functions. However, this can open up regulatory vulnerabilities which can be easy to miss – as Raphaels Bank discovered to their cost last year.

Third party risk

The FCA issued the bank with separate fines totalling £1,887,252 for failing to manage their outsourcing correctly. In 2015, one of Raphael’s card processor providers suffered a technical incident which caused the complete failure of the authorisation and processing services it provides to Raphael. This meant 5,356 transactions were not authorised at sales terminals.

The FCA investigation found that Raphaels failed to implement adequate processed to enable it to understand and assess the business continuity and disaster recovery arrangements of its provider. In particular, they had not assessed how that provider would support the continued operations of its programmes during a disruptive event.

Back in March, the FCA published new research on cyber resilience in the financial sector which included statements on third parties. Their research stressed the need for businesses to consider the risks and weaknesses of third party systems and resources when assessing their cyber resilience measures.

In January, they also released a paper explaining the implications of operational resilience for firms using third party service providers. We have more details of the FCA’s stance on the Global Regulatory Platform, but the essential message from the FCA is that every firm has the responsibility for managing its third parties. While you might be surrendering control of operations and data, the responsibility rests with you.

That means that if your third party experiences a problem which results in harm to your customers, you may be held accountable for the damage which results.

This has major implications for any company working with third parties, particularly in relation to their exposure to cybercrime. Data obtained last year from accountancy firm RSM under the Freedom of Information Act, found that a fifth of all cyber breaches occurred due to third parties.

Lessons to be learned

The lessons are clear. As a firm, you should monitor all third parties you’re working with. Each one may potentially represent a vulnerability if their processes and systems are not up to scratch.

Extensive due diligence should be conducted before entering into an agreement. You should have a full understanding of what redundancy measures are in place in the event of any disruption of system failure. You should establish how resilient the company is to cyber attacks and what measures are in place if they suffer a breach.

Failure to undertake these precautions will leave you vulnerable to fines from the regulators and in the age of GDPR, these fines can be considerable.

How AI can help boost compliance - Waymark Tech Blog

How AI Can Boost Compliance

According to the Thompson Reuters, Cost of Compliance report, the most common cited problems by compliance professionals are increasing regulatory burden, compliance with anti money laundering requirements, culture and risk, availability of skilled resources.

Those problems are likely to become even more serious after COVID-19 as financial services companies seek to maintain business resilience throughout this unprecedented crisis. Costs will be cut and the compliance department will be one of the first to face scrutiny.

This was already happening before the outbreak. According to Accenture, most compliance departments are having their budgets cut and are being presented with cost reduction targets.

This comes despite the compliance department moving to the fore in recent years. Since 2008, regulators have been tightening their oversight and are constantly adjusting guidance – and bringing in new regulations. Each update will bring new requirements for firms to comply with. Keeping up to date with the evolving landscape and ensuring your teams are doing everything they can to stay the right side of the rules is a constant struggle.

Secondly, the rise of cybercrime and the increasing tendency of businesses to handle data remotely has also seen regulators ramp up the pressure on firms to ensure clients have control over their data, to keep that data safe and identify where breaches occur as quickly as possible.

Thirdly, the need to comply with regulations and maintain the integrity and resilience of systems has seen a dramatic increase in the data management and administration requirements of firms. More than ever, they need oversight of their key systems and to process information and control their data.

For example, if a client asks for their data to be deleted or altered, as they are able to do under GDPR, firms must be able to retrieve that information as quickly as possible and feel certain that they haven’t left some of that client’s personal data lying around somewhere.

Equally, MiFID II requires that they maintain a complete record of all communications with clients over business dealings. They will have to ensure this data is stored safely and can be retrieved at short notice to satisfy regulators.

Compliance teams will also need to maintain a transparent trail of evidence demonstrating what steps they have taken to comply with the regulations. The burden is heavy. However, all this work drives zero revenue into the company which is why compliance is traditionally one of the first candidates to be trimmed.

The challenge is familiar: to do more with less. At a time when workloads are being upped they are being asked to cut costs.

Unsurprisingly, therefore, firms are investing in AI and automation technologies which can variously reduce costs, streamline operations, improve oversight and reduce the risks of human error.

Some of the most common areas in which AI and automation are being used include:

Monitoring regulatory sources:

Applications can constantly monitor regulators for changes and updates to the regulations. They can notify the compliance team who can then determine what action they should take. Systems use natural language processing (NLP) algorithms to analyse news releases and extract salient information.

Checking compliance with regulations:

Both firms and regulators are making use of applications which monitor a firm’s compliance. Rather than spending time on audits, these applications can alert compliance officers and authorities to breaches, record evidence and prompt the user to take action.

Processing large quantities of text and other data:

New regulations normally get to the market in the form of lengthy documents, often comprising hundreds of pages. Compliance officers and business leaders may not have the time to go through all documents. However, applications can use natural language processing to read through the documents and extract the key actionable highlights.

Such systems are not fool proof. They rely on the AI working as intended in order to deliver value. By automating systems, businesses assume they are eliminating the risk of error. However, they are placing a huge amount of faith in the algorithms underpinning the application. Due diligence will be essential to ensure systems can deliver on their promises.

Even so, automation can significantly improve outcomes for businesses. On the one hand they will be able to reduce the time and attention spent on compliance, while on the other, the increased oversight they offer will provide value in many different ways. It will shine a light on areas of the business which hitherto remained in the shadows. As such, they can even help a business improve performance, cut risks and identify revenues. They help take compliance from being an administrative function and turn it into a proactive tool in driving the business forward.

If you would like to understand more about how AI can help your compliance efforts, please get in touch and we will be happy to guide you. We can offer a trial to demonstrate just how effective our systems are.

Please contact Mark for enquiries.

Was EasyJet Responsible for the Recent Data Breach?

Were EasyJet Responsible for the Recent Data Breach?

Has EasyJet mishandled customer data? Were they responsible for the recent data breach? Could they have done more to prevent a cyber-attack?

These are all questions being asked, among many others.

With an annual global turnover in the region of £6.4 billion in 2019, the airline company is facing a potentially very heavy fine from the Information Commissioner’s Office (ICO) relating to the breach, under General Data Protection Regulation (GDPR). This will not include compensation payouts to affected customers if negligence on the part of EasyJet is proven, which could reach up to £3 billion.

EasyJet has said the breach was due to a:

“highly sophisticated cyber-attack.”


Around nine million customers have been affected with email addresses and travel itineraries stolen. Furthermore, 2,208 customers who stored their debit and credit card details within their profiles on the EasyJet website, have had them stolen.

Why are we only finding out about this now when EasyJet was first alerted to the attack in January 2020?

Good question.

EasyJet has claimed it was only able to inform those customers whose card details were stolen in early April 2020.

When questioned by the BBC as to why it took so long to notify customers, EasyJet stated,

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”


They added,

“We could only inform customers once the investigation had progressed enough that we were able to identify whether any individuals had been affected. Then, who had been impacted and what information had been accessed.”


It turns out that even the secure CVV digits (the three verification numbers on the back of cards) of those 2,208 customers had been accessed.

EasyJet has warned all affected customers that their email addresses had been stolen during the cyber-attack and has advised them to be aware of potential phishing attempts. No details on the exact nature of the attack have been provided by the airline company, however, it confirmed the investigation is ongoing and believes the attackers were targeting the airline’s intellectual property. It didn’t believe they were stealing data to use in identity fraud. EasyJet maintains its stance that it does not think that any of the nine million customers’ personal data has been misappropriated and has further advised that it has been acting under the recommendations of the ICO.

Until the ICO has completed its investigation, EasyJet faces a more pressing issue. The law firm, PGMBM has issued a class-action claim against the airline which could mean a possible liability of more than £18 billion. PGMBM has filed the claim in the High Court of London on customers’ behalves. One of the reasons for this lawsuit is the fact that it took EasyJet four months to inform customers of the breach, even though it had informed the ICO earlier than this.

The British Airways cyber-attack and subsequent data breach in 2018 should have been a warning to all airline companies. Unfortunately, passenger trust is extremely low during the current crisis and this breach has most certainly not helped that.

The ICO is still investigating the data breach. It said that the general public has a right to expect companies to maintain their personal data in a secure and responsible manner and where that does not occur, it will “take robust action”. Due to the coronavirus pandemic though, they may need to be more lenient in regard to the EasyJet data breach, considering how badly the airline industry has been affected. They must, nevertheless, act adequately because they have been deemed as having not done enough around GDPR enforcement.

What can we learn from the EasyJet fine?

Keeping on top of data protection under the GDPR rules has never been more important. These turbulent times we are experiencing have meant significantly increased cyber-attack attempts and a growing number of cyber criminals with the majority trying to access stored personal information and intellectual property. If your own business does not have data control protocols in place, it is high time to plan and implement them – without delay.

Final thoughts

EasyJet has advised affected customers that they should be weary of any messages claiming to come from either EasyJet Holidays or EasyJet itself. Regrettably, the COVID-19 pandemic has brought with it an increase in the occurrence of phishing attempts and Google is purportedly blocking over 100 million attempts each and every day. This does not include those phishing emails that manage to slip through the net, so the public needs to be more alert than ever to these potential threats.

No doubt, the trust of most airline customers has been significantly affected and organisations will need to work hard in gaining it back. EasyJet, especially, will need to clarify why it took so long to publicly announce the cyber-attack. Yes, it has been working with the ICO to handle the issue, however its customers’ data was still out there, without them knowing, for months. Perhaps the fact that EasyJet has been liaising with the ICO and NCSC will reduce the impending GDPR fines, but still, a cyber-attack occurred and the customers whose personal data was stolen should have been notified sooner in order to take appropriate safeguarding action.

Opportunity Knocks: How to Protect Against Money Laundering During COVID-19

Opportunity Knocks: How to Protect Against Money Laundering During COVID-19

The current crisis created a golden opportunity for fraudsters. A heady cocktail of disruption to business processes, financial pressures and multiple online transactions mean the stage is set perfectly for cyber criminals and money launderers. Regulators, therefore, have been issuing guidance to companies about how they can reduce their exposure.

The Institute for Chartered Surveyors acknowledges where some of the biggest risks will come from. Their guidance document on anti money laundering states:

“In particular, firms should consider whether the current economic climate may make them or their customers more susceptible to financial difficulties or other pressures, thus creating risk and potential weaknesses for criminals to exploit.”

In France, guidance from the Commission de Surveillance du Secteur Financier (CSSR) has identified a number of activities terrorists and criminals can exploit, including:

  • Online payment services
  • Clients in financial distress
  • Mortgages and other forms of collateralised lending
  • Credit backed by government guarantees
  • Distressed investment products; and
  • Delivery of aid through non-profit organisations.

The FCA’s revised business plan for 2020/21 places a firm focus on mitigating problems caused by COVID-19 including the heightened vulnerability to cybercrime and money laundering. It expressly confirms that it will continue to take enforcement in this area. It is also consulting on extending its Financial Crime Data Return to strengthen risk-based supervision in this area.

Stay alert

All the guidance from various authorities hammers home similar messages. The risks are higher and firms must have effective systems and controls to detect and mitigate the risk of money laundering. To avoid enforcement action, firms will have to be able to point to documentary evidence which shows they have taken necessary steps.

Here are the key lessons that firms can take away from this:

  • Identifying weak points: As institutions shift to work from home models, their risks multiply. They will be moving much more data across the cloud as their workforce shifts to a predominantly work from home model. They must maintain system security by establishing clear protocols and endpoint security.
  • Maintain oversight: Disruption to business processes must not be permitted to compromise monitoring and oversight of transactions. This may become more difficult due to the expected increase of online payment transactions as well as interruption to their regular working patterns.
  • Managing delays: The FCA acknowledges that disruption may force firms to prioritise or delay some operations such as customer due diligence. However, where this happens, they must show they have taken a risk-based approach. For example, delays to due diligence to high risk customers should be avoided.
  • Verifying client identity: Travel restrictions can make it more difficult to verify the identity of clients. However, firms should be able to ensure numerous verification procedures are carried out remotely. For example, by accepting scanned documents by email or asking clients to submit digital photos to compare with other forms of ID.

COVID-19 is a gift for a fraudster. It hinders the ability of financial firms and regulators to maintain oversight and to safeguard against the possibilities of fraud. By understanding the challenges and what alternative options are available to them, firms can minimise the interruption to their processes and strengthen their defences against criminals as much as possible.

Powered by WordPress & Theme by Anders Norén