Technology
AI-Powered Fraud Prevention for Digital Transactions
Published 1 year ago
By Martin Rehak, CEO of Resistant AI
Fraud is on the rise, thanks to the rapid escalation of digital channels in response to the unprecedented challenges created by COVID-19. This rapid shift to digital-first operations and transactions has come at a price for banks and financial services organisations, which is why they are increasingly turning to AI to intelligently address an ever-evolving and ever-smarter attack landscape.
If nothing else, COVID-19 helped shine a spotlight on the vulnerabilities of today’s digital and mobile customer platforms that are capable of executing rapid and instant payment transactions, leaving little time to undertake customer authentication or transaction verification. Similarly, the difficulties of Know Your Customer (KYC) and customer onboarding in the digital era are exposing financial services organisations – and the customers they serve – to a significantly increased risk of cyber-crime and financial fraud.
According to a recent UK Finance report, £754 million was stolen from bank customers in 2021 as scammers industrialised the use of authorised push payment fraud to trick individuals and businesses into sending money to bank accounts operated by criminals posing as genuine customers.
The challenge created by automation
The rapid expansion and automation of financial services to minimise friction for customers has created new challenges with regard to verification and risk management policies and practices. Evaluating if a digital interaction is authentic now depends on referencing a huge amount of data from multiple sources – everything from geolocation and session behaviours to data from merchants, bureaus, and customer profiles.
In addition, today’s financial fraudsters are becoming expert at targeting these complex digital environments and are using innovations such as blockchain and instant payments against banks and their customers.
Staying ahead of criminals is imperative, especially as directives like Open Banking open up third-party access to customer data, which further heightens the vulnerability of finance firms to fraudulent activities if this process is not appropriately monitored and managed.
Financial organisations spend vast amounts of money protecting their information and IT, yet the automated processes that deliver access to money are often the least protected. Traditional approaches to fraud prevention that rely primarily on human intervention have proved inadequate for preventing the activities of today’s sophisticated digital criminals, who are capable of exploiting vulnerable automated systems at scale.
In response, the finance sector needs to enable real-time identity forensics that brings together state-of-the-art document and customer behaviour evaluation to uncover synthetic identities, account takeover attempts, money laundering and other emerging types of fraud plaguing financial services.
Strengthening onboarding and KYC processes
Attaining a deep understanding of the end-to-end customer journey is now mission critical for combating fraud and financial crime. Onboarding and KYC represent key cornerstones in the mission to prevent scams. However, the shift to digital documents for ID authentication, combined with the relaxation of onboarding verification to expedite customer conversions during the crisis, has created significant opportunities for fraud.
In the onboarding process, identity validation is the first step, to affirm an applicant actually exists. Next comes verification, which links that person to the information they provided in the validation stage. In many automated workflows there are risks from forged or manipulated documents that support the customer journey in online lending, trading, insurance, financing, factoring and payments.
Typically, 17% of bank statements used for lending applications or KYC purposes have been tampered with and 11% of UK payslips submitted as part of digital loan applications have been altered or are forged. Similarly, 15% of company registration certificates submitted worldwide when opening a bank account are fakes and 9% of utility bills submitted as proof of address are forged.
By protecting automated processes that use unauthorised documents from third parties, institutions can gain certainty that all digital documents are genuine. Similarly, continually assessing transactions will instantly alert teams to potentially fraudulent activities. These anomalies encompass behavioural and device characteristics, unusual switching between accounts and more.
Providing an intelligent shield for automated financial systems, AI powered fraud prevention delivers a convenient customer onboarding experience while limiting the generation of false alarms – ensuring that fraud and cyber analysts need only investigate genuine priority alerts.
Advanced fraud insights
Today’s AI-powered real-time identity forensics are capable of detecting advanced fraud and manipulation and are adept at joining the dots to uncover previously unidentified vulnerabilities and gaps in third-party systems, so that future potential exploitations can be deterred.
With financial criminals continuing to up their game, banks and finance organisations are leveraging AI technologies to strengthen the validation, verification and transactional processes that deliver enhanced security without compromising the customer journey or experience. With the right financial automation oversight technology in place, they’re better positioned to predict, detect and deter criminal adversaries and stay one step ahead of evolving new risks on the horizon.
Finance
Preventing fraud and detecting money laundering in real-time
Published June 8, 2023
By Mathew Hobbis – Chief Architect FSI, Solace
The number of payment channels has grown exponentially. The time it takes to settle a transaction has gone down from days to minutes. Traditional banks have had to move from a couple of channels to potentially 10-15 within their organisation. The more channels, the more vulnerable the system becomes to fraudsters and criminals. The two big challenges for financial institutions right now are payments fraud at the consumer end of the spectrum, and the growing threat of organisational money laundering.
Here’s the conundrum. Modern financial organisations have to mitigate against such criminal activity for the safety of their users and their own reputation. But they must do this without adding any friction into the payments process that would put off or dissuade users of their services.
They need a solution that can not only keep pace but can carry out the additional checks in real-time across systems that often encompass legacy, on-premises deployments, as well as modern container deployments, and public cloud for AI and ML capabilities. In the real-time world of today, this can only mean using the new generation of event-driven architecture (EDA).
The more channels, the more opportunities for payments fraud
McKinsey charts a rise in fraud in a recent article series: “Skyrocketing levels of fraud, enabled by the accelerated adoption of digital commerce and the ever-increasing sophistication of fraudsters, have overwhelmed traditional controls in recent years. This surge has led to increased fraud losses and damaged customers’ experience and trust.”
For retail banks, payments fraud impacts both consumers and their bottom line. The Association for Financial Professionals®’ latest Payments Fraud and Control Survey, underwritten by J.P. Morgan, found 71% of financial professionals report their organisations were victims of payments fraud. Not only do fraudulent payments negatively impact banking customer experience and confidence, the cumulative cost is also large – one recent study by Juniper Research warns online payment fraud losses alone will globally reach $343 billion between 2023 and 2027.
Anti-money laundering (AML) spells the danger of more serious crimes
Money laundering is a major threat for banks because it usually goes hand in hand with serious organised crimes – including drug or people trafficking, weapons dealing or even terrorism.
The estimated amount of money laundered globally is between 2 and 5% of global GDP – and the reputational damage of undetected money laundering can be catastrophic. The Bank for International Settlements also explains “spotting different money laundering patterns is complex, requiring different data points and data sources as well as the ability to connect them across different systems in order to better identify suspicious flows and patterns.”
There are three key areas where technology and event-driven architecture (EDA) can help address these growing threats. The first is the tech to help you better detect. Banking and payments organisations must be able to quickly identify and action these fraudulent or criminal transactions, across all channels. Many are turning to data modelling and Artificial Intelligence (AI) and Machine Learning (ML) that can learn to recognise questionable transactions. But this can be further enhanced with EDA to manage fraudulent and money laundering transactions at scale.
The second issue and challenge for organisations is speed, specifically feeding transaction data, in real-time, to the AI / ML processes which often live in the public cloud. This is where EDA provides the real-time integration allowing legacy core-banking/mainframe systems to communicate with modern micro-service payment frameworks and cloud-based AI/ML for fraud and anti-money laundering (AML).
Finally, they must be able to stay one step ahead. EDA and the Event Mesh allow flexibility in how software components are wired together and flexibility in where they are located. This allows the platform to ‘evolve’, to react quickly and effectively to changes in the financial landscape. Flexibility, or ‘re-wiring’, and platform evolution need to be a ‘business as usual’ activity, as fraud and fraud detection is a constantly evolving game where financial institutions are pitted against criminals. Whoever can act the fastest wins.
Building a model – it all starts with scoring transactional data and setting triggers
The checks that go into building a fraud prevention or anti-money laundering model and setting its trigger points include: Is the type of transaction consistent with the customer’s previous transaction history? Is it in an expected geography? If they travel a lot, is the time and travel distance between their last transaction and this transaction reasonable? All this data must be fed into the model and assigned a score.
The score also depends on authentication requests. So typically, if you can identify a user together with their mobile phone, banks may pass the transaction because they are comfortable they know who the user is. But if a similar scenario occurs where the user has reached the same score, but there is no biometric data or mobile authentication, then this would be highly likely to trigger a different reaction – blocking or flagging the questionable transaction for escalation.
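The scoring and trigger logic described above can be sketched as follows. This is an added example, not code from the article or from Solace; the weights, thresholds, field names and the rule that strong authentication lowers the reaction by one tier are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass, replace
from datetime import datetime
from statistics import median

# Weights, thresholds and field names are illustrative assumptions.
MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; faster means two places at once
REVIEW_AT, BLOCK_AT = 40, 70

@dataclass(frozen=True)
class Txn:
    kind: str          # "card_present", "online", "wire", ...
    amount: float
    country: str
    lat: float
    lon: float
    when: datetime
    strong_auth: bool  # biometric or mobile-device confirmation present

def haversine_km(a, b):
    """Great-circle distance between the locations of two transactions."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def implied_speed_kmh(prev, cur):
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = haversine_km(prev, cur)
    if hours <= 0:  # identical or out-of-order timestamps
        return math.inf if dist > 1 else 0.0
    return dist / hours

def score(cur, history):
    """Accumulate a risk score from the checks the article lists."""
    if not history:
        return 10, ["no_history"]
    total, reasons = 0, []
    def hit(points, reason):
        nonlocal total
        total += points
        reasons.append(reason)
    if cur.kind not in {t.kind for t in history}:
        hit(20, "unusual_type")
    if cur.country not in {t.country for t in history}:
        hit(20, "unexpected_geography")
    if cur.amount > 5 * median(t.amount for t in history):
        hit(20, "unusual_amount")
    last = max(history, key=lambda t: t.when)
    if implied_speed_kmh(last, cur) > MAX_PLAUSIBLE_KMH:
        hit(40, "implausible_travel")
    return total, reasons

def decide(cur, history):
    """Same score, different reaction: strong authentication lowers it one tier."""
    total, _ = score(cur, history)
    tier = 2 if total >= BLOCK_AT else 1 if total >= REVIEW_AT else 0
    if cur.strong_auth:
        tier = max(0, tier - 1)
    return ("pass", "flag", "block")[tier]

# Constructed sample data: a London customer's recent card history.
LONDON = dict(country="GB", lat=51.5074, lon=-0.1278, strong_auth=True)
HISTORY = [
    Txn("card_present", 25.0, when=datetime(2023, 6, 1, 9, 0), **LONDON),
    Txn("card_present", 40.0, when=datetime(2023, 6, 1, 10, 30), **LONDON),
    Txn("card_present", 60.0, when=datetime(2023, 6, 1, 12, 0), **LONDON),
]
# Singapore two hours after London: the implied speed is far above any flight.
SG_NO_AUTH = Txn("card_present", 55.0, "SG", 1.3521, 103.8198, datetime(2023, 6, 1, 14, 0), False)
SG_WITH_AUTH = replace(SG_NO_AUTH, strong_auth=True)
WIRE = replace(SG_NO_AUTH, kind="wire", amount=5000.0)
# New York ten hours after London: a new country, but a plausible flight.
NY_TRIP = Txn("card_present", 60.0, "US", 40.7128, -74.0060, datetime(2023, 6, 1, 22, 0), False)

if __name__ == "__main__":
    for name, txn in [("SG_NO_AUTH", SG_NO_AUTH), ("SG_WITH_AUTH", SG_WITH_AUTH),
                      ("WIRE", WIRE), ("NY_TRIP", NY_TRIP)]:
        print(name, score(txn, HISTORY), decide(txn, HISTORY))
```
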
Now add AI and ML – fraud and money laundering detection starts to get powerful
When a bank has built a database of models, new transactions can be checked against the models and given an accumulated score. AI and machine learning then step up to the plate. These technologies, aided by EDA, can make rapid decisions and enable companies to flag abnormal transactions in real-time across all channels.
Layering these data models with AI/ML offers an opportunity for banks to get out in front and gain ground on fraudsters and money launderers. McKinsey research sees “Recent enhancements in machine learning are helping banks to improve their anti-money-laundering programs significantly, including, and most immediately, the transaction monitoring element of these programs.”
To be fully effective, AI/ML models need a big data set. They can only make decisions based on access to historic datasets. So, the first thing a bank has to do is to ‘train’ the model by buying data or scraping from its own historical datasets. The model then runs through several fraudulent transactions, so it is now ‘trained’ on what a fraudulent transaction looks like. The objective is to build an understanding so AI/ML can pick out the right (fraudulent) activities.
Event-driven architecture helps police fraud and money laundering faster than ever before
Ideally, banks should build one model set for fraud and one model set for money laundering – then implement both models across all transactions and payment channels. And this is where event-driven architecture (EDA) enables them to leverage their fraud and money laundering data models and use AI/ML technology in real-time across an ever-expanding number of payment channels.
EDA allows banks to build an enterprise IT architecture that lets information flow between applications, microservices, and connected devices in a real-time manner as events occur throughout the business.
Meet the event broker who understands it all
EDA works with a middleman known as an event broker, which enables what’s called loose coupling of applications. This is essential because it means applications and devices don’t need to know where they are sending information, or where the information they’re consuming comes from. But the event broker does.
So, in the event-driven world, a bank just has to make sure a payments channel sends the right event to communicate with the fraud detection or the anti-money laundering system and receives the same events to get the “yes or no” back.
The alternative is not really an option
It’s a much easier integration than trying to do this via standard REST APIs – which becomes a lot more challenging and will need to be built differently for every different channel a bank has now, plus any new channels. This means banks may have to change models based on not only changes in user behaviour, but changes driven by new products and services or to counter new types of fraud or money laundering.
With standard REST APIs – every time a bank adds a new channel, it has to change the way anti-money laundering and fraud systems work, because they have to know about this other channel. In the event-driven world they don’t know, don’t need to know – and they don’t care!
Banks can accurately support a high volume of transactions in the quickest response time, balance transaction authentication and authorisation with fraud detection without decreasing customer satisfaction, and route events securely across the whole payments ecosystem with efficiency.
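The loose coupling argued for above, shown with a toy in-memory broker. This is an added example, not Solace's API or code from the article; the topic names, the `reply_to` field, the placeholder decision rule and the fail-closed default are assumptions, and delivery here is synchronous for simplicity.

```python
class Broker:
    """Toy in-memory event broker; '*' matches exactly one topic level."""
    def __init__(self):
        self._subs = []  # list of (pattern levels, callback)

    def subscribe(self, pattern, callback):
        self._subs.append((pattern.split("/"), callback))

    def publish(self, topic, event):
        levels = topic.split("/")
        for pat, callback in list(self._subs):
            if len(pat) == len(levels) and all(p in ("*", lv) for p, lv in zip(pat, levels)):
                callback(topic, event)

class FraudService:
    """Consumes every payment request; holds no list of channels."""
    LIMIT = 1000  # placeholder rule standing in for the real scoring model

    def __init__(self, broker):
        self.broker = broker
        broker.subscribe("payments/requested/*", self.on_request)

    def on_request(self, topic, event):
        verdict = "no" if event["amount"] > self.LIMIT else "yes"
        self.broker.publish(event["reply_to"],
                            {"txn_id": event["txn_id"], "decision": verdict})

class AmlMonitor:
    """Second consumer of the same events, added without touching any channel."""
    def __init__(self, broker):
        self.seen = []
        broker.subscribe("payments/requested/*",
                         lambda topic, ev: self.seen.append((topic, ev["txn_id"])))

class Channel:
    """A payment channel: publishes requests and listens for its own decisions."""
    def __init__(self, broker, name):
        self.broker, self.name = broker, name
        self._decisions = {}
        broker.subscribe(f"payments/decided/{name}", self._on_decision)

    def _on_decision(self, topic, event):
        self._decisions[event["txn_id"]] = event["decision"]

    def pay(self, txn_id, amount):
        self.broker.publish(f"payments/requested/{self.name}",
                            {"txn_id": txn_id, "amount": amount,
                             "reply_to": f"payments/decided/{self.name}"})
        # Fail closed: if no fraud service answered, the payment is refused.
        return self._decisions.pop(txn_id, "no")

def run_demo():
    broker = Broker()
    FraudService(broker)
    aml = AmlMonitor(broker)
    card = Channel(broker, "card")
    results = [card.pay("t1", 50), card.pay("t2", 5000)]
    instant = Channel(broker, "instant")     # new channel, services unchanged
    results.append(instant.pay("t3", 20))
    unmonitored = Channel(Broker(), "card")  # broker with no fraud service attached
    results.append(unmonitored.pay("t4", 10))
    return results, aml.seen

if __name__ == "__main__":
    print(run_demo())
```

With a real broker, access controls must restrict which clients may publish on the decision topics; otherwise any connected client could forge a "yes".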
A platform for the future – EDA opens the door to manage technical debt and quickly introduce new channels
EDA also provides a platform for the future – allowing banks to innovate outside of just countering fraud and money laundering. EDA will help traditional banks compete in the new world as they need to deliver products and services faster in order to compete. A large bank, with its legacy systems, can now compete against an online mortgage lender and deliver a broader portfolio of products to customers with more speed.
Yes, newer fintech market entrants have significantly less technical debt than traditional financial institutions. Imagine a new FX rate provider that can provide payments to every country and give customers the best FX rates. Everything is built on a modern infrastructure anyway – there is no legacy core banking app, and everything is microservice, as everything is in the cloud.
But EDA as an approach to enterprise IT architecture can help traditional banks introduce new services and link applications quickly and at scale, ensuring they can match these agile competitors and provide customers with the instant kind of feedback they seek from their banking services, while not being held back by large volumes of existing technical debt.
EDA – keeping financial institutions one step ahead
The challenge for larger banks is to move more towards real-time – even with a large amount of technical debt. EDA not only provides the springboard to payment modernisation; it also ensures a proliferation of payment channels does not come at the cost of increased fraud and money laundering.
Business
Enhancing cybersecurity in investment firms as new regulations come into force
Published June 2, 2023
By Christian Scott, COO/CISO at Gotham Security, an Abacus Group Company
The alternative investment industry is a prime target for cyber breaches. February’s ransomware attack on global financial software firm ION Group was a warning to the wider sector. Russia-linked LockBit Ransomware-as-a-Service (RaaS) affiliate hackers disrupted trading activities in international markets, with firms forced to fall back on expensive, inefficient, and potentially non-compliant manual reporting methods. Not only do attacks like these put critical business operations under threat, but firms also risk falling foul of regulations if they lack a sufficient incident response plan.
To ensure that firms protect client assets and keep pace with evolving challenges, the Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements for registered advisors and funds. Codifying previous guidance into non-negotiable rules, these requirements will cover every aspect of the security lifecycle and the specific processes a firm implements, encompassing written policies and procedures, transparent governance records, and the timely disclosure of all material cybersecurity incidents to regulators and investors. Failure to comply with the rules could carry significant financial, legal, and national security implications.
The proposed SEC rules are expected to come into force in the coming months, following a notice and comment period. However, businesses should not drag their feet in making the necessary adjustments – the SEC has also introduced an extensive lookback period preceding the implementation of the rules, meaning that organisations should already be proving they are meeting these heightened demands.
For investment firms, regulatory developments such as these will help boost cyber resilience and client confidence in the safety of investments. However, with a clear expectation that firms should be well aligned to the requirements already, many will need to proactively step up their security oversight and strengthen their technologies, policies, end-user education, and incident response procedures. So, how can organisations prepare for enforcement and maintain compliance in a shifting regulatory landscape?
Changing demands
In today’s complex, fast-changing, and interconnected business environment, the alternative investment sector must continually take account of its evolving risk profile. Additionally, as more and more organisations shift towards more distributed and flexible ways of working, traditional protection perimeters are dissolving, rendering firms more vulnerable to cyber-attack.
As such, the new SEC rules provide firms with additional instruction around very specific prescriptive requirements. Organisations need to implement and maintain robust written policies and procedures that closely align with ground-level security issues and industry best practices, such as the NIST Cybersecurity Framework. Firms must also be ready to gather and present evidence that proves they are following these watertight policies and procedures on a day-to-day basis. With much less room for ambiguity or assumption, the SEC will scrutinise security policies for detail on how a firm is dealing with cyber risks. Documentation must therefore include comprehensive coverage for business continuity planning and incident response.
As cyber risk management comes increasingly under the spotlight, firms need to ensure it is fully incorporated as a ‘business as usual’ process. This involves the continual tracking and categorisation of evolving vulnerabilities – not just from a technology perspective, but also from an administrative and physical standpoint. Regular risk assessments must include real-time threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks.
Another crucial aspect of the new rules is the need to report any ‘material’ cybersecurity incidents to investors and regulators within a 48-hour timeframe – a small window for busy investment firms. Meeting this tight deadline will require firms to quickly pull data from many different sources, as the SEC will demand to know what happened, how the incident was addressed, and its specific impacts. Teams will need to be assembled well in advance, working together seamlessly to record, process, summarise, and report key information in a squeezed timeframe.
Funds and advisors will also need to provide prospective and current investors with updated disclosures on previously disclosed cybersecurity incidents over the past two fiscal years. With security leaders increasingly being held to account over lack of disclosure, failure to report incidents at board level could even be considered an act of fraud.
Keeping pace
Organisations must now take proactive steps to prepare and respond effectively to these upcoming regulatory changes. Cybersecurity policies, incident response, and continuity plans need to be written up and closely aligned with business objectives. These policies and procedures should be backed up with robust evidence that shows organisations are actually following the documentation – firms need to prove it, not just say it. Carefully thought-out policies will also provide the foundation for organisations to evolve their posture as cyber threats escalate and regulatory demands change.
Robust cybersecurity risk assessments and continuous vulnerability management must also be in place. The first stage of mitigating a cyber risk is understanding the threat – and this requires in-depth real-time insights on how the attack surface is changing. Internal and external systems should be regularly scanned, and firms must integrate third-party and vendor risk assessments to identify any potential supply chain weaknesses.
Network and cloud penetration testing is another key tenet of compliance. By imitating how an attacker would exploit a vantage point, organisations can check for any weak spots in their strategy before malicious actors attempt to gain an advantage. Due to the rise of ransomware, phishing, and other sophisticated cyber threats, social engineering testing should be conducted alongside conventional penetration testing to cover every attack vector.
It must also be remembered that security and compliance are the responsibility of every person in the organisation. End-user education is a necessity as regulations evolve, as are multi-layered training exercises. This means bringing in immersive simulations, tabletop exercises and real-world examples of security incidents to inform employees of the potential risks and the role they play in protecting the company.
To successfully navigate the SEC cybersecurity rules – and prepare for future regulatory changes – alternative investment firms must ensure that security is woven into every part of the business. They can do this by establishing robust written policies and adherence, conducting regular penetration testing and vulnerability scanning, and ensuring the ongoing education and training of employees.