David Dixon, Managing director of global solutions, Norkom
John Flynn, Group financial crime director, Aviva
James H. Freis, Jr, Director, Financial Crimes Enforcement Network (FinCEN)
Fraud and financial crime are the number-one generator of operational risk losses for financial services firms and, during times of economic crisis, incidences of fraud increase fourfold. Uncertain market conditions can often drive some employees to perpetrate fraud to maintain a certain standard of living, while professional fraudsters can take advantage of the turmoil to attack banks and businesses when they are more vulnerable. In times when capital is at a premium, firms are often pressured to cut operational costs, which can leave them open to increasing fraud attacks.
Fraudsters employ very sophisticated methods and quickly adapt to shifting control environments. Banks and financial services firms need to stop regarding their fraud control systems as proprietary information to be used as a key selling point, and to work together with regulators to halt financial crime on a worldwide basis to help stop displacement. Within financial institutions, an enterprise-wide approach to fraud management can stop displacement occurring within a single firm, which can often occur in global banking groups. Although regulatory requirements in the UK and the US have prompted firms to begin to take a more integrated approach, there is still a way to go.
How have the financial crisis and the changed market environment affected fraud levels and fraud management at financial institutions?
John Flynn, Aviva: Many commentators have reported that there has been an overall increase in the number of cases of detected fraud. Research conducted by KPMG under their annual fraud barometer demonstrates that the number of cases and the value of fraud brought before the courts have significantly increased. Fraud is influenced by a number of factors, with opportunity and rationale being two of the main drivers. The opportunity to commit fraud will always be present; organisations need to balance the risk of fraud occurring against the controls that may prevent and detect the fraud. However, this needs to be commercially viable – a control that prevents fraud but costs more than the fraud itself is not effective.
The rationale to commit fraud can be driven by a number of factors; individually the maintenance of one’s lifestyle is a powerful incentive to maintain one’s position and prestige.
From an organisational perspective, in difficult times, the reduction of operational costs becomes paramount; however, there are several consequences. First, employees become fearful as to their position and there is a loss of trust within the firm. The greater level of vulnerability a person feels may increase their level of resentment towards the firm, and this resentment may manifest in creating a sense of justification to commit fraud. There is a converse effect in that those left behind after redundancy may feel aggrieved that they are now undertaking multiple roles, which may also lead to the sense of mistreatment and thus may lead to fraud as they feel that they are not being properly remunerated.
David Dixon, Norkom: During the financial crisis, fraud attack levels increased significantly, but even more damaging was the fact that the crisis caused many financial institutions to ‘pause’ their investments in fraud management solutions. So fraudsters were escalating their activities at a time when the financial institutions were at their most vulnerable, resulting in increased losses. A ‘catch-up’ phase is now kicking in, resulting in increased activity in the procurement of financial crime technology solutions across all regions in an effort to enhance defences.
James H. Freis, Jr, Financial Crimes Enforcement Network (FinCEN): Two developments come to mind in light of the financial crisis and how financial institutions’ fraud management has been affected. First – and more broadly – financial institutions, having become keenly aware of fraud, have focused on spotting red flags at their institutions – activity that would point to potential fraud. During a weaker economy, many firms are looking for ways to minimise losses and the wreckage fraud leaves is one area that has received greater attention.
For instance, we’ve seen an increase in mortgage-related fraud for several years now, and one of the reasons is that people have become more aware of the scams and are reporting them with greater frequency than in prior years, while another reason is that only when a loan has gone bad in the economic downturn has the institution gone back to uncover fraud in the original loan application. FinCEN has released a number of advisories to raise awareness about the types of mortgage foreclosure rescue schemes people need to be made aware of so that they and their companies do not fall victim to promises of a quick or inexpensive remedy during times of financial difficulty.
Second, financial institutions are seeing benefits in leveraging their fraud resources with their anti-money-laundering (AML) efforts and are starting to take advantage of the significant efficiencies available through this leverage.
A corollary to leveraging anti-fraud and AML resources is that nothing should prevent a bank from multi-tasking regulatory tools. That is, using them for both compliance and either cost-reduction or increased profitability.
What are the main areas that firms need to improve to be able to detect and stop fraud on a more timely basis?
Dixon: Three areas are critical to successful fraud risk management: flexible fast fraud detection to find the fraudulent transactions early; mass compromise capability to rapidly identify other compromised cards, customers and accounts; and integrated effective alert/case workflow management to limit losses, protect clients, produce accurate regulatory reports and contain costs. Financial institutions need to collapse the timescale of their fraud response from weeks/days to hours/minutes/seconds. End-to-end speed is the key to addressing fraud risk because it facilitates a focus on the highest-risk fraud events and the movement to proactive fraud loss prevention.
Freis: There’s no magic bullet to stop fraud. Due diligence, careful planning, proper training of employees and commitment from management are all key elements to preventing or minimising fraud.
Financial institutions that are subject to FinCEN’s regulations implementing the US Bank Secrecy Act (BSA) should carefully and in a timely manner prepare and submit a suspicious activity report (SAR), providing as much detail as possible in narrative form. A well-constructed SAR serves law enforcement particularly well as lead information. In addition, one of the advantages of today’s internet technology is the ability to quickly and easily access FinCEN’s publications, which are filled with information and guidance to help mitigate fraud and other illicit activity.
For any financial institution, the cornerstone of prevention is having the appropriate programmes and information available to develop the intelligence for detection. Aggressive action at the earliest stages will make it more difficult for bad actors to engage in fraudulent activity. A complete and correct risk assessment, customer identification programme, and transaction monitoring process can pay for itself through the prevention and detection of fraud committed against the institution.
Flynn: The key issue is one of culture. A company that has the right ethical standards that are part of its DNA and evident from top to bottom within the organisation is better prevention than numerous controls.
Does having a more integrated approach to fraud management within an organisation help manage and mitigate fraud more effectively? How does it work?
Dixon: An integrated approach to fraud management can help financial institutions minimise fraud losses and manage initial and ongoing costs with better fraud risk governance. There is a direct bottom-line benefit to doing this. A Norkom-sponsored survey conducted in September 2009 among 250 global financial institutions illustrated a clear move towards an integrated approach to fraud management. Of those that had commenced integration, 56% of them had experienced substantive reductions in fraud losses, while 63% had also experienced significant reductions in costs. In most instances, financial institutions were either already using or moving towards a multi-year approach to managing their fraud risk programmes, with 77% of respondents expecting to have in place a multi-year fraud management plan within two years. By establishing a robust infrastructure for fraud case management, financial institutions can benefit from more effective fraud risk governance through the provision of timely, accurate information on changes to fraud risks and the effectiveness of fraud controls. This, in turn, puts management teams in a stronger position to effectively manage emerging risks by being able to adjust fraud controls to address the new attack methodologies coming on-stream.
Flynn: Fraud affects all parts of an organisation and, like water, a fraudster will find the weakest point. To have an integrated fraud approach all participants must understand the role that they play in first preventing and second identifying and detecting where fraud has occurred. Communication and education are key components of an anti-fraud strategy aligned with controls that are proportionate to the risk.
Freis: FinCEN has long advocated for an integrated approach to combating fraud as well as money laundering and, more generally, risk management.
For instance, FinCEN’s work in this area illustrates that, while fraud and money laundering are often viewed as separate criminal enterprises, acts of fraud and acts of money laundering are often quite interconnected. Because the financial gain of the fraudulent activity ultimately needs to be integrated into the financial system, money laundering is often a product of fraud.
From a risk management perspective, the information that financial institutions have available and collect to comply with their AML programme requirements mirrors the information they would already gather for anti-fraud purposes. Customer and transactional information used for AML purposes is often the same customer and transactional information needed for fraud investigations. As a result, the resources being spent on fraud detection and prevention within financial institutions may well support the AML programme, and vice versa.
What is more damaging to a firm – internal or external fraud?
Dixon: Damage arising from fraud can mean many things to a financial institution: financial loss, reputational damage, shareholder value destruction or regulatory sanction. Fraud of any type – whether external or internal – has the capacity to negatively impact an institution. It is important to remember that the two are not necessarily mutually exclusive; very often internal fraud, in the form of information compromise, forms an integral part of external fraud. Internal elements to fraud attacks can have a stronger impact in terms of the reputational risk to the financial institution, as it becomes an issue of trust in the financial institution, its services and its people, which can subsequently damage the morale of its entire employee base. However, both external and internal frauds must be managed to industry standards at the very least.
Flynn: Either, depending on the circumstances. External fraud can impact on the value of the brand and customer confidence; internal fraud can damage morale and trust within the company.
Freis: Fraud of any kind hurts a firm. The question may really be what does being defrauded by an external scammer or an insider reveal about a firm’s defences and controls in fighting fraud. A firm could have excellent anti-fraud measures in place to prevent attacks from an external scammer but, without internal controls, the effort is incomplete.
Conversely, internal controls at a firm may be excellent but, without proper awareness and training of management and employees of potential scams and fraud prevention as well as redundancy controls, a company could be exposing itself needlessly to risk and become the victim of illicit activity.
Internal fraud potentially shows a systemic breakdown of internal controls, a challenge that financial institutions must face and remedy. The cost of fraud can be enormous and will be paid for in financial losses and reputation.
As an example, the American Bankers Association 2009 Deposit Account Fraud Survey Report reflects $788 million in card fraud-related losses and $1 billion in cheque fraud-related losses, with 80% of the bank population experiencing a loss in 2008. The Federal Bureau of Investigation’s Internet Crime Complaint Center reported $100 million in automated clearing-house fraud-related losses for 2008, while noting that only one in seven internet-based crimes was reported to law enforcement. Revenue lost to banks because of the need to investigate, document and properly respond to consumer fraud allegations that do not represent a loss event for the bank is not accounted for.
Any banker knows that customers who lose money are not good for business, and may even be tempted to blame the bank for the loss, even to the extent of seeking redress by legal means. Looking at these facts, it is ironic to FinCEN that, while the cost of implementing compliance is calculated to the penny, some banks seem to consider $2 billion in annual losses to fraud as a type of inevitable cost of doing business. A complete and correct risk assessment, customer identification programme and transaction monitoring process can pay for itself in the prevention and detection of identity theft and corporate account hijacking, the accurate evaluation and pricing of new products and services, the discovery of market segments not properly served, and even in leveraging the cost of compliance with non-BSA regulations, such as consumer protection.
What more can firms do to help protect the organisation from internal and external fraud?
Flynn: Firms need to understand their risks, which will differ from company to company depending on their market. Firms need to implement a control framework that is commensurate to their risk assessment and their appetite for risk. Companies have differing appetites for risk and the market that they are in will affect their vulnerability to fraud. The fraud risk varies significantly depending on market, product and geography, but in all instances companies that become complacent and do not regularly review their risk will increase their risk of fraud occurring.
Dixon: To protect their organisation from fraud, firms must:
- Clearly understand their exposure and controls to prevent fraud. They must constantly measure and monitor this to determine, in a timely fashion, if the level of attack has increased and/or the effectiveness of their controls has been compromised.
- Operate a robust infrastructure for fraud case management and effective fraud process execution. Effective integrated case and workflow management speeds up the fraud process, reduces losses and helps identify the point of compromise to assist in preventing losses, while reducing operating and technology costs.
- Introduce flexible and controllable analytics. Fraud, especially the high-risk fraud driven by international criminal organisations, is characterised by constant innovation. Leading financial institutions require analytics that can not only identify known patterns of fraud but also can identify ‘unusual and suspicious activity’ – whether at a card, account, customer, employee, device, network address, merchant or internet service provider. Analytics that can profile in real time across multiple entities and then apply rules, scenarios and models can be managed to yield superior fraud loss results. In an environment with multiple layers of security, fraud analytics should be considered as an extra layer of defence and should be integrated with other authentication and authorisation components.
- Deploy an end-to-end defence capability including the capability to know your employee and third-party provider, identify patterns across multiple channels and product systems, facilitate investigations, speed the identification of compromises with mass compromise analytics and link analysis tools, automate fraud loss interdiction and produce management and regulatory reporting.
Freis: Because of the connection between fraud and money laundering, information sharing in cases of suspected fraud is critical and it is important that financial institutions take advantage of the tools available to share information appropriately. Additionally, it is vital to work as a partner with law enforcement, and in the US with FinCEN, or with your own country’s financial intelligence unit (FIU). Information shared with law enforcement confidentially and through an FIU could provide a lead or tip to initiate or jump-start an investigation.
At FinCEN, we recognise the importance of institutions communicating with each other with respect to illicit activity, which by its very nature will rarely impact only a single institution. To facilitate greater efficiency in this and other industry best practices, FinCEN desires to open the door to such sharing in every way possible that would not ultimately compromise the confidentiality afforded SARs.
To this end, FinCEN has taken steps within the US to promote sharing among affiliates of diverse financial institutions. For instance, FinCEN is working to expand the sharing of SAR information and issued for consultation guidance to ensure that the appropriate affiliated parties – but only those parties – have access to SARs.
We are also working with our international partners to promote better information sharing within components of global financial institutions to better protect themselves and to get better information to government authorities.