How can you build fraud resilience within your organisation?
6 August 2020
How can you build fraud resilience within your organisation? © 2020 Deloitte LLP. All rights reserved. 2
Welcome and introduction
• Jules Colborne-Baber — Partner, Forensic, +44 20 7303 2905
• Adam Knight — Partner, Insurance Regulation & Strategy, +44 20 7303 7706
• Peter Hawkins — Director, Forensic, +44 20 7303 5993
• Faith Hammond — Manager, Insurance Regulation & Strategy, +44 20 7007 4983
• Stephen Nicholls — Director, Forensic, +44 20 7007 1135
Agenda for the session
Welcome
1 The current environment
2 Fraud risks in insurance
3 Responding to cyber-enabled fraud
4 Building fraud resilience
5 Summary and close
The current environment
In terms of scale, complexity and impact, the challenge we face today is different to what has come before.
Our defense and response has to change too.
The current environment - what is the challenge?
Lloyd's of London recognises that the pandemic has presented unique challenges for the firm in terms of the fraud and cyber threat landscape, and the cost of failing to protect customers, society and the business has never been higher.
External factors:
• Business interruption: small businesses in the UK pursuing legal action against insurers for non-payment of BI insurance
• Disturbed control environment: any weakness in the control environment will be exposed by the crisis
• Fraud opportunity: increase in phishing attempts with COVID-19 as the hook
• The Brydon Report: recommends new reporting duty on directors and auditors
The current environment - how is the industry responding?
The recent views of key participants highlight the connection between economic shock to firms, employees and policyholders and increased internal and external fraud risks in the sector.
“Insider fraud is something we are going to have to consider and look at […because…] there is going to be economic hardship on absolutely everybody as a result of COVID-19.”
Ben Fletcher, director at Insurance Fraud Bureau and chief customer officer at the Motor Insurers’ Bureau, Apr 2020
“When the country becomes economically stressed, so do people. The lines between right and wrong are easily blurred. The need to raise cash as a business or private household may prove to be a strong motivator for insurance fraud.”
Ahmed Esat, head of investigations at Davies Group
“What makes COVID-19 unique is not just the devastating continuing human and social impact, but also the economic shock. Taking all those factors together will challenge the industry as never before.”
John Neal, Lloyd’s of London chief executive
“COVID-19 uncertainty could have 'significant impact' on some insurers’ capital positions.”
Charlotte Gerken and Anna Sweeney, PRA executive directors
The current environment – the regulatory context
Lloyd’s Managing Agents and Brokers are faced with public and regulatory pressure to pay COVID-19 claims promptly, but may have fewer ‘boots on the ground’ to conduct robust investigations.
Regulatory focus and environmental pressure:
• The FCA has stated that insurers should not change their risk appetite to address operational challenges
• Lloyd’s in its update to the 2020 Market Oversight Plan recognises the impact of fraud risks, and has re-prioritised its thematic fraud review
• London market insurers have seen a reduction in the value of their investments which they use to pay claims
• Lloyd’s prohibits usage of the automatic cancellation clause after 60 days of premium non-payment for consumer/SME policies
Fraud risk – Key drivers:
• New insider threats from opportunistic employees who exploit a weaker internal risk control environment and reduced headcount
• Financial weakness and expectation to show strong results can push businesses to manipulate other information
Fraud Triangle: opportunity, incentives and pressures, rationalisation
Fraud risks in insurance
Fraud risk factors in insurance – key areas of impact
Potential areas in which a weakened control environment may be exploited
Policies and procedures may no longer be fit for purpose
Deep-dive: Internal and external fraud in insurance (including cyber)
COVID-19 is both heightening the fraud risks faced by insurers and putting under strain the key controls for detecting, preventing and mitigating them.
The pandemic and the resulting market and societal dynamics have presented a number of risks and challenges for insurance firms, and it is key that they are able to respond to these proactively and effectively.
Control environment:
• Segregation of duties
• Call monitoring and surveillance
• QA coverage
• Payment controls
• Workplace management
• IT systems capacity
Internal fraud:
• Duplication of claims payments
• Inflation of reporting of expected premium
• Invoice redirection
• Corruption (e.g. abuse of position)
• Ineffective loss adjustment of claims
• Manipulation and misrepresentation
External fraud:
• Cyber attacks and phishing emails
• Identity fraud to claim benefit scheme
• Scam calls from bots, automated texts and clone claims management firms
• Invoice misrepresentation
• Malware and ransomware
• Employee account takeover
Responding to the challenges of cyber-enabled fraud
Cyber-enabled fraud threat landscape
Fraudsters are maximising the opportunities that exist in the uncertainty of the COVID-19 situation. As a result, the National Fraud Intelligence Bureau reports that COVID-19 related fraud is scaling and diversifying rapidly.
Given the scale of the global situation, we are seeing a wide range of fraud attacks and scams continuing to target individuals and businesses:
• Authorised push payment fraud
• Service and product scams
• Phishing attacks
• Application fraud
• COVID-19 related funding fraud
The COVID-19 related fraud threat:
• 1 in every 99 emails is a phishing attack (Source: Avanan)
• 94% of malware today originates in the inbox (Source: Darktrace Email Security Threat Report 2020)
What does this mean for firms?
COVID-19 has highlighted the synthesis between cyber risk and traditional financial crime domains. By addressing both domains, firms are developing a more robust control environment. Insurers can learn lessons from other sectors.
Domains: Cyber, AML, Fraud
Synthesis between anti-money laundering and fraud domains
• Consolidating transaction monitoring capabilities (data, technology, people, processes), to drive significant effectiveness and efficiency uplifts, especially in the AML domain
• Leveraging customer data assets collected at point of on-boarding for KYC purposes to inform post-application fraud detection models
• Consolidating disparate AML and fraud processes into a single customer acceptance decision at on-boarding
Synthesis between cybersecurity and fraud domains
• Aligning domain-specific incident response teams, sharing resources and expertise and executing cross-domain processes and playbooks
• Incorporating HR, cyber and physical security-related data sources (employee networks, access logs, etc.) into internal fraud detection analytics and modelling
External collaboration
• Peer-to-peer intelligence sharing
• Shared KYC databases and managed services
• Multi-bank and multi-insurer transaction monitoring solutions
• Public-private partnership models, such as between law enforcement and institutions
Synthesis across all domains
• Integrating intelligence teams and supporting third party providers, creating intelligence and delivering timely insight on criminal actors and emerging threats
• Sharing access to existing data assets, underlying infrastructure, and analytics tooling and expertise, enabling new approaches to be applied across a wider dataset to identify potentially criminal activity
Building fraud resilience
Building fraud resilience - how can you respond to these heightened fraud risks?
Brokers, Managing Agents and ultimately the Council of Lloyd’s need to revisit their fraud risk plans in light of COVID-19, with an emphasis on governance and management of the heightened risk of fraud as businesses recover.
FRAUD RISK RESPONSE (AREAS TO CONSIDER)
Understand and identify:
• Unrealistic to think that all processes and procedures will remain the same
• In order to keep businesses going, need to accept that some departures from the norm are inevitable. Need to identify and embrace these
• Focus on understanding the changed risk landscape given disruption to business structure and operations in light of the likely risks arising from COVID-19 and more broadly
• Perform and document an enhanced fraud risk assessment
Protect and monitor:
• Identify, document and agree new procedures/changes to existing procedures
• Communicate and train as required around risks and processes
• Consider enhanced/alternative monitoring procedures that may be effective
• Record decisions and departures from BAU procedures, to allow a retrospective review as required
Respond:
• As required, respond to red flags and issues as they arise to ensure facts and circumstances are understood/investigated and procedures can be enhanced as required
Building fraud resilience - how can an effective fraud control framework account for the COVID-19 impact?
Considerations and questions you may want to ask of your fraud controls and framework:
• Fraud assurance activity
• Material controls
• Fraud risk impact assessment
• IT systems
• Level of maturity
FRAUD RISK MANAGEMENT
• VISION & STRATEGY: Informed by threat intelligence and risk assessment
• GOVERNANCE & OVERSIGHT: Shaped by risk appetite, enabled through policy and assurance
• PEOPLE & ETHICS: Ethics and culture, organisation design, training, and whistleblowing
• IDENTIFICATION & SCREENING: Identification and verification, and employee, customer and supplier screening
• AUTHENTICATION & AUTHORISATION: Access and enhanced authentication, authorisation and notification
• DETECTION & ANALYTICS: System and data integration, model and rule management and intervention
• INVESTIGATION, RESOLUTION & RESPONSE: Investigation, remediation and resolution, control implementation, reporting and exit
Summary and close
1. The risk landscape has changed
• COVID-19 has brought with it increased pressure, opportunity and rationalisation for internal and external fraud
• Policies, systems and processes may no longer be fit for purpose and a weakened control environment may be exploited
2. There is increased scrutiny by regulators on both consumer protection and fraud matters
• Regulators have been vocal around their expectation, and test cases on business interruption may create further stress
• Management and the board have a crucial role to play in the prevention and detection of fraud
3. But, there are practical steps you can take to mitigate the risks
• Effective governance, fraud risk assessments, monitoring and surveillance will help to prevent and detect any such issues
• Understanding how well prepared your third parties are for managing this changing risk landscape is key
Questions