Forethought beats the fraudsters
There is pressure for banks to act on fraud prevention but this does not end at regulators’ demands.
Michael Peer, partner, forensic at KPMG in Central and Eastern Europe, argues that banks must look closely
at the financial and reputation risks in order to ensure the best tools, processes and people are in place.
The pressure is on banks to combat
fraud and money laundering, mostly
from regulators. The industry
continues to respond to the EU’s anti-money
laundering directives and the matter has
risen up the agenda but many feel that fraud
prevention cannot be classed simply as a
compliance matter.
The potential damage to banks, not
only in terms of financial losses but also
regarding harm to their reputation, is great.
Such harm could not come at a worse
time, given that the past two years have
left confidence in the banking industry
more fragile than ever. To compound the
matter further, the fact that the industry is
in a transitional phase means the potential
for fraud is growing.
‘I don’t necessarily see an overall
increase in fraud, but there is more
demand for my services because cash
flows are contracting,’ says Michael Peer,
partner, forensic at KPMG. ‘More issues are
coming to the surface because they are
harder to hide when cash flow is falling.
Take the Ponzi schemes that have been in
the headlines recently.
‘Fraud is not necessarily easier to
commit but growing pressure to commit
fraud is being placed on individuals. More
people are being laid off but they still need
to feed their families. There are fewer jobs
out there but there is pressure to maintain
a lifestyle. Even people who still have jobs
will be asking themselves whether they
will be laid off next week, so they hoard
cash and accumulate what wealth they can.
Bonuses are not as big this year, and there
are fewer salary increases, but the cost of
living has not fallen,’ he adds.
Peer advises on the prevention and
detection of many kinds of fraud, from
instances where obligations between parties
have been broken – such as cases of breach
of contract and arbitrations where bilateral
treaties have not been honoured – to
cases where behaviour has not met agreed
policies or standards, as when employees
have helped themselves to a little more from
the kitty than was their due.
Peer warns that there are many types
of fraud to watch out for, with growing
sophistication among perpetrators at
the top end. He has seen instances in
which people have been funded to study
methods of fraud and groomed for
specific roles within a target organisation.
When they are placed in the role they
obtain information or perpetrate a fraud
and disappear.
There is an arms race between
fraudsters and banks, and to win the war
the banking industry requires proactive
rather than reactive thinking.
Winning the race
The matter of fraud prevention should
take centre stage, not only because
regulators demand it but because the
banking sector is undergoing great change
with restructuring and consolidation.
‘Companies in a state of upheaval face
greater risk and fraud prevention becomes
just another ball to juggle,’ says Peer. ‘If
people are laid off, information about your
organisation is walking out the door. Those
people may be annoyed and want revenge.
Even if they are not intending to commit
fraud themselves, they could disclose
information – even without knowing it –
to people who would.
‘I’ve seen an example where someone
knew all the approvals needed for an
invoice, which they got from a former
employee, so they could submit an invoice
and have it paid. The skills among people
who commit fraud are higher now, and
people know how to use technology to
produce good-quality forgeries, so things
are harder to spot.’
Only a proactive, preventative approach
can help banks protect assets and revenue.
‘Some organisations are restructuring
and want to re-examine the risks of fraud.
The environment in which they work has
changed, so they are reassessing the risk
and how to manage it. They have a view to
reducing wastage that way.
‘Unfortunately, most companies
only react when they have had their
fingers burnt. The focus on preventative
measures – such as better due diligence
and corporate intelligence towards
business partners – is much higher when a
company has had a bad experience. They
suddenly want to know who’s who in the
zoo,’ remarks Peer.
‘Having said that, preventative measures
are not always easy. Due diligence depends
on where a corporate partner is based
and how much information is available.
There is no cookie cutter solution to
fraud prevention. It needs a more tailored
approach. Organisations must look at
where the potential damage is too great
or the risk too high.’
Technology is part of the answer and
banks are investing in systems to improve
real-time monitoring of transactions.
This is part of their compliance efforts
for AML and anti-fraud regulations but
Peer warns that, while technology is a
vital part of any response, it provides
tools rather than solutions.
‘There is technology out there to flag
up suspicious transactions, but there must
still be a person to interpret them. Some
systems flag up so much that banks have
needed huge teams to analyse the data,’
he comments.
KPMG’s global AML survey in 2007
showed banks that had put systems in
place had not reduced the number of staff
working on fraud prevention but often
had to add people with higher skill sets.
‘There is a need for systems to reduce
the number of false positives. Vendors can
tweak these systems but often the client
company has to do it. We can help by
identifying the kind of data and analysis that
are needed. Ultimately, the end user needs
a feedback loop to see why some concerns
that are flagged are not relevant and tweak
the test to reduce false positives,’ Peer adds.
Ask the experts
Successful fraud prevention requires
people, processes and technology tools, but
above all it needs mindfulness and diligence.
‘One problem is that companies’
defences are eroding as they lay people
off. Controls may disappear as they
might not have been written down
and the people responsible for them
may no longer be in the organisation.
Furthermore, the people who are left
have a higher workload, so they may not
be as thorough in checking before they
authorise a transaction,’ notes Peer.
Banks also have to accept that they are
chasing a moving target. The capability
of fraudsters continues to evolve, as do
the tools at their disposal. Their greatest
weapon, however, is the information they
can glean about target organisations and,
as the industry restructures, it may become
more porous and leak more sensitive data.
‘This is far from a static situation. It is
like hacking – you can constantly improve
your defences but the fraudster always
has an advantage. He has no overheads,
no need to focus on customer service
or please shareholders, and no need to
maintain a website 24-7,’ observes Peer.
Peer’s advice for banks is to keep a close
eye on where the most likely fraud risks
arise and which of them have the potential
to do great and lasting damage to the
organisation. That is where risk mitigation
strategies begin but there are many other
elements to put in place.
Peer stresses the importance of a clear
chain of command. One person should be in
control of decisions about how and where
to mitigate risk. However, he also warns
that a single person cannot carry all the
responsibility for fraud prevention. There must
be training in place for customers, employees
and business partners in terms of what
constitutes fraud and what the response to
suspicious transactions should be. Everyone
must be jointly responsible, even if that means
linking fraud prevention to remuneration and
bonus payments.
He also reminds clients that the
potential cost of failing to prevent fraud
could be astronomical.
‘A recent case that went to trial involved
individuals who entered a bank and
implemented keyloggers, from which they
tried to use the data. The potential hit could
have been massive – hundreds of millions
of dollars. The potential loss from fraud is
unlimited. Look at Barings Bank,’ he comments.
‘We talk to clients about the likelihood of
fraud, the potential for reputational damage
and the possible magnitude of losses.
We tell them that they need the right
technology tools and process, but above
all they need vigilance.’