Insider Threat Detection in Financial Services

In today’s financial world, banks are relying on countless financial applications to help manage important tasks. Wealth Management, Trading, Revenue Management, Investor Accounting, along with many other business needs are consistently being improved by operating them through financial applications. However, now that these apps are containing vast amounts of customer and company data, organizations are having trouble keeping track of exactly “who did what” in these apps.

In a couple of cases, this lack of insight has resulted in major insider threat cases for financial services organizations. At Morgan Stanley, a financial advisor accessed their financial application and downloaded account data on 10% of their wealth management clients – about 350,000 people.

JPMorgan also detected an insider threat when an employee got access to one of JP Morgan’s banking applications and stole customer accounts in order to sell customer data, which included birth dates, Social Security numbers, passwords, bank account balances, and debit card numbers.

Whereas these financial applications are extremely productive for business, they can also be extremely risky from an insider threat perspective. But due to the sheer volume of activity and necessary access, detecting insider threats are often hidden in the large volume of normal user actions, leading to undetected and overlooked exposure of sensitive data. Below we breakdown some of the most popular applications used in the financial sector, and why it is important to know exactly “who is doing what” within these applications.

The Shortlist of Core Banking and Wealth Management Systems You Need Visibility Into

Finserv

Fiserv is a leading financial services company that specializes in banking and wealth management applications. These applications have a wide array of uses and functions.

1. Cleartouch is an online, real-time bank platform that delivers business analytics and customizable workflows. This platform is used to understand profit potential of customers and save time by centralizing business actions.
2. DNA is a real-time account-processing platform. The DNA data model organizes all account, transaction and related information around an accountholder and stores it in an enterprise database.
3. Precision supports new account and transaction processing, document management and imaging, online banking, business intelligence and risk management. This is Fiserv’s most user-friendly application platform.
4. The Premier platform focuses especially on banking applications. This platform is endorsed by the American Bankers Association and is known for its feature-rich functionality, open integration and scalability.
5. Signature is a comprehensive customer-centric banking solution that allows organizations to offer consistent information across multiple delivery channels, streamline business processes and mitigate risk.

Why Monitor?: Cleartouch is used to collect loads of customer data specifically within their bank account, such as credit and debit card numbers and bank pins. Cleartouch also centralizes business actions, which means numerous departments could have access to data they don’t necessarily need access to.

It is important to monitor the activity on this application to make sure the customer data and company data are accessed solely by the correct and necessary employees. DNA uses an enterprise database, which means that there is a massive amount of data in one place. Most employees who have access to this information likely only need small bits of information at any given moment to do their jobs, but have authorized access to view large amounts of data. When modifying or setting up new accounts, application admins can adjust application entitlements to expand privileges to access more customer data such as Social Security numbers and contact information.

Knowing who exactly is doing what with this data and tracking application admin entitlement changes is critical for any financial service in order to mitigate insider threat.

Jack Henry

Jack Henry supports approximately 1,300 banks – ranging from community banks to mid-tier institutions – with in-house and outsourced core processing solutions.

1. The SilverLake System at Jack Henry Banking is a high customizable, IBM Power System-based solution for commercial banks. The platform supports 140 applications and services aimed at information and transaction processing.
2. CIF 20/20 is a parameter-drive, IBM Power System-based solution. The platform is a bank-centric system that supports dynamic processing requirements by integrating robust core functionality, and supports 120 applications and services.
3. Core Director is a Windows-based core processing solution. Core Director is aimed at maximizing staff efficiency and productivity, by providing intuitive point-and-click operation to ensure ease-of-use. The platform supports 110 applications and services and is used by more than 200 banks.

Why Monitor?: All three of these application-based solutions operate by centralizing business actions. Thus, with numerous departments within a company (Sales, Marketing, HR, R&D etc.) having access, customer and company data is significantly more vulnerable to improper or unnecessary usage.

In a system like this, it is especially important to monitor administrator accounts, given their ability to create, modify or delete users. Creating a fake user or granting a user certain privileges can result in drastic consequences, such as in the case of JP Morgan mentioned earlier. Financial institutions need to be able to set parameters to trigger alerts for unnecessary access to critical information.

Bloomberg Professional

Bloomberg Professional is used globally for countless functions. Their financial apps are among the most recognized in the world.

1. The Bloomberg Terminal is one of the most famous financial applications. The application functionality serves functions such as asset management, investment banking, treasury and risk management, and private equity. The application has been used since Bloomberg’s creation in order to make trades.
2. Instant Bloomberg is a leading chat tool used by financial organizations all over the world. It is integrated with the Bloomberg Terminal and is a globally used communication tool.

Why Monitor?: Bloomberg Terminal is used for trading world-wide. With data going from city-to-city, country-to-country, it is important to be able to identify irregular or potentially malicious activities. It is imperative that organizations using Bloomberg Terminal can see who has privileges within the applications to make certain trades or transaction policies.

Another important aspect to monitoring the Bloomberg Terminal is that many employees of organizations that use the Terminal, who don’t make trades, can possibly still access and review the data with the Terminal. Thus it is vital for companies to make sure the actions taking place within the Bloomberg Terminal are inline with company policy and compliance regulations. Instant Bloomberg is also a significant application to monitor in order to detect potential abnormal activity related to insider trading. By logging all the actions within Instant Bloomberg, any forensic investigation into unethical or insider trading will be much swifter by having a full record of the communication that took place in regards to the malicious activity.

Fundtech

Fundtech offers solutions for a variety of financial services such as payments, cash management and merchant services.

1. PAYplus USA is a wire transfer automation solution for US national and regional banks. The wire transfer system utilizes a Windows or browser-based user interface, incorporates high levels of straight-through processing (STP) and uses exceptions-based displays.
2. CASHplus is a highly configurable US domestic cash management solution. It incorporates a full suite of functionality with secure access to account balance and activity reporting, account transfers, US domestic and international funds transfers, loan and credit card reporting, payment initiation, bank reports, and online enrollment.

Why Monitor?: Payment and cash management solutions collect PII (Personal Identifiable Information) ranging from Social Security numbers to phone numbers to addresses and so on. Along with the PII, lots of financial information is available in each and every wire-transfer and account balance, such as credit card numbers, debit card numbers and account numbers. In order to prevent mishaps with customer information, companies should monitor these two apps.

ADVENT

Advent builds financial solutions applications, which focus heavily on wealth management. They also branch out into many other areas such as compliance and reporting.

1. Advent’s Moxy application streamlines trading and order management. It acts as a centralized platform for making and executing trade decisions quickly and confidently. Moxy includes tools for portfolio modeling, rebalancing and drift analysis.
2. Black Diamond is a cloud-based management platform for advisors. The application features cloud-based portfolio management, customizable reporting and performance measurement.

Why Monitor?: Any centralized platform opens up an organization to the misuse of data by various departments. Advent’s Moxy primarily focuses as a trading application. The combination of centralization and trading results in numerous departments potentially having access to loads of data they don’t require.

Monitoring user actions on this data is essential to safely protect customer data.

Satisfying FFIEC Monitoring Requirements

Application administrators are now in scope of the FFIEC. High privileged accounts include individuals who can change permissions in core banking and wealth management applications. Privileged access is being regulated more tightly by the FFIEC, meaning in order to meet requirements, monitoring core banking and wealth management applications has gone from a luxury to a necessity.

Financial applications can become a sore point from an audit perspective. Financial service companies need to comply with FDIC requirements surrounding the audit and logging of privileged access to applications. An FDIC audit has certain visibility requirements such as:

• A holistic view of application utilization by administrator level users in order to detect insider threat
• Real-time alerts for creation, modification, or deletion of users Reports centered around application access as a whole

Within these applications, administrators are risky users. Their ability to create users and modify user privileges makes administrator level users very powerful, and sometimes, too powerful. In any financial application, an administrator could have the ability to create a user, grant it certain levels of access, and use the account to take company information. Thus, organizations need a system in place that can detect insider threat by monitoring the actions of administrators and also monitoring the alteration and creation of user accounts.

Satisfying OCC Monitoring Requirements

The U.S. Department of the Treasury’s Office of the Comptroller of the Currency (OCC) requires that all national banks file a Suspicious Activity Report (SAR) when they detect certain known or suspected violations of federal law or suspicious transactions related to a money laundering activity or a violation of the Bank Secrecy Act. This SAR filing is required for any criminal activity:

• Involving insider threat regardless of the dollar amount;
• Where there is identifiable suspect and the transaction involves $5,000 or more; and Where there is no identifiable suspect and the transaction involves $25,000 or more.

Insider threat abuse of any dollar amount results in a SAR filing. Thus companies need to be able to monitor their internal users in order to know if any abuse is taking place. Without a monitoring solution in place, organizations open themselves up to potentially breaking OCC requirements, which can result in massive fines.

Satisfying GLBA Monitoring Requirements

The Gramm-Leach-Bliley Act (GLBA) of 1999, forces banks to review their security posture. According to section 501 from the GLBA, “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Furthermore the Act stipulates that each institution that is subject to the GLBA must:

• Insure the Security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of such records; and
• Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Today there are numerous independent auditors that organizations hire in order to comply with GLBA regulations. A monitoring solution that can accurately depict what access was authorized vs. unauthorized is a vital component of having a successful GLBA audit. As one of the main components to the creation of the GLBA, unauthorized access to customer data stands out as the major concern for any organization looking to comply with the GLBA.