Wissam Maroun- CAMS Head Of Compliance- BBAC S.A.L

Presentation transcript:

Setting an effective control framework
- Definition of BEC.
- Awareness as a key factor for an effective control environment.
- Identify critical products/services and set the necessary control measures.
- Lessons learned.

Business E-mail Compromise (BEC)
BEC schemes target financial institutions' commercial customers. Criminals seek to (type, followed by typology):
- Bank Email Compromise (BEC1): Impersonate a financial institution's commercial customer to instruct fraudulent transactions from the FI.
- Bank Email Compromise (BEC2): Impersonate a financial institution's executive to instruct fraudulent transactions from the FI's branches/departments.
- Bank Email Compromise (BEC3): Impersonate a financial institution's executive in order to request personal or account information from the financial institution's commercial customer.
- Company Email Compromise (CEC1): Impersonate a supplier to instruct fraudulent transactions from the FI's commercial customer.
- Company Email Compromise (CEC2): Impersonate a financial institution's commercial customer to instruct fraudulent transactions from their clients.
- Company Email Compromise (CEC3): Impersonate an executive of the financial institution's commercial customer to instruct fraudulent transactions from the FI's branches/departments.

Awareness Program
- Employees.
- Customers.

Staff Awareness
- Recruitment policy.
- Maintaining an effective Code of Conduct:
  - Banking secrecy.
  - Fighting financial crimes (not to facilitate, not to be involved, report).
  - Access rights and unauthorized access.
  - Transparency (customers, colleagues, third parties).
  - Data privacy and confidentiality.
  - Whistleblowing.
  - Incident reporting.
  - Disciplinary measures.

Staff Awareness
- Establishing an effective training program:
  - New employees vs. key personnel.
  - Evolving risks.
  - Red flags (Cybercrimes prevention guide for the financial sector).
  - Staff rotation.

Staff Awareness
Red flags:
- Customer/senior manager sending instructions by e-mail, or limiting communication to e-mail.
- Online banking/e-mail instructions to process transfers from savings/dormant accounts.
- E-mailed transaction instructions direct payment to a known beneficiary, but the beneficiary's account information differs from what was previously used (e.g. a different IBAN or country).
- E-mailed transaction instructions are delivered in a way that gives the FI limited time or opportunity to confirm the authenticity of the requested transaction, or that include markings, assertions or language designating the request as "Urgent", "Secret" or "Confidential".
- Customer requesting by e-mail, online banking or phone to change his phone number or to cancel the SMS service.
- Customer refraining from answering the security questions during the identity validation call.
- Customer requesting a sudden change to the name/account number of the beneficiary of an outgoing transfer.
- Transfer request (by e-mail or online banking) where neither the purpose of the transaction nor the relationship with the beneficiary is clear.
- A wire transfer received for credit into an account names a beneficiary who is not the account holder of record.
- E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.

Customers Awareness
- Customer's rights and obligations:
  - Critical products and services and related risks.
  - Red flags (Cybercrimes prevention guide for the non-financial sector).
  - Reporting.

Control Procedures: Preventive Measures
Process, followed by the implemented control:
- On-boarding: Properly communicate risks to the customer. Implement prior EDD (enhanced due diligence) on the customer's main expected activities (transactions with major customers, suppliers, other third parties). Maintain an electronic database of the collected information.
- On-going: Ensure transactions comply with the implemented EDD. Update EDD measures when necessary.
- Online banking: Pre-approved transfers list. Prior EDD. Transaction validation.
- E-mail instructions: Refrain from accepting transaction requests or providing financial information. Refer the customer to online banking. Forward, don't reply. Validate the request.
- Phone validation: Always ask the identity validation question. Ask the customer to restate the request instead of confirming it. Ensure calls are recorded. Review calls.
- Credit cards: Implement Visa/MC guidelines.
- Wire transfers: Include alerts in the transfer request. Maintain an updated blacklist of suspicious names (banks, customers, IBANs) in the SWIFT screening tool. Request the customer to validate the transaction with the beneficiary prior to execution. Enable the SMS service; acquire a signed confirmation of the transaction.

Transfer request: alert questions
Ask the customer to confirm:
1. Whether he has previously performed any transaction with the beneficiary party.
2. Whether the previous transactions with the same beneficiary party were made to the same IBAN.
3. If the answer to either of the above questions is no, whether he validated the transaction with the beneficiary party through a method other than e-mail.
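The red flags listed for staff and the three alert questions above can be turned into a screening rule that runs before a transfer is released. The following is an added example, not code from the presentation or from BBAC; the request fields, the constructed HISTORY table of previously used IBANs and the decision labels are assumptions of this example.

```python
# Added example (not from the presentation): screens one transfer request against
# the slide's red flags and the three alert questions. Field names, the HISTORY
# table and the decision labels are assumptions of this example.
import re
from dataclasses import dataclass

URGENCY = re.compile(r"\b(urgent|secret|confidential)\b", re.IGNORECASE)

# Constructed history: for each beneficiary, the IBANs this customer used before.
HISTORY = {"ACME Supplies": {"LB00EXAMPLE0000000000001"}}

@dataclass
class TransferRequest:
    channel: str               # "email", "online_banking" or "branch"
    beneficiary: str
    iban: str
    source_account: str        # "current", "savings" or "dormant"
    purpose: str = ""          # stated purpose / relationship with the beneficiary
    message: str = ""          # free text of the instruction
    validated_out_of_band: bool = False  # question 3: confirmed with beneficiary other than by e-mail

def screen(req, history=HISTORY):
    """Return (red_flags, decision) for one request."""
    flags = []
    known_ibans = history.get(req.beneficiary)                        # question 1
    same_iban = known_ibans is not None and req.iban in known_ibans   # question 2
    if req.channel == "email":
        flags.append("instructions sent by e-mail")
    if req.channel in ("email", "online_banking") and req.source_account in ("savings", "dormant"):
        flags.append("transfer from savings/dormant account via e-mail or online banking")
    if known_ibans is None:
        flags.append("no previous transaction with this beneficiary")
    elif not same_iban:
        flags.append("known beneficiary but different IBAN than previously used")
    if URGENCY.search(req.message):
        flags.append("request marked urgent/secret/confidential")
    if not req.purpose.strip():
        flags.append("purpose of transaction or relationship with beneficiary unclear")
    # E-mail instructions are never executed on their own (refer to online banking
    # and validate by phone); a new beneficiary or IBAN must have been confirmed
    # through a channel other than e-mail (question 3) before release.
    if req.channel == "email" or (not same_iban and not req.validated_out_of_band):
        decision = "hold: phone validation required"
    elif flags:
        decision = "review"
    else:
        decision = "proceed"
    return flags, decision
```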

Lessons Learned
- Incident reporting.
- Revisiting our controls.
- Communication and training.

Thank you!