It may be slightly melodramatic to refer to internal fraud as being poisonous to the banking industry, but this is not a comparison without merit. The topic is a perennial news story, and one that is particularly scintillating for the masses. The industry has limited internal surveillance, which makes it vulnerable to internal fraud.
While internal fraud incidents have major reputational repercussions for banks, they also result in regulatory risks as well as legal risks – along with headline-grabbing fines. In turn, strategic and market risks develop, as customers are lost to competitors.
This then begs the question: what can be done to develop adequate governance and oversight in this space? Many in the industry have decided that the answer is “nothing;” internal fraud is too complex, it can’t be monitored, and there is no silver bullet that reduces the risk of internal fraud to zero. Indeed, nothing can provide absolute and perfect control in the space – although the same could be said for other spheres of fraud detection too.
What can be acted upon instead is the capability to impose a compliance culture. It is imperative that companies deploy internal fraud detection capabilities and ensure that all staff know about it.
Organisations can implement technology and processes, and engage talent to make certain that internal goals are met. These should also be expanded upon, to ensure that businesses continue to develop monitoring capabilities beyond the initial scope, in parallel with the business itself.
Many institutions may already have monitoring capabilities with regard to internal fraud, but these tools are often underweight, report-driven and only measure a few static attributes with logic that is not easily modified within the tool. In many instances, suspected high risk activity investigations are handled by IT, as opposed to compliance or operations risk (fraud) management teams.
The Association of Certified Fraud Examiners (ACFE) has developed a matrix, through which we can understand the typical motivations of a fraudster. The Fraud Triangle identifies three factors that explain why a reasonable person might choose to engage in such fraud:
1. Pressure: The fraudster has developed a financial problem – such as gambling, drugs, debts or medical needs – which they feel is unsolvable through legitimate means. This is then the primary motivation behind the act of fraud.
2. Opportunity: This is the avenue through which the crime is committed. By abusing a position of trust, the fraudster feels that he/she is able to carry out the fraudulent act and solve their financial issues with a low risk of getting caught. Examples include having access to a system, or even something as simple as a chequebook.
3. Rationalisation: The belief, ambition and motivation that the fraudster should commit their crime. Most fraudsters are first-time offenders; often perceiving themselves to be normal and otherwise honest people, who have run into bad situations from which they must escape. They may also reason to themselves that the victim, or organisation, deserved to be targeted.
It is the potent combination of all three factors that often leads to fraud, and taking away any of these significantly reduces the potential for a fraud event. For example, a reasonable loan with achievable repayment terms may alleviate the individual’s financial issues (pressure). Without access (opportunity) to the financial platform, the crime cannot be committed.
The sophistication of monitoring being aligned to the sophistication of abuse is the key element in properly addressing internal fraud risks, and it is critical that the day-to-day management of this independent process falls outside of the IT business unit. This entails setting up a specialised team and empowering them with a detection solution that has been tailored to match the needs and circumstances of the organisation, as well as administered by internal fraud detection resources.
The strategy allows the team’s enhanced logic to be deployed throughout the business. The team must also tread a delicate line between being a visible force that unceasingly monitors the environment, yet at the same time baffles attempts at understanding and subsequently subverting the logic that drives the governance process.
Detection and prevention
As mentioned, there is of course no perfect panacea for fraud. For example, even if it was possible to know every employee’s financial obligations or their true debt-to-income ratios, this would be a massive invasion of privacy. Eliminating all access to systems would mean that a business would be slowed to snail’s pace. However, an environment can be created in which potential criminals are less likely to feel that they can commit fraud and get away with it.
Companies need to identify the places where the application of controls makes the most impact relative to where it is creating the greatest risk, and this is where the secret ingredient in counteracting fraud comes into play. Tools to elevate the monitoring of high-risk activities must be as sophisticated as the crime itself. These tools have to provide minute analysis of employees’ actions through data such as employee access of customer accounts, and be able to identify additional risk indicators that predict internal abuse.
Examples of the symptoms of fraud include individuals with performance far in excess of their peers, or repeatedly using the same demographic information for distinct and dissimilar accounts, or performing twice the average number of account touch points that would be typical in the day-to-day operation of that employee’s role. The analysis of these elements, scaled up into controls, is capable of detecting most of the common potential internal fraud events; when organisations ensure that such capabilities are clearly known to all staff, a culture of compliance is fully revealed to be a control in and of itself.
No organisation can be completely impenetrable, so it is not necessary to set impenetrability as a goal. Organisations should instead aim to demonstrate competence in fraud detection, use the most sophisticated tools available, and take the necessary steps to reduce the likelihood that potential fraudsters perceive they can get away with their crime. All this ensures that one of the major components of the Fraud Triangle is neutralised, and helps prevent employees from heading down the path of internal fraud.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.