Many companies have fraud budgets in place, but these budgets are there for absorbing the costs of fraud and not preventing it. COLIN HILL, Senior Solution Manager for Financial Crimes and Risk Solutions at SAS Institute gives a few example on how IT can be used to combat fraud.
The majority of large companies have fraud budgets in place. These budgets are not, as you might expect, for detecting or combating fraud, but rather, simply, for absorbing the costs of fraud when it is committed.
I’ve had risk managers proudly tell me that they are within their fraud budget for the year, which is a disingenuous comment for them to make, considering that a fraud budget that allows for ‚”acceptable‚” levels of fraud is nothing to be proud of even if the department comes in under budget.
Of course, anti-fraud measures do exist, but they tend to take the form of careful screening of job applicants and customers, and educational campaigns. None of these are utilising the vast potential of technology to detect but more importantly to prevent fraud, and to protect the reputation of the business.
There are three key areas in which technology can make a difference:
Fraud perpetrators are becoming more sophisticated. Fraud syndicates have state-of-the-art technology, and the extremely qualified computer programmers and statisticians. In addition, the latest Kroll report published in the United States indicates that 60% of fraud committed has an internal link in the organisation.
If you take all of this into account, its absolute madness that organisations aren’t dedicating the same levels of expertise and technology to preventing and combating internal and external fraud. If a company’s controls and mechanisms are not of the latest design, this could mean that multiple layers of firewalls and authentication layers are not of a high standard.
Hackers could get into the systems, and transact, steal information or even destroy the systems. Antivirus software and detection controls should be in place and should be tested regularly by external parties specializing in hacking prevention.
Only reporting the number of attacks, and having a budget in place to absorb the fraud is leaving the company open to repeated attacks, and doing nothing to solve the ongoing problem. The impact of fraud on the company is more than just a financial loss it impacts companies much wider than just having the ability to detect the fraud and catching the perpetrator. Impacts to the company strategic objective, customer impact, data handling capability, risk management process, compliance risk etc. should be assessed as well.
It seems like a no-brainer to say that an organisation should have mechanisms in place to detect fraud. But many organisations still use the outdated model of understanding the modus operandi of a fraudster who has been caught and questioned, and using this set of rules to pick up similar activities.
The chances of another fraudster using the same mechanisms are very slim. Instead, companies should be using advanced statistical methods to scroll through large amounts of data in a short period of time and alert the business to possible acts of fraud. These methods don’t rely on previous incidents of fraud, but rather on detecting behaviour that is out of the ordinary.
The big question here is: can you do this in a big data environment, and at what cost and speed?
3. Risk Management
Many organisations do not show fraud as a line item on their balance sheet it is often hidden in credit losses or some operational loss. But fraud isn’t only a financial loss or a broken control that needs to be evaluated as part of the operational risk management process.
Any individual customer’s loss due to fraud, as well as any massive company-wide breach is a threat to a company’s reputation. Businesses are failing to measure the impact on their customers, their reputations and their entire business models of leaving themselves open to fraud by budgeting for it rather than detecting and preventing it.
Customers need to feel safe, and they need to be confident that their information is protected.
Simply put, not having the proper technology in place to detect and prevent fraud before it happens is leaving companies vulnerable, allowing fraudulent activities to continue and fraudulent employees to keep their jobs, and leaving customers feeling insecure about their assets and personal information.
Future articles in this series will look at reputation management in greater depth, company strategy and data and information management.
* Image courtesy of Shutterstock.com