PRACTICAL TIPS REGARDING FRAUD RISK MANAGEMENT
Manish Chopra
Helping clients drive transformation in Credit Risk, Regulatory Compliance & Financial Crime Compliance
The Office of the Comptroller of the Currency, which supervises the largest banks in the country, has a long-standing compendium of existing best practices regarding fraud risk management. These reflect many of the basic principles set forth in the COSO fraud risk management guide. They also overlap with the Justice Department’s “Evaluation of Corporate Compliance Programs,” critical guidance for risk management professionals.
The wide range of actions expected regarding fraud risk management is striking – they include training, consumer education, complaint resolution, information security, real-time transaction analysis and behavioral analytics, third-party risk management, and human resources matters such as job breaks and background investigations for new employees. The OCC’s guidance also overlaps with Bank Secrecy Act measures such as Section 314 information requests and, thus, reinforces the logic of seeking synergies between AML and anti-fraud functions.
With all this in mind, imagine yourself as a risk manager tasked by a bank’s senior management with ensuring adherence to all these principles and integrating them into existing anti-fraud policies and processes. The mission is potentially overwhelming. Below are several practical measures that can help.
1. Integration of governance / cross-functional governing board: As the OCC makes clear, proper governance is of paramount importance to controlling a bank’s exposure to fraud. But even with a proactive board of directors and senior management engagement, it’s still quite challenging to ensure implementation of organization-wide anti-fraud measures. That’s because of the breadth of the OCC’s principles combined with the stark fact that banks are complex, ever-changing organizations with a range of daily stresses that extend well beyond fraud.
As a practical matter, fraud risk management can’t be owned by any one department. Regulators often cite the importance of having each of the three “lines of defense” – the business, the independent risk and compliance functions, and Internal Audit – address key risk issues. What’s also critical is unifying ownership organizationally across those three lines and focusing responsibility and oversight. A financial institution might have dozens of committees, subcommittees, and oversight boards that in some manner touch upon fraud. This creates the need for a dedicated anti-fraud committee or council comprised of senior representatives from key business areas, plus functions such as IT, Finance, Compliance, Risk, Vendor Management, HR, and Audit. A bank’s fraud risk management committee should have assigned to it specific key responsibilities that include defining fraud risk appetite and tolerance appropriate to each business line, reviewing anti-fraud policies and procedures, addressing relevant regulatory findings, ensuring a strong anti-fraud control infrastructure, and establishing and taking advantage of MIS systems for identifying and reporting fraud risks and deficiencies. The committee needs to have the resources, stature, and authority appropriate to discharge its responsibilities, including ready access to the bank’s senior Risk and Audit Committees to be able to report significant findings together with management's responses and follow-ups.
2. Culture: As emphasized by the OCC, a foundation for proper governance is instilling a strong corporate culture that promotes ethical behavior and appropriate tone at the top. “Culture” is a concept that is sometimes neglected because it’s hard to define, measure, or quantify. But the need for strong culture should be intuitive, as fraud mitigation ultimately is addressed by people, not systems, and all staff must understand fraud risks and controls and view them as requiring active supervision. Of course, setting a proper culture begins with a clear commitment from the board of directors and senior management (“tone at the top”). Employees who view their managers as honest, ethical, respectful, and fair are more inclined to emulate that behavior. A positive working environment also will help avoid perceived wrongs that can be the motivation for fraud. Other important measures to fostering an anti-fraud culture include mandatory employee fraud awareness training, establishing an easily used and understood whistle-blowing process, setting up an effective fraud hotline, disseminating a clear written code of practice covering issues such as the acceptance of gifts, and consistently implementing disciplinary processes for violation of anti-fraud policies.
3. Control Matrix: The OCC’s list of expected detective and preventive controls is wide-ranging and exhaustive. How will implementation of each of the controls be tracked, much less assured? A useful step is to meticulously map them out, including which persons and areas are responsible for specific tasks. Most financial institutions plot on a heat map the likelihood and significance of various types of fraud, including “Black Swan” events, as well as ordinary risks such as mortgage fraud, insider trading, and identity theft. For regulatory compliance purposes, what’s needed as a complement to this is a matrix that documents a bank’s fraud risks matched against attendant controls. This should be done for each business process and then aggregated to create the basis for an overall risk appetite statement for fraud.
4. Metrics and scorecard: The OCC’s principles cannot be implemented or demonstrated without a common view of issues, controls, and residual risk that is accessible and can be monitored. A monthly fraud risk scorecard can be a useful tool in this regard. The key is to identify a dozen or so critical metrics that quantify actual risk against established risk limits and thresholds. Examples include loss amounts, detection and recovery rates, false positives, call response times, and complaints. These help you manage fraud while keeping customer impact low. Attendant to identifying key metrics is determining what constitutes good, average, and poor performance for each metric and assigning a positive or negative point value based on importance. Periodically, you score each metric according to the performance range it falls into, apply its weight, sum the weighted scores, and evaluate the total.
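The scorecard mechanics described in tip 4, as an added worked example that is not part of the original article: each metric is banded good/average/poor in the direction that makes sense for it (lower losses are good, higher recovery rates are good), the band points are weighted by importance and summed, and any metric past its hard risk limit is flagged for escalation. The metric names, thresholds, weights and the sample month's values are all constructed for illustration and are not figures from the OCC or any bank.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Metric:
    name: str
    weight: float           # relative importance in the summed score
    higher_is_better: bool  # recovery rate vs. loss amount, for example
    good: float             # boundary of the "good" band
    poor: float             # boundary of the "poor" band; in between is "average"
    limit: float            # hard risk limit agreed with the fraud committee

# Constructed scorecard definition (hypothetical weights and thresholds).
SCORECARD = [
    Metric("loss_amount_usd",       3.0, False, good=250_000, poor=500_000, limit=750_000),
    Metric("detection_rate",        2.0, True,  good=0.90,    poor=0.75,    limit=0.60),
    Metric("recovery_rate",         1.5, True,  good=0.50,    poor=0.30,    limit=0.20),
    Metric("false_positive_rate",   1.0, False, good=0.05,    poor=0.10,    limit=0.20),
    Metric("call_response_seconds", 1.0, False, good=60,      poor=120,     limit=300),
    Metric("complaints_per_10k",    1.5, False, good=2.0,     poor=5.0,     limit=10.0),
]
BAND_POINTS = {"good": 1, "average": 0, "poor": -1}

def band(m: Metric, value: float) -> str:
    """Classify a value as good/average/poor, honouring the metric's direction."""
    if m.higher_is_better:
        return "good" if value >= m.good else "poor" if value < m.poor else "average"
    return "good" if value <= m.good else "poor" if value > m.poor else "average"

def breaches_limit(m: Metric, value: float) -> bool:
    """True when the value is past the hard limit, which needs committee escalation."""
    return value < m.limit if m.higher_is_better else value > m.limit

def score_month(values: dict) -> dict:
    """Weight each metric's band points, sum them, and flag limit breaches."""
    lines, total, breaches = [], 0.0, []
    for m in SCORECARD:
        v = values[m.name]
        b = band(m, v)
        pts = BAND_POINTS[b] * m.weight
        total += pts
        if breaches_limit(m, v):
            breaches.append(m.name)
        lines.append((m.name, v, b, pts))
    max_total = sum(m.weight for m in SCORECARD)
    return {"lines": lines, "score": total, "max": max_total, "breaches": breaches}

# Constructed sample month (hypothetical values).
SAMPLE = {"loss_amount_usd": 310_000, "detection_rate": 0.93, "recovery_rate": 0.18,
          "false_positive_rate": 0.04, "call_response_seconds": 140, "complaints_per_10k": 3.1}
```

A breached limit is reported separately from the summed score on purpose: a good month overall must not hide a single metric that has crossed the threshold the committee set.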
5. Independent audit and review: The first line of defense is, of course, critical to fraud risk management through measures such as regular testing of controls, analysis of complaint and whistle-blower data, and root cause analysis of identified fraud. The second and third lines of defense also are important to ensuring a sound fraud risk management infrastructure, including evaluating processes, vulnerabilities, exposures, and the effectiveness and design of controls. A part of this is analyzing data and assessing where fraud risk is highest, and then auditing or reviewing the OCC-recommended controls in that area. Where fraud has occurred, they should review specifically how the detective and preventive controls failed, and identify opportunities for improvement. These functions also should continuously consider the probability of further errors, fraud, or noncompliance across the organization.
The bottom line is that a cookie-cutter, siloed approach to fraud risk management will not suffice. The key principles need to be woven into the bank’s organizational structure in a manner such that all who need to contribute can do so, are motivated to do so, are held accountable for doing so, and have their efforts evaluated, measured, reported out, and coordinated logically with all other contributors.