[Dave Birch] I went to a seminar on financial crime the other day. Not, as you might think, to look into the possibility of an alternative career if the whole consulting thing doesn’t pan out, but because I’m always looking for ways to help our customers to develop new propositions that have a chance of working because they solve genuine problems, perhaps in new and innovative ways. So, I thought, why not brush up on the key financial crimes and get an idea of where some of our clients might usefully focus their efforts, while at the same time getting a sense of the priorities of law enforcement agencies, banks, regulators and so on. It turned out that some of it wasn’t particularly relevant because financial crime is a wide-ranging (you might even say “catch all”) term for a pretty diverse set of concerns. There were people at the seminar concerned with armed robbery, anti-money laundering (AML) activity, sanctions-busting and goodness knows what else. To me, this made the seminar less useful than it might have been had it been more focused, but I still felt as if I was learning something, but there were too many different concerns being expressed and responded to. The particular issue of payment security was discussed, of course, but for many of the people there it wasn’t as much of a concern (in terms of both financial and reputation loss) as you might think: if your bank has just lost a few billion quid, what’s a few tens of millions in card fraud?

The seminar was held under Chatham House rules — as, indeed, was the seminar that I went to at Chatham House last week — so I can’t go into any details on organisational positions, but I will say that I found the strategic perspective limited. One recirculating meme was that of market failure. A couple of people said something like “the market hasn’t produced secure solutions”, which I think is a misunderstanding of what a market is. If banks wanted better security, they would already be paying for it. To some of the participants, particularly from law enforcement, this is evidence of a market failing, where to me it is evidence of a market working. If the law enforcement guys want, for example, better security for payment cards then they need to either transfer more of the cost of failure away from the public purse and on to the industry (which they’ve started to do in the UK by no longer treating card fraud as a crime) or incentivise the desired behaviour.

The Home Office has been accused of failing to take credit card fraud seriously after it was revealed the crime can no longer be reported by victims directly to the police.

[From Police News – Card Fraud ‘Being Decriminalised’]

There were some crimes being discussed, such as mortgage fraud, that are clearly of scale but unquantified. No-one seemed to know how much of it is going on or how it breaks down. Others, such as sanctions-busting, are very important but there is no obvious way that technology can help: if the tanks get loaded onto the ship labelled “Kenya” then dropped off in Sudan instead, I don’t think that better passwords or chip cards will make much difference to be honest.

As to how technology could make a difference, someone asked a representative of the banking sector precisely that question, and we were told to improve the keys on JCBs! Apparently, every time one of these is driven through a bank wall to steal the ATM, the bank loses about a hundred grand on the ATM and the cash inside, together with five times as much to repair the bank branch. Since the incidence of this kind of crime is both seasonal (it rises towards the holiday season) and recession-enhanced, making mechanical diggers harder to steal would make all the difference!

A major part of the discussion was about the use of PINs captured from tampered POS terminals to withdraw money from overseas ATMs, a crime that is almost out of control here. Hopefully, the use of ICVV should mean that there is a fall in this type of fraud in prospect, but it did once again set me thinking about the dynamic. When customers only ever put PINs into highly-secure, bank-controlled devices (ie, ATMs) then PINs were a good solution to the authentication problem. But now that those PINs are being used in insecure terminals (and in the future maybe on the Internet and in mobile phones) they are as much the problem as the solution. One way forward would be to begin to introduce biometrics for larger transactions, and that’s something we’ll be discussing at next year’s Digital Money Forum. But in the meantime, forum friend Chris Skinner pointed me to a good source of PIN ideas over at Halfbakery, by the way, so you may want to pop over there and enjoy a few of them while I get one of the guys to write me a Javascript to automatically submit all of them to the Patent Office.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

  1. The nerd in me was piqued when I read how banking technology should address keys and JCBs. Visions of HSMs, Key Management and card brands danced around in my head, until I read the punch line about mechanical diggers and ATM repair costs. I’m glad that your blogs are not strait-jacketed. I look forward to reading your blogs.
    Cheers & Thanks,
    Manju
