Tuesday, 9 September 2008

An 'inside' job

Posted by Anita Hawser
It's official. As we have all suspected for some time the "external bogeyman" is not the biggest fraud threat companies face. It is internal fraud, which is resulting in the largest losses, says the Association of Certified Fraud Examiners (ACFE).

Research company, Financial Insights, highlights some interesting findings from a 2004 ACFE study which found that more than 80% of internal fraud cases were committed not by "career criminals" but by first time offenders. No surprises then given recent incidents at banks like Société Générale, and a host of others, that subsequent ACFE studies have found that banks are the biggest victims of internal fraud.

According to ACFE’s 2008 Report to the Nation on Occupational Fraud & Abuse, the internal rate of fraud loss has increased to 7% of annual turnover for all companies. FinInsights cites two examples of internal fraud: SME Bank in Thailand, which included 27 loan cases involving fraud and corruption; and the rogue trading incident at Société Générale where more than 1,000 fraudulent transactions, dating back to 2004, were concealed.

The fact that these transactions at both banks bypassed internal controls and procedures, not only suggests that internal fraud controls are inadequate, but that firms have spent far too much time safeguarding the enterprise from "external bogeyman" and not from Joe Bloggs in accounts.

FinInsights then went on to outline some best practices in internal fraud control:

  • Establishing controls that reduce the opportunity for unauthorised use of organisational resources (firewalls, email scanning, ID access - most banks already have these)

  • Providing sufficient employee monitoring, segregating duties for operational processes, and regularly rotating staff in key positions

  • Thorough recruitment screening and educating employees about the legal repercussions of being involved in illegal activities to act as a deterrent (not so sure about this one as in the case of traders, it is known that they are not out to make money for themselves necessarily but for their company. Are they the kind of people investment banks want to screen out?)

  • Automated detection systems and advanced analytic technologies that look for suspicious behavior and anomalous patterns (problem with this is that technology can only do so much. If no one responds to the alerts, the technology is useless)

  • Financial institutions need to define and understand the layout of internal data and the business process data flows in order to determine the necessary sources of and data feeds for fraud solutions (highly complex given that data and business processes tend to be 'siloed' within most banks)

  • Educating both employees and upper management on security

  • Establish accountability and ownership for lax security procedures

  • Reprimand staff for breaking or failing to follow security protocol, even minor violations

  • Providing confidential and easy-to-use channels of communication for whistle blowers

So in other words, fighting internal fraud is not easy. It is not simply a case of putting up a perimeter fence and installing software that recognises unusual behaviour patterns. That is only the tip of the iceberg, and in the end educating people is likely to be more effective than a piece of technology on its own.

No comments: