Detecting Internal Fraud by ‘Breaking Bad’
There has been no shortage of news stories about the banking industry and its vulnerability to internal fraud, particularly the industry’s limited internal surveillance. Internal fraud has proven to be news-driven (and newsworthy); it’s a great feature lead-in story and scintillating red meat for mass consumption. Internal fraud events are obviously a reputational risk for banks, but they then take a huge turn into regulatory risk territory before winding up squarely as a legal risk (with the headline-grabbing fines that come with it). Finally, strategic and market risks bubble up as customers are lost to competitors.
So what can be done for developing adequate governance and oversight in this space? Well, you’ll frequently hear “nothing”… that this type of fraud can’t be monitored; it’s too complex; there is nothing that will be a silver bullet and reduce all residual risk to nil. Fine, I’ll agree there. Nothing can be an absolute and perfect control in the space, but we don’t really have that in the other fraud detection sciences, either. What we do have is the capability to impose a compliance culture in the space.
Companies must deploy an internal fraud detection capability—and make it loud for all staff to take notice.
We certainly can implement technology, processes and talent to ensure that internal goals are met and expanded to make certain that we evolve monitoring capabilities (in parallel with the business itself) beyond the initial scope. I would argue that many institutions may already have some capacity for monitoring in this space, but as usual, the tool is underweight, report driven and measures just a few static attributes with logic that is not easily modified within the tool. Further, suspected high risk activity investigations are frequently managed by IT—as opposed to Compliance or Operations risk (fraud) management teams.
The Association of Certified Fraud Examiners provides us with a matrix for understanding the motivations of a fraudster (Full Disclosure: I am a holder of their credential, so this reads to me like the Ten Commandments). Effectively, there is a recipe for fraud, and it explains why a reasonable person would choose this path. Three ingredients make up the formula for a “Fraud Triangle”; let’s examine them through the lens of Breaking Bad.
- Pressure – a financial need: gambling, drugs, debts, social or business demand or medical needs.
  - Think back to Walter White’s diagnosis of cancer and his need to secure his family’s financial stability.
- Opportunity – that the fraudster will have been trusted with the tools to get to the prize; think of it like a set of rails to ride this train… typically this is access to a system or even to something as simple as a checkbook.
  - Walter White is a talented chemist and thus can create a superior product to fill a market need.
- Rationalization – the belief, ambition and motivation that the fraudster can perform this crime, that the victim/organization deserved or earned it and that they won’t get caught.
  - Walter White realizes his success is beyond his initial expectations and becomes Heisenberg.
Break any one of these sides of the triangle, and the potential for a fraud event is significantly reduced. Consider removing the financial hardship (pressure) with a mechanism that puts an alternate path forward. If Walter White could have treated his cancer earlier, would he still have gone on to become Heisenberg? If we take away access (opportunity) to the financial platform used for internal fraud, the crime cannot be committed. If Mr. White cannot access the materials he needs to manufacture his product, there are no results.
The sophistication of monitoring aligned to the sophistication of abuse is the key element here, and the day-to-day management of this independent process must fall outside of the IT business unit. The DEA does its own investigations with its own resources, right Hank? Establishing a core competency in the space means setting up a team with a dedicated detection solution that is bespoke and administered by internal fraud detection resources, empowering this team’s enhanced logic to be deployed around the enterprise. Finally, this team must work in a somewhat clandestine way: it visibly surveys the environment, yet outsiders have little understanding of the logic that drives this enterprise governance process.
There are some limitations to this approach in the real world, of course. We can’t know everyone’s financial obligations or their true debt-to-income ratios. If we take away all employee access to systems, the business cannot effectively run. However, we can make a budding criminal less likely to feel they can commit the crime with impunity—and reduce the potential that the fraudster believes that they can get away with the crime. Had Walter felt that he would be detected and thus his plan thwarted (Hank, it sure took you a while to sort that one), the show would have stalled before the RV was parked in the desert. And that’s exactly what we are after in the financial crimes world.
This is the space where we add the secret sauce, and we seek out the places where the application of controls makes the most impact relative to where it is creating the greatest risk. The tools to elevate the monitoring of high-risk activity have to be as sophisticated as the crime itself. The tools must ingest and enhance the analytics of employees’ actions, feeding in employee access of customer accounts and identifying additional key risk indicators that predict internal abuse. Monitoring in this space could flag individual performance far in excess of peers, the repeated use of the same demographic information for distinct and dissimilar accounts, or twice the average number of account touch points that are typical in the day-to-day operation of the employee’s role.
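Two of the indicators named above, sketched as detection logic (an added example, not code from the original post or from any product): it flags employees whose distinct-account touch points reach twice the average of peers in the same role, and employees who set the same demographic value on several distinct accounts. The event layout, role and action names, and phone values are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (employee, role, account, action, demographic value set)
EVENTS = [
    ("emp01", "teller", "A100", "view", None),
    ("emp01", "teller", "A101", "view", None),
    ("emp02", "teller", "A102", "view", None),
    ("emp02", "teller", "A103", "update_phone", "555-0101"),
    ("emp03", "teller", "A104", "view", None),
    ("emp03", "teller", "A105", "view", None),
    ("emp03", "teller", "A106", "update_phone", "555-0199"),
    ("emp03", "teller", "A107", "update_phone", "555-0199"),
    ("emp03", "teller", "A108", "update_phone", "555-0199"),
]

def excessive_touch_points(events, factor=2.0):
    """Employees whose distinct-account touches are >= factor x the mean of their role peers."""
    touched = defaultdict(set)
    role_of = {}
    for emp, role, acct, _action, _value in events:
        touched[emp].add(acct)
        role_of[emp] = role
    flagged = {}
    for emp, accts in touched.items():
        # Exclude the employee from their own baseline so an outlier cannot mask itself.
        peers = [len(a) for e, a in touched.items() if e != emp and role_of[e] == role_of[emp]]
        if peers and len(accts) >= factor * mean(peers):
            flagged[emp] = (len(accts), mean(peers))
    return flagged

def reused_demographics(events, min_accounts=2):
    """(employee, value) pairs where one employee set the same value on several distinct accounts."""
    seen = defaultdict(set)
    for emp, _role, acct, action, value in events:
        if action.startswith("update_") and value is not None:
            seen[(emp, value)].add(acct)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}

def risk_report(events):
    """Combine both indicators into one per-employee list of reasons for analyst review."""
    report = defaultdict(list)
    for emp, (count, peer_avg) in excessive_touch_points(events).items():
        report[emp].append(f"touched {count} accounts vs peer average {peer_avg:g}")
    for (emp, value), accts in reused_demographics(events).items():
        report[emp].append(f"set {value} on {len(accts)} accounts: {', '.join(accts)}")
    return dict(report)

if __name__ == "__main__":
    print(risk_report(EVENTS))
```

The output is a lead for a fraud analyst to review, not a finding; the thresholds are parameters so the monitoring team can tune them per role.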
All of these elements, scaled up into controls, are capable of detecting most of the common potential internal fraud events, and when this is made noisy (so that all staff hear about it), a culture of compliance is fully revealed to be a control in and of itself. The organization may not be impenetrable, so it’s not necessary to attempt to achieve impenetrability as a goal. Rather, the goal should be to demonstrate competence in the space, use all the detection tools available and illustrate the capabilities an organization can deploy to reduce the likelihood that the fraudster perceives they will get away with it. These steps to kick a leg out of the Fraud Triangle will help ensure that the path of Breaking Bad is never initiated.
Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.
- Donald R. Cressey, Other People's Money (Montclair: Patterson Smith, 1973) p. 30