Detecting Internal Fraud by ‘Breaking Bad’
There has been no shortage of news stories around the banking industry and its vulnerability to internal fraud, particularly that the industry has limited internal surveillance. Internal fraud has proven to be news-driven (and news-worthy); it’s a great feature lead-in story and scintillating red-meat for mass consumption. Internal fraud events are obviously a reputational risk for banks, but then take a huge turn into regulatory risk territory, before winding up squarely a legal risk (and the headline-grabbing fines that come with it). Finally, strategic and market risks bubble up as customers are lost to competitors.
So what can be done for developing adequate governance and oversight in this space? Well, you’ll frequently hear “nothing”… that this type of fraud can’t be monitored; it’s too complex; there is nothing that will be a silver bullet and reduce all residual risk to nil. Fine, I’ll agree there. Nothing can be an absolute and perfect control in the space, but we don’t really have that in the other fraud detection sciences, either. What we do have is the capability to impose a compliance culture in the space.
Companies must deploy an internal fraud detection capability—and make it loud for all staff to take notice.
We certainly can implement technology, processes and talent to ensure that internal goals are met and expanded to make certain that we evolve monitoring capabilities (in parallel with the business itself) beyond the initial scope. I would argue that many institutions may already have some capacity for monitoring in this space, but as usual, the tool is underweight, report driven and measures just a few static attributes with logic that is not easily modified within the tool. Further, suspected high risk activity investigations are frequently managed by IT—as opposed to Compliance or Operations risk (fraud) management teams.
The Association of Certified Fraud Examiners provides us with a matrix for understanding the motivations of a fraudster (Full Disclosure: I am a holder of their credential, so this reads to me like the Ten Commandments). Effectively, there is a recipe for fraud and it explains why a reasonable person would choose this path. There are three ingredients that make up the formula for a “Fraud Triangle”; let’s examine them through the lens of Breaking Bad.
- Pressure – a financial need: gambling, drugs, debts, social or business demand or medical needs.
  - Think back to Walter White’s diagnosis of cancer and his need to secure his family’s financial stability.
- Opportunity – that the fraudster will have been trusted with the tools to get to the prize; think of it like a set of rails to ride this train… typically this is access to a system or even to something as simple as a checkbook.
  - Walter White is a talented chemist and thus can create a superior product to fill a market need.
- Rationalization – the belief, ambition and motivation that the fraudster can perform this crime, that the victim/organization deserved or earned it and that they won’t get caught.
  - Walter White realizes his success is beyond his initial expectations and becomes Heisenberg.
Break any one of these sides of the triangle, and the potential for a fraud event is significantly reduced. Consider removing the financial hardship (pressure) with a mechanism that puts an alternate path forward. If Walter White could have treated his cancer earlier, would he still have gone on to become Heisenberg? If we take away access (opportunity) to the financial platform used for internal fraud, the crime cannot be committed. If Mr. White cannot access the materials he needs to manufacture his product, there are no results.
The sophistication of monitoring aligned to the sophistication of abuse is the key element here, and the day-to-day management of this independent process must fall outside of the IT business unit. The DEA does its own investigations with its own resources, right Hank? Establishing a core competency in the space means setting up a team, with a dedicated detection solution that is bespoke and administered by internal fraud detection resources, empowering this team’s enhanced logic to be deployed around the enterprise. Finally, this team must work in a bit of a clandestine approach, visibly surveying the environment, yet to outsiders, there is little understanding of the logic that drives this enterprise governance process.
There are some limitations to this approach in the real world, of course. We can’t know everyone’s financial obligations or their true debt-to-income ratios. If we take away all employee access to systems, the business cannot effectively run. However, we can make a budding criminal less likely to feel they can commit the crime with impunity—and reduce the potential that the fraudster believes that they can get away with the crime. Had Walter felt that he would be detected and thus his plan thwarted (Hank, it sure took you a while to sort that one), the show would have stalled before the RV was parked in the desert. And that’s exactly what we are after in the financial crimes world.
This is the space where we add the secret sauce, and we seek out the places where the application of controls makes the most impact relative to where it is creating the greatest risk. The tools to elevate the monitoring of high risk activity have to be as sophisticated as the crime itself. The tools must ingest and enhance the analytics of employees’ actions—feeding in employee access of customer accounts and identifying additional key risk indicators that predict internal abuse. In practice, this could mean monitoring for individual performance far in excess of peers, for repeated use of the same demographic information on distinct and dissimilar accounts, or for twice the average number of account touch points that are typical in the day-to-day operation of the employee’s role.
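The touch-point and reused-demographics indicators described above, sketched as an added example (not code from the original post). The event layout, the peer baseline that excludes the employee being scored, and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

def _views(emp, role, accounts):
    return [(emp, role, a, "view", None) for a in accounts]

# Constructed sample events: (employee, role, account, action, value).
# Every row is one account touch point; "set_phone" is a demographic change.
EVENTS = (
    _views("e01", "teller", ["A1", "A2", "A3"])
    + _views("e02", "teller", ["A4", "A5", "A6", "A7"])
    + _views("e03", "teller", ["B1", "B2", "B3", "B4", "B5", "B6"])
    + [("e03", "teller", a, "set_phone", "555-0100") for a in ("B1", "B4", "B6")]
    + _views("e10", "backoffice", [f"C{i}" for i in range(8)])
    + _views("e11", "backoffice", [f"D{i}" for i in range(7)])
)

def touch_outliers(events, factor=2.0):
    """Employees with >= factor x the mean touch count of same-role peers."""
    touches, role_of = defaultdict(int), {}
    for emp, role, _acct, _action, _value in events:
        touches[emp] += 1
        role_of[emp] = role
    flagged = {}
    for emp, n in touches.items():
        # Assumption: baseline excludes the employee being scored, so a
        # heavy user cannot raise their own threshold.
        peers = [c for e, c in touches.items()
                 if e != emp and role_of[e] == role_of[emp]]
        if peers and n >= factor * mean(peers):
            flagged[emp] = (n, mean(peers))
    return flagged

def reused_demographics(events, min_accounts=3):
    """Same value written by one employee to min_accounts+ distinct accounts."""
    accounts = defaultdict(set)
    for emp, _role, acct, action, value in events:
        if action.startswith("set_") and value is not None:
            accounts[(emp, action, value)].add(acct)
    return {k: sorted(v) for k, v in accounts.items() if len(v) >= min_accounts}

if __name__ == "__main__":
    print(touch_outliers(EVENTS))
    print(reused_demographics(EVENTS))
```

The back-office employees touch more accounts than any normal teller yet are not flagged, because each is compared only with peers in the same role.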
All of these elements, scaled up into controls, are capable of detecting most of the common potential internal fraud events, and when this is made noisy (so that all staff hear about it), a culture of compliance is fully revealed to be a control in and of itself. The organization may not be impenetrable, so it’s not necessary to attempt to achieve impenetrability as a goal. Rather, the goal should be to demonstrate competence in the space and use all the detection tools available and illustrate the capabilities an organization can deploy to reduce the likelihood that the fraudster perceives they will get away with it. These steps to kick a leg out of the Fraud Triangle will help ensure that the path of Breaking Bad is never initiated.
Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.
- Donald R. Cressey, Other People's Money (Montclair: Patterson Smith, 1973) p. 30