Analysis

HSBC Using AI To Fight Fraud Under 'Failure To Prevent' Law

(September 24, 2025, 12:07 PM BST) -- HSBC has emerged as one of the first banks to confirm it is harnessing artificial intelligence under the new "failure to prevent fraud" offense that targets companies benefiting from fraud committed by employees.


The U.K.'s largest bank is using automated tools to detect any such fraud under the U.K. offense that took effect on Sept. 1. These include cutting-edge AI developed with Google that monitors 900 million transactions a month across 40 million customer accounts.

"Google AML AI and our other automated tools play a role in providing a defense in relation to the 'failure to prevent fraud,'" Jennifer Calvery, group head of financial crime at HSBC, told Law360.

The new offense stipulates that a company risks a criminal prosecution if its preventive controls are found to have been inadequate.

Large banks such as HSBC are considered in scope of the offense. The new law applies to companies that meet two of the following three criteria: more than 250 employees; £36 million ($49 million) in turnover; or £18 million in assets.

HSBC's Multi-Tier Strategy

Strong leadership, internal training programs and industry information sharing are equally important, said Calvery, who before joining HSBC held a CEO-equivalent role at the Financial Crimes Enforcement Network in Washington, D.C.

"We need to be cautious about putting into the public domain how our fraud controls work in practice, as we know criminals look for and share this information with one another," Calvery said of HSBC. "However, we strive to deploy the latest technology to protect our customers and the bank against financial crime."

The Serious Fraud Office has signaled that it is keen to seek out its first prosecution under the new offense. AI systems and tools that prevent fraud reduce the risk of prosecution for financial services businesses, especially when the new tech is thoughtfully integrated with other controls and human oversight, according to one legal view.

"Firms which are able to show that they have deployed well-designed, monitored and regularly improved AI-powered controls will be far better positioned to defend themselves if prosecuted, proving that efforts to prevent fraud were both current and comprehensive," Tim Wright, a partner and technology lawyer at Fladgate LLP, said, without naming companies.

"But failure to complement AI with human oversight, periodic review, and adaptation to new threats could undermine any defense and leave firms vulnerable," he warned.

On this basis, AI is a double-edged sword for firms bolstering systems against the offense because it requires continual human oversight. Corrupt or careless employees, including senior managers, may exploit any lapses.

Spying On Staff

Lawyers say that AI can both help companies prevent fraud against the business and simultaneously support regulatory compliance. It can enhance detection of fraud and reduce unjustified red flags from technology.

Advanced AI tools can use biometric behavior analysis — monitoring a user's digital interaction patterns such as typing style, mouse usage or mobile gestures to identify a person. This can distinguish fraudsters from legitimate users by detecting unusual behavior.

Banks can use AI-based network pattern detection, spying on staff or agents in such ways, to uncover insider threats and collusion that is likely to evade human detection, according to lawyers.

"AI can detect complex fraud patterns including where staff or agents use AI techniques to commit fraud, by analyzing behavioral anomalies and transaction irregularities," Wright said.

These AI techniques include, for example, deepfakes. Deepfakes are videos, pictures, audio or other digital representations that are created with machine-learning techniques to seem realistic, and which can spread information and disinformation. Banks can use continuous learning AI models that adapt to new fraud tactics involving the new tech, helping to block emerging threats.

Cross-Border Risks

AI faces its greatest challenge across borders, due to conflicting global rules governing its usage, lawyers said. Fraud that benefits the company and is committed with the help of staff in an overseas subsidiary with a U.K. link is in scope of the offense.

"Differences between U.K. and EU AI regulations, especially the AI Act, add to the complex regulatory environment which firms must navigate," Wright said.

The Financial Conduct Authority uses the new tech to monitor markets, highlighting how AI-related issues are under its oversight. Businesses that promptly self-report failings under the "failure to prevent fraud" offense — a process that can involve AI — will avoid U.K. prosecution, as the SFO has made clear.

An area where banks are demonstrably ill-prepared is in monitoring staff conversations, which could involve fraud.

The City watchdog found in a recent review of unrecorded communications through what are known as off-channels such as WhatsApp that there were 178 such cases in breach of internal rules in eight banks over 12 months.

"Off-channel communications potentially expose the firm to the offense of 'failure to prevent fraud,' even if there is no fraud committed but just the intention," Karl Foster, a partner at Spencer West LLP, warned. "Firms should limit off-channel communications among other measures to reduce the risk of fraud by employees or agents to benefit the company."

The FCA expects regulated firms to restrict off-channel communications as part of wider measures to reduce risk, according to Foster.

The fundamental risk is failure to supervise off-channel communications as noted by the FCA review, which found 41% of internal policy breaches involved staff at — or above — director level.

"Failing to supervise off-channel communications could increase the risk of fraud, whether benefiting the firm or the individual perpetrator," Christopher Collins, partner at Katten Muchin Rosenman LLP, said.

"If firms are not effectively supervising and monitoring such communications, it can be a lot more difficult to detect such serious wrongdoings," he warned. "When senior leaders are violating policies, it signals that firms have not truly embedded the behavioral change necessary for effective control."

Strategic Misconduct Reporting

Another area for necessary action is reporting. Financial companies should strategically coordinate misconduct reports to the FCA and the white-collar agency to protect their positions, lawyers said. The "failure to prevent fraud" offense is forcing them to align legal, compliance and risk expertise as well as reporting strategies and systems.

An exacerbating factor in the pressure on firms to take a coordinated approach is the financial watchdog's agreement with the SFO to facilitate information-sharing, joint investigations and co-operative enforcement action.

"Parallel reporting to both regulators demonstrates seriousness and reduces concerns around concealment," Nabeel Osman, a barrister partner at Spencer West LLP, said. "Dual engagement can be a pragmatic way to retain dialogue with prosecutors and some control over what might happen next."

Larger banks still focus on fraud against the institution rather than that committed to benefit it, leaving critical blind spots, according to Osman.

Perilous Corner-Cutting

Lawyers warn that resource-strapped midsized financial firms have cut corners, including in the fraud risk assessment, which is crucial to defenses.

"Some [regulated financial] firms have been tempted to take a rather superficial approach to carrying out a fraud risk assessment and jumped straight into updating policy wording or existing procedures," Sarah Lambert-Porter, senior attorney at Ropes & Gray LLP, warned.

Whistleblowing helps prevent fraud benefiting the company, but financial services firms too often see it as box-ticking, even though it is a core reasonable procedure under the government guidance on the "failure to prevent fraud" offense, according to lawyers.

"There is a tendency to see fraud disclosure as an employment or human resources issue and not a financial crime issue," Sara George, a Sidley Austin LLP partner, said.

Compliance Oversight Insufficient

As things stand, some financial services companies wrongly assume that their existing anti-fraud and financial crime controls will suffice for the new offense, lawyers warned.

Financial services firms need to think carefully where the risk of outward fraud, committed by employees or third parties to benefit the organization, is present — perhaps within their sales departments where employee incentives could risk improper conduct, according to Signature Litigation LLP partner Duncan Grieve.

"Monitoring outward fraud is a practical challenge as it may require monitoring of conduct outside of internal systems," he said. "As such, a solid compliance infrastructure usually requires a blend of technological and human oversight."

--Editing by Joe Millis.
