Comment: How breaching compliance leaves you exposed to data breaches

A single cyberattack has the power to erode trust from the public, clients and even internal employees, as well as deliver heavy financial consequences, says Bion Behdin, CRO, First AML.


It was recently reported that Samsung alerted customers to a breach that had exposed customer data over the course of a year. It is another entry on the 2023 list of billions of exposed customer records. For Samsung, the reputational damage is immediate, and regulatory fines are likely to follow. 

Among other things, a data breach exposes a company’s shortcomings in collecting and protecting personally identifiable information (PII) during compliance and customer due diligence (CDD) checks. A single cyberattack can erode the trust of the public, clients and even internal employees, and deliver heavy financial consequences. Online and social media coverage intensifies the damage, so a single misstep can linger over a company long after it has happened.

For bad actors, a data breach brings rich rewards in the form of identity information and documents, which fuel further fraud and cybercrime and can even be used to extort the people whose data was taken. 

The Australian Transaction Reports and Analysis Centre (AUSTRAC) has a whole page of guidance outlining anti-money laundering (AML) obligations around data breaches. But it can sometimes be harder to make the move from seeking advice to actually implementing it. So, how can companies form a more robust and stringent buffer against data breaches? 

Making the move from AML advice to action 

Because data breaches can come from any direction, regulations change and bad actors become more sophisticated at faking identities, it can be hard for companies to turn AML advice into action and start building a culture of compliance. 

Creating a culture of compliance stems from a broader culture of risk mitigation in the organisation. Every member of the team should be responsible for keeping bad actors out. It’s the same from a cybersecurity standpoint – it’s everyone’s responsibility to flag suspicious (or phishing) emails. 

Purpose-built AML technology can provide immediate, embedded safeguards against data breaches. Traditional AML processes rely heavily on email, paper documents and spreadsheets, all of which are easy to intercept, copy or misplace and leave no reliable record of who has seen what. A well-designed AML platform encrypts customer data both in transit and at rest, and restricts and audits every access to it. 

The most secure platforms use full-disk encryption and anti-virus/anti-malware protection, grant access on a least-privilege basis, are regularly penetration tested by independent third parties, can remotely wipe stored content if a device or account is compromised, and apply a host of other security measures. They also let companies conduct extensive know your customer (KYC) checks, store verification documents securely and pull data securely from public records to help confirm identities.
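To make the "least privilege" and "audited access" controls above concrete, here is an added example (not code from First AML or from any product the article describes) of the gatekeeper pattern that sits between staff and stored PII: each role can read only the fields its job needs, every access attempt is logged whether or not it succeeds, and the log is HMAC-chained so that an insider who edits or deletes an entry breaks verification. The role names, field sets, sample record and audit key are constructed for illustration; in a real deployment the audit key lives in a KMS or HSM rather than in the application, and the records themselves would be encrypted at rest (for example with AES-GCM), which this stdlib-only example omits.

```python
"""Least-privilege, audited access to customer PII (added illustration)."""
import hashlib
import hmac
import json

# Constructed sample KYC record; no real customer data.
RECORDS = {
    "C-1001": {
        "full_name": "Example Customer",
        "date_of_birth": "1980-01-01",
        "passport_number": "X1234567",
        "verification_status": "verified",
    }
}

# Least privilege: each role may read only the fields its job needs.
# Role names and field sets are assumptions for this example.
ROLE_FIELDS = {
    "support_agent": {"verification_status"},
    "kyc_analyst": {"full_name", "date_of_birth", "verification_status"},
    "compliance_officer": {"full_name", "date_of_birth", "passport_number", "verification_status"},
}


class AuditLog:
    """Append-only, HMAC-chained log of every access attempt.

    Each entry's MAC is computed over the previous entry's MAC plus the entry
    itself, so deleting, reordering or editing an entry makes verify() fail.
    """
    GENESIS = b"\x00" * 32

    def __init__(self, key: bytes):
        self._key = key           # assumed to come from a KMS/HSM in production
        self.entries = []         # list of (entry_dict, mac_bytes)

    def _mac(self, prev: bytes, entry: dict) -> bytes:
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, prev + payload, hashlib.sha256).digest()

    def record(self, actor: str, role: str, customer_id: str, fields, allowed: bool):
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "role": role,
                 "customer_id": customer_id, "fields": sorted(fields), "allowed": allowed}
        self.entries.append((entry, self._mac(prev, entry)))

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry, mac in self.entries:
            if not hmac.compare_digest(self._mac(prev, entry), mac):
                return False
            prev = mac
        return True


class CustomerStore:
    """Gatekeeper in front of the PII records: enforce role permissions, log everything."""

    def __init__(self, records: dict, audit: AuditLog):
        self._records = records
        self.audit = audit

    def read(self, actor: str, role: str, customer_id: str, fields) -> dict:
        requested = set(fields)
        permitted = ROLE_FIELDS.get(role, set())   # unknown role => no fields
        denied = requested - permitted
        allowed = not denied and customer_id in self._records
        # Log before returning anything, including refused attempts.
        self.audit.record(actor, role, customer_id, requested, allowed)
        if denied:
            # Refuse the whole request rather than silently returning a subset.
            raise PermissionError(f"{role} may not read {sorted(denied)}")
        if customer_id not in self._records:
            raise KeyError(customer_id)
        record = self._records[customer_id]
        return {f: record[f] for f in requested}


def demo():
    """Exercise the three cases a reviewer checks; returns (analyst_view, denied, log_ok, tamper_ok)."""
    store = CustomerStore(RECORDS, AuditLog(key=b"demo-audit-key-not-for-production"))
    analyst_view = store.read("alice", "kyc_analyst", "C-1001", ["full_name", "verification_status"])
    try:
        store.read("bob", "support_agent", "C-1001", ["passport_number"])
        denied = False
    except PermissionError:
        denied = True
    log_ok = store.audit.verify()
    # Simulate an insider rewriting the refused attempt to look like a permitted read.
    store.audit.entries[1][0]["allowed"] = True
    tamper_ok = store.audit.verify()
    return analyst_view, denied, log_ok, tamper_ok


if __name__ == "__main__":
    print(demo())
```

The two design choices worth copying are that a request touching any field outside the role's set is refused in full (a partial answer teaches staff to over-request), and that the refusal is logged before the exception is raised, so the audit trail records probing as well as successful reads.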

With this system in place, you can then start to roll out cultural change, scaling compliance across the company and enabling employees to work off the same platform. Yet technology is only one part of the process. AML training (for example, explaining common red flags and the different ways criminals fake identities) and clear lines of communication for reporting suspicious activity all help to build this culture.  

Fighting a new world of threats to customer data  

In a world of new technological threats and innovative criminal tactics, adaptive technology and training are even more essential. Biometric checks, such as facial and voice recognition, have become widely used and accepted as secure ways of authenticating customers. Banks, for example, have widely adopted Electronic Identification Verification (eIDV) for KYC checks.  

On the surface, these are highly secure and cost-effective measures. But generative AI and deepfakes give criminals increasingly convincing synthetic voices and faces, and even the means to pass liveness checks. Moreover, the growth of eIDV has created vast stores of biometric data; if criminals breach those stores, they have ample raw material to create further ‘synthetic biometrics’, impersonate more identities and forge documents. Unlike a password, a compromised face or voiceprint cannot be reset. 

How can companies battle this new world of threats?

From a practical perspective, companies should carry out enhanced due diligence where customer identities are in doubt. This could take the form of a video call on which the client holds up an item such as a company letterhead or writes down a phrase chosen by the verifier, a live challenge-response that evidences liveness. Criminals can defeat one or two authentication checks in isolation, but combining such a liveness challenge with voice and face recognition is currently far harder to outmanoeuvre, because an attacker must produce consistent synthetic output across all three in real time.  

As mentioned, this needs to form part of a wider culture of compliance and technology, where employees are acutely aware of criminal tactics and the dangers of data breaches, and AML technology is used to counter illicit uses of technology.  

Running a tight AML ship   

A loose AML compliance programme can leave companies exposed to such attacks and lacking the necessary means to deal with them.  

Technology can help instigate the move from AML advice to action and create a wider culture of compliance. As criminals become more innovative in using new technologies to fake identities, AML technology is becoming a must-have to fight off these new threats. 

Bion Behdin, CRO, First AML