Employee surveillance: minimising operational risk and fraud through enhanced company-wide monitoring

For financial enterprises, the full scope of the insider fraud threat to banking operations is hard to quantify. This is due both to the variety of threats that fall under the umbrella of employee fraud and to the ripple effect of a single insider fraud attack as it manifests itself in a broad range of risks to the targeted financial institution. For each form of external fraud challenge that financial institutions must defend against, there are numerous ways in which an insider might facilitate and accelerate external fraud attacks.
In addition, there are a number of insider fraud activities that have no direct impact on customers but have a significant negative effect on the financial performance of the institution, including sophisticated attacks on the institution’s assets. And finally, many forms of insider fraud, including data theft, rogue trading and a broad range of policy violations, represent major areas of regulatory and operational risk and are one of the core challenges to the maintenance of a process of effective governance and ethical culture in highly critical parts of banking operations.
Indeed, the scope and impact of the insider or employee fraud problem is complex and far-reaching. Although it is important to understand the problem in all its complexity, if we don’t take a practical approach to the insider threat and to its solution, things are as likely to remain static as if we did nothing at all. Put differently, to provide a business case for developing and extending an employee surveillance programme, to align that programme with an enterprise-wide process of corporate governance, to achieve regulatory compliance and ultimately to reduce fraud losses, an effective programme of governance and employee surveillance must focus on the four greatest practical threats to a financial institution.

The four practical challenges of employee surveillance

1. Protecting customer data

Although embezzlement and violation of bank policy have been a risk for financial institutions for almost as long as they have been in business, the risks associated with customer data are a new challenge for banks. In certain respects, the risk of customer data theft is a by-product of the extraordinary technical advances that financial institutions have made in the way they market to and service their customers. The fact that a customer of a multiline financial institution can call a single call centre representative, who can provide accurate information on account activity across multiple business lines, is a major improvement in the way banks do business; in addition, the constantly improving process of analysing transactional and other data to identify attractive marketing opportunities continues to drive growth across many areas of the finance business. Although these developments are positive with regard to profitability and customer experience, the data infrastructure created to support these new capabilities has put customer data at significant risk. The same customer service representatives who can provide their customers with an account balance and change an address within seconds of a customer’s request can just as easily steal all or part of the customer’s identifying data, including account numbers, national ID numbers, name, address, balances and recent transactions.
The value of this data to a criminal comes not only from the ability to sell it on web-based black markets but ultimately from the ability to convert the data into funds by using it in attacks on accounts at the bank from which it was stolen, and in synthetic identity and application fraud schemes at other institutions. This is perhaps the clearest example of the ripple effect caused by insider fraud: a single point of compromise at an operations centre can negatively affect every aspect of a customer’s financial life, including their relationship with their bank and beyond.
The involvement of organised crime in the data theft business has increased the risks faced by financial institutions. Whereas 12 months ago it was more typical for a single individual to be recruited to steal multiple complete customer records, organised criminals have changed their strategy and now recruit and co-ordinate multiple individuals, each to steal individual components of a customer’s identity, thereby frustrating simpler detection schemes.
The good news is that some of the same modern analytical techniques that have been used effectively in controlling credit card fraud and in mining customer activity for marketing opportunities can be used to identify employees who are interacting with customer accounts in a way that indicates data theft is in progress. Actimize employs a statistical model to identify data thieves early in their attack. For example, by comparing certain specific aspects of an employee’s behavioural patterns to those of their peers, it is possible to identify employees who are exhibiting outlier behaviour in a way that indicates they are engaged in fraud attacks.

2. Reducing false positives

The use of analytics is not only important because it is an effective way to identify employees engaged in some of the newer and more sophisticated frauds, but because of the ability to reduce false positives. One of the greatest challenges introduced by a system of surveilling employees is that, according to explicit regulation in the US and field-level regulatory guidance in the UK and other European countries, financial institutions have an obligation to investigate any evidence of illegal activity by an employee that the audit or security organisation is made aware of. This is one of the core missions of a comprehensive governance process.
The challenge is that many existing automated techniques for surveilling employee behaviour rely on rules. For example, it might seem logical to use a rule against data theft that checks when a bank teller is accessing accounts associated with a branch that is geographically distant from where they work. The problem with this type of rule is that, at low levels of activity, this type of action is so common that such a rule could generate hundreds of false alerts a week simply because of its flexibility. Raising the threshold on this rule to reduce alerts to a manageable level will result in the detection of only the most egregious, least sophisticated cases of data theft and account takeover.
Investigators relying on this type of approach are given two unattractive options: 1) produce too many alerts, thereby overwhelming available staff with false positives and running the risk that a regulator or auditor will object that those alerts have not been completely or thoroughly investigated; or 2) reduce the number of alerts but create a systemic tolerance for a certain level of fraud against financial institution customers. The added regulatory component of this problem ensures that internal investigators face an even tougher challenge than their external fraud counterparts who, for the most part, don’t share that burden.
While scenarios and rules are an important part of an employee surveillance programme, only a system that employs analytical models can resolve the false positive dilemma faced by internal fraud investigators. The peer analysis described in the customer data theft section above can be used to answer the question: “Of all of these employees accessing geographically remote accounts, which ones are doing so in a way that is also unusual for their job types in other ways? Which ones exhibit behaviour that might be changing over time, indicating successful recruitment by a criminal organisation?”
With an analytical solution that is able to answer these questions, investigators can spend more time investigating a smaller number of high-risk employees, resolving the operational, risk and fraud loss challenges inherent in the problem of false positives.
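The rule-versus-peer-analysis dilemma above can be made concrete with a small detection script. The following is an added example written for this article; it is not code from the article or from Actimize, and the access records, job types, feature names (remote-branch lookup, off-hours lookup, contact-detail change) and the scoring threshold of 3.0 are all constructed assumptions. It runs the fixed "remote branch" rule at a low and a high threshold, then scores each employee against peers of the same job type on several features at once, which is the peer analysis the text describes.

```python
"""Added example: a fixed rule versus peer-group analysis over constructed
employee access records. Not the article's or any vendor's code."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One row per account lookup by an employee (constructed, not real data).
Access = namedtuple("Access", "employee job_type remote off_hours contact_changed")


def synth(employee, job_type, total, remote, off_hours, contact_changed):
    """Expand per-employee counts into individual access records (constructed)."""
    return [Access(employee, job_type, i < remote, i < off_hours, i < contact_changed)
            for i in range(total)]


# Five branch tellers and three call-centre agents, 100 lookups each.
# T3 is the planted data thief: elevated on every feature relative to other tellers.
ACCESS_LOG = (
    synth("T1", "teller", 100, remote=8, off_hours=2, contact_changed=5)
    + synth("T2", "teller", 100, remote=10, off_hours=3, contact_changed=6)
    + synth("T3", "teller", 100, remote=40, off_hours=20, contact_changed=30)
    + synth("T4", "teller", 100, remote=6, off_hours=1, contact_changed=4)
    + synth("T5", "teller", 100, remote=12, off_hours=2, contact_changed=7)
    # Call-centre agents serve every branch, so nearly all their lookups are "remote".
    + synth("C1", "callcentre", 100, remote=95, off_hours=30, contact_changed=20)
    + synth("C2", "callcentre", 100, remote=97, off_hours=28, contact_changed=22)
    + synth("C3", "callcentre", 100, remote=93, off_hours=32, contact_changed=18)
)

FEATURES = ("remote", "off_hours", "contact_changed")


def rule_alerts(log, max_remote):
    """The rule from the text: alert any employee with more than max_remote
    lookups on accounts held at a geographically distant branch."""
    remote_counts = defaultdict(int)
    for rec in log:
        if rec.remote:
            remote_counts[rec.employee] += 1
    return {emp for emp, n in remote_counts.items() if n > max_remote}


def feature_rates(log):
    """Per-employee rate of each feature, plus the employee's job type."""
    totals = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    job = {}
    for rec in log:
        totals[rec.employee] += 1
        job[rec.employee] = rec.job_type
        for f in FEATURES:
            if getattr(rec, f):
                hits[rec.employee][f] += 1
    return {emp: (job[emp], {f: hits[emp][f] / totals[emp] for f in FEATURES})
            for emp in totals}


def peer_scores(log):
    """Score each employee by how far above their job-type peers they sit on
    every feature (clipped z-scores summed); an employee who is unusual in
    several ways at once scores highest."""
    rates = feature_rates(log)
    by_job = defaultdict(list)
    for emp, (job, _) in rates.items():
        by_job[job].append(emp)
    scores = {}
    for job, members in by_job.items():
        for f in FEATURES:
            values = [rates[m][1][f] for m in members]
            mu, sigma = mean(values), pstdev(values)
            for m, v in zip(members, values):
                z = (v - mu) / sigma if sigma > 0 else 0.0
                scores[m] = scores.get(m, 0.0) + max(z, 0.0)
    return scores


def peer_alerts(log, threshold=3.0):
    """Alert only employees whose combined peer-outlier score exceeds threshold
    (the threshold value is an assumption for this example)."""
    return {emp for emp, s in peer_scores(log).items() if s > threshold}


if __name__ == "__main__":
    print("rule, >5 remote lookups  :", sorted(rule_alerts(ACCESS_LOG, 5)))
    print("rule, >50 remote lookups :", sorted(rule_alerts(ACCESS_LOG, 50)))
    print("peer analysis, score > 3 :", sorted(peer_alerts(ACCESS_LOG)))
```

With the low threshold the rule alerts on all eight employees; with the high threshold it alerts only on the three call-centre agents, whose job makes every lookup "remote", and misses the planted thief. The peer score compares each employee only with others in the same job, so the call-centre baseline does not pollute the teller comparison, and only T3 is flagged. Peer groups should be large enough that a population standard deviation is meaningful; with very small groups a single member can never look extreme, which is why the three-agent group scores stay under the threshold here.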

3. Risks to the financial institution

Looking back over the past 10 years, in addition to an overall growth of the insider threat, there has been a diversification of that threat across banking operations. The core challenge of employee surveillance is no longer limited to scenarios involving tellers skimming from cash drawers, manipulating deposits or improperly servicing their own accounts (although these remain a constant challenge).
Financial institution internal investigation and fraud groups are now faced by a threat that extends across not only branch and call centre operations but trading, loan, trust services and brokerage operations. And, for better or worse, the financial and regulatory requirements of an employee surveillance system apply to all aspects of the business.
Although there are a number of good examples of how this specific challenge has manifested itself over the past few years, there are two that are in high focus today: firstly, the problem of employee trading fraud (sometimes also referred to as rogue trading) has received new attention after the incident at Société Générale earlier this year; secondly, elder abuse, in which an employee targets the most vulnerable members of our society, has received increasing scrutiny and attention.
And although these two phenomena couldn’t be more different in the make-up of the fraud event, lessons learned in the effective detection of one can be used to combat the other. Employee trading fraud occurs when an institutional trader deliberately subverts financial institution policies to pursue a trading strategy that exposes the institution to a level of risk not consistent with its risk strategy. In the Jérôme Kerviel incident, the trader hid a large un-hedged position that exposed the bank to massive potential losses. While the potential for large losses is at the core of the problem with this type of activity, the real threat is to the institution’s ability to establish a system of governance that extends to all aspects of its business strategy. A financial institution that enforces policies is one that tries to manage risk to achieve profitability. An institution that allows trading fraud to occur exposes itself to the pure luck involved in simple betting.
A common characteristic of rogue trading incidents, not just the Kerviel case but the scores of smaller events that happen every year and the other major events that happen a few times a year, is that these incidents are often identified by one of the many siloed systems of control currently in place at the company. When a trader uses unauthorised system access to erase evidence of the high-risk position he/she has taken, evidence of that system activity is logged by the bank. In addition, for many types of traders it is possible to compare different aspects of their trading behaviour, physical and systems access patterns and risk profiles with other similar traders to further refine an analysis of trading that is not simply odd but likely to be part of a fraud scheme.
By connecting the risk analysis done across different silos of the institution, whether in risk management, operations, trading compliance or corporate/IT security, as well as putting in place several layers of analytics to spot specific anomalies characteristic of rogue trading schemes, an institution can take a practical approach to employee surveillance across the enterprise that positions it well to spot rogue traders early on.
Although elder abuse, in which a bank employee exploits an elderly customer of the bank for personal financial gain, follows a very different pattern from trading fraud, the techniques used to establish an effective process of surveillance for elder abuse incidents share many common characteristics. Although elder abuse is only now gaining widespread attention in UK and US financial communities, it has long been a problem in banking in countries such as Turkey, where elderly banking customers do practically all of their banking in person with a teller and often establish a trusted relationship with a single teller that can be exploited.
The lessons learned from these geographical differences can be transported successfully to other markets, and the processes that have proven effective bear a striking resemblance to those that show promise in combating rogue trading. Just as rogue trading will often exhibit unusual concentrations of transaction activity between a trader and specific internal accounts and specific counterparties, elder abuse often shows up in transactional data as an unusual concentration of activity between one or more accounts held by elderly customers and a specific employee. Especially when combined with peer analysis, elder abuse can be detected as it occurs and before it gets very far.
An effective employee surveillance programme, together with an overall process of governance, must look at employee behaviour from a number of perspectives. Attempts to evade detection by one process will often show up as anomalies in another.
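The "unusual concentration of activity" signal that the text says is shared by elder abuse and rogue trading can be computed with one generic measure over (actor, counterpart) pairs. The following is an added example written for this article, not the article's or any vendor's code; the transaction records, the Herfindahl index as the concentration measure, the elderly-account flag and the "three times the peer median" multiplier are all constructed assumptions. It goes slightly beyond the text's two cases by applying the same function to tellers (counterpart = customer account) and traders (counterpart = counterparty) in one pass, which is exactly the reuse across fraud types that the text argues for.

```python
"""Added example (not the article's or any vendor's code): concentration of
activity between one actor and a few counterparts, compared with role peers."""
from collections import Counter, defaultdict, namedtuple
from statistics import median

# One row per transaction (constructed). For tellers the counterpart is a customer
# account and 'elderly' marks an account held by an elderly customer; for traders
# the counterpart is a counterparty and the flag is simply False.
Txn = namedtuple("Txn", "actor role counterpart elderly")


def synth(actor, role, n_spread, focus):
    """Constructed activity: n_spread distinct counterparts touched once each,
    plus repeated activity on the 'focus' counterparts: {name: (count, elderly)}."""
    rows = [Txn(actor, role, f"{actor}-acct{i}", False) for i in range(n_spread)]
    for cp, (count, elderly) in focus.items():
        rows += [Txn(actor, role, cp, elderly)] * count
    return rows


TXNS = (
    synth("T1", "teller", 40, {"ACC-E1": (2, True)})
    + synth("T2", "teller", 45, {"ACC-E2": (3, True)})
    + synth("T3", "teller", 20, {"ACC-E3": (15, True), "ACC-E4": (12, True)})  # planted abuse pattern
    + synth("T4", "teller", 38, {"ACC-E5": (1, True)})
    + synth("R1", "trader", 15, {"CP-A": (5, False)})
    + synth("R2", "trader", 12, {"CP-B": (6, False)})
    + synth("R3", "trader", 4, {"CP-X": (30, False)})   # planted rogue-trading pattern
    + synth("R4", "trader", 14, {"CP-C": (4, False)})
)


def profile(txns):
    """Per actor: role, Herfindahl concentration of activity across counterparts
    (1/n for a perfectly even spread over n counterparts, 1.0 for a single one),
    the dominant counterpart and its share, and the share on elderly-held accounts."""
    by_actor = defaultdict(list)
    for t in txns:
        by_actor[t.actor].append(t)
    out = {}
    for actor, rows in by_actor.items():
        n = len(rows)
        counts = Counter(t.counterpart for t in rows)
        hhi = sum((c / n) ** 2 for c in counts.values())
        top, top_n = counts.most_common(1)[0]
        elderly_share = sum(t.elderly for t in rows) / n
        out[actor] = {"role": rows[0].role, "hhi": hhi, "top": top,
                      "top_share": top_n / n, "elderly_share": elderly_share}
    return out


def concentration_alerts(txns, ratio=3.0):
    """Alert actors whose concentration exceeds 'ratio' times the median of their
    role peers (the multiplier is an assumption for this example). Returns
    {actor: dominant counterpart} so an investigator has a starting point."""
    prof = profile(txns)
    by_role = defaultdict(list)
    for actor, p in prof.items():
        by_role[p["role"]].append(actor)
    alerts = {}
    for role, members in by_role.items():
        baseline = median(prof[m]["hhi"] for m in members)
        for m in members:
            if prof[m]["hhi"] > ratio * baseline:
                alerts[m] = prof[m]["top"]
    return alerts


if __name__ == "__main__":
    for actor, p in sorted(profile(TXNS).items()):
        print(f"{actor} ({p['role']}): hhi={p['hhi']:.3f} top={p['top']} "
              f"top_share={p['top_share']:.2f} elderly_share={p['elderly_share']:.2f}")
    print("alerts:", concentration_alerts(TXNS))
```

The peer baseline is taken from the actor's own role, since a trader with a handful of regular counterparties is normal while a teller with the same pattern is not. The median rather than the mean is used for the baseline so that one extreme actor does not raise the bar for the whole group. In practice the window matters: the concentration should be measured over a period long enough to cover a normal spread of customers, and the elderly-share figure is the natural second signal to present alongside the alert for the teller case.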

4. Resolving and prosecuting insider crimes

Much of what we have looked at so far has to do with establishing a surveillance and governance programme that can detect a range of insider threats. Detection, however, is only the beginning of a long and complex process of mitigating the damage done by employee fraud. Once a case of employee fraud has been confirmed by an investigator, the institution faces a number of challenges in resolving the crime and prosecuting major offenders.
There are a number of options available to a corporate security organisation in resolving cases of employee fraud. The key factor is often the investigators’ ability to accumulate comprehensive data on the employee’s suspect behaviour quickly. With this type of information, the investigator can confront the employee in close proximity to the crime, giving the employee the impression that the investigator knows more about the scheme than the employee could have anticipated, and try to move the case to a resolution.
The best outcome in this situation is a signed confession and termination. A signed confession often allows the institution to share information on the employee with other institutions, frustrating their ability to engage in fraud elsewhere or to seek re-employment with the bank itself. Signed confessions are also a neat way to tie up regulatory issues created by the incident. And although easy access to an audit trail of employee activity can be a valuable tool in the investigation process, confessions are by no means easy to achieve.
Serious cases that the bank might wish to prosecute present even greater challenges. Defence barristers are becoming increasingly sophisticated about how to take advantage of highly technical weaknesses in bank processes to defend their clients. In some recent cases, the defence has, for example, argued that the complexity of mainframe data means that it is next to impossible to establish a coherent record of employee activity.
The challenges of resolving employee fraud incidents are not limited to these examples, but they give a good sense of the range of issues, and they point to the capabilities financial institutions should require of any system they put in place to combat the insider threat, as well as the processes that investigators can follow to increase the likelihood of an outcome favourable to the bank and its customers.
Of these challenges, firstly, data integration must be performed in a way that ensures not only a complete and effective import of data into a detection and investigation system, but also allows investigators to demonstrate how data is mapped from the many complex systems required to establish an employee surveillance system.
Secondly, investigators must be given fast, complete, business-user access to all the data required to establish a complete audit trail and gain an informational advantage over employees suspected of fraud. Thirdly, a solution must offer a comprehensive audit function in order to establish an unimpeachable record of fraud analyst and investigator activity. This record must show every step of the process, from the review of employee or transaction-level alerts to the collection of documents relevant to the investigative workflow and the required approvals at each stage.
An employee surveillance system must not only be effective in detecting anomalous employee activity but must also make it easier for investigators to do their jobs, both during the initial phases of investigative work and the later phases of providing documentation and explanations of the crime that has occurred.
These four challenges faced by financial institutions are not the only issues faced by risk and security professionals in establishing effective governance processes, but they do represent some of the biggest issues and potential opportunities for the institution in putting in place an effective employee surveillance programme. The purpose of the programme, at the end of the day, must be to enable security and risk departments to focus their efforts on identifying and remedying the full range of insider threats while minimising impact on the many legitimate employees working to help the bank serve its customers.
Although these challenges cannot be avoided, the promise of a truly comprehensive employee surveillance programme is to increase the effectiveness of all risk management and investigation efforts across the bank and at each phase of the governance process.
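The "unimpeachable record of fraud analyst and investigator activity" called for above has to survive the kind of courtroom challenge the text describes, which means the record itself must be tamper-evident. The following is an added example, not the article's or any vendor's code, of one way to achieve that: a hash-chained audit trail in which every step (alert review, evidence collection, approval, interview) is bound to the hash of the step before it, so that editing or deleting an earlier entry is detected at that entry. The case identifier, actor names and step descriptions are constructed.

```python
"""Added example (not the article's or any vendor's code): a hash-chained record
of investigator activity, so later alteration of the audit trail is detectable."""
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def _digest(prev_hash, entry):
    """SHA-256 over the entry's fields plus the previous entry's hash."""
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only log of investigation steps. Each entry's hash covers the entry
    and the hash of the previous entry, so editing or deleting an earlier step
    breaks the chain from that point on."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, case_id, detail, approved_by=None):
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "case": case_id, "detail": detail, "approved_by": approved_by}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry; anchoring this value elsewhere fixes the whole history."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return (ok, first_bad_seq), recomputing every hash from the genesis value."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or _digest(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_trail():
    """Constructed case: alert review, evidence collection, approval, interview."""
    trail = AuditTrail()
    trail.record("analyst.jones", "review_alert", "CASE-0001",
                 "peer-analysis alert on employee T3 reviewed")
    trail.record("analyst.jones", "collect_evidence", "CASE-0001",
                 "exported 90 days of account-access records")
    trail.record("mgr.smith", "approve_escalation", "CASE-0001",
                 "escalated to corporate security", approved_by="mgr.smith")
    trail.record("investigator.lee", "interview", "CASE-0001",
                 "employee interviewed; signed statement filed")
    return trail


def tamper_demo():
    """Silently edit an earlier step after the fact; verify() reports that step."""
    trail = build_sample_trail()
    trail.entries[1]["detail"] = "exported 7 days of account-access records"
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact trail verifies:", t.verify(), "head:", t.head()[:16])
    print("after editing step 1 :", tamper_demo())
```

A chain like this only proves something if the head hash is periodically recorded somewhere the investigators themselves cannot rewrite, for example signed and lodged with a separate custodian or written to write-once storage; otherwise anyone with write access to the log could simply recompute every hash. With that anchor in place, the record answers the defence argument quoted above: every step from alert review to approval can be shown in order, and any gap or alteration is demonstrable rather than merely denied.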
