How, why and when did you join MI5?
I went to university in Bristol and read Classics, which didn’t set me on a clear vocation path, so I started to look around and ended up joining MI5 in 1980 as a junior desk officer.
In those days, it wasn’t an area you could choose to go into because there was no public profile. People weren’t even sure it existed. I subsequently found out anyone who did make an effort to be recruited would be viewed with deep suspicion.
However, there was a brief moment of openness where they were advertising for analysts to join the Ministry of Defence. I didn’t know what that entailed, but the brochure description looked appealing.
The application process was quite long, including a preliminary interview to make sure I was a plausible candidate, then a two-day selection process with exercises (how you’d behave if given a brief, psychologist’s interview etc). Subsequently, I went before a final selection board - which I later found out consisted of senior members of the service - to make sure they were comfortable with me and fit for the environment. Plus there was a security vetting process.
What roles did you have?
At the beginning I was working on a desk during the Cold War period. My first assignment was with the Bulgarian Intelligence Service in London, a couple of years after the killing of Georgi Markov by a poisonous umbrella. I carried on in the counter espionage side for a couple more years before being promoted and working in counter terrorism from 1987, which became a mainstay of my subsequent work.
I ran agents against Irish terrorist groups who were willing to provide information about threats to the UK. It was fascinating getting to understand the environment and stresses involved.
I also spent time as the secretary of the management board of MI5, supporting the board, writing the minutes etc. This gave me a great insight into what makes the senior officers tick, relationships with government, resources used, and ways you run an organisation.
Then in 1999, I was sent by the director general, Stephen Lander, to be the head of Investigations on international terrorism (effectively al-Qaeda) in the period before 9/11. This was at a time when we were expanding that area of work.
Two years later on 1 September 2001, I was appointed as the director responsible for our work on al-Qaeda and similar groups. Of course, 10 days later, an event happened that changed all our lives.
Was there huge pressure on your shoulders when 9/11 happened?
It was a very busy time. I was working all hours. But the good thing about the service is it has a very supportive culture. Five years later I went on to become the number two to Baroness Manningham-Buller, and therefore in charge of all the operations in the service, not just terrorism, but counter espionage and so on.
I was in that role when the 7 July 2005 bombings happened in London. That and the 21 July attacks two weeks later were clearly low points.
When the 7 July bombing happened, initially it was unclear exactly what was going on. The fog of war came down. Was this a mechanical malfunction or something more sinister? The information seeped out throughout the morning that this was an attack. Then the system kicks in. You have to think: what is happening operationally? What resources do we have on the ground? What deployments do we need to make? How do we keep government informed? So you go into an operational response mode. It’s only when you reflect on it afterwards that you see it in a wider context.
Then there was the 2006 liquid bomb plot, which had it been successful would have killed more people than 9/11. But working with the other agencies, police and foreign partners it was stopped. That was a massive blow to the al-Qaeda machine, which put us back on the initiative again after a difficult period.
Digital technology has had a huge impact on terrorist activities since, hasn’t it? (For example, terrorists and financial criminals hiding behind encrypted messaging services like WhatsApp.)
There are parallel interests here. As far as possible, the authorities keep people safe by monitoring and understanding the activities of people who are trying to blow us up. That argues for access to digital communications when appropriate and with legal safeguards. But on the other hand there is a very clear public interest in ensuring there is good cyber security and encryption to ensure people (and businesses) can use the internet securely.
I’m not personally a believer in systemic weakening of encryption because the cost in terms of impact on cyber security would be counterproductive. On the other hand there needs to be closer collaboration and dialogue between providers of digital communications and authorities when there’s a requirement to intercept.
Is cyber crime one of the UK’s greatest threats?
Yes, partly because all sorts of more traditional threats have become cyber threats. We’ve seen that clearly with Russia – with state interference and political activities in the West. We need to ensure we have a greater ability to protect ourselves in the cyber domain.
When and why did you decide to enter the finance world?
When I left MI5 I had options in government, but decided I wanted to understand things from a different perspective. I didn’t want a full time executive role, so decided to build a portfolio of roles in business and the non-profit sector. I was lucky that HSBC, in the wake of its deferred prosecution agreement with the US authorities, was looking to appoint a main board director who would also chair a new committee focused on financial crime issues.
What does your role at HSBC involve?
As chair of the financial system vulnerabilities committee I provide oversight on areas such as financial crime compliance, anti-money laundering sanctions and cyber security. The committee comprises non-executives and advisers who are experts in the field.
One of the key priorities has been making huge strides in our financial crime compliance. The fact that we’ve been under deferred prosecution concentrates the mind. But there has been a lot of effort led by the board to tackle this.
What are your thoughts on the impact of the General Data Protection Regulation, which comes into force in May?
The eye-catching fines of 4% of global annual turnover for non-compliance demonstrate this is a very serious subject. Firms need to demonstrate appropriate governance, report more about cyber attacks, and get the relevant consent from customers and clients on data usage. It will involve a lot of work for large and smaller organisations, particularly meeting standards that perhaps previously they may not have paid so much attention to.
How can technology like AI and machine learning help with compliance?
The traditional compliance model we’ve been working with is quite 1990s. There are opportunities in big data and machine learning to spot activities that require further investigation. It is not just about running through the data to find known risk signatures or typologies, stuff we know is already there, but looking at the overall behaviours in the whole data environment and seeing if there are any anomalies that suggest something going wrong.
What do you make of the banking sector in general? Have banks learnt their lessons?
If you look at what was happening in some banks it was completely unacceptable, in terms of the way the customers and clients were treated and the risks that were being taken. There had to be a regulatory response to that.
Banks are already better capitalized than they were before and there has been greater investment in compliance personnel and regulatory technology. So my belief is we have a safer system, expectations are greater from regulators and customers are being better protected.
What impact has the Senior Managers Regime (SMR) had on your role at HSBC and the broader finance sector?
I’m subject to the SMR. It certainly means there has to be clarity about what is and isn’t your responsibility. The downside is less flexibility in the ability to change roles and adapt to new requirements. But there is now greater clarity on what you’re supposed to deliver whether as a non-executive or an executive. Everything is more explicit rather than implicit.
What does your work for the Public Interest Committee at KPMG involve?
It’s still relatively early in the evolution of public interest committees, but the role is based on the premise that the beneficiaries of an audit are not just those who pay for it, but the wider market.
Our goal is to ensure that audit firms are meeting quality standards, are stable and not taking undue risk. It would not be in the public interest if the Big Four went down to the Big Three because of the Arthur Andersen type implosions.
In practice, we committee members are from a variety of backgrounds, and so we are being used as extra pairs of eyes on issues like senior partner selection, nominations, risk, ethics etc.
How has your MI5 background helped?
I clearly have a good understanding of managing risk. I can also bring my experience of working at HSBC and as a non-executive or adviser at technology firms, to compare and contrast ways of doing things.
What are your top tips for firms handling financial crime compliance?
Be curious. Try and understand what’s going on. Identify that this is a risk issue and not just a compliance issue. You’ll do it better that way. Think about what risks you’re taking on. Understand what your clients are doing and why and get to know them. You’ll then be able to ask the questions like “why are they doing that if they’re this sort of company?” That is when you can get behind the skin of risk and really help your clients meet their ambition.