A Strategic Approach to Bank Fraud

Transcription

1 Fraud Case Study A Strategic Approach to Bank Fraud How Banks Can Move From Reactive to Proactive Fraud Prevention and Detection Fraud prevention and detection remains one of the biggest and most pressing challenges facing banks and other financial institutions. Individuals looking to perpetuate fraud are becoming more sophisticated, and as a result, banks need to accurately assess their vulnerabilities and continually evolve their fraud processes. The Crowe Horwath LLP regulatory compliance risk services group has developed four tools to help banks build a strong anti-fraud program: 1. Risk assessment 2. Crowe Program Assessment Roadmap (Crowe PAR) 3. Fraud monitoring system implementation 4. Tuning of existing fraud monitoring scenarios Individually, each tool addresses specific fraud mitigating practices. However, when combined, these tools provide a robust approach to preventing, detecting, and monitoring for fraud and mitigating fraud losses. Although specific recommendations will vary for every bank, the following is a sampling of fraud solutions based on recent engagements by the Crowe regulatory compliance risk services group. Risk Assessment A fraud risk assessment provides banks with the opportunity to identify, assess, and measure the risk of fraud and the compensating control environment associated with the risk and to identify where and why certain risk may exceed the bank s tolerance for risk. Opportunity Although it had recently implemented a fraud detection solution that alerted it to fraud events, a large regional financial institution determined that it could further enhance the value of its fraud program if it could proactively identify and assess fraud threats in its products and service delivery areas and evaluate the risk of fraud in business units across its organization. Audit Tax Advisory Risk Performance 1

2 Crowe Horwath LLP Solution To analyze how the bank could align its fraud resources to maximize fraud risk identification and mitigation, the Crowe regulatory compliance risk services group began by examining the bank s risk appetite. Using its fraud threat library as a starting point for interviews with the bank s lines of business, Crowe comprehensive analysis uncovered fraud risks the bank had not considered. Armed with the documented risk appetite, Crowe coordinated with the bank to analyze quantitative data and metrics, such as incidence of fraud in the previous 12 months and percentage of alerts found to be credible. Based on Crowe in-depth knowledge of financial institution fraud, qualitative data and metrics were also used to evaluate the current system of internal controls and fraud risk awareness in the organization. By aggregating individual lines-of-business risk assessments into an enterprise-level risk assessment, Crowe identified an apparent control weakness in the bank s fraud referral process that resulted in inconsistent recognition and response to occurrences of fraud across the organization that, in some cases, delayed or precluded its recovery efforts and negatively affected its reputation risk. By improving controls, the bank increased its ability to identify and measure the impact of risk inherent in its business. Additionally, the organization increased its ability to contemplate threats against it and assess its mitigating controls. 2

3 A Strategic Approach to Bank Fraud Crowe PAR In response to regulatory pressures, banks implement various compliance programs and supporting policies and procedures. Over time, though, programs become outdated or morph into quasi programs with no recognizable traits of the original objectives. Banks need a process to manage programs during times of institutional change and growth and changing industry drivers and to respond to regulatory scrutiny. Opportunity Another financial institution was tasked with implementing a more robust anti-fraud program. Although the bank recognized fraud identification, prevention, detection, and monitoring challenges at the enterprise level, each line of business had designed its own risk assessment processes, which were inconsistent throughout the bank. There was also a lack of enterprise-level reporting of fraud-related metrics, such as losses and recoveries, making it difficult to determine the bank s overall risk exposure. In addition, documented procedures and structured training had not been consistently updated and in some cases did not exist for fraud protection and detection processes. 3

4 Crowe Horwath LLP Solution The Crowe PAR solution provides a structured approach for assessing and documenting program attributes while supplying a flexible implementation framework that allows Crowe to tailor the approach to the bank s needs and create a road map that properly aligns resources, goals, opportunities, and recommendations. Crowe included lines of business in the enterprise-level Crowe PAR, and Crowe tools facilitated building and documenting a current state profile to serve as the foundation to identify opportunities to strengthen the bank s anti-fraud program. In addition, by shadowing employees and interviewing stakeholders, Crowe identified areas where the bank s documented policies and procedures, when compared with the established practices, were inconsistent with its fraud management strategy. For example, Crowe concluded that employees did not have a clear understanding of the impact of the bank s fraud protection and detection policies. Crowe determined that the root cause for the lack of fraud knowledge training materials was an absence of institutional knowledge sharing due to employee turnover. Crowe recommended consistent training at multiple levels to verify that training requirements were monitored and training opportunities were provided per bank policy. Crowe also uncovered a lack of communication between the fraud group and the new product group. The fraud group lacked visibility to new products and the opportunity to work with the new product group to identify potential fraud risks and how to mitigate them. The business intelligence developed during the Crowe PAR process is further used when identifying opportunities and recommendations to improve the program under review. For example, Crowe was able to align the needs of the lines of business with the director s goals and the requirements of the enterprise risk management program. Crowe also created a road map with a timeline that could be executed within the time constraints of the various process owners. 4

5 A Strategic Approach to Bank Fraud Fraud Monitoring System Implementation A successful fraud monitoring system needs to prevent losses for the bank in a cost-effective manner that limits negative client experiences. Opportunity A bank had an aging fraud monitoring technology unable to keep up with evolving fraud threats to adequately identify wire fraud risks in real time to prevent funds from leaving the bank. In addition, because of the age of the fraud solution, maintenance and support costs were high. The bank was ready to upgrade its technology but was constrained by a tight budget and limited resources. Solution Using its anti-fraud framework, Crowe identified possible drivers for the bank s inability to adequately identify wire fraud risk in real time. This framework views fraud with various lenses, including the control environment; corporate governance; policy and procedure development; program oversight; customer and account management; channel management; incident response; and incident management and detection. Additionally, Crowe defined business requirements for a new fraud monitoring system that included appropriate fraud detection rules, parameters for execution of these rules, supporting data structure, and data integration between the fraud system and existing bank systems. Using its knowledge and framework, Crowe mapped the system requirements to align with the bank s budget and resource constraints to provide the bank with a clear fraud solution recommendation. During the implementation process, Crowe provided subject matter expertise about fraud best practices and developed a high-level data integration approach and action plan that facilitated transaction integrity. Crowe validated output by tracing transactions in the monitoring system and relevant downstream systems. To optimize effectiveness and yield, Crowe planned and executed rounds of preproduction tuning for fraud scenarios. 5

6 Crowe Horwath LLP Tuning of Existing Fraud Monitoring Scenarios Tuning allows banks to maximize the effectiveness of their detection systems by aligning system parameters to provide output targeted to the true transaction and customer risks. Banks can evaluate scenarios with a low escalation percentage and a high volume of alerts and adjust various parameters and thresholds. Opportunity After implementing a new fraud system, a financial institution determined that analysts were spending too much time reacting to false positive fraud alerts. Analysts were falling behind on their workloads, and many alerts were not being reviewed in a timely fashion or at all. Analysts had become numb to the alerts, and the quality of their reviews suffered. Solution Crowe evaluated the coverage, accuracy, and integrity of the bank s fraud detection system and the effectiveness of existing scenarios/parameters. These activities developed a baseline understanding of the quality of alerts being produced and determined where opportunities existed to improve the effectiveness of the detection system. Crowe provided multiple recommendations based on such factors as scenario effectiveness, SAR yield, and detection cost analysis. For example, analysis revealed that nearly 21,000 alerts were generated in one scenario. By modifying scenario parameters, the number of alerts was reduced by 55 percent to 11,500 without the loss of valuable alerts. By updating the bank s existing fraud detection scenarios and parameters, the generation of false positive fraud alerts was reduced by 27 percent, decreasing analysts workloads and improving investigations quality. The evaluation of the fraud detection system was completed by analyzing the effectiveness of the existing detection controls. 6

7 A Strategic Approach to Bank Fraud 7

8 Contact Information To learn how your bank can improve processes for identifying, preventing, detecting, and monitoring fraud, contact Troy La Huis at or for details about Crowe bank fraud consulting services. Crowe Bank Fraud Consulting Services The Crowe regulatory compliance risk services group has developed and implemented a full suite of solutions to help banks and other financial institutions identify, prevent, detect, and monitor fraud. These solutions are: Risk assessment Crowe PAR Fraud monitoring system implementation Tuning of existing fraud monitoring scenarios Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International Crowe Horwath LLP FS