Driven by illicit activities like money laundering and cyberattacks, fraud has been a constant challenge for financial institutions, which must regularly adapt to keep up with the growing sophistication of criminals and the evolution of disruptive technologies. But this battle has been made even more difficult by a post-pandemic surge in fraud perpetrated by internal staff.
The COVID-19 crisis resulted in economic hardships, increased pressure to meet financial targets, compromised supply chains and an explosion in remote work. This complex blend of factors greased the wheels for a spike in insider fraud, covering everything from embezzlement, theft and data breaches to check fraud, CEO fraud and payment and receipt fraud.
Internal fraud demands a heightened level of control to prevent its pervasive growth. Instances of internal fraud can be seen as a symptom of a failing culture, whether it’s the result of willful blindness, ignorance or simple greed. Extreme vigilance is required to ensure that it does not become endemic.
Recalibration: Responding to the New Normal
Financial institutions must now recalibrate the way they think about fraud. They can achieve this through the following steps:
1. Reevaluate Governance
The existing fraud risk management framework needs to be thoroughly reviewed to identify emerging opportunities for fraud. Policies and procedures must be adapted to reflect the "new normal," taking into account the transformed risk landscape.
It is crucial to redraw fraud-risk appetites and tolerances by incorporating the perspectives and insights of stakeholders. Proactive measures, such as adopting a new fraud taxonomy, can assist organizations in staying ahead of evolving fraud schemes.
2. Review (and, If Necessary, Renew) Fraud Assessment
The frequency of fraud assessments should increase to align with the changing external environment, including political pressures and evolving responses from public and private organizations. Any exemptions that relax risk controls should be documented for future reviews and audits.
3. Improve Messaging and Communication
In the aftermath of the pandemic, it is vital to disseminate the fraud risk message without inundating individuals with excessive information.
Fraud risks are closely linked to the increased incidence of cybersecurity threats and money laundering. Therefore, it is crucial for timely and coordinated information to flow through internal and external data sources, including compliance, IT, audit and third-party vendors.
By understanding the interdependencies between fraud and other risks, organizations can respond to them holistically at the enterprise level.
4. Establish a Whistleblowing Hotline
The shift toward remote work (both during and after the pandemic) has resulted in an increase in the number of whistleblowers reporting fraudulent activities. Whistleblowing hotlines provide low-cost and credible channels for reporting fraud incidents.
The U.S. Securities and Exchange Commission has experienced a significant rise in tips on fraud, emphasizing the importance of whistleblowing mechanisms. Financial institutions must ensure that they have the necessary resources and determination to investigate these reports and take appropriate actions.
5. Make Proper Use of Big Data
Leveraging big data can provide fraud risk managers with clean, accessible, robust and sustainable information for inspection and audit purposes. Advanced data analytics techniques enable behavioral analysis and the detection of both new and existing fraud patterns.
However, organizations should be cautious about false positives resulting from the increased flow of data. To properly analyze the vast amounts of information generated, data must be regularly inspected and sanitized.
Parting Thoughts
Internal fraud poses substantial risks to organizations, necessitating constant adaptation in risk management practices. Failing to address fraud adequately can result in severe consequences, including reputational damage.
Successful management of fraud risks requires robust information management practices. Organizations must remain ever vigilant, continuously reassessing their risk frameworks to adapt to evolving threats and to mitigate the impact of internal fraud.
In its annual State of Fraud Benchmark Report, Alloy contended that 70% of financial institutions lost at least $500,000 to fraud in 2022. That same report, moreover, stated that six- and seven-figure data breaches are becoming more common.
Regulators cannot be expected to come to the rescue of financial institutions that do not have the proper risk controls in place to mitigate fraud. Firms that do not want their names besmirched on the front page of the Wall Street Journal must follow best practices.
John Thackeray is a risk and compliance practitioner and writer. His firm, RiskInk, helps businesses control their risks by writing policies and procedures to mitigate them. As a former senior risk executive at Citigroup, Deutsche Bank AG and Société Générale, he has had firsthand engagement with U.S. and European regulators.