The new MAS risk management guidelines and how machine learning can help
The central bank of Singapore says a rules-based approach to cyber-risk management is no longer sufficient and that banks need to employ behavioral analytics and machine learning to protect their customers from criminal gangs, writes Beth Bai
A poll of APAC banks earlier this year found that three-quarters expect fraud and cyber-crime to increase over the coming 12 months, with a fifth believing that the increase will be significant.
This ominous trend has prompted a new drive by central banks to ramp up the fight against cyber-crime across the region. In March this year, the Monetary Authority of Singapore (MAS) launched a consultation paper – revised Technology Risk Management Guidelines - that revealed a fresh impetus towards tackling cyber-threats. In particular, its proposed new guidelines aim to encourage banks to work more closely with FinTechs in their battle against fraud and cyber-crime.
MAS was named central bank of the year by the London-based journal Central Banking for “pioneering FinTech efforts,” among other initiatives. Evidence of its pioneering role can be seen in its taking a leading role among Asian regulators in securing new payment channels and cyber risk points through this consultation paper. Other regulators such as Hong Kong Monetary Authority’s TM-E-1 on Risk Management of E-banking or Bank Negara Malaysia’s recently published exposure draft on Risk Management in Technology are following suit. By aligning their guidelines, the authorities and banks will be better positioned to fight back against criminals.
In addition to ‘traditional’ cyber-crime, such as malware attacks and account takeover, the MAS consultation paper discusses new types of fraud such as social engineering and man in the middle. The former is where cyber criminals manipulate an unsuspecting person into divulging sensitive details; the latter where they compromise the communication between customer and bank. As well as identifying the vulnerabilities of customers when it comes to the fraudsters, the consultation paper also highlights the importance of circumstantial data surrounding these events, such as Internet of Things (IoT).Download our white paper on "Combating Financial Crime in Asia"
The IoT includes any electronic devices, such as smart phones, multi-function printers etc. where machines and banks are networked together. MAS points out that criminals can easily circumvent traditional rules-based controls processes by hacking the IoT. To deal with this threat, the Singapore authorities urge banks to implement technologies such as behavioral analytics to monitor activity logs and prevent cyber attacks.
The terminology of behavioral pattern/analytics can be seen throughout the consultation paper, specifically around real-time payment and digital transaction monitoring. “User behavioral analytics is the use of machine-learning algorithms in real time to analyze system logs, establish a baseline of normal user behavior, and identify suspicious or anomalous behavior. The FI [financial institution] should consider applying user behavioral analytics to enhance the effectiveness of security monitoring,” the MAS says.
It goes on to urge banks to pursue partnerships with FinTechs to enhance fraud prevention. This is because FinTechs such as NetGuardians have developed fraud-mitigation software that incorporates machine learning and behavioral analytics into solutions that are far more effective than any bank could develop in-house.
Just as a bank can collect circumstantial data surrounding online and mobile transactions to build up a profile of the customer from channels, so it can and should collect circumstantial data for transactions involving the IT layers. These include data on the endpoint device, the transaction details, and the IT systems involving human interaction. In this way, the bank can build a profile not only monitoring the transaction but the activity of the end user or IoT devices. When one is initiated that doesn’t fit with the accepted profile, it can be blocked in real time while an alert is raised and investigated.
It is important to note that by drawing attention to expanded system monitoring, MAS is asking banks to think about the fact that risk will keep coming from new directions. It’s encouraging them to stay on their toes – a critical factor in tackling cyber-crime.
MAS, along with other regulators’ efforts, come as bank fraud is becoming more sophisticated. Criminals are themselves using new technologies such as data analytics to go about their business. In addition, there are more lone wolf fraudsters – people acting on their own rather than in criminal gangs. It’s worrying to note that there are videos on YouTube showing how to carry out phishing attacks, for example.
This means banks are dealing with a depth and breadth of fraud on a scale not seen before. MAS, along with other central banks and financial regulators, wants the sector to employ new technology to protect its customers for good reason.
Our research at NetGuardians shows that our machine-learning and behavioral-analytics software spots new types of fraud, helping banks to cut its incidence and attendant losses. In addition, it helps banks reduce the amount of time they spend investigating fraud because it raises far fewer false alerts – 83 per cent fewer. This means they can reallocate resources to more complex investigations or to services that add more value to the customer.
MAS’s message is timely. With the vast majority of organizations across APAC expecting cyber-crime to increase, banks need a specialized partner that can help buttress their defenses against fraud. It’s time to work with FinTech.