Ask an executive in a typical financial institution about their organisation’s fraud risk appetite and there is usually, conceptually, some level of tolerance for external fraud, but there is no tolerance for internal fraud. However there is often a gap between the expressed zero tolerance view and the fraud risk framework that has been put in place.
To adequately prevent and detect internal fraud, there should be a close alignment between prevention, detection, mitigation processes and the risk appetite – the extent to which an organisation is prepared to accept the possibility that risks will materialise. The lower the appetite for fraud risk and losses, the greater the processes that should be put in place for higher risk areas. The quandary for financial institution executives boils down to ‘low versus no’. How much internal fraud is too much?
Financial and reputational damage
While customer experience and fraud loss optimisation is often a trade-off determined by a financial institution’s risk appetite, this usually applies to external fraud losses.
However, when addressing internal fraud, customer experience is not the most significant consideration, as it is often brand impact that hurts a financial institution most. Internal fraud and misconduct issues invariably attract the attention of media, and sometimes even regulators or government. While there may be some level of acceptance for financial loss, often there will be zero appetite for reputational damage.
The approach to setting an internal fraud risk appetite should therefore be designed to not only safeguard the organisation’s and client’s assets, but also ensure minimal damage to the brand.
Two examples of fraud
1. Misdirecting inward contributions
A super fund employee managed a relationship with a large corporate client and was responsible for processing the client’s employees’ super contributions. A regular payment file was received from the corporate client and the super fund employee altered the file to redirect the contributions to an external account held in a false name operated by the employee. As the reconciliation of contributions matched against the data (contribution file) was not conducted in a timely manner, there was no independent checking performed by the super fund to confirm the receipt of contributions. The employee was able to satisfy the corporate client’s inquiries and reporting requirements through their close relationship. The fraud was ultimately detected when a corporate client employee made their own inquiry with the super fund’s call centre regarding the balance of their own account.
2. Information theft
A retail bank suffered a number of identity takeovers of customers’ online backing accounts. The bank found that all the customers had links to a common superannuation fund. The bank contacted the super fund and provided the names of the victim customers. Forensic data analytics conducted by the super fund found that the victim customers all had either a super or insurance product, and that a single employee had accessed (viewed) all the super and insurance accounts for no apparent reason. The employee was interviewed and made admissions and their employment was terminated. The super fund believed that confidential information was ‘harvested’ by their employee, and then provided to an organised crime group to enable the group to take over and defraud the customers’ bank accounts, with sufficient information to answer the bank identity challenge questions. The super fund’s own products were not affected.
Setting the risk appetite
There are a number of metrics that can be used, beyond the dollar loss, when determining an acceptable level of fraud risk, including: the number of internal incidents; the number of fraud attempts or near misses; and the percentage of employees that have completed mandatory fraud training.
Activities should be designed to impact behaviour beyond the absolute metrics. The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud. Understanding this is as critical as analysing the absolute metrics. For example, a financial institution may mandate that all allegations of internal fraud will be subject to its disciplinary procedures.
Once the acceptable level of risk appetite has been determined, resource allocation can be broadly categorised into two areas:
1. Fraud risk management (proactive measures to prevent and detect fraud)
The correlation between proactive measures and expressed risk appetite is generally less evident in financial institutions than the reactive measures. Too often we see a stated zero tolerance for internal fraud, yet the proactive measures are either ineffective, do not cover the entire organisation or are lacking completely.
2. Fraud investigation (reactive measures when an incident occurs)
Often financial institutions defend their zero tolerance for internal fraud on the basis that they investigate all fraud matters. The flaw in this approach is that it ignores the application of preventative measures. A true low, or zero, appetite for fraud requires more than just a reactive framework.
Finding the sweet spot between ‘low and no’ appetite
A certain level of internal fraud will probably occur as a commercial reality of doing business. How does a financial institution manage the optics of a low appetite and still communicate the message to employees that it is not ‘open slather’? A key plank in a fraud risk framework is strong deterrence, with overt condemnation of internal fraud and ‘tone at the top’ messages and behaviours. It comes down to the way risk appetite is operationalised and embedded into the organisation’s day to day business.
Where should financial institutions start when determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?
For starters, risk appetite for fraud loss should be a standard part of the risk management planning cycle. Calculations should be based on robust information on actual experiences and predicted risks, including the risks and rewards of new products and channels. Once the level of fraud risk appetite has been agreed, it should be communicated across the institution and oversight procedures put in place.
At the other end of the cycle, reporting should occur in line with a pre-defined risk appetite, with appropriate intervention when both positive and negative variances to the plan occur. Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution.
Keeping pace with change
Fraud risk management is not a set and forget exercise. Fraud risk, like other risks, is fluid and ongoing monitoring is required to capture material changes. Many financial institutions are already in the process of de-risking their books and ending customer relationships where they present too high a risk.
Similarly, as the Australian superannuation sector continues to evolve and go through further consolidation and new parties get introduced into the delivery cycle and supply chain, enhanced due diligence processes should be put in place to ensure any new acquisitions have fraud risk profiles and a defined risk appetite that align to the core business.
Tony Prior is a Director in Ernst & Young’s financial services specialist fraud investigation and dispute services team. The views expressed in this article are the views of the author, not EY. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.