Head of Big Six bank's Financial Crimes Unit sounds off on rising threats, and how the institution is working to combat them
It has been a little more than a year since BMO took the ground-breaking step of establishing a dedicated Financial Crimes Unit, with the aim of housing its multiple anti-crime capabilities. And according to the head of that unit, that decision is now paying dividends as risks and incidents pick up amid the COVID-19 pandemic.
“The attacks really haven't changed,” Zelvin told Wealth Professional. “Fraudsters and hackers aren’t radically changing their tactics. What’s different is the frequency and in some cases, the themes they're using, and it's had a much higher success rate because people's guards are down.”
Hackers and fraudsters may also target the banks themselves. With advances in technology, illicit actors could potentially steal from hundreds of institutions without leaving the comfort of their own home. A victim institution might be able to trace the source of the attack, but nonetheless law enforcement officials may be unable to catch the perpetrator because of certain protections that they may enjoy from the country they’re based in.
Another problem for financial institutions, according to Zelvin, is the vastly expanded threat surface that the pandemic has created from an operational perspective. With the overwhelming majority of employees at BMO and other financial companies shifting to a remote-work arrangement in a matter of weeks, the bank found its capacity to monitor and oversee workers’ activities severely challenged initially.
“All of a sudden, we went from having traders working from a floor where we had a lot of monitoring to having a lot of them working from home,” he said. “You had to adapt to that environment not just because it makes good security sense, but also because there were regulations that we had to continue to follow to protect our employees and the bank.”
Even in normal circumstances, financial institutions should ensure that their critical partners and vendors operate in a protected manner; that has become even more of a concern as those third parties likewise adopt a much more decentralized mode of working. Add the fact that some companies may be using non-secure connections, and the number of variables to worry about increases exponentially.
In a sense, BMO took out the best possible type of insurance coverage with its decision to establish the Financial Crimes Unit. As Zelvin explained, its three pillars – cybersecurity, fraud, and physical security – include information silos that are typically hard to access horizontally from an organizational perspective. With the ability to coordinate both vertically and horizontally, he said the members of the group have become far more effective and quick to respond to threats.
“You can buy every great piece of cybersecurity tech on the market and still not be secure,” Zelvin said. “I think having the best security takes both great technology and great people working together.”
The bank’s international footprint makes it especially well-positioned to harness “people power” for cybersecurity purposes. With teams in Singapore and London complementing those in Canada and the U.S., the bank has created a “follow the sun” capability that ensures on any given day and time, there are cyber experts and fraud experts on hand to respond to threats that may arise.
“I think the great thing is you get people with different cultures, language skills, and experiences,” Zelvin said. “That diversity is a powerful enabler when you’re trying to understand threats that come from overseas, which means understanding them could require an appreciation of some cultural and linguistic nuances at work.”
The bank also tries to be its own worst critic, proactively working to find holes within its networks. Internally, it pays a team of so-called ethical hackers whose sole job is to discover cracks and leaks within BMO’s websites, applications, and other electronic systems that might be exploited to access sensitive accounts or information. As a redundancy, BMO also hires third-party consulting firms to hack its systems, just in case other vulnerabilities were missed.
Still, even the best safety measures fall down sometimes, and that’s especially true within dynamic and shifting landscapes. That includes the COVID-19 crisis, which Zelvin says is conjuring up some exceedingly tough questions: If some massive cyberattack took away people’s ability to work from home, how would BMO get people back to the office without jeopardizing their health and safety? Are there any latent dangers within the payment systems that people are increasingly relying on? Is his team doing everything it can to stave off the possibility of a ransomware attack? And how can the firm mitigate potential insider threats as economic realities and personal circumstances push more people to act in their own self-interest?
“In some cases there may be a flaw or vulnerability in a vendor we use that's completely out of our control, and we may not find out about it until after the fact,” Zelvin added. “There are things you can defend against and there are things you'll never be able to defend against, but you have to be responsible for both. It's quite a challenge.”