Many defence lessons were learnt post-9/11 – lessons that former Ministry of Defence director Alan Lovell utilised when devising his transformational surveillance model for HSBC. We asked him how far it has come and what is still to do.
When Alan Lovell left behind a more than 25-year career with the Ministry of Defence to join HSBC as its global head of group regulatory surveillance in early 2016, he launched a five-year transformation plan for the bank’s surveillance function. Informed by lessons learned in counter terrorism, the strategy mimics the journey taken by governments across the globe post-9/11, and envisages an operating model for banking surveillance that revolves around improved detection, integration, analytics and outlier identification.
Three and a half years later, the bank has made good progress, Lovell says. Some underlying data has been pooled and HSBC has settled on its next-generation detection tools. And while bringing the plan to full fruition will require further investment and hard work, it is “certainly do-able”.
Better detection needed
The challenges Lovell inherited at HSBC echo those faced at many banks. While much of the surveillance technology being used was the best available in 2016, it was still clunky, noisy and inefficient when compared with the risk-based probabilistic machine-learning and algorithm-driven solutions that some vendors have since started to market.
Using legacy rules-based systems to detect incidents of market abuse, a bank first needs to identify the various actions an employee might make to undertake each kind of abuse it is required to protect against, and then configure its surveillance systems to recognise them. Programming systems to recognise genuine red flags in every language or colloquialism in use at a global bank is almost impossible and lexicon-based methods of detection are easily defeated by the use of code.
“You get an awful lot of noise and it’s enormously expensive to configure this for every asset class in every jurisdiction for every relevant employee,” Lovell says. “What I needed was a more sophisticated way of detection.”
Must work together
The first step was to better integrate HSBC’s surveillance – a journey that many banks are now on. Lessons learned at government level have been invaluable here, Lovell says.
Before 2001’s 9/11 terror attacks in the US and the 7/7 bombings in London four years later, police and intelligence agencies tended to approach detection and surveillance in a disjointed way, with different agencies and teams monitoring emails, voice calls and CCTV. Afterwards, however, they realised that to identify bad actors and bad behaviour quickly, it was essential to integrate these activities and related data to gain as close to a single picture of individuals as possible.
At a bank, the same approach may involve organising surveillance teams by asset class so that data scientists, voice communication specialists and former traders, for example, work side by side in a team. That should make it easier to draw together what a person is trading, saying and writing at a specific time with other behavioural characteristics drawn from external systems, and to understand their significance, Lovell argues.
Given the legacy technology challenges that many banks face – with growth through acquisition meaning different sets of data are often stored in different ways in different places – consolidating data in this way is not easy, although cloud technology is becoming part of the solution, he says.
Deeper look at outliers
The next step in HSBC’s transformation plan has been to ramp up its analytical capabilities. Once multiple pieces of the puzzle have been rolled together in one place, sophisticated trade surveillance detection systems can be used to attach a risk score, or ranking, to each and then look for correlations. These can alert surveillance officers to incidents or patterns that warrant deep-dive analysis and investigation, Lovell says. That same data can be used to better understand normal behaviour and – crucially – to flag outliers.
One area that offers fertile ground for identifying outliers is communications surveillance. Historically, it has mostly been used to detect ill-intent, helping government agencies and now banks intercept plans before they can be actioned.
The rapid growth in encrypted messaging platforms has made this more difficult. However, even without access to the content of messages, metadata related to their frequency, timing, length or target audience will in the future become a useful source of outlier alerts as part of an integrated surveillance system, he predicts.
“If somebody normally sends an average of X number of emails a day to Y number of copy addressees, and then in advance of a benchmark event suddenly they are including many fewer or no copy addressees – and they are very much peaking on sending to one particular person – you might have some indication of collusion going on,” he notes.
Collection, correlation and analysis of such metadata is theoretically very easy to automate at enormous scale. “It’s an area where an awful lot of work has been done by governments and practically none I think by banks, although I want to,” says Lovell. “It would be a useful signal to add to all the other signals in this integrated picture, and it’s one more question that an inquisitive surveillance officer can ask.”
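The kind of metadata check described above can be sketched as follows. This is an added example, not HSBC's system or code from the article: it baselines each sender's copy-addressee usage and recipient concentration, then flags days before an event where copies collapse and one recipient dominates. The sender names, record layout, thresholds and sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample metadata only (no message content). Each record is
# (day, sender, primary recipient, number of cc addressees). Names are hypothetical.
def build_sample():
    rows, peers = [], ["ops", "risk", "sales", "desk_b"]
    for day in range(1, 11):                       # baseline: days 1-10
        for i in range(8):
            for sender in ("trader_a", "trader_b"):
                rows.append((day, sender, peers[(day + i) % 4], 3 + (i + day) % 2))
    for day in range(11, 14):                      # days ahead of the benchmark event
        for i in range(8):
            # trader_a drops all copy addressees and concentrates on one contact
            rows.append((day, "trader_a", "ext_x" if i < 7 else "ops", 0))
            rows.append((day, "trader_b", peers[(day + i) % 4], 3 + (i + day) % 2))
    return rows

def daily_features(rows):
    """Per (sender, day): mean cc count and share of mail sent to the top recipient."""
    grouped = defaultdict(list)
    for day, sender, to, cc in rows:
        grouped[(sender, day)].append((to, cc))
    feats = {}
    for key, msgs in grouped.items():
        top = Counter(to for to, _ in msgs).most_common(1)[0][1]
        feats[key] = (mean(cc for _, cc in msgs), top / len(msgs))
    return feats

def zscore(value, history, floor=0.05):
    # Floor the spread so a perfectly regular baseline does not divide by zero.
    return (value - mean(history)) / max(pstdev(history), floor)

def flag_outliers(rows, baseline_days, watch_days, threshold=3.0):
    """Flag sender-days where cc usage collapses AND one recipient dominates."""
    feats = daily_features(rows)
    alerts = []
    for sender in sorted({s for s, _ in feats}):
        base = [feats[(sender, d)] for d in baseline_days if (sender, d) in feats]
        if len(base) < 5:            # too little history to define "normal"
            continue
        cc_hist, share_hist = zip(*base)
        for d in watch_days:
            cc, share = feats.get((sender, d), (None, None))
            if cc is None:
                continue
            if zscore(cc, cc_hist) <= -threshold and zscore(share, share_hist) >= threshold:
                alerts.append((sender, d))
    return alerts

if __name__ == "__main__":
    print(flag_outliers(build_sample(), range(1, 11), range(11, 14)))
```

Requiring both signals together keeps the alert tied to the pattern Lovell describes rather than to a quiet day or a single busy thread, and the result is one input for an officer to weigh alongside trade and voice data.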
It’s important in banking surveillance to be mindful that the populations being targeted are “radically different” from those targeted by governments, Lovell stresses. Far from being terrorists, the vast majority of traders that are flagged for further investigation are not even criminals.
“Maybe they’ve broken some regulation, but more often than not it’s because they weren’t properly trained or they were under pressure and forgot,” he notes. “There are benign explanations for most of the things we detect – but nonetheless, we need to be able to detect them.”