“We pride ourselves on our ability to protect our customers from all types of threats, no matter where they come from,” said Bob Spencer, the bank’s head of group financial crime, in a statement.
Lloyds TSB is the first UK retail bank to buy Actimize’s software, although Amir Orad, its chief marketing officer, said another unnamed financial institution in Britain was also a customer. “Lloyds is unique in being very aggressive in tackling the problem,” he said.
Several US retail banks already use the firm’s software to watch employees. Orad said the false positive rate was low, although institutions’ varying ways of defining fraud make it difficult to provide figures. But one large US bank with tens of thousands of staff had used the software to find dozens of actual cases within a couple of months, with the equivalent of 1.5 full-time investigators, he added.
Orad said that greater numbers of staff with access to accounts, such as through call-centres, and organised crime’s increasing use of employees to carry out fraud are driving the need for such systems. “Sometimes [criminals] threaten people, sometimes you have employees under financial pressure who offer to sell information online,” he said.
The Financial Services Authority, which launched its financial crime and intelligence division in January, said it is encouraging financial services providers to tackle insider threats.
“We’re not prescriptive in the way we regulate,” said spokesperson Abbi Jones. “We don’t suggest particular systems. We’re saying, ensure the outcome is that consumers are protected.” Vetting of staff is alternative way of achieving this, she added.
Tier-3, an Australian software firm whose anomaly-detection software is used by some customers for tackling financial fraud, says such clients have tended to focus on external threats, but this is changing.
“We’ve seen a definite swing to a more holistic approach by organisations over the last year,” said chief technology officer Geoff Sweeney, taking in both insider and outsider threats. “That is echoed by the establishment of risk officers, who have the mandate to manage risk across the whole IT system.”