Bottomline: Regulation Versus Fraud – It’s Not a Choice


The last thing any executive at a financial institution needs now is more ‘difficulty factors’. After all, it’s time for year-end reporting and 2022 forecasting. Digital transformation strategies are already in the melting pot, at varying stages of progress and capital expenditure. Throw in the creativity of fraudsters and we’ll agree there’s enough to deal with.

But the difficulty factors for FIs are not dropping as the year closes. In fact, we’re seeing two areas amping up the difficulty factor: insider fraud and regulatory technology (RegTech). The two go hand in hand, as many new regulations can either help or hinder the fight against insider fraud. A new research report, “The Future of Competitive Advantage in Banking & Payments”, considers these two issues (among others) and uncovers surprising levels of concern about solving them. While there’s no silver bullet for reckoning with fraud or RegTech, there are technology, advisory and data solutions to help.

Let’s deal with fraud, specifically insider fraud, first. Insider fraud happens when a current employee or contractor accesses and shares sensitive data or payment information that they would not access in the normal course of their job.

When we asked FI executives about their top overall concerns, 16 percent placed insider fraud within the top six issues. We argue that insider fraud should definitely be a higher priority than it appears to be in the report.

That’s because insider fraud has two costs: reputational and financial. The reputational damage from an employee-driven data breach is impossible to calculate. According to a Ponemon Institute study, the frequency of global insider fraud incidents spiked 47 percent over the past two years. The average incident takes 77 days to contain, and when containment passes 90 days, the global cost can top $13.7 million a year.

In an age of hybrid and work-from-home environments, it’s easier for employees to access and share sensitive data, especially if companies lack proper defence technology. The effectiveness of that technology depends on whether it addresses insider fraud at the application-server level; if it does not, those defences may not work in today’s or tomorrow’s environment.

Here’s why: many companies rely on content filtering to stop insider fraud. Content filtering technology sits between the end user and the outside world. It does a good job of catching sensitive data and other information on its way out (data leakage), but only after it has been accessed, and by then it’s often too late. The filter can raise the right alarms and is an essential tool for investigating exactly which employee shared the sensitive information, but in the case of a data breach, the reputational damage may already be done. What’s needed to fight insider fraud is an application layer. That layer doesn’t sit between the employee and the outside world; it sits between the employee and the application server, where 80 percent of insider fraud happens. This layer evaluates the employee’s access to and transmission of sensitive information and profiles their behaviour. It can then detect abnormal patterns that may indicate data leakage in progress. The application layer stops insider fraud before it happens.
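The behavioural profiling described above, sketched as an added example (not Bottomline’s product code): each employee gets a per-resource baseline from application-server access records, and later events are flagged when they touch a resource the employee has never used or when read volume jumps far above that baseline. The log format, employee names and thresholds are constructed assumptions.

```python
"""Per-employee access profiling at the application layer (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed application-server access log: (employee, day, resource, records_read)
ACCESS_LOG = [
    ("alice", 1, "customer_accounts", 40),
    ("alice", 2, "customer_accounts", 35),
    ("alice", 3, "customer_accounts", 42),
    ("alice", 4, "customer_accounts", 38),
    ("alice", 5, "customer_accounts", 900),   # bulk read, far above her baseline
    ("bob", 1, "payments_queue", 120),
    ("bob", 2, "payments_queue", 110),
    ("bob", 3, "payments_queue", 130),
    ("bob", 4, "payments_queue", 125),
    ("bob", 5, "customer_accounts", 20),      # resource bob never touched before
]

def build_profiles(log, baseline_days):
    """Baseline each employee: per-resource read volumes seen during baseline_days."""
    volumes = defaultdict(list)   # (employee, resource) -> [records_read, ...]
    resources = defaultdict(set)  # employee -> set of resources seen in baseline
    for emp, day, res, n in log:
        if day <= baseline_days:
            volumes[(emp, res)].append(n)
            resources[emp].add(res)
    return volumes, resources

def detect_anomalies(log, baseline_days=4, z_threshold=3.0, min_sigma=1.0):
    """Flag post-baseline events: unseen resource, or volume > mean + z*sigma.

    min_sigma stops a perfectly flat baseline from turning tiny changes into alerts.
    """
    volumes, resources = build_profiles(log, baseline_days)
    alerts = []
    for emp, day, res, n in log:
        if day <= baseline_days:
            continue
        if res not in resources[emp]:
            alerts.append((emp, day, res, "new_resource"))
            continue
        hist = volumes[(emp, res)]
        mu, sigma = mean(hist), max(pstdev(hist), min_sigma)
        if (n - mu) / sigma > z_threshold:
            alerts.append((emp, day, res, "volume_spike"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(ACCESS_LOG):
        print(alert)
```

Because the check runs on the access itself, the alert fires before anything has left the organisation, which is the gap the content filter cannot close.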

Now for the RegTech difficulty factor. In our survey, 63.5 percent of respondents said RegTech will become more critical in the next year. My take is that this concern is as vital for fraud defence as it is for addressing the issues of interoperability and data. While RegTech is undoubtedly a challenging compliance factor to plan and execute, FIs see it as a positive factor. Looking at what regulation aims to do, the crucial point is that its aims sync almost perfectly with several problems that need solving to improve customer experience and security. Examples: the ISO 20022 messaging format will address data interoperability. Confirmation of Payee (CoP) will help address fraud. PSD2, Open Banking and the UK Faster Payments Access Models will address easier access to data. So while 25 percent of respondents appreciate the importance of regulations, they are equally worried about looming deadlines and the need for business continuity. But regulations aim to create better conditions for growth and competitive opportunities for FIs. And it’s important to remember that new regulation is there to fight fraudsters, who are one step ahead of the game. They don’t wait for regulations to play fair.

However, broader challenges exist when fighting financial fraud, inclusive of insider fraud. Despite a positive attitude toward their outcomes, the biggest challenge in executing fraud and financial crime strategy is keeping up with regulations (31%). The second challenge is increasing fraud threats (30%), and the third (at 11%) is alert investigation time and false positives. These results illustrate a big challenge as FIs try to comply with regulations and manage assets on one side while remaining strict enough on the other, without creating false positives and alienating customers. The fraud issue also tracks back to ISO 20022. Because the messaging yields more data, there’s more information to analyse when ensuring that all parties involved are legitimate, thereby reducing the potential for false positives.

The solution to these challenges has its foundation in technology. We’ve already offered examples of how innovative technology can help fight insider fraud. But let’s consider other fraud tactics that can be countered through technology adoption. For instance, keeping track of sanctioned countries and organisations is not an in-house, manual job in today’s complicated cross-border business environment. Nor is it a job for outdated technology. For example, legacy watchlist screening tools can be tripped up by spelling errors, typos and data quality issues. That’s an easy win for clever criminals who use aliases or even steal identities.

Modern technology for watchlist screening will be SaaS-based and provide a real-time, automated look across the journey of each payment. This technology will reduce false positives and speed up investigations, which is where data comes in. By using machine learning and artificial intelligence, systems can proactively detect and prevent financial crimes. It’s no longer a box-ticking exercise.
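To make the typo point above concrete, here is an added example (not from Bottomline or any screening vendor) that puts a legacy exact-match screener beside one that normalises names and scores them by edit distance. The watchlist entries, query names and 0.85 threshold are constructed assumptions; a real deployment would load the official consolidated lists and tune the threshold against its own false-positive rate.

```python
"""Watchlist screening that tolerates typos and accents (constructed example)."""
import re
import unicodedata

# Constructed watchlist; real screening would load the official sanctions lists.
WATCHLIST = ["ACME TRADING LLC", "JOHN SMITH", "NORTHWIND HOLDINGS"]

def normalise(name):
    """Fold accents to ASCII, uppercase, strip punctuation, collapse whitespace."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = re.sub(r"[^A-Z0-9 ]+", " ", name.upper())
    return " ".join(name.split())

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b)) memory-light."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical normalised names, falling towards 0.0 as edits accumulate."""
    a, b = normalise(a), normalise(b)
    if not a or not b:
        return 0.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))

def exact_screen(name, watchlist=WATCHLIST):
    """Legacy behaviour: one typo, accent or punctuation difference evades the hit."""
    return [w for w in watchlist if name == w]

def fuzzy_screen(name, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry, score) hits at or above threshold, best match first."""
    hits = [(w, similarity(name, w)) for w in watchlist]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

if __name__ == "__main__":
    for query in ("Acme Tradng LLC", "Jóhn Smith", "Northwind Logistics"):
        print(query, "exact:", exact_screen(query), "fuzzy:", fuzzy_screen(query))
```

Every fuzzy hit still needs an analyst decision, so the score is what lets investigation time be spent on the closest matches first rather than on a flat list.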

So yes, our research shows the difficulty factor for FIs goes up in the short term. But continued focus on digital transformation and the judicious use of technology makes fighting financial fraud a bit easier and will ultimately make corporate and consumer customers happier in the long run.

Article by Bottomline Technologies
