f Sed id fatis probatur (vt hoc illi addas) ex eo quod a noftris traditur,pofTeflorium licet in- ^ofefforii tentarinon poisit ratione vcdigalis perfonalis, vt multis placet, poteft tamen haud dubie anpofsitin

Philippe P. Bertrand CXI Group

Risk in the financial industry is a vast subject and this chapter will therefore be limited to reviewing some of the non-technical challenges faced by the retail sector of the financial industry. In particular, I shall address fraud risk and risk management in regard to consumer products like payment cards.

Today there are, worldwide, billions of credit and debit cards in circulation. ‘Tomorrow’s money’, as they have been termed, is now a global reality with considerable advantages and convenience for consumers worldwide. Credit and debit cards, like all consumer products, are the targets of crime and the resulting fraud is a considerable hindrance to safe growth.

Crime is not a static phenomenon; like most forms of criminality, financial crime in general and card crime in particular constantly evolves. While true innovation is rare, specialised criminals constantly adapt and re-adapt known ways of operating to new products and see new markets as target areas for an ever-rewarding blend of the old and the new.

This evolution has accelerated considerably over the last 12 years and has been perhaps most noticeable in the field of counterfeiting. Asia, in particular, has over the last decade proved to be a fertile proving ground for organised criminals focused on payment card counterfeiting, and this Asian expertise has quickly and successfully spread worldwide. From Thailand to Malaysia to Hong Kong in the early 1990s and from there to Europe and Canada then across the border to the United States, ethnic Chinese criminals have made card counterfeiting a truly global enterprise and created a global challenge for all concerned. Since 1990, five or six subsequent generations of counterfeited cards and holograms of increasing quality, at least three generations of skimming devices and at least two generations of terminal implants are true evidence of the capacity of Asian card counterfeiters to innovate and adapt.

It would, however, be wrong to assign all the blame to the entrepreneurial, loosely organised Hong Kong criminals, as was so often done in the past. The opening of the former Eastern Bloc, for example, has had its own consequences for some specific aspects of card crime. Nonetheless, as a direct result of such phenomena, accounted losses due to counterfeiting have grown from less than 10 per cent of global losses in the late 1980s to nearly 40 per cent today – a much faster rate of increase than any other form of card crime and one that shows no sign of abating.

Financial institutions recognise this overall risk and its potential negative effect on both growth and consumer confidence. Today they invest more resources than ever before in making their products and the networks that make those products as impervious as economically possible to the threat of organised financial crime.

The investments and efforts made over the last ten years by law enforcement authorities, though considerable, have understandably focused on fraud prevention. Increasingly better, safer and more reliable products, safer networks, consumer education and overall better training and communication for all parties involved have had undeniably positive effects but remain challenged by a very adaptable criminal class. Even larger investments are on the way and will be made in the years to come. The real issues associated with the necessary solutions to the constant challenge of card crime are not so much technological ones but the cost-effectiveness of these solutions and the actual time required for their global deployment.

While redesigning a card is easy enough, imagine the challenge of producing and distributing this new safer product to individual consumers, two or three billion times every two or five years. Imagine converting terminals and ATMs and adapting both systems and the required procedures globally, and this without impeding day-to-day operation, and you will have an idea of the true challenges at hand. More flexible, more intelligent and more resilient products like the smart card, supported by ever smarter networks will, I trust, effectively address most of the threats identified to date, but considerable challenges remain which are not essentially technological in nature.

It is somehow paradoxical that in an industry that accounts, to the very second, for the last cent in every single transaction, there is a near total absence of truly detailed, historically researched and readily usable documentation about fraud and where, how and by whom it is committed. This is one of the issues that continues to hinder both broad investigations and prosecutions and the further refinement of fraud detection, investigation and analysis methodology and therefore overall better fraud prevention.

The ever more advanced risk management policies and the deployment of new fraud prevention, detection and control mechanisms needed to face ever more sophisticated and global criminals requires day-to-day monitoring, analysis and exploitation on a much larger scale than ever before. The reality is that most of the financial institutions concerned simply do not have, individually, the ability to be truly effective in this area because of limitations in individual scope, focus, staff and budget.

As a result, individual institutions involved with the issue and acquisition of payment cards must and increasingly will rely on their brands or payment systems affiliation for most of their strategic thinking and planning as well as for data extraction and analysis.

While data collection from individual banks has improved, most of the data is still financial in nature and therefore allows for limited analysis only. Data collected from investigations remains, for the most part, fragmented and uncollated. This non-numerical, historical and empirical data is nonetheless essential to refine the logic and better exploit, for example, the output of artificial intelligence-based fraud prediction and detection systems. The industry is gradually acquiring and deploying these systems worldwide but they are still lacking in both volume and consistency.

Of all the disciplines in banking, risk management for new payment instruments is one of the more demanding but one of the least documented. While within a card operation the risk function may once have been a sideshow, it is today a true profession with well over 100 000 practitioners in the card industry alone.

Despite this reality, most of today’s risk managers still learn on the job from colleagues. As the ranks of those who know are depleted and as more demands are made on their time, focused analysis is sparse and consequently true risk management innovation remains the exception rather than the rule.

We can only regret the unavailability of a truly comprehensive historical documentation. There is no true curriculum for the specialist who needs an understanding of subjects as diverse as banking, crime, forensic science and the possibilities offered by artificial intelligence. Skilled and experienced instructors are hard to find.

The interface that must exist between private and public sectors remains affected by issues ranging from lack of trust to urban legends like ‘banks are insured and therefore do not care’. Focused, effective and accurate communication between financial institutions, or between banks and payment systems or with law enforcement as a whole, while infinitely better today than it may have been in the 1980s, remains a constant challenge, particularly in a market-driven industry.

Limitation in jurisdiction remains a considerable hindrance to the full investigation of large-scale fraud schemes, which, with the odd exception, tend to be multinational in nature. Law enforcement and the judiciary are at the uncomfortable end of this stick. Official statistics about commercial crime are universally inaccurate as barely 5 per cent of commercial crime is officially reported. Partly as a result of that lack of comprehensive reporting about the actual volume of commercial crime within each jurisdiction, specialised units and officers are still the exception rather than the rule. In the particular area of card crime, in great part due to the efforts of the main card brands or payment systems, the amount of information and reporting that reaches law enforcement is better and more accurate than for other forms of commercial crime. It nonetheless fails to be as complete, detailed and readily exploitable as it could be.

The challenges listed above are by no means the reserved domain of the new payment instrument industry.

The very same issues, in one or another way, are facing our risk management specialists involved, for example, with the protection of copyright, whether for software or luxury goods, as well as professionals concerned with the challenge of safety on the Internet.

Beyond technical issues, what I would term the human element of modern risk management would benefit enormously from true academic research. The influence such studies could have when applied to the essential area of professional development would be a real asset to all professionals involved.

It is therefore my conclusion that one of the solutions to most of the issues listed above is the need for better, more comprehensive, easily available multi-level training and professional development for both private and public sector professionals.

As such, an initiative like the Hong Kong University Centre for Criminology and this conference, which today provides us, for the third year running, with this remarkable platform to meet and exchange views on this and other subjects, deserves our strongest support.

5