Detecting Internal Fraud by ‘Breaking Bad’


There has been no shortage of news stories about the banking industry and its vulnerability to internal fraud, particularly the industry's limited internal surveillance. Internal fraud has proven to be news-driven (and news-worthy); it’s a great feature lead-in story and scintillating red-meat for mass consumption. Internal fraud events are obviously a reputational risk for banks, but then take a huge turn into regulatory risk territory, before winding up squarely a legal risk (and the headline-grabbing fines that come with it). Finally, strategic and market risks bubble up as customers are lost to competitors.

So what can be done to develop adequate governance and oversight in this space? Well, you’ll frequently hear “nothing”… that this type of fraud can’t be monitored; it’s too complex; there is nothing that will be a silver bullet and reduce all residual risk to nil. Fine, I’ll agree there. Nothing can be an absolute and perfect control in the space, but we don’t really have that in the other fraud detection sciences, either. What we do have is the capability to impose a compliance culture in the space.

Companies must deploy an internal fraud detection capability—and make it loud for all staff to take notice.

We certainly can implement technology, processes and talent to ensure that internal goals are met and expanded to make certain that we evolve monitoring capabilities (in parallel with the business itself) beyond the initial scope. I would argue that many institutions may already have some capacity for monitoring in this space, but as usual, the tool is underweight, report-driven and measures just a few static attributes with logic that is not easily modified within the tool. Further, investigations of suspected high-risk activity are frequently managed by IT—as opposed to Compliance or Operations risk (fraud) management teams.

The Association of Certified Fraud Examiners provides us with a matrix for understanding the motivations of a fraudster (Full Disclosure: I am a holder of their credential, so this reads to me like the Ten Commandments). Effectively, there is a recipe for fraud and it explains why a reasonable person would choose this path. There are three ingredients that make up the formula for a “Fraud Triangle”; let’s examine them through the lens of Breaking Bad.

  1. Pressure – a financial need: gambling, drugs, debts, social or business demand or medical needs.
         • Think back to Walter White’s diagnosis of cancer and his need to secure his family’s financial stability. 
  2. Opportunity – that the fraudster will have been trusted with the tools to get to the prize; think of it like a set of rails to ride this train… typically this is access to a system or even to something as simple as a checkbook.
         • Walter White is a talented chemist and thus can create a superior product to fill a market need.
  3. Rationalization – the belief, ambition and motivation that the fraudster can perform this crime, that the victim/organization deserved or earned it and that they won’t get caught.
         • Walter White realizes his success is beyond his initial expectations and becomes Heisenberg.

Break any one of these sides of the triangle, and the potential for a fraud event is significantly reduced. Consider removing the financial hardship (pressure) with a mechanism that puts an alternate path forward. If Walter White could have treated his cancer earlier, would he still have gone on to become Heisenberg? If we take away access (opportunity) to the financial platform used for internal fraud, the crime cannot be committed. If Mr. White cannot access the materials he needs to manufacture his product, there are no results.

The sophistication of monitoring aligned to the sophistication of abuse is the key element here, and the day-to-day management of this independent process must fall outside of the IT business unit. The DEA does its own investigations with its own resources, right Hank? Establishing a core competency in the space means setting up a team, with a dedicated detection solution that is bespoke and administered by internal fraud detection resources, empowering this team’s enhanced logic to be deployed around the enterprise. Finally, this team must work in a somewhat clandestine way, visibly surveying the environment, yet leaving outsiders with little understanding of the logic that drives this enterprise governance process.

There are some limitations to this approach in the real world, of course. We can’t know everyone’s financial obligations or their true debt-to-income ratios. If we take away all employee access to systems, the business cannot effectively run. However, we can make a budding criminal less likely to feel they can commit the crime with impunity—and reduce the potential that the fraudster believes that they can get away with the crime. Had Walter felt that he would be detected and thus his plan thwarted (Hank, it sure took you a while to sort that one), the show would have stalled before the RV was parked in the desert. And that’s exactly what we are after in the financial crimes world.

This is the space where we add the secret sauce, and we seek out the places where the application of controls makes the most impact relative to where it is creating the greatest risk. The tools to elevate the monitoring of high risk activity have to be as sophisticated as the crime itself. The tools must ingest and enhance the analytics of employees’ actions—feeding employee access of customer accounts and identifying additional key risk indicators that predict internal abuse. This space could effectively be monitoring individual performance far in excess of their peers, or repeatedly using the same demographic information for distinct and dissimilar accounts, or performing twice the average of the number of account touch points that are typical in the day-to-day operation of the employee’s role.  
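Two of the indicators above (account touch points at twice the role average, and the same demographic value reused across distinct accounts) can be sketched as follows. This is an added example, not part of the original post; the event layout, employee and account IDs, and the three-account reuse threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample access events: (employee, role, account, action, value_set).
EVENTS = (
    [("e01", "teller", f"A10{i}", "view", None) for i in range(3)]
    + [("e02", "teller", f"A11{i}", "view", None) for i in range(2)]
    + [("e02", "teller", "A110", "update_phone", "555-0199")]
    + [("e03", "teller", f"A12{i}", "view", None) for i in range(3)]
    + [("e04", "teller", f"A20{i}", "view", None) for i in range(6)]
    + [("e04", "teller", f"A20{i}", "update_phone", "555-0100") for i in range(3)]
)


def touch_outliers(events, factor=2.0):
    """Employees whose touch count is at least `factor` x the mean of their role peers."""
    counts, role_of = defaultdict(int), {}
    for emp, role, _acct, _action, _value in events:
        counts[emp] += 1          # every logged event counts as one touch point
        role_of[emp] = role
    flagged = []
    for emp, n in counts.items():
        # Exclude the employee from their own baseline so a heavy user
        # cannot raise the average they are measured against.
        peers = [c for e, c in counts.items()
                 if e != emp and role_of[e] == role_of[emp]]
        if peers and n >= factor * mean(peers):  # no peers: nothing to compare
            flagged.append(emp)
    return sorted(flagged)


def reused_demographics(events, min_accounts=3):
    """(employee, value) pairs where one employee set the same value on many accounts."""
    seen = defaultdict(set)
    for emp, _role, acct, _action, value in events:
        if value is not None:
            seen[(emp, value)].add(acct)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}


if __name__ == "__main__":
    print("touch outliers:", touch_outliers(EVENTS))
    print("reused demographics:", reused_demographics(EVENTS))
```

Both functions return review candidates for the fraud team rather than verdicts; the factor and threshold are the tunable logic the post argues should sit with that team.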

All of these elements, scaled up into controls, are capable of detecting most of the common potential internal fraud events, and when this is made noisy (so that all staff hear about it), a culture of compliance is fully revealed to be a control in and of itself. The organization may not be impenetrable, so it’s not necessary to attempt to achieve impenetrability as a goal. Rather, the goal should be to demonstrate competence in the space, use all the detection tools available, and illustrate the capabilities an organization can deploy to reduce the likelihood that the fraudster perceives they will get away with it. These steps to kick a leg out of the Fraud Triangle will help ensure that the path of Breaking Bad is never initiated.

Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.

- Donald R. Cressey, Other People's Money (Montclair: Patterson Smith, 1973) p. 30