It’s no secret that Latin America has suffered its fair share of cyberattacks, but the extent of the damage might be worse than many have imagined. In a 2018 study of cybercrime by the Organization of American States (OAS), 92% of banks in the study reported some kind of digital security event and more than 1 in 3 banks reported falling victim to at least one successful attack.
The OAS report uses two kinds of data: on the behavior of banks, and on a sample of their customers. Regarding the banks, there are three top-level results to frame the more detailed data:
Cyber-attacks are ubiquitous. 92% of banks in the study reported some kind of digital security event, including both successful and unsuccessful attacks (65% of large banks reported successful attacks). If you are a banker, you’ve been hacked.
Most banks, by a narrow margin, do NOT use advanced detection tools and controls based on big data or artificial intelligence. This problem is more severe for smaller banks, of course, but it exists across the system.
Cyber-attacks work, and they are costly. The average cost of an attack in Latin America was US $1.9 million, with a region-wide loss in 2017 of US $809 million.
From the customer/users’ point of view, digital services are desirable and widely utilized. This is reflected in the fact that customers are increasingly using the super-convenient smartphone as a banking platform.
A large majority of customers, 88%, use one or more digital services, and the percentages of various services are increasing. Of those who did not, 59% cited distrust of the digital environment as the reason.
Customers are the weaker link in the chain. Though most of them understand the general threat and some of the methods of cyber-attacks, they do not use sophisticated methods to thwart them.
27% of customers had suffered some kind of attack, with 47% of these reporting a financial loss. About 70% of these were fully or partially compensated (at a loss to the bank or insurer). People who were attacked also reported reduced affect for the banks (reputational loss).
Incident reporting was very low. Customers reported that their banks did not have visible reporting mechanisms, and few reported losses to the authorities.
From the detailed OAS report, a few lessons emerge. First, the digital security risks that warrant the most attention from banking entities are theft of a critical database; compromise of privileged user credentials; and data loss.
Second, defensive systems used by both the financial institution and its customers are probably behind the curve. Hackers, on the other hand, are persistent and aggressive. Banks need to step up their efforts to adopt advanced controls and invest continuously in these tools. Banks might also improve efforts to educate customers and install security requirements that help to insulate the system from mistakes of relatively unsophisticated users.
Finally, both banks and customers are committed to the digital future. Customers report that even knowing the threats of digital services, they will not stop using them. Banks continue to adopt ever more digital services to satisfy customers and lower costs. So, the prize for fraudsters and criminals will remain.
Cyber criminals will not miss seeing the opportunity. The question is, how will banks respond?
The ongoing regulatory response to the 2008 financial crisis includes the Office of the Comptroller of the Currency (OCC) Risk Management Guidance on third-party relationships, issued in October 2013. The bulletin states that the OCC expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party.
“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
In a recent speech before the Risk Management Association, Thomas J. Curry, Comptroller of the Currency, emphasized the importance of managing the risks “associated with bank systems and processes” even above credit risk. He noted banks’ “increasing reliance on third parties” and the systemic risks they impose.
The Office of the Comptroller of the Currency (OCC) is focused on the responsibility of financial institutions—national banks and Federal savings associations—for the risk management of business operations, whether they are performed internally or through third-party vendors.
CIT companies are clearly included in this mandate.
The OCC recognizes that the growing interconnectedness of banks with third party cash management service providers has created new sources of risk due to gaps or inconsistencies of controls that can occur where distinct businesses interface. In everyday terms, this means there can be situations where “no one is in charge.”
Since the OCC is responsible for the security of the overall financial system, it is moving to make banks accountable for the gaps and inconsistencies between them and third party vendors that may pose risk to the system.
This creates specific kinds of difficulties for banks because they can be held accountable for the actions of organizations they do not own. Banks and their third party vendors, including CIT businesses, have different regulatory, standard practice, and incentive profiles, as well as different cultures and assumptions. It will take especially thorough due diligence to write contracts that lay out the important responsibilities and performance expectations for the different parties to get all the entities on the same page.
In these circumstances, monitoring performance takes on greater importance. There is a substantial possibility that unanticipated gaps or inconsistencies will emerge despite careful risk management planning. Banks have a strong incentive to measure performance and find irregularities as quickly as possible.
Stop for a minute and think about the flow of cash in the American economy. You almost certainly have some in your pocket or purse right now, and at some point in the day, or the near future, you will use it to buy something. Even if you rely mainly on plastic, you will sometimes tap an ATM for cash. Billions upon billions of cash dollars circulate every single day. Most importantly, you and all parties concerned can easily access just the right amount of cash for their needs.
This miraculous flow of cash does not happen by accident. The Cash-in-Transit (CIT) system—a.k.a. the cash management industry—has evolved to manage cash efficiently and securely. This huge system is ubiquitous, yet many people have never heard of anything beyond “armored cars.” The system actually includes a large assortment of cash management businesses, some of them specialized and others offering a fully integrated package of services that help to keep commercial and retail markets liquid.
The CIT system serves banks, including the Federal Reserve, by providing the transportation, storage, processing, accounting, and other services that financial institutions need to ensure the right amounts of cash get to where they are needed. With the extensive geographic dispersion of branch banks and ATMs, it is no longer cost effective for each and every bank to provide all the cash management services it needs. Today, third party businesses in the cash management system can support multiple banks, including providing a level of risk management the industry demands.