Low vs No: Setting a Risk Appetite for Internal Fraud
TRANSCRIPT
Page 1 ©2015 Association of Certified Fraud Examiners, Inc.
WELCOME
Low Versus No: Setting a Risk Appetite for Internal Fraud
Tony Prior, CFE, CAMS
Director
Ernst & Young
Low vs No: Setting a Risk Appetite for Internal Fraud
ACFE Asia-Pacific Conference, Singapore
November 2015
Tony Prior, Director
Ernst & Young, Fraud Investigation & Dispute Services
Sydney, Australia
Agenda
► Introduction
► Managing internal fraud vs. external fraud
► Risk appetite in the broader risk governance framework
► Setting the fraud risk appetite
► Determining fraud controls and activities
► Putting fraud risk appetite into operation
► Keeping pace with change
► Case studies
Low versus No: Setting a Risk Appetite for Internal Fraud
Introduction
► An often stated mantra about an organisation’s fraud risk
appetite:
► “Some tolerance for external fraud”
► “No tolerance for internal fraud”
► However, often:
► A gap exists between that statement and the necessary fraud risk
framework in place
► Commensurate controls are not there to support the statement
► To adequately manage internal fraud, close alignment is required between the prevention, detection and mitigation processes and the risk appetite:
The extent to which an organisation is prepared to accept the
possibility that risks will materialise
Introduction (cont’d)
► The lower the appetite for fraud risk and losses, the
greater the number and coverage of processes in place
for the higher risk area.
► Consider the different dynamics in play between
managing internal fraud versus external fraud.
► The quandary for the financial institution, the “low fraud versus no fraud” dichotomy:
How much internal fraud is too much?
Introduction (cont’d)
Why financial services?
► Given the strong regulatory environment, financial services have mature fraud risk operating models compared to other sectors.
► Financial services are well represented in ACFE’s recent Report to the Nations on Occupational Fraud and Abuse:
► By victim organisation, the sector had the highest number of reported cases, nearly 18% of all cases reported.
► Corruption was the most common fraud type for the sector.
► The concepts discussed are transferable to other sectors.
Case Study # 1
Retail, business, and institutional bank
► What: The fraud risk strategy was designed with the consideration of
risk appetite.
► How: “Customer experience” was a narrative commonly expressed
across the entire bank, and the bank’s fraud risk strategy recognised
this when it was developed.
► Risk Appetite: The bank expressed a desire not to impact the
customer experience when managing a low risk, and this position was
incorporated into a fraud risk strategy and its underlying plans. This
also created a very well understood challenge when managing the
low appetite or high fraud risk areas without impacting legitimate
customers.
Bank staff colloquially referred to this as “preferring an ambulance at the bottom of the cliff to a fence at the top”.
Low versus No: Setting a Risk Appetite for Internal Fraud
Internal Fraud Versus External Fraud
Should they be managed differently?
► Let’s consider a retail bank. A likely key performance
indicator is to achieve high customer satisfaction.
► Customer satisfaction is achieved to some extent by the
customers’:
► Individual experiences with the bank
► Ease of transacting
► Level and nature of communication with the bank
► Perceived adequacy and promptness of the bank’s response to
requests
► Anecdotal experiences with competitor banks
Internal fraud versus external fraud (cont’d)
Customer experience and fraud loss optimisation become a trade-off when managing external fraud losses.
Let’s discuss a typical external ‘fraud’ scenario:
► Fraud monitoring and alerts suggest that the customer’s transaction card may have been compromised.
► The bank: how much loss is it prepared to incur so as not to disrupt the customer?
Internal fraud versus external fraud (cont’d)
► The bank’s options:
► Permit transaction to proceed
► Telephone customer
► SMS to customer
► Decline the transaction
► Suspend or cancel the card
Internal fraud versus external fraud (cont’d)
How a fraud risk framework may look for managing external fraud
[Diagram: Deter, Prevent, Detect, Respond, Report, Remediate & recover; customer impact]
Internal fraud versus external fraud (cont’d)
► The financial institution’s risk appetite and associated
controls will:
► Determine the nature of its response.
► Create a corresponding interruption and inconvenience for the customer.
► Genuine transactions that are declined may impact the
customer experience.
► Conversely, a ‘courtesy’ telephone call or SMS to the
legitimate customer may create a positive customer
experience.
► Financial institutions have become smarter, increasing
customer satisfaction, and might ‘whitelist’ certain
customers.
Internal fraud versus external fraud (cont’d)
Let’s consider internal fraud:
► The same choices do not always present themselves to
the financial institution.
► When combating internal fraud, the customer’s
experience is not the most significant consideration.
► Internal fraud incidents often do not directly impact customers, so there is less chance of detection by customers.
► Often, brand impact hurts a financial institution most when internal fraud occurs.
► Internal fraud and misconduct issues invariably attract
media, and sometimes regulators and the government.
Internal fraud versus external fraud (cont’d)
► Relatively modestly sized frauds can be newsworthy.
► So whilst there may be some level of acceptance for financial loss, there is often zero appetite for:
► Reputational impact
► The risk of facing a regulatory or government inquiry
Internal fraud versus external fraud (cont’d)
How a fraud risk framework may look for managing internal fraud
[Diagram: Deter, Prevent, Detect, Respond, Report, Remediate & recover; reputation]
Internal fraud versus external fraud (cont’d)
► Setting an internal fraud risk appetite should therefore be
designed to not only safeguard the financial institution and
clients’ assets, but also to ensure minimal damage to the
financial institution’s brand.
► The effect of this could be that controls are designed to
eradicate internal fraud, but are more relaxed on potential
external fraud (where customer impact comes into play).
Risk Appetite in the Broader Risk Governance Framework
Understanding an organisation’s risk appetite framework
► Let’s consider how to set the appetite, that is the “low
versus no” dilemma: how much internal fraud is too
much?
► But first, let’s look a little further at risk appetite: what is it, and how does it fit broadly into the organisation?
► The risk appetite is the extent to which an organisation is
prepared to accept the possibility that risks will
materialise.
► How does it fit within the overall approach to risk
governance?
Risk Appetite in the Broader Risk Governance Framework
[Diagram] Source: EY Risk Governance 2020
Risk appetite in the broader risk governance framework
► The risk appetite framework encompasses the overall
approach taken.
► It must pass the “use” test:
► Do your employees appreciate and understand how the risk
appetite both enables and constrains their day-to-day activities?
► That is, can they easily use it?
An effective, embedded framework makes it clear to
employees what they are accountable for in relation to
the risk appetite for their business unit or business
activity.
Setting the fraud risk appetite
► A number of metrics are available, beyond dollar loss, for determining the acceptable level of fraud risk.
► ‘Forward loss’--what an organisation is willing to sustain in a severe environment--is a common measure:
► It allows common targets to be agreed
► It enables comparison amongst business units
► Other metrics are also applicable, including:
► Incidents
► Attempts
► Customer complaints
► Completion rates of employee mandatory training
► Genuine declines
Setting the Fraud Risk Appetite (cont’d)
Cultural risk appetite plays a role in managing internal fraud
and misconduct:
► Recent high-profile conduct failings and regulatory scrutiny have placed more emphasis on risk culture: review it, assess it, and make changes to improve it.
► Qualitative measures designed to reinforce the
organisational tone become just as important.
► Consideration should be given to activities designed to
impact behaviour beyond absolute metrics.
Setting the Fraud Risk Appetite (cont’d)
► Understanding this is as critical as analysing absolute
metrics.
The culture of the financial institution may drive certain
behaviours and therefore the perception of acceptability
of the level of internal fraud.
Fraud Controls and Activities
► Once an acceptable level of risk appetite has been
determined, resources can then be directed to particular
fraud processes and risk management activities.
► Fraud risk resource allocation can be broadly categorised
into two activities:
1. Reactive measures--respond after an incident occurs
2. Proactive measures--prevent and detect fraud
Fraud Controls and Activities (cont’d)
1. Fraud investigation (reactive measures)
Fraud investigation typically appears in most financial institutions’ overall fraud risk framework; the reactive aspect is important because it:
► Acts as a deterrent
► Quantifies the loss or magnitude
► Uncovers the control gaps or weaknesses
Fraud Controls and Activities (cont’d)
2. Fraud risk management (proactive measures)
Often less evident in financial institutions than the reactive measures.
Proactive measures include:
► Fraud risk assessment
► Forensic data analytics
► Deep dives
► Communication--training, raising awareness, sharing lessons learnt, tone-at-the-top messaging
Putting Fraud Risk Appetite into Operation
Where should financial institutions start when it comes to
determining an appropriate level of internal fraud risk and
putting in a mitigating framework to align to that level?
Maturity of FI: Some financial institutions have come from a
low base--their fraud risk appetite is nothing more than
planning for next year's fraud losses to not exceed this
year’s losses.
Putting Fraud Risk Appetite into Operation (cont’d)
► Risk management planning cycle--the risk appetite for fraud loss should be part of the planning cycle
► Calculations should:
► Be based on management information of actual experiences and
predicted risks
► Consider the risks and rewards of any new products and channels
► Be communicated across the institution with appropriate oversight
procedures in place
Putting Fraud Risk Appetite into Operation (cont’d)
► At the other end of the cycle:
► Reporting should occur in line with a financial institution’s pre-defined risk appetite
► Appropriate intervention when both positive and negative variance
to plan occurs
► Socialisation of notable results should be supported with strong
messages, reinforced from the top of the institution
Finding the Sweet Spot Between a Low Appetite and No Appetite for Internal Fraud
► The fraud risk framework required to adequately prevent
and detect internal fraud can be challenging for financial
institutions to achieve.
► So can an institution accept a low appetite for internal fraud?
► How does it manage the ‘optics’ of a low appetite and still communicate the message to employees that it is not “open slather”?
► A key plank is strong deterrence, with overt condemnation
of internal fraud and "tone at the top” messages and
behaviours:
It all comes down to the way risk appetite is operationalised and
embedded into the organisation’s day to day business.
Keeping Pace With Change
► Regulators and other external stakeholders are becoming
increasingly interested in an institution's risk appetite
statement.
► External scrutiny is evident when internal fraud and associated misconduct incidents occur.
► Difficult questions may be asked about how and why it
happened:
► Why was there not adequate oversight?
► Why didn’t the controls detect it earlier?
Keeping Pace With Change (cont’d)
1. Monitoring through:
► An appetite statement, both quantitative and qualitative
► Agreed metrics
► Triggers for management action and escalation
2. Review and refresh:
► Fraud risk management is not a ‘set and forget’ exercise
► Fraud risk is dynamic, and ongoing monitoring is required to capture material changes to fraud risk profiles
► Many financial institutions have already de-risked their books and ended customer relationships where they presented too high a risk
► Similarly, upfront ‘declines’ of new client applications are now a common part of the broader fraud risk framework
Checklist for Risk Framework
An approach entailing core mechanisms of a risk framework:
► Tone at the top
► Risk behaviour standards
► Roles and responsibilities
► Risk governance
► Risk appetite
► Risk transparency
► Rewards
► Employee life cycle
Source: EY Risk Governance 2020
Case Studies
Operating Without a Fraud Risk Appetite
Case Study # 2
Retail Bank
► What: Bank detected customers being used as ‘mules’ to launder
tainted funds.
► How: Customers claimed they were duped. In return for a fee, they would provide their bank account details to allow funds to pass through.
► Risk appetite: The bank’s appetite for this type of customer behaviour was unclear. Whilst it tolerated one-off occurrences, it had no way of dealing with customers who were re-offenders (even though the customers denied knowing that the money was obtained fraudulently). The impromptu response was based on the ‘worth’ of the individual customer to the bank, that is, what other products the customer held with the bank.
Case Study # 3
Wealth Manager
► What: A financial planner (FP) was assisting superannuation members to obtain early access to their superannuation.
► How: Sham superannuation funds were created; members’ money was transferred (rolled over) into these sham funds and then withdrawn.
► Risk appetite: Level of complicity--the wealth manager needed to decide how to deal with the FP when the FP’s role in the scheme was not clear. It had to balance the adverse media and reputational impact on the wealth manager (as the product issuer) against whether or not to retain the planner. How should it respond if this was a one-off, as opposed to occurring repeatedly with many of the FP’s customers?
Case Study # 4
Retail Bank
► What: Fraud detection and alert investigation operated in isolation.
► How: The alert-setting team determined the rules to detect anomalies, but worked in conjunction with the alert-investigating team so that alert volume never exceeded the team’s capacity to investigate the alerts. The product owner had no visibility.
► Risk appetite: The fraud risk appetite was not articulated, or, if a fraud risk appetite had been set within the bank’s broader risk appetite, it was not cascaded appropriately and was not visible to the relevant teams. Management reporting did not track against the risk appetite and only compared this year’s fraud losses to last year’s losses.
Case Study # 5
Wealth Manager
► What: Sensitive data belonging to many of the wealth manager’s customers was used to commit fraud at another, unrelated bank.
► How: An employee ‘farmed’ customer data and provided it to third parties, who in turn conducted identity takeovers of the customers with their own bank.
► Risk Appetite: A decision had to be made in the aftermath. What was the risk appetite for implementing a detection tool to identify this happening? The cost of audit logs versus the cost of the fraud event recurring.
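Case Study # 5 turns on whether audit logs of customer-record access are worth their cost. As an added example (not from the presentation, and not EY’s or the wealth manager’s tooling), the Python review below illustrates the kind of forensic data analytics the earlier slides list as a proactive measure: it reads an access audit log and flags employees whose customer lookups stand out from their peers on volume, on out-of-hours timing, or on rapid sequential access. The log format, the employee and customer identifiers, and the thresholds are all assumptions constructed for the example.

```python
"""Audit-log review for customer-data 'farming' by an insider.

Added example, not part of the presentation. It assumes a simple
whitespace-separated audit log (timestamp, employee id, action, customer id);
the log lines, identifiers and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real data). emp041 looks up 14 different
# customers, 12 of them within 44 seconds, and two of them late at night.
AUDIT_LOG = """\
2015-11-02T09:01:12 emp017 VIEW_CUSTOMER c1001
2015-11-02T09:05:40 emp017 VIEW_CUSTOMER c1002
2015-11-02T10:12:03 emp017 VIEW_CUSTOMER c1003
2015-11-02T09:10:00 emp017 UPDATE_ADDRESS c1001
2015-11-02T09:02:55 emp023 VIEW_CUSTOMER c2001
2015-11-02T11:30:18 emp023 VIEW_CUSTOMER c2002
2015-11-02T14:45:09 emp023 VIEW_CUSTOMER c2001
2015-11-02T09:00:05 emp041 VIEW_CUSTOMER c3001
2015-11-02T09:00:09 emp041 VIEW_CUSTOMER c3002
2015-11-02T09:00:13 emp041 VIEW_CUSTOMER c3003
2015-11-02T09:00:17 emp041 VIEW_CUSTOMER c3004
2015-11-02T09:00:21 emp041 VIEW_CUSTOMER c3005
2015-11-02T09:00:25 emp041 VIEW_CUSTOMER c3006
2015-11-02T09:00:29 emp041 VIEW_CUSTOMER c3007
2015-11-02T09:00:33 emp041 VIEW_CUSTOMER c3008
2015-11-02T09:00:37 emp041 VIEW_CUSTOMER c3009
2015-11-02T09:00:41 emp041 VIEW_CUSTOMER c3010
2015-11-02T09:00:45 emp041 VIEW_CUSTOMER c3011
2015-11-02T09:00:49 emp041 VIEW_CUSTOMER c3012
2015-11-02T22:15:02 emp041 VIEW_CUSTOMER c3013
2015-11-02T22:15:30 emp041 VIEW_CUSTOMER c3014
"""

# Assumed tuning; an institution would set these from its own baselines.
BUSINESS_HOURS = (7, 19)   # accesses outside 07:00-19:00 count as out of hours
PEER_MULTIPLIER = 4        # flag when distinct customers >= 4x the peer median...
ABSOLUTE_FLOOR = 10        # ...but never on fewer than 10 distinct customers
BURST_WINDOW_S = 60        # sliding window for rapid sequential lookups
BURST_COUNT = 10           # lookups inside the window that count as a burst


def parse_log(text):
    """Yield (timestamp, employee, action, customer) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, action, cust = line.split()
        yield datetime.fromisoformat(ts), emp, action, cust


def max_burst(timestamps, window_s):
    """Largest number of events falling inside any window_s-second window."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_access(text):
    """Return one finding per employee-day that breaches any of the signals."""
    per_key = defaultdict(list)  # (employee, day) -> [(timestamp, customer)]
    for ts, emp, _action, cust in parse_log(text):
        per_key[(emp, ts.date())].append((ts, cust))

    # Peer baseline: median number of distinct customers per employee-day.
    distinct = {k: len({c for _, c in v}) for k, v in per_key.items()}
    peer_median = median(distinct.values())
    volume_limit = max(ABSOLUTE_FLOOR, PEER_MULTIPLIER * peer_median)

    findings = []
    for (emp, day), events in sorted(per_key.items()):
        n_distinct = distinct[(emp, day)]
        out_of_hours = sum(
            1 for ts, _ in events
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        burst = max_burst([ts for ts, _ in events], BURST_WINDOW_S)
        reasons = []
        if n_distinct >= volume_limit:
            reasons.append(
                f"{n_distinct} distinct customers vs peer median {peer_median:g}")
        if out_of_hours:
            reasons.append(f"{out_of_hours} out-of-hours accesses")
        if burst >= BURST_COUNT:
            reasons.append(f"{burst} lookups within {BURST_WINDOW_S}s")
        if reasons:
            findings.append({"employee": emp, "day": str(day), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG):
        print(f["employee"], f["day"], "; ".join(f["reasons"]))
```

Run on its own, the script reports a single finding, for the constructed employee emp041, on all three signals. The peer-relative baseline is the deliberate design choice: a fixed cap alone tends to be tuned to how many alerts the investigating team can absorb, which is the situation Case Study # 4 describes, whereas a baseline drawn from the team’s own access pattern reflects what normal looks like in that business unit.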
Conclusion
► There is no quick fix to finding the sweet spot between a low appetite and no appetite for internal fraud. It will differ for every financial institution.
► A mature fraud risk management framework must include proactive measures (to deter, prevent and detect fraud) and not rely solely upon reactive measures.
► Financial institutions with success in managing internal
fraud risk have demonstrated:
► Ability to articulate the fraud risk appetite
► ‘Operationalising’ the fraud risk appetite
► Embedded fraud risk appetite
Conclusion (cont’d)
► Success can be measured by the “use” test:
Do your employees appreciate and understand how the
risk appetite both enables and constrains their day-to-day
activities?
Contact Details
Tony Prior, Director
Ernst & Young, Fraud Investigation and Dispute Services
Sydney, Australia
Phone: +61 2 8295 6597
Mobile: +61 411 696 415
au.linkedin.com/in/tonyprior1
Questions?