According to Verizon's 2015 Data Breach Investigation Report, approximately 20% percent of data breaches come from an internal source. This requires a change in an issuer's culture compliance to combat the problem.
The two broadest categories of internal fraud are embezzlement, or misappropriation of funds, and customer identity theft. Globally, identity theft presents the most concerning exposure due to the emergence of online markets and the resulting shift in customer behavior.
Data breaches, which can be a result of internal fraudulent activity, continue to be in the news, as reported by merchants, payment processors, card associations and financial institutions. To address this onslaught of internal threats, companies should implement a three-pronged strategy:
Create a culture of compliance across the enterprise, clearly defining policies for anti-fraud employee conduct.
Assess system, platform controls and safe guards, monitoring activity and mitigating internal threats.
Define clear roles and responsibilities at all levels, recognizing that management and systems are the first lines of defense to flag suspicious employee activity.
The creation of a culture of compliance is not only a prudent strategy for financial institutions and card issuers, but it is also one of regulators heightened expectations for all financial institutions, regardless of segment.
Beyond the issuance of a policy, this demands an enterprise-wide adoption of the principles, concepts and requirements associated with regulations like CFPB, BSA, and even Employee Bonding provisions. It includes a top-down employee conduct strategy in which the expectations are clearly defined, communicated and acknowledged at all levels as it relates to their specific function. This also requires a coherent partnership between compliance and the individual lines of business to ensure that the first and second lines of defense operate in tandem.
The efficiency of enterprise fraud mitigation strategies is only as effective as the controls in place to prevent and/or flag suspicious activity. Effective controls and processes are paramount to expose and address fraud risk. This monitoring is essential as employees know the system and the best ways of how to circumvent the controls.Creating a profile of what constitutes a high risk employee and high risk activity will drive the detection of suspicious activity and trigger further investigation as necessary if there is an employee who repeatedly accesses specific accounts for non-bank business inquires.
Example traits of high risk employees include short time on the job, disgruntled and financially stressed. If a single employee or contractor accesses a customer information system to inquire the details of a customer account; personal data or other identifying customer information protected under the BSA and internal security policies, this indicates potentially suspicious insider behavior. Systems and controls must constantly be monitored for performance through a combination of analytics, operational/process rules and basic business knowledge. The objective is to reduce false positives and evolve with constantly changing practices used to commit internal fraud.
Once system controls and a culture of compliance culture are in place, clearly defined roles and responsibilities at all levels is the glue that brings an effective internal fraud strategy together. A system may produce alerts or even prevent suspicious activity, but it must then be addressed and resolved by the individual with the responsibility and accountability to execute the necessary action. Roles must be clearly defined at each level with appropriate performance metrics.
The roles can fall into a few categories: monitoring, investigation, enforcement and most importantly ownership of the function. The reality is that all employees at all levels have an assigned role in the prevention of internal fraud. Training, sharing information and developing a cohesive communication plan are key to ensuring that everyone understands their role in protecting the organization and its customers.
Customers often express concern that companies dont do enough to protect from within. While no system is bullet-proof, following this approach can ensure that a company prevents and detects internal fraud as effectively as possible. By cultivating a culture of compliance across the enterprise, implementing the appropriate monitoring and controls and employee training, companies will create a well-rounded system for internal fraud protection.
Edmund Tribue is the national lead for credit, risk management and compliance solutions for North Highland.