Orchestrating the back office of the future: why the human factor is becoming the primary vulnerability

25 Mar 2026
As financial institutions digitalise their back offices, fraud is evolving from technical breaches to human manipulation. What does this shift mean for control, governance and risk in increasingly automated environments?
As financial institutions continue to digitalise their operations, the back office is undergoing a profound transformation. This was the focus of the “Orchestrating the Back Office of the Future” executive dialogue, which brought together actors from across the banking and trade finance ecosystem to reflect on how automation, data and AI are reshaping back-office functions.
Organised in collaboration with Iron Mountain and Conpend, the dialogue explored how institutions can move from fragmented, manual processes towards more integrated and intelligent operations.
Within this broader transformation, one question becomes increasingly important: where does risk sit in a digital back office?
A paradox: stronger systems, growing losses
Financial institutions have invested heavily in securing systems and strengthening controls. Yet global losses from fraud are estimated at around $5 trillion annually, and a significant share of successful attacks involve a human element.
This points to a structural paradox. As technical systems become more robust, fraud does not disappear; it adapts.
Rather than attempting to break systems, fraudsters increasingly operate within them.
From technical “hacks” to social engineering
A key shift highlighted in the discussion is the move from technical attacks to social engineering.
This does not necessarily involve sophisticated hacking. Instead, it relies on:
impersonation,
manipulation of trust,
and the creation of urgency or pressure to trigger action.
In such scenarios, processes are followed correctly. Transactions are approved. Systems function as designed.
The difference lies in intent.
This makes detection significantly more complex. Controls are typically designed to identify incorrect processes, but are less effective when correct processes are used for the wrong purpose.
The human factor as the primary entry point
As highlighted during the session, between 70% and 90% of successful attacks involve a human element.
This shifts the focus from systems to behaviour.
Fraud today often emerges in situations where:
decisions are taken under time pressure,
authority is not challenged,
or a request appears credible enough to bypass verification.
These are not technical failures. They are organisational and behavioural vulnerabilities.
Importantly, this also means that fraud is not always external. Insider actions, mistakes, or misjudgements can play a role, further blurring the line between error and intent.
Technology accelerates both sides
The increasing use of AI adds another layer to this dynamic. While it offers significant opportunities to improve efficiency and detection, it also enables fraudsters to operate faster, at lower cost, and at greater scale.
This creates what can be described as a defender’s dilemma: institutions must continuously adapt, while attackers can rapidly leverage new tools to refine their approach.
Rethinking control in a digital back office
These developments suggest that strengthening systems alone will not be sufficient. As back-office functions become more digital, the main vulnerability is no longer the technology itself, but the interaction between people, processes and systems.
This requires a shift in perspective.
Controls must not only verify whether a process is followed, but also consider:
whether the context is consistent,
whether the request aligns with expected behaviour,
and whether individuals feel able, and responsible, to challenge anomalies.
In practice, this means integrating the human dimension more explicitly into process design, governance and risk management.
A shift in mindset
The evolution of financial crime ultimately challenges a fundamental assumption: that trust can be embedded solely in systems and procedures.
In an increasingly digital environment, trust must be actively managed, across technology, processes and people.
As back offices become more efficient and interconnected, resilience will depend not only on how systems are designed, but on how they are used in practice.
