It is very easy to conflate the fraud associated with the recent increase in cyber-attacks with money lost
through the actions of employees of financial institutions, or of any business for that matter. Regardless of
which form the fraud takes, the result is the same: people lose their money.
It is important to understand that the more digital we become, the more the responsibility for due
diligence is shared between businesses and consumers to ensure a safe and trusted business
So, how can customers of financial institutions protect themselves against fraudulent activities such as
those that have been happening over the past year?
Fraudulent financial activities can take many different forms, some very simple and others very
sophisticated. But, simply put, fraud can be:
- perpetrated by internal actors e.g. employees, managers, the institution
- perpetrated by internal actors in association with external parties e.g. customers, family
- perpetrated by external actors e.g. customers, hackers
In each of these cases it can be difficult for a customer to protect themselves against being
defrauded, because most of the measures that mitigate these occurrences have to be implemented by
the institution that has custody of the funds. It also follows that, as a matter of course, the details of
the measures that are implemented would not be shared with the general public.
So how then, beyond the duties of regulators and the institutions they regulate, can our hard-earned
money be protected, and how do we as customers ensure that the place where we deposit or invest is protecting
What Can the Institutions Do?
Many financial institutions, mainly deposit-taking institutions and their extensions, have implemented
many technology platforms to safeguard against fraud. This is mostly because these measures are for
It is surprising, however, how many other types of regulated financial institutions outside the
“deposit-taking” space do not use technology to fully implement stringent monitoring and access
controls to guard against fraud scenarios that may originate internally or externally.
One glaring example is the fact that there are still institutions that allow customers to issue
instructions to employees by email or, in some cases, even by phone call. An instruction that arrives this
way sits outside the institution's systems: it is easy to forge or to deny having sent, it can be altered or
quietly “clarified” after the fact, and it leaves no tamper-evident record of who actually gave it, so the
audit trail the institution relies on can simply be bypassed.
Institutions should rethink these practices and implement systems where all client communications are
conducted from within an online client portal controlled and monitored by the institution. The technology exists to do this.
Additionally, institutions should implement notification controls, whether by email, SMS or IVR-based
phone call, that alert both the client and designated representatives of the institution whenever
unauthorised or “idle” access to an account occurs. An idle access is one with no trigger behind it: if there
is no customer request, open case or other documented reason for an employee, manager or executive to
open a customer's account, the relevant parties should be notified whenever it happens. Again, the
technology exists to do this.
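The following is an added illustration of what such an “idle access” control can look like; it is example code written for this article, not a system used by any institution. It assumes that staff access events and customer service requests are both logged, that an access is justified only by a request for the same account that was opened before the access and is still open (or closed within an assumed one-hour grace window), and that each customer has a registered notification channel. All records, ticket numbers, phone numbers and addresses below are constructed sample data.

```python
"""Flag 'idle' staff access to customer accounts (access with no customer-initiated
trigger) and build the notifications for the customer and the institution's
designated representatives.  Example code; all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    employee: str
    account: str
    action: str            # what the employee did, e.g. "view_balance"


@dataclass(frozen=True)
class ServiceRequest:
    ticket: str
    account: str
    opened: datetime
    closed: Optional[datetime]   # None while the request is still open


def justifying_request(event: AccessEvent, requests: List[ServiceRequest],
                       grace: timedelta = timedelta(hours=1)) -> Optional[str]:
    """Return the ticket that explains this access, or None if it is 'idle'.

    A request justifies an access only if it was opened before the access
    (a ticket raised afterwards cannot explain it) and is either still open or
    was closed no more than `grace` before the access (brief follow-up work)."""
    for req in requests:
        if req.account != event.account:
            continue
        if req.opened > event.when:
            continue                      # retroactive ticket: does not count
        if req.closed is None or req.closed + grace >= event.when:
            return req.ticket
    return None


def idle_accesses(events: List[AccessEvent], requests: List[ServiceRequest],
                  grace: timedelta = timedelta(hours=1)) -> List[AccessEvent]:
    """Every access that no service request justifies."""
    return [e for e in events if justifying_request(e, requests, grace) is None]


def build_notifications(event: AccessEvent,
                        customer_contacts: Dict[str, Tuple[str, str]],
                        institution_contacts: List[Tuple[str, str]]) -> List[dict]:
    """One message each for the customer (on their registered channel) and for
    every designated representative of the institution."""
    text = (f"{event.when:%Y-%m-%d %H:%M} account {event.account}: "
            f"{event.action} by {event.employee} with no open service request")
    channel, address = customer_contacts[event.account]
    notes = [{"channel": channel, "to": address, "text": text}]
    for channel, address in institution_contacts:
        notes.append({"channel": channel, "to": address, "text": text})
    return notes


# --- constructed sample data -------------------------------------------------
T = datetime(2024, 3, 4, 9, 0)
REQUESTS = [
    ServiceRequest("SR-1001", "ACC-1", T - timedelta(hours=2), None),                       # open
    ServiceRequest("SR-1002", "ACC-2", T - timedelta(days=1), T - timedelta(minutes=30)),   # closed 30 min ago
    ServiceRequest("SR-1003", "ACC-3", T + timedelta(hours=1), None),                       # raised after the access
]
EVENTS = [
    AccessEvent(T, "emp.jdoe", "ACC-1", "view_balance"),      # justified by SR-1001
    AccessEvent(T, "emp.jdoe", "ACC-2", "view_statement"),    # within grace of SR-1002
    AccessEvent(T, "emp.asmith", "ACC-3", "update_address"),  # idle: ticket came later
    AccessEvent(T, "mgr.klee", "ACC-4", "view_balance"),      # idle: no ticket at all
]
CUSTOMER_CONTACTS = {"ACC-1": ("sms", "+18765550101"), "ACC-2": ("email", "c2@example.com"),
                     "ACC-3": ("ivr", "+18765550103"), "ACC-4": ("sms", "+18765550104")}
INSTITUTION_CONTACTS = [("email", "fraud-desk@example.com"), ("sms", "+18765550199")]


if __name__ == "__main__":
    for ev in idle_accesses(EVENTS, REQUESTS):
        for note in build_notifications(ev, CUSTOMER_CONTACTS, INSTITUTION_CONTACTS):
            print(f"[{note['channel']} -> {note['to']}] {note['text']}")
```

The deliberate choice here is that a ticket opened after the access does not retroactively justify it; if it did, an insider could browse an account and raise a request afterwards to cover the access. The grace window should be short and tuned to the institution's real follow-up practice.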
What Can the Customer Do?
When dealing with financial institutions there is a level of trust that customers must place in the
institutions they do business with. There is also a duty of due diligence that the customer must adopt
regardless of the entity they do business with. Unfortunately, this is easier said than done, because
customers may not know the right questions to ask, or where to find answers to critical questions. In my
humble view, here are some simple things that customers can do or look for to get a better idea of who
they are entrusting their money to.
- Stay woke! Increase your personal awareness about the services and technologies you use.
- Do research about who you are investing your money with by consulting with independent
- Make sure that the financial advisors you seek advice from are licensed.
- Make sure the firms you invest with are licensed.
- Check that the institution's website is served over HTTPS (the padlock in the browser) and that it
publishes detailed information about its directors, staff and financial statements there.
- Do not issue transaction instructions by regular email or phone call. Your institution should have
its own managed customer portal that you must log in to, which allows you to submit
- Demand to be notified immediately whenever your account is accessed. This can be automated
via text message, email or an interactive voice (IVR) call.
The Role of Data Protection Laws
Recently, the Government passed the Data Protection Act, a far-reaching piece of legislation which, for
the first time, places power in the hands of citizens over how their personal information is treated. The
law comes into full effect on December 1, 2023. Its provisions, and the actions, processes and systems
that it demands, can be used by both financial institutions and consumers to raise the level of security,
privacy and trust, especially as we move along the path to becoming a digital society.
– Trevor Forrest is CEO of 876 Technology Solutions, a provider of Data and Information Security
Solutions and Consulting Services. Send feedback to [email protected] and [email protected]