Fraud: Prevention is better than punishment
Greater regulatory scrutiny and a more competitive market mean it’s time banks looked at how technology can help them tackle fraud before it happens, writes John Kiptum.
Fraud costs the world $3.7 trillion each year, according to the Association of Certified Fraud Examiners, the world’s largest anti-fraud organization. Nearly 75% of banking fraud in particular is internal.
Bad as that might seem, it’s certainly not the full scale of the problem. Most fraud remains undetected – and when that is added in, along with the cost of the fallout, the true total is pushed far higher.
Fines, penalties and sanctions that states levy against those organizations affected erode corporate reputation, and hit the bottom line and share price. That’s without mentioning the disruption caused by an official investigation, which can go on for months – years even – and for which the organization sometimes has to pay.
Barclays was fined $2.4bn in May 2015 for rigging foreign exchange deals in a scandal that took in some of the world’s biggest and best-known banks. Total fines for Bank of America were $455m, for UBS $1.14bn, for RBS $1.3bn, for JP Morgan $1.9bn and for Citigroup $2.32bn. Meanwhile, the South African authorities have recommended the prosecution of 17 global banks, including JP Morgan, Bank of America Merrill Lynch, HSBC, Credit Suisse and Barclays, seeking to impose penalties of 10 per cent of annual revenues for rand-rate manipulation.
In the US, Wells Fargo saw earnings hit in 2016 after it was found to have opened unauthorized customer accounts to help meet aggressive sales targets. Earnings by assets fell 5.4 per cent to $5.3bn in the same year.
Basel II’s capital requirements are linked to a bank’s operational risk level, forcing it to set aside more capital to cover high levels of fraud – capital that would be better used to create shareholder value. In the worst-case scenario, companies badly hit can go out of business, unable to regain the trust of the watchdogs and public alike.
In the past, banks have often swept the problem of fraud under the carpet. They have been able to afford the fines thanks to high profit margins and weren’t obliged to report it. All that has changed. With squeezed margins and tight balance sheets, shareholders are less relaxed about such losses while the fight against terrorism and money laundering means banks are now required to report fraud quarterly in the US, and include figures in their annual reports. Increasingly, other jurisdictions are demanding similar levels of transparency.
This means we know that in the UK, for example, financial fraud rose by 26 per cent in 2015 to £755m, according to Financial Fraud Action UK. Kroll, the business intelligence group, calculated that some 70 per cent of global financial services companies were affected by fraud in 2015, losing an average of half a per cent of revenues. Of that, 17 per cent were compliance or regulatory breaches, 18 per cent information loss and 18 per cent due to insider involvement.
The fallout of this increased regulatory scrutiny, along with a much more competitive market, has tipped the balance away from punishment towards fraud prevention. And technology is the enabler.
Only relatively recently, banks were recording every transaction on paper. Audits were time consuming, costly – and periodic. Today, technology and data warehousing, along with analytics, profiling and artificial intelligence, mean banks can record every transaction, action and communication and analyze them constantly in real time, spotting suspicious behavior and even blocking transactions before they are completed. And should a fraud occur, there is a data trail that can be followed far more easily and quickly, making recovery and successful prosecution of the perpetrators more likely.
A recent case in Switzerland is a perfect illustration of how behavioral analytics looking for suspicious activity could stop fraud. In March a Swiss company’s bank accounts were hacked and SFr1.2m fraudulently transferred to an account in Kyrgyzstan. Although four Swiss banks were involved, only one – PostFinance – stopped the transfer after spotting a spelling mistake. The company’s CEO Christoph Küng believes the others should have noted something was awry and blocked the transfers too: the destination account was an individual who had never received funds before from his company – enough to raise an alert.
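The check described in the Swiss case, a payment to a beneficiary the payer has never paid before, can be written as a simple pre-release rule. The sketch below is an added example, not code from the article or from any bank's system; it also goes one step beyond the case by comparing the amount with the payer's own history. All account names, the sample history and the 5x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample history: (payer, beneficiary, amount). Not real data.
HISTORY = [
    ("acme-ag", "supplier-a", 12000.0),
    ("acme-ag", "supplier-b", 8000.0),
    ("acme-ag", "supplier-a", 15000.0),
    ("acme-ag", "payroll", 9500.0),
    ("acme-ag", "supplier-b", 11000.0),
]


def build_profiles(history):
    """Per-payer profile: beneficiaries already paid and past amounts."""
    profiles = defaultdict(lambda: {"payees": set(), "amounts": []})
    for payer, payee, amount in history:
        profiles[payer]["payees"].add(payee)
        profiles[payer]["amounts"].append(amount)
    return profiles


def score_payment(profiles, payer, payee, amount, amount_factor=5.0):
    """Return (decision, reasons) for a pending payment.

    amount_factor is an assumed tuning value: how many times the payer's
    median past amount a payment may be before it counts as unusual.
    """
    profile = profiles.get(payer)
    if profile is None:
        # No behavioural baseline exists, so nothing can be judged normal.
        return "hold", ["no history for payer"]

    reasons = []
    if payee not in profile["payees"]:
        reasons.append("first payment to this beneficiary")
    typical = median(profile["amounts"])
    if amount > amount_factor * typical:
        reasons.append("amount far above payer's typical payment")

    # Two independent anomalies block the transfer before completion;
    # a single anomaly goes to an analyst; none lets the payment through.
    if len(reasons) >= 2:
        return "hold", reasons
    if reasons:
        return "review", reasons
    return "release", reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed pending payment shaped like the case in the article.
    print(score_payment(profiles, "acme-ag", "individual-kg", 1_200_000.0))
```
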
Using behavioral analytics marks a step change in how banks can tackle fraud. Prevention is better than cure, as they say. No loss, no fines, reputational advantage, job done. And with the right technology, should fraud occur, banks can be seen to react swiftly. This plays far better to directors’ fiduciary duty and with the watchdogs.
Of course, no organization can totally eliminate the problem. But the Pareto principle – whereby 80 per cent of the outcomes are created by 20 per cent of the actions – means targeting efforts effectively can have a huge impact on reducing it. If you can’t measure the efficacy of your systems, processes and controls, however, you can’t act on it. Technology is best at measuring, monitoring and reporting.
For example, it can identify key risk and control indicators, and measure risk likelihood and impact, helping banks identify where problems might occur. Small frauds of low value might appear relatively inconsequential and therefore affordable and without major risk. But if they are highly frequent, their true impact and therefore the overall risk to the bank might be far greater. Once this knowledge is in the public domain, perhaps via social media, the public’s attention becomes focused sharply on the problem, undermining trust. Technology can calculate the risk of such a situation, and once it exceeds (say) 5 per cent, it can trigger an internal review.
Technology makes it easier to identify weak areas within an organization and those specifically responsible, so they can be reorganized, retrained or warned. The results can even become a part of performance management, making it easier to change the culture so people take their responsibilities seriously. Which brings me to the other powerful tool in the fight against fraud: culture.
Seven steps to combating fraud:
- Instigate a continual process of risk management – develop policies and procedures that are circulated to all, against which everyone is measured and monitored.
- Adopt anti-fraud technology to identify, measure and monitor internal controls. This should include behavior analytics for early possible fraud detection.
- Insist on zero tolerance of control breaches – no exceptions.
- Develop processes that allow staff to highlight and report breaches/fraud without fear of victimization – a whistle-blowing policy.
- Senior management and the board must lead from the front.
- Deploy a continuous process of awareness, training and review. People need to be reminded all the time, as they forget and become complacent.
- Review all reports and react accordingly in a timely and consistent manner.
Fraud is always a consequence of people within an organization failing to follow established practices and procedures, for example sharing passwords, exceeding login clearance or failing to shut down computers properly. There has to be a supportive corporate culture that includes training in best practice, monitoring behavior and reporting outcomes. A whistle-blowing policy is also essential. From this, reviews and changes to working practices can be encouraged and weaknesses eliminated. Equally, buy-in should come from the top down. The CEO and senior management must be seen to take processes and reporting seriously.
So technology facilitates monitoring and then reporting, which is key to building up and maintaining trust. It doesn’t even cost a lot. According to Gartner, with the implementation of a big data analytics platform, return on investment can be less than a year.