Low vs No: Setting a Risk Appetite for Internal Fraud

Page 1 ©2015 Association of Certified Fraud Examiners, Inc.

WELCOME Low Versus No: Setting a Risk Appetite for Internal Fraud

Tony Prior, CFE, CAMS

Director

Ernst & Young

Page 2

Low vs No: Setting a Risk Appetite for Internal Fraud

ACFE Asia-Pacific Conference, Singapore

November 2015

Tony Prior, Director

Ernst & Young, Fraud Investigation & Dispute Services

Sydney, Australia

Page 3

Agenda

► Introduction

► Managing internal fraud vs. external fraud

► Risk appetite in the broader risk governance framework

► Setting the fraud risk appetite

► Determining fraud controls and activities

► Putting fraud risk appetite into operation

► Keeping pace with change

► Case studies

Page 4

Introduction

► An often stated mantra about an organisation’s fraud risk appetite:

  ► “Some tolerance for external fraud”

  ► “No tolerance for internal fraud”

► However, often:

  ► A gap exists between that statement and the necessary fraud risk framework in place

  ► Commensurate controls are not there to support the statement

► To adequately manage internal fraud, close alignment is required between prevention, detection and mitigation processes, and the risk appetite:

The extent to which an organisation is prepared to accept the possibility that risks will materialise

Page 5

Introduction (cont’d)

► The lower the appetite for fraud risk and losses, the greater the number and coverage of processes in place for the higher risk area.

► Consider the different dynamics in play between managing internal fraud versus external fraud.

► The quandary for the financial institution, the “low fraud versus no fraud dichotomy”:

How much internal fraud is too much?

Page 6

Introduction (cont’d)

Why financial services?

► With a strong regulatory environment existing, financial services have mature fraud risk operating models compared to other sectors.

► Financial services are well represented in ACFE’s recent Report to the Nations on Occupational Fraud and Abuse:

  ► Victim organisation: the sector had the highest reported cases, with nearly 18% of all cases reported.

  ► Corruption was the highest fraud type for the sector.

► The concepts discussed are transferable to other sectors.

Page 7

Case Study # 1

Retail, business, and institutional bank

► What: The fraud risk strategy was designed with the consideration of risk appetite.

► How: “Customer experience” was a narrative commonly expressed across the entire bank, and the bank’s fraud risk strategy recognised this when it was developed.

► Risk Appetite: The bank expressed a desire not to impact the customer experience when managing a low risk, and this position was incorporated into a fraud risk strategy and its underlying plans. This also created a very well understood challenge when managing the low appetite or high fraud risk areas without impacting legitimate customers.

Bank staff colloquially referred to this as …..….

Page 8

….preferring an ambulance at the bottom of the cliff to a fence at the top

Page 9

Internal Fraud Versus External Fraud

Should they be managed differently?

► Let’s consider a retail bank. A likely key performance indicator is to achieve high customer satisfaction.

► Customer satisfaction is achieved to some extent by the customers’:

  ► Individual experiences with the bank

  ► Ease to transact

  ► Level and nature of communication with the bank

  ► Perceived adequacy and promptness of the bank’s response to requests

  ► Anecdotal experiences with competitor banks

Page 10

Internal fraud versus external fraud (cont’d)

Customer experience and fraud loss optimisation becomes a trade-off when managing external fraud losses

Let’s discuss a typical external ‘fraud’ scenario:

► Fraud monitoring and alerts suggest that the customer’s transaction card may have been compromised.

► Bank: how much loss are they prepared to incur so as not to disrupt the customer?

Page 11

Internal fraud versus external fraud (cont’d)

► The bank’s options:

  ► Permit transaction to proceed

  ► Telephone customer

  ► SMS to customer

  ► Decline the transaction

  ► Suspend or cancel the card

Page 12

Internal fraud versus external fraud (cont’d)

How a fraud risk framework may look for managing external fraud

[Figure: fraud risk framework cycle with stages Deter, Prevent, Detect, Respond, Report, Remediate & recover; the governing consideration shown is Customer impact]

Page 13

Internal fraud versus external fraud (cont’d)

► The financial institution’s risk appetite and associated controls will:

  ► Determine the nature of its response.

  ► Create a corollary interruption and inconvenience to the customer.

► Genuine transactions that are declined may impact the customer experience.

► Conversely, a ‘courtesy’ telephone call or SMS to the legitimate customer may create a positive customer experience.

► Financial institutions have become smarter, increasing customer satisfaction, and might ‘whitelist’ certain customers.

Page 14

Internal fraud versus external fraud (cont’d)

Let’s consider internal fraud:

► The same choices do not always present themselves to the financial institution.

► When combating internal fraud, the customer’s experience is not the most significant consideration.

► Internal fraud incidents often do not lend themselves to impacting customers, and there is less chance of customer detection.

► Often, brand impact hurts a financial institution most when the internal fraud occurs.

► Internal fraud and misconduct issues invariably attract media, and sometimes regulators and the government.

Page 15

Internal fraud versus external fraud (cont’d)

► Relatively modestly-sized frauds can be newsworthy

► So whilst there may be some level of acceptance for financial loss, there is often zero appetite for:

  ► Reputational impact

  ► Risk of facing a regulatory or government inquiry

Page 16

Internal fraud versus external fraud (cont’d)

How a fraud risk framework may look for managing internal fraud

[Figure: fraud risk framework cycle with stages Deter, Prevent, Detect, Respond, Report, Remediate & recover; the governing consideration shown is Reputation]

Page 17

Internal fraud versus external fraud (cont’d)

► Setting an internal fraud risk appetite should therefore be designed to not only safeguard the financial institution’s and clients’ assets, but also to ensure minimal damage to the financial institution’s brand.

► The effect of this could be that controls are designed to eradicate internal fraud, but are more relaxed on potential external fraud (where customer impact comes into play).

Page 18

Risk Appetite in the Broader Risk Governance Framework

Understanding an organisation’s risk appetite framework

► Let’s consider how to set the appetite, that is, the “low versus no” dilemma: how much internal fraud is too much?

► But first, let’s look a little further at risk appetite: what is it, and how does it fit broadly into the organisation?

► The risk appetite is the extent to which an organisation is prepared to accept the possibility that risks will materialise.

► How does it fit within the overall approach to risk governance?

Page 19

Risk Appetite in the Broader Risk Governance Framework

[Figure: risk governance framework diagram; source: EY Risk Governance 2020]

Page 20

Risk appetite in the broader risk governance framework

► The risk appetite framework encompasses the overall approach taken.

► It must pass the “use” test:

  ► Do your employees appreciate and understand how the risk appetite both enables and constrains their day-to-day activities?

  ► That is, can they easily use it?

An effective, embedded framework makes it clear to employees what they are accountable for in relation to the risk appetite for their business unit or business activity.

Page 21

Setting the fraud risk appetite

► A number of metrics are available, beyond dollar loss, for determining the acceptable level of fraud risk

► ‘Forward loss’ (what an organisation is willing to sustain in a severe environment) is a common measure:

  ► It allows common targets to be agreed

  ► Enables comparison amongst business units

► Other metrics are also applicable, including:

  ► Incidents

  ► Attempts

  ► Customer complaints

  ► Completion rates of employee mandatory training

  ► Genuine declines

Page 22

Setting the Fraud Risk Appetite (cont’d)

Cultural risk appetite plays a role in managing internal fraud and misconduct:

► Recent high profile conduct failings and regulatory scrutiny have placed more emphasis on risk culture: review, assess, and make changes to improve it.

► Qualitative measures designed to reinforce the organisational tone become just as important.

► Consideration should be given to activities designed to impact behaviour beyond absolute metrics.

Page 23

Setting the Fraud Risk Appetite (cont’d)

► Understanding this is as critical as analysing absolute metrics.

The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud.

Page 24

Fraud Controls and Activities

► Once an acceptable level of risk appetite has been determined, resources can then be directed to particular fraud processes and risk management activities.

► Fraud risk resource allocation can be broadly categorised into two activities:

1. Reactive measures: respond after an incident occurs

2. Proactive measures: to prevent and detect fraud

Page 25

Fraud Controls and Activities (cont’d)

1. Fraud investigation (reactive measures)

Typically appearing in most financial institutions’ overall fraud risk framework to manage fraud; a reactive aspect is important as a:

► Deterrent

► Way to quantify the loss or magnitude

► Way to uncover the control gaps or weaknesses

Page 26

Fraud Controls and Activities (cont’d)

2. Fraud risk management (proactive measures)

Often less evident in financial institutions than the reactive measures.

Proactive measures include:

► Fraud risk assessment

► Forensic data analytics

► Deep dives

► Communication: training, raising awareness, sharing lessons learnt, tone at the top messaging

Page 27

Putting Fraud Risk Appetite into Operation

Where should financial institutions start when it comes to determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?

Maturity of FI: Some financial institutions have come from a low base; their fraud risk appetite is nothing more than planning for next year's fraud losses to not exceed this year’s losses.

Page 28

Putting Fraud Risk Appetite into Operation (cont’d)

► Risk management planning cycle: risk appetite for fraud loss should be part of the planning cycle

► Calculations should:

  ► Be based on management information of actual experiences and predicted risks

  ► Consider the risks and rewards of any new products and channels

  ► Be communicated across the institution with appropriate oversight procedures in place

Page 29

Putting Fraud Risk Appetite into Operation (cont’d)

► At the other end of the cycle:

  ► Reporting should occur in line with a financial institution’s pre-defined risk appetite

  ► Appropriate intervention when both positive and negative variance to plan occurs

  ► Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution

Page 30

Finding the Sweet Spot Between a Low Appetite and No Appetite for Internal Fraud

► The fraud risk framework required to adequately prevent and detect internal fraud can be challenging for financial institutions to achieve.

► So can you accept a low appetite for internal fraud?

► How do they manage the ‘optics’ of a low appetite and still communicate the message to employees that it is not “open slather”?

► A key plank is strong deterrence, with overt condemnation of internal fraud and “tone at the top” messages and behaviours:

It all comes down to the way risk appetite is operationalised and embedded into the organisation’s day to day business.

Page 31

Keeping Pace With Change

► Regulators and other external stakeholders are becoming increasingly interested in an institution's risk appetite statement.

► External scrutiny is evident when internal fraud and associated misconduct incidents occur.

► Difficult questions may be asked about how and why it happened:

  ► Why was there not adequate oversight?

  ► Why didn’t the controls detect it earlier?

Page 32

Keeping Pace With Change

1. Monitoring through:

► An appetite statement that is both quantitative and qualitative

► Agreed metrics

► Triggers for management action and escalation

2. Review and refresh:

► Fraud risk management is not a ‘set and forget’ exercise

► Fraud risk is dynamic, and ongoing monitoring is required to capture material changes to fraud risk profiles

► Many financial institutions have already de-risked their books and end customer relationships where they present too high a risk

► Similarly, the upfront ‘declines’ of new client applications are now a common part of the broader fraud risk framework

Page 33

Checklist for Risk Framework

An approach entailing core mechanisms of a risk framework:

► Tone at the top

► Risk behaviour standards

► Roles and responsibilities

► Risk governance

► Risk appetite

► Risk transparency

► Rewards

► Employee life cycle

Source: EY Risk Governance 2020

Page 34

Case Studies

Page 35

Case Studies

Operating Without a Fraud Risk Appetite

Page 36

Case Study # 2

Retail Bank

► What: Bank detected customers being used as ‘mules’ to launder tainted funds.

► How: Customers claimed they were duped. In return for a fee they would provide their bank account details to allow funds to pass through.

► Risk appetite: The bank’s appetite on this type of customer behaviour was unclear. Whilst it tolerated one-off occurrences, it had no way of dealing with customers who were re-offenders (even though customers denied they knew that money was obtained fraudulently). An impromptu response was based on the ‘worth’ of the individual customer to the bank. That is, what other products did the customer have with the bank and the customer’s ‘worth’ to the bank.

Page 37

Case study #3

Wealth Manager

► What: A financial planner (FP) was assisting superannuation members to obtain early access to their superannuation

► How committed: Creation of sham superannuation funds; money was transferred (rolled over) to these sham funds and then withdrawn

► Risk appetite: Level of complicity. The wealth manager needed a decision about how to deal with the FP when the FP’s role in the scheme was not clear. It had to balance adverse media and reputation impacting the wealth manager (as the product issuer) with whether or not to retain the planner. How should it respond if it is a one-off, as opposed to occurring repeatedly with many of the FP’s customers?

Page 38

Case Study # 4

Retail Bank

► What: Fraud detection and alert investigation operated in isolation.

► How: The alert setting team determined the rules to detect anomalies, but worked in conjunction with the alert investigating team, so alert volume never exceeded the capacity of the team to investigate them. The product owner had no visibility.

► Risk appetite: Fraud risk appetite was not articulated, or if fraud risk appetite had been set within the bank’s broader risk appetite, it was not cascaded appropriately, and not visible to the relevant teams. Management reporting did not track against risk appetite and only compared this year’s fraud losses to last year’s losses.

Page 39

Case Study # 5

Wealth Manager

► What: Sensitive data of many of their customers was used to commit fraud at another, unrelated bank.

► How: An employee ‘farmed’ customer data and provided it to third parties, who in turn conducted identity takeovers of the customers with their own bank.

► Risk Appetite: Decision to be made in the aftermath. What was the risk appetite to implement a detection tool to identify this happening? Cost of audit logs versus cost of the fraud event reoccurring.
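Case Study #5 turns on whether the wealth manager is willing to pay for audit logs and a detection tool that would catch an employee harvesting customer records. The block below is an added illustration, not code from the presentation or from EY, of what that detection tool could look like at its simplest: a pass over audit-log lines that flags any employee who views far more distinct customer records in a day than their peers, followed by the expected-loss comparison the slide alludes to (annual cost of logging versus the cost of the event recurring). The log line format, field names, employee and customer identifiers, thresholds and cost figures are all constructed assumptions for the example.

```python
"""Audit-log review for bulk customer-record access (added example).

Constructed illustration for Case Study #5.  The log format, field names,
ids, thresholds and cost figures are assumptions, not a real bank's schema.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumed line format: "<ISO timestamp> emp=<id> action=<verb> cust=<id>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+emp=(?P<emp>\S+)\s+"
    r"action=(?P<action>\S+)\s+cust=(?P<cust>\S+)$"
)

# Constructed sample log: three employees doing ordinary work, plus E1042
# sweeping through forty distinct customer records in under an hour.
_BASELINE = [
    "2015-11-02T09:01:10 emp=E1001 action=VIEW_CUSTOMER cust=C10001",
    "2015-11-02T09:05:44 emp=E1001 action=VIEW_CUSTOMER cust=C10002",
    "2015-11-02T09:20:03 emp=E1002 action=VIEW_CUSTOMER cust=C10003",
    "2015-11-02T09:22:51 emp=E1002 action=VIEW_CUSTOMER cust=C10004",
    "2015-11-02T09:23:09 emp=E1002 action=VIEW_CUSTOMER cust=C10004",  # repeat view
    "2015-11-02T10:02:00 emp=E1003 action=VIEW_CUSTOMER cust=C10005",
    "2015-11-02T10:03:00 emp=E1003 action=UPDATE_ADDRESS cust=C10005",
]
_SWEEP = [
    f"2015-11-02T11:{i:02d}:00 emp=E1042 action=VIEW_CUSTOMER cust=C2{i:04d}"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(_BASELINE + _SWEEP) + "\n"


@dataclass(frozen=True)
class Finding:
    day: str
    employee: str
    distinct_customers: int
    peer_median: float


def parse_log(text: str) -> list[dict]:
    """Parse audit lines; an unparseable line is an error, not silently dropped,
    because a detection that quietly skips records is worse than one that fails."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(m.groupdict())
    return events


def distinct_views_per_day(events: list[dict], action: str = "VIEW_CUSTOMER") -> dict:
    """Map (day, employee) -> number of distinct customer records viewed."""
    seen: dict[tuple[str, str], set] = defaultdict(set)
    for e in events:
        if e["action"] == action:
            seen[(e["ts"], e["emp"])].add(e["cust"])
    return {key: len(custs) for key, custs in seen.items()}


def flag_bulk_access(counts: dict, min_records: int = 10,
                     peer_multiplier: float = 5.0) -> list[Finding]:
    """Flag an employee-day whose distinct-record count is at least min_records
    and more than peer_multiplier times the median of the other employees that
    day (the floor of 1 stops a quiet day from making everyone an outlier)."""
    by_day: dict[str, dict[str, int]] = defaultdict(dict)
    for (day, emp), n in counts.items():
        by_day[day][emp] = n
    findings = []
    for day, per_emp in by_day.items():
        for emp, n in per_emp.items():
            peers = [v for k, v in per_emp.items() if k != emp]
            peer_median = float(statistics.median(peers)) if peers else 0.0
            if n >= min_records and n > peer_multiplier * max(peer_median, 1.0):
                findings.append(Finding(day, emp, n, peer_median))
    return findings


def logging_worth_it(annual_logging_cost: float, loss_per_event: float,
                     annual_event_probability: float,
                     detection_reduction: float) -> tuple[float, bool]:
    """Expected annual loss avoided by the detection tool versus the annual cost
    of retaining and reviewing the logs; returns (avoided_loss, worth_it)."""
    avoided = loss_per_event * annual_event_probability * detection_reduction
    return avoided, avoided >= annual_logging_cost


def run_sample() -> list[Finding]:
    """Run the detection over the constructed sample log."""
    return flag_bulk_access(distinct_views_per_day(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.day} {f.employee}: {f.distinct_customers} distinct records "
              f"(peer median {f.peer_median:.0f})")
    # Constructed figures: logging costs 120k/yr; a recurrence costs 2M, is 20%
    # likely in a year, and the tool is assumed to halve that exposure.
    print(logging_worth_it(120_000, 2_000_000, 0.2, 0.5))
```

The peer comparison is deliberately relative rather than a fixed number, because the right absolute threshold differs between a call-centre team and a back-office team; the `min_records` floor keeps a tiny team from flagging its busiest member every day. The cost helper makes the slide's trade-off explicit: the decision is not whether logging is cheap, but whether the expected loss it removes exceeds what it costs to keep and review.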

Page 40

Conclusion

► There is no quick fix to finding the sweet spot between a low appetite and no appetite for internal fraud. This will change for every single financial institution.

► A mature fraud risk management framework must include proactive measures (to deter, prevent, and detect fraud), and not solely rely upon reactive measures.

► Financial institutions with success in managing internal fraud risk have demonstrated:

  ► Ability to articulate the fraud risk appetite

  ► ‘Operationalising’ the fraud risk appetite

  ► Embedded fraud risk appetite

Page 41

Conclusion (cont’d)

► Success can be measured by the “use” test:

Do your employees appreciate and understand how the risk appetite both enables and constrains their day-to-day activities?

Page 42

Contact Details

Tony Prior, Director

Ernst & Young, Fraud Investigation and Dispute Services

Sydney, Australia

Phone: + 61 2 8295 6597

Mobile: + 61 411 696 415

[email protected]

[email protected]

au.linkedin.com/in/tonyprior1

Page 43

Questions?

Page 44 ©2015 Association of Certified Fraud Examiners, Inc.

Low Versus No: Setting a Risk Appetite for Internal Fraud

Tony Prior, CFE, CAMS

Director

Ernst & Young