Big Data Analytics and Big Money Fraud Litigation · 2019-06-04
Big Data Analytics and Big Money Fraud Litigation
CPE PIN Code: PMCY
David Debenham
McMillan LLP | Vancouver | Calgary | Toronto | Ottawa | Montréal | Hong Kong | mcmillan.ca
David Debenham
BA, J.D., LL.M (Ottawa), LLM (York), MBA, MSC (Fraud & Forensics), D.I.F.A., CMA, C.P.E., C.F.E.
BIG DATA ANALYTICS AND BIG MONEY FRAUD LITIGATION
TRACK F Wednesday, June 15, 2016 – 27th Annual ACFE Global Fraud Conference
June 12–17, 2016
ARIA/Las Vegas
Ottawa – Canada’s Capital
Skating to Work in the Winter
About the Speaker
David Debenham, J.D., MSc, MBA, LLM, CPA, CFF
Co-Chair, Supreme Court of Canada Practice Group
Partner in Ottawa office of McMillan LLP
McMillan LLP, one of Canada’s largest law firms, with offices across Canada and in Hong Kong
A trial and appellate lawyer and forensic accountant
Author of “The Law of Fraud and the Forensic Investigator” (Carswell 1-800-387-5164)
Masters in Science (Fraud and Forensics)
Agenda
1. Big Data Analytics (“BDA”)
• Real-Time Big Data Architectures
2. Liability to Third Parties
3. Constructive Knowledge
4. Emerging Case Law
5. What does it mean for financial institutions and Security Professionals?
Big Data Analytics: What Is It?
Structured and unstructured data
Meets statistical techniques
To identify customer behavior
With machine learning allowing for “better judgments” over time
BDA in a Nutshell
Analyze all the data (not sampling)
In real time
Big Data Analytics and Fraud
With greater knowledge comes greater responsibility, including legal responsibility.
Fraud Red Flag | Data Source
Living Beyond Means/Financial Difficulties | Credit (EQUIFAX); PPSA Search
Close Association with Vendors/Customers | Address Correlation; Social Media Association (Spokeo)
Divorce/Family Problems – Past Legal Problems | Court Records
Authentication vs. Behavioral Analytics
Authentication:
• Encryption
• Tokenization
• EMV (Smart) Chips
• P.I.N. vs. “Card-Not-Present Fraud”
Customer High Risk Profiling – Behavioral Analytics:
• High-Risk Transaction
• Out of Character
• Customer Behavior (where, when, what they buy)
Authentication vs. Behavioral Metrics
“Studying the cardholders' behavior and looking for deviations [is] a much more effective method of keeping fraud in check than using authentication methods, which the crooks could find ways around.”
- R. Subramanian, Bank Fraud 5 (2014) -
Behavioral Metrics – High-Risk Transactions
At night
Series of small dollar charges first
Away from human eyes
Speedy huge transactions (jewelry, electronic goods)
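The red flags on this slide expressed as a rule over a per-card transaction stream. This is an added example, not part of the original presentation; the thresholds, field names, the two-flag alert minimum and the reading of "away from human eyes" as card-not-present are assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the slides); tune against your own data.
NIGHT_HOURS = range(0, 6)            # 00:00-05:59 local time
SMALL_AMOUNT = 5.00                  # "small dollar" probe charge
LARGE_AMOUNT = 1000.00               # "huge" purchase
MIN_PROBES = 3                       # how many small charges make a "series"
WINDOW = timedelta(minutes=30)       # "speedy": probes shortly before the big charge
RISKY_CATEGORIES = {"jewelry", "electronics"}
MIN_FLAGS = 2                        # assumption: one flag alone does not alert

def flag_transactions(txns):
    """Return [(txn_id, [reasons])] for large charges showing >= MIN_FLAGS red flags."""
    alerts, history_by_card = [], {}
    for t in sorted(txns, key=lambda x: x["ts"]):
        history = history_by_card.setdefault(t["card"], [])
        if t["amount"] >= LARGE_AMOUNT:
            reasons = []
            # Small charges on the same card inside the look-back window.
            probes = [h for h in history
                      if h["amount"] <= SMALL_AMOUNT and t["ts"] - h["ts"] <= WINDOW]
            if len(probes) >= MIN_PROBES:
                reasons.append("small-charge series first")
            if t["ts"].hour in NIGHT_HOURS:
                reasons.append("at night")
            if not t["card_present"]:
                reasons.append("card not present")
            if t["category"] in RISKY_CATEGORIES:
                reasons.append("high-resale goods")
            if len(reasons) >= MIN_FLAGS:
                alerts.append((t["id"], reasons))
        history.append(t)
    return alerts

def _txn(txn_id, card, ts, amount, category, card_present):
    return {"id": txn_id, "card": card, "ts": datetime.fromisoformat(ts),
            "amount": amount, "category": category, "card_present": card_present}

# Constructed sample data: card A shows the full pattern, card B only one flag.
SAMPLE = [
    _txn("t1", "A", "2016-06-15T02:01:00", 1.00, "digital", False),
    _txn("t2", "A", "2016-06-15T02:03:00", 2.50, "digital", False),
    _txn("t3", "A", "2016-06-15T02:05:00", 1.99, "digital", False),
    _txn("t4", "A", "2016-06-15T02:09:00", 4200.00, "jewelry", False),
    _txn("t5", "B", "2016-06-15T14:30:00", 1500.00, "electronics", True),
    _txn("t6", "B", "2016-06-15T14:45:00", 3.25, "coffee", True),
]

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE):
        print(txn_id, "->", ", ".join(reasons))
```

Card B's daytime, in-person electronics purchase matches a single flag and is not alerted, which is the kind of trade-off between false positives and missed fraud the later slides discuss.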
Behavioural Metrics - Judgments About the Customer
Is this the customer or an impersonator?
BDA red flags
Website log-in from suspicious location
Password typed in at a steady (robotic) rate
Customer purchasing volume or items out of character (e.g., Amazon profile from cookies)
Items purchased via suspicious means
Items purchased being sent to suspicious location
Big Data Analytics − First Principles
Information is a significant corporate asset.
Data sources are exploding exponentially, both within and outside the organization.
Cost of converting data into information is falling rapidly due to Moore’s law.
Algorithms can imperfectly translate structured and unstructured data into information based on probability theory.
Where is the judgment about the customer really being made?
Data Miner | Statistician | Management
What Is Fraud?
Is that a dog or a lion?
What is the context?
At a Zoo?
On a sidewalk?
Common sense, not law, requires that in deciding if fraud has occurred, regard should be had to the inherent probabilities of the situation. There can be no rule of law imposing any particular formula for its determination.
Big Data Analytics:
Businesses endlessly accumulate data and create information from them as Moore’s law reduces the cost of data and information processing.
Auditor-led policies to ensure “internal processes and procedures are in place to ensure the appropriateness, completeness, and accuracy of the data” ensure that information becomes more reliable.
The more reliable the information, the greater the legal obligation to warn others.
Approximately Right, Exactly Wrong!
A method that is 99% right has 10,000 false positives in a million. You do not know which 10,000 were wrongfully accused until the Class Action Certification hearing.
C-Suite Attitudes
1. The greatest concern is hindering user experience—customers moving accounts.
2. Fraud losses are presently within acceptable limits.
RESULTS
Bias in Favour of Inaction
Customer
Inaction
Interfere with Model
• In Favour of Doing Nothing with True Positives
What Happens?
BDA − sources from outside the org.—Social media reports on fraud allegations against one of your customers. How do you process this? Since it is public, do you have to disclose? What if your internal BDA substantiates social media public sources?
Unstructured data analysis suggests that your sub-prime mortgage portfolio is likely full of non-performing mortgages. Is this a latent defect requiring disclosure to a vendor? Is it a patent defect that does not? What if it is only your analytics that drew this conclusion, and not others?
Analytics disclose that a customer’s business is failing. Do you call the loan and trigger the failure of the business? Do you sell the loan and let others suffer the loss without warning the buyer? Can you sell the loan without disclosing the risk factors to regulators or the purchaser?
What if someone in the marketing department analyzes data that suggests a fraud? Can they recognize the red flags of fraud? Is the entire organization deemed to have their knowledge so the company must warn non-customers?
What if the data supports more than one conclusion? What percentage of probability equals constructive knowledge? What if you misinterpret the data and are too late or too early in concluding that fraudulent activity is “probably” taking place?
Liability to Third Parties
Financial institutions can be liable to third parties for either:
Taking assets that they know belong to others—seizing embezzled funds in customer’s account (knowing receipt)
Participating in fraud
• Example: “knowingly assisting” in fraud for embezzlement cases where the account is left open and embezzlement continues
Knowing Receipt (conversion)
If the customer deposits several cheques payable to the customer “in trust” into her personal account, does the bank know that the customer is breaching her trust obligations by commingling personal and trust funds? Are the deposits themselves “some knowledge” of wrongdoing?
Does the bank have (a) actual knowledge of an irregularity such that (b) a reasonable banker would investigate further to confirm or dispel a reasonable suspicion of fraud?
Knowing Assistance (Aiding and Abetting)
Actual knowledge of fraudulent activity and bank’s continued facilitation of that activity after knowledge of fraud
Actual knowledge includes willful blindness and recklessness, but
Constructive knowledge is not sufficient (unlike knowing receipt)
What Does “Knowing” Mean in the World of Data?
Did the Bank have “constructive” knowledge of the use of the bank’s facilities for a fraudulent purpose?
Did the bank’s internal controls signal “red flags” in relation to the irregularities in the use of the account?
If so, did the bank act on these red flags? Did the bank act on data analysis to protect itself?
If so, shouldn’t it have shared that information to protect others at risk?
Dynasty Furniture v. TD Bank
Stanford International Bank (SIB) sells CD = Ponzi scheme
TD is SIB’s Correspondent Bank
• Did not understand SIB business
• Collected fees for services SIB could do itself (fee to lend credibility to scheme?)
• Knew SIB was under SEC investigation
• Unusual circulation of funds between SIB and TD
• SIB publicly stigmatized as Ponzi scheme
• TD audit called for investigation of SIB
• TD management knew something “not quite right” at SIB and were “getting nervous”
Semac Industries Ltd. v. 1131426 Ontario Ltd.
Facts (lots of dishonoured cheques—p.i. alleging fraud—customer purchasing items and then countermanding payment cheques)
What is constructive knowledge?
• Actual knowledge: “I knew.”
• Willful blindness: “I knew what I would find, so I closed my eyes so I would not find it.”
• Recklessness: “I knew it was likely, but I really did not care one way or the other.”
• Constructive knowledge: “I did not know for sure, but I knew enough that a reasonable person would have known.”
• Negligence: “I did not know, but I had an obligation to take reasonable steps to investigate, and if I had taken those reasonable steps, I would have known.”
Dupont Heating & Air Conditioning Ltd. v. Bank of Montreal
Facts: The plaintiff employer alleged that the Bank of Nova Scotia breached its “Know Your Customer” policy and its obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
The court held that a bank may owe a duty of care to detect “indications of fraud in its own customer’s account”, and found the record was not clear whether sufficient “suspicious circumstances” existed to hold the bank liable.
Frequency of deposits
Withdrawal after each deposit
Benson v. J.P. Morgan
Customer selling CDs
Customer not licensed to sell CDs
Money going into personal accounts instead of buying CDs
Cheques stated on their face they were to buy CDs
Bank’s “conscious avoidance” of facts that would have led to fraud is the same as actual knowledge of fraud, and continued use of banking facilities was aiding and abetting fraud
Koss Corp v. American Express Company
Facts: Credit card company “knew” CFO was abusing corporate account—took 9 months to report to CEO.
A bank or credit card company cannot simply ignore defalcations about which it is actually or “constructively” aware.
The bank or credit card company may be liable for aiding and abetting the fraud or knowing assistance in the breach of fiduciary duty by its customer.
Bank of Montreal v. Bank of Nova Scotia
When one of its customers undertakes transactions that the reasonable banker in the circumstances would consider to be suspicious, the bank must take appropriate measures to remove the suspicions in order to prevent misdealing in the account that would harm third parties.
Failure to take such measures could result in liability.
Bank of Montreal v. Bank of Nova Scotia (Cont’d)
Facts:
Kiting scheme
The Bank of Montreal decided to:
1. Stop the BMO money from going out
2. Keep the money of the Bank of Nova Scotia coming in
[Diagram: Bank of Montreal credit card; Bank of Nova Scotia credit card]
Consequently, the Bank of Nova Scotia lost $12 million without BMO breaking the clearing rules.
What About Customer Privacy?
The duty of confidentiality owed by a bank to its customer is not an absolute one. A bank can disclose customer information (1) to the extent necessary to protect the bank’s own interests, either against the customer or third parties; or (2) to protect the bank, person’s interest, or the public against fraud or crime. “It is inconceivable that an honest banker would ever be willing to do business on terms obliging the bank to remain silent in order to facilitate its customers in deceiving a third party.”
Grossman v. The Toronto-Dominion Bank, 2014 ONSC 3578 (CanLII).
Summary
1. Generally, a bank doesn’t owe a duty of care to third parties in dealing with its clients’ accounts.
2. The bank is not deemed to have knowledge of all banking transactions in all accounts that it maintains for its customers.
3. Further, banks have a duty to take steps to prevent such a fraud when the bank has knowledge of facts that establish a “clear probability” of fraud. That involves actual knowledge of facts that lead to reasonable suspicions of fraud.
4. Reasonable suspicions must be investigated and either proven or dispelled.
Summary (Cont’d)
5. The bank doesn’t have a duty of care to have knowledge about all banking activities of its customers or to be aware of all suspicious activities. Banks are not required to keep their clients’ accounts under surveillance or to keep a watchful eye for potential fraud or for suspicious transactions.
6. Banks don’t have a duty to investigate their customers unless suspicious circumstances would require a reasonable person to do so.
Duty to Investigate
In the future, when BDA is the standard in your industry/required to meet money laundering regulations, a failure to conduct audits of customers could be negligent. Conduct is negligent if it creates an objectively unreasonable risk of harm. To avoid liability, a person must exercise the standard of care that would be expected of an ordinary, reasonable, and prudent person in the same circumstances. The measure of what is reasonable depends on the facts of each case, including the likelihood of a known or foreseeable harm, the gravity of that harm, and the burden or cost that would be incurred to prevent the injury. In addition, one can look to external indicators of reasonable conduct, such as custom, industry practice, and statutory or regulatory standards.
Will banks ever have a duty to investigate even in the absence of suspicious circumstances?
Data Analytics − Fraud Prevention, Detection, and Beyond
Data centric business model
Opportunities to drive broader enterprise value through data analytics
Deloitte LLP, Ontario Lottery and Gaming Corporation, A data analytic review of lottery transactions (January 26, 2009) reported in “RE Ontario Lottery and Gaming Corporation (Re), 2009 CanLII 43355 (ON IPC)”
Risks
1. False Positive
There is no fraud, you allege one—defamation, inducing breach of contract.
2. False Negative
There is a fraud and you missed it = “negligence”—no liability for negligence to non-customers so far.
3. True Positive
There was a fraud and BDA found it—did you alert non-customers in time?
What Does It Mean?
Duty to client and customer
Duty to others based on constructive knowledge
What does it mean for financial institutions and Security Professionals?
Debenham's Dilemmas and the 3 Vs
1. Can your BDA identify the infinite VARIETY of frauds?
2. Can your BDA report the fraud in real time? VELOCITY
3. Can your BDA rank the fraud victims in a socially responsible way? VOLUME (vulnerability of victims, size and number of frauds, privacy concerns)
Per Deloitte LLP (2015)
Legal Critique of BDA
1. Is the data right/right form for algorithms?
2. Is data being weighted based on their availability rather than relevance?
3. Is the data valuable enough/sufficient to warrant the conclusion rendered?
4. What conclusions do other BDA methods reach?
5. BDA gives an answer, not THE answer. (Who makes the call?)
6. BDA involves the intuition/common sense/judgment of the data analyst.
7. When is the data "conclusive"?
Watergate Question
What did your organization know, and when did it know it?
Whose knowledge counts within your organization?
In a world of probability, when do you "know" anything?
Is crying “fraud” too early as harmful as sounding the alarm too late?
Takeaways for You and Your Organization
Duty to client-privacy vs. Duty to disclose based on constructive knowledge (Where is the tipping point in your organization?)
Can you set the tipping point—policy/contract? Bright line or judgment call?
Does machine knowledge = constructive knowledge of the institution?
Is “constructive” knowledge of subordinates constructive knowledge of the institution?
How much time for “professional judgment” will the law allow?
What are the consequences of “false positives”—crying wolf—and “false negatives”—failing to cry foul in a timely way in your organization? Have you analyzed this?
Questions
David Debenham
Co-Chair of the Supreme Court of Canada Group
T: 613.691.6109
McMillan offices
Vancouver
Royal Centre, 1055 West Georgia Street Suite 1500, PO Box 11117 Vancouver, British Columbia Canada V6E 4N7 t: 604.689.9111
Calgary
TD Canada Trust Tower, Suite 1700 421 7th Avenue S.W. Calgary, Alberta Canada T2P 4K9 t: 403.531.4700
Toronto
Brookfield Place, Suite 4400 181 Bay Street Toronto, Ontario Canada M5J 2T3 t: 416.865.7000
Ottawa
World Exchange Plaza 45 O'Connor Street, Suite 2000 Ottawa, Ontario Canada K1P 1A4 t: 613.232.7171
Montréal
1000 Sherbrooke Street West Suite 2700 Montréal, QC Canada H3A 3G4 t: 514.987.5000
Hong Kong
3502 Tower 2 Lippo Centre 89 Queensway Hong Kong, China t: 852.3101.0213