Top 10 op risks 2020: theft and fraud

Theft and fraud jumps to third in this year’s survey – a sign of both its ubiquity for financial institutions of all types, from the largest global lenders to eight-person hedge funds, and likely a function of its role in five of the 10 largest reported operational risk losses of 2019.

Professionals surveyed by Risk.net this year highlighted a wide range of factors behind the rise: technological innovation, fast-changing regulatory expectations and rising institutional complexity. The category is also a broad one, encompassing a variety of crimes.

Many of the most severe frauds reported last year, particularly in emerging markets, bore a similar characteristic: namely, the help of an inside operative working for a bank. That leads one respondent to dub this simply “insider risk”. It was also the case for 2018’s biggest fraud loss – an eye-watering $12 billion hit for Chinese insurer Anbang.

Internal fraud incidents can also have a long tail. Wells Fargo’s legacy losses relating to its ‘ghost account’ fraud scandal also increased throughout 2019, with the total bill for settlements and restitutions already topping several billion dollars and counting – not to mention the long-term impact on the bank’s op risk capital requirements.

While the march of progress may produce all sorts of convoluted, tech-centric crime, naturally theft and fraud can still take place in a more mundane fashion. Earlier this month, Citi was widely reported to have suspended a senior bond trader after he was accused of stealing food from the firm’s canteen in London.

The increasing ease with which low-level crimes can be orchestrated is helping to keep the category firmly on the radar of risk professionals. One senior op risk professional cited concerns over the profusion of “information available to fraudsters from ongoing data breaches” amid the “rapid pace of digital innovation and instant money movement”.

[We’re seeing] more sophisticated fraud. What I really worry about is people taking critical customer data and putting it on the dark web. I don’t worry about a hold-up

Operational risk manager at a US bank

Data theft is a reliably high-ranking risk in itself, and a serious breach can lead to spiralling losses as financial criminals put the stolen information to use. Often, the theft of data is just the beginning.

“[We’re seeing] more sophisticated fraud,” says an operational risk manager at a US bank. “What I really worry about is people taking critical customer data and putting it on the dark web. I don’t worry about a hold-up.”

Theft and fraud losses are also closely linked to the drive to automate processes and systems. A senior risk manager at a global bank points out that automation of customer authentication, for example, gives criminals the chance to use stolen data to fool robot gatekeepers.

“The situation [with automation] is improving, but the threats are increasing. It’s like the two sides are growing together,” says the risk manager.

Institutional complexity may be a boon to fraudsters: super-intricate systems architecture can hinder a bank from understanding how and when a financial criminal has gained access. “It can make it more complex for the fraudster, of course, because they have to work with 10 systems instead of one. But it creates more points of failure, so I’m not able to say if it’s a plus or a minus. A unique system is a unique, single point of failure – and 10 systems are 10 entry points,” the risk manager says.

However, automation and digitisation are among the main tools in the fight against theft and fraud. Loan frauds may be easier to perpetuate online, but when a bank has a large digital dataset to parse, it can spot anomalies much quicker than in the days of paper-based fraud.

“With big data and correlation tools, we try to find abnormal patterns in payment systems and trading systems,” the senior risk manager says. “But it is not the panacea – it’s a work in progress.”

Regulation may be another factor in the ascent of theft and fraud in the rankings this year. Gaining access to the data used to commit theft and fraud, some argue, is becoming easier because of laws compelling financial institutions to collect larger quantities of information on customers.

Click here to return to the index