Detecting internal fraud by Breaking Bad


There has been no shortage of news stories around the banking sector and its vulnerability to internal fraud, particularly revelations that the industry has limited internal surveillance. Internal fraud has proven to be news-driven (and newsworthy); it’s a great feature lead-in story and scintillating red meat for mass consumption.

Internal fraud events obviously constitute a reputational risk for banks, but then take a huge turn into regulatory risk territory, before winding up squarely a legal risk – and the headline-grabbing fines that come with it. Finally, a strategic and market risk bubble up as customers are lost to competitors.

So what can be done for developing adequate governance and oversight in this space? Too often the terse reply to the question is ‘nothing’; that this type of fraud can’t be monitored, it’s too complex and there is nothing that will prove a ‘silver bullet’ and reduce all residual risk to nil. Indeed, it’s hard to disagree. Nothing can be an absolute and perfect control in the space, but we don’t really have that in the other fraud detection sciences, either. What we do have is the capability to impose a compliance culture in the space.

Certainly it’s possible to implement technology, processes and talent to ensure that internal goals are met and expanded to make certain that we evolve monitoring capabilities – in parallel with the business itself – beyond the initial scope. Indeed, many institutions may already have some capacity for monitoring in this space; but typically the tool is underweight, report-driven and measures just a few static attributes with logic that is not easily modified within. Further, suspected high risk activity investigations are frequently managed by IT, rather than compliance or operations risk (fraud) management teams.

The US-based Association of Certified Fraud Examiners (ACFE), as the world’s largest anti-fraud organization, is one body offering a matrix for understanding the motivations of a fraudster (Full disclosure: the writer is a holder of their credential, so this reads to me like the Ten Commandments). Effectively, there is a recipe for fraud and it explains why a reasonable person would choose this path. There are three ingredients that make up the formula for a “Fraud Triangle”; let’s examine each of them through the lens of that cult TV series Breaking Bad:

  1. Pressure: a financial need: gambling, drugs, debts, social or business demand or medical needs.
    • For BB fans, think back to Walter White’s diagnosis of cancer and his need to secure his family’s financial stability.
  2. Opportunity: that the fraudster will have been trusted with the tools to get to the prize. Think of it rather as a set of rails to ride this train; typically this is access to a system or even to something as simple as a cheque book.
    • Walter White is a talented chemist and thus can create a superior product to fill a market need.
  3. Rationalisation: the belief, ambition and motivation that the fraudster can perform this crime, that the victim/organisation deserved or earned it and that they won’t get caught.
    • Walter White realises his success is beyond his initial expectations and eventually becomes his alter ego, the drug lord Heisenberg.

Break any one of these sides of the triangle, and the potential for a fraud event is significantly reduced. Consider removing the financial hardship (pressure) with a mechanism that puts an alternate path forward. Had Walter White been able to treat his cancer earlier, would he still have gone on to become Heisenberg? If we take away access (opportunity) to the financial platform used for internal fraud, the crime cannot be committed. If the Breaking Bad character hadn’t had access to the materials needed to manufacture his product, there would have been no results.

Reducing  fraud potential

There are certain limitations to this approach in the real world, of course. We can’t know everyone’s financial obligations or their true debt-to-income ratios. Take away all employee access to systems and the business can no longer effectively run. However, we can make a budding criminal less likely to feel they can commit the crime with impunity and reduce the potential that the fraudster believes that they can get away with the crime. Had Walter felt that he would be detected and thus his plan thwarted (viewers will recall that brother-in-law Hank, investigating the perpetrator, took his time in figuring out the culprit), the show would have stalled before the mobile laboratory was parked in the desert. That’s exactly what we are after in the financial crimes world.

This is the space where we add the ‘secret sauce’ and we seek out the places where the application of controls makes the most impact relative to where it is creating the greatest risk. The tools to elevate the monitoring of high risk activity have to be as sophisticated as the crime itself. The tools must ingest and enhance the analytics of employees’ actions – feeding employee access of customer accounts and identifying additional key risk indicators that predict internal abuse. This space could effectively be monitoring individual performance far in excess of their peers, or repeatedly using the same demographic information for distinct and dissimilar accounts, or performing twice the average of the number of account touch points that are typical in the day-to-day operation of the employee’s role.

The sophistication of monitoring aligned to the sophistication of abuse is the key element here, and the day-to-day management of this independent process must fall outside of the IT business unit. The Drug Enforcement Agency (DEA) does its own investigations with its own resources – right Hank? Establishing a core competency in the space means setting up a team, with a dedicated detection solution that is bespoke and administered by internal fraud detection resources, empowering this teams’ enhanced logic to be deployed around the enterprise. Finally, this team must work in something of a clandestine manner, visibly surveying the environment – yet to outsiders there is little understanding of the logic that drives this enterprise governance process.

All of these elements, scaled up into controls, are capable of detecting most of the common potential internal fraud events. When this made noisy – so that all staff hear about it – a culture of compliance is fully revealed to be a control in and of itself. The organisation may not be impenetrable, so it’s not necessary to attempt to achieve impenetrability as a goal.

Rather, the goal should be to demonstrate competence in the space, use all the detection tools available and illustrate the capabilities an organisation can deploy in reducing the likelihood that the fraudster is confident they will get away with it.  These steps to kick a leg out of the Fraud Triangle will help ensure that the path of Breaking Bad is never initiated.




Related reading

Cyber security