What is the difference between private and retail banking in fraud management? Significant use of mobile devices (tablet, smartphone,...) and the growing number of fraud due to human factor are changing private banking management. GARL presentation at Forum Banca 2013 describes fraud risks for private banking and how to manage them in a prevention plan. The presentation was made as a collaboration with Banca Esperia (Mediobanca group).

1. Prevent banking frauds through identity
management
Luca Sciortino – Information Security, Banca Esperia
Giuseppe Paternò – Director Digital, GARL
Milan, 24th September 2013

2. 3
About us
• Security manager with Banca
Esperia
• Experience in similar roles for
international bank groups
• Expert in programming, open source
and IT security
Twitter: @sciortlu
LinkedIn: www.linkedin.com/in/sciortlu
Web Site: www.gruppoesperia.it
• Director Digital with GARL, bank of
digital data founded in Switzerland
in 2008
• IT Consultant cooperating with
Canonical and other big firms
• In the past with Red Hat, Sun
Microsystems and IBM
• Researcher and professor at Trinity
College Dublin
Twitter: @gpaterno
LinkedIn:
www.linkedin.com/in/gpaterno
Web Site: www.garl.ch
Luca Sciortino – Banca Esperia Giuseppe Paternò - GARL

3. 6
Boom time for frauds
Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF
Daily identity
fraud attempts
in Italy
50 Time to
discover an
internal fraud
18MONTHS

4. 8
How much does frauds cost?
5% of profits are lost for frauds
Cost of a single fraud discovered by one
the main American bank in march 2011
Average of 1 out of 5 internal frauds in a
calendar year
Unrecoverable losses
Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF - July 2013
3TRILLION $
A YEAR
10
MILLION $
1
MILLION $
50%

5. 11
Internal vs. external frauds
• Many attempts
• Low impact for the bank
Ex. Credit cards skimming, debit cards,
false bonds, false insurances, online
frauds, identity theft, wire transfers
• Few attempts
• High impact for the bank
Ex. Insider Trading, roundings off,
misappropriation of funds, confidential
information leaking
External frauds Internal frauds

6. 13
Internal frauds
More
risks
More
trust
Internal
audit
policies

7. 16
Private banking and frauds, point of interests
Few VIP customers
Risk for accounts with substantial capital
Trust in the banker
The banker’s role is key in the relationship with
customers
Market Speculation
Personal speculations made by internal
professionals
Reputation
Losing the trust of customers/market is a bigger
damage than the fraud itself

8. 18
External frauds and private banking
Private Banking
Lower risk of external
frauds
(less visibility and access
compared to retail
banking)
Retail Banking
Higher risk of external
frauds
(public access to the core
services)

9. 20
Human factor and frauds
Information leaking
Confidential data about VIP Customers,
personal assets, portfolio of investments
Mutual confidence among colleagues
Passwords exchange, use of applications
forbidden by the security policies, …

10. 23
The role of identity in frauds
Transations
Logging
Frequent
access to VIP
and high
value
accounts
Physical and
logical
access
control
Application
Authorisation
Proven
identity

11. 25
Identity management for frauds prevention
Forbidden and/or
off-hour access
Counterfeiting of
documents
Identity theft

12. 26
KPI
Banca Esperia is the Private Banking boutique of
Mediobanca and Mediolanum, for private and
international clients.
Born in 2001, the group is specialized in advisory
services, financial services and wealth planning
About Banca Esperia
Branches
• Personnel: 250
• Private Banker: 76
• Branches: 12
• Total asset: € 14,3 mld
(june 2013)

13. 30
SecurePass for digital identity protection
Identity management
The user is really who he
claims to be – multifactor
authentication
EMV cards
Identity cards for combined
physical and logical access
Compliance
Compliant to EU regulations

14. 32
SecurePass guarantees digital identity of users
SecurePass manage the
lifecycle of users from an easy-
to-use web control panel
Group
management
Audit and
centralized
management
Hosted in
European
datacenters by
GARL

15. 34
SecurePass cloud service for identity theft prevention
SecurePass is the platform for digital
identity protection
Military grade
protection level
Covered by an
insurance policy
From the experience
and in collaboration
with Swiss banks

16. 36
SecurePass security architecture
• SecurePass identity verifcation
• Verification of the location context
(i.e. Internet, MPLS network, intranet,…)
• Access authorization to applications
• Centralized logging
(who’s accessing what, from which IP, with which
device/operating system and time of the day)
Centralized control
Double authorisation control
over applications and on
every application’s features
Tracking of single features,
Access to NDG, account
Number, etc.
Applications

17. 39
Benefits for finance and banking
Outsouced
identity
management
Streamline
access
Reduced
operating
risks

18. 41
Oousource identity management to a trusted third party
Reduce mantainance cost
Reduce internal fraud
attempts
Latest identity frauds
technologies
Guarantee personnel
identification
Relief the bank
responsability (service
covered by insurance)
Reducing human factor
risks

19. 44
Centralized access
Single point of
management
Reduction of risks
related to
authorisation and
rights management
Improve users’
experience with
Single Sign-On
Compliant with EU
regulations (i.e.
italian “Garante
della privacy II” )

20. 45
Operating risk reduction
Strenghten transaction
control
Prevent information
leaking
Double authorisation:
customer is guaranteed
of the truthfulness of the
transaction

21. 47
Conclusions
Human factor is a risk for frauds in private
banking
Identity management can mitigate risks
Multifactor authentication to guard access
Audit & Compliance

22. 49
Thank you