Fraud Risk Management for the Ever-Present and Evolving Threat to the Payment Systems
by Julie Williams, Executive Vice President, Supervision and Regulation, Federal Reserve Bank of Chicago
As the global pandemic has brought transformational changes to the way we live and function as a society, we’ve seen this crisis bring out the best in humanity. Many people, like our frontline responders, have demonstrated diligence and ingenuity in the face of these challenges. Similarly, Federal Reserve supervisors have had to adapt to a remote working environment and shift supervision priorities to address the risks arising from the COVID-19 pandemic. However, the pandemic has also created a breeding ground for fraudsters seeking to exploit the financial industry and, consequently, the general public. We have seen firms and their clients targeted by these “bad actors”; therefore, I thought I would share my views on fraud risk management that would be relevant for bankers across the Federal Reserve System.
As an illustration, during the COVID-19 pandemic, a Nigerian crime ring used identity theft to steal millions of dollars from U.S. unemployment programs by filing for benefits with stolen information.1 The crime ring diverted the funds to unsuspecting individuals who did not know the funds were fraudulently obtained. It then used social engineering techniques, such as online romance scams and phony job postings, to trick these individuals into unwittingly laundering the funds. The State of Washington lost so much money that it had to temporarily halt unemployment payments to crack down on the fraud.2 This fraud is suspected to have leveraged personal data stolen in previous cyberattacks. Schemes like this one add to the diverse set of fraudulent events afflicting the financial services industry.
Community banks play a vital role in identifying and preventing fraud, including instances similar to that just described. Therefore, community banks need to ensure that their controls are effective in this ever-changing threat landscape to protect their organizations and customers from fraud.
According to an American Bankers Association (ABA) Deposit Account Fraud Survey, deposit account fraud totaled $25.1 billion in 2018, an increase from $19.1 billion in 2016.3 Commercial and savings banks surveyed experienced $2.8 billion in fraud losses, while their fraud risk management efforts identified and prevented $22.3 billion in losses. As fraud schemes grow in number and sophistication, banks are challenged to keep protecting their reputations and assets, as well as those of their customers. Community bankers benefit from strong relationships with their customers built through consistent interaction and community engagement. This affords community bankers a heightened ability to recognize out-of-pattern transactions and to educate staff and customers on fraud awareness. While there is no uniform approach to fraud risk management, there are basic principles and recommendations endorsed by industry leaders in fraud awareness and internal controls that provide solutions that can be tailored to meet the needs of any organization.
Types of Fraud Seen in the Industry
According to the ABA survey, check fraud made up 47 percent, or $1.3 billion, of deposit account fraud losses in the industry in 2018.4 What is old is new again, as banks see a rise in counterfeit checks presented through inclearing or deposit fraud on new accounts, especially accounts opened online, which are on the rise in the current operating environment.
As the 2018 survey noted, banks continue to suffer losses from debit card fraud. Signature, personal identification number, and automated teller machine fraud accounted for $1.2 billion, or 44 percent of industry losses, in 2018.5 Recent declines of in-person spending and increased reliance on technology have created an environment ripe for additional online fraud attempts.
Further, the survey indicated that the remaining $265 million of bank losses occurred in electronic banking transactions, including online bill payments, person-to-person (P2P) and wire transfers, and transactions through automated clearinghouses.6 Online banking exposes institutions and their customers to account takeovers as cybercriminals use various methods of social engineering, such as phishing emails with website links that appear authentic, to obtain an individual’s authentication information, resulting in unauthorized online bill payments, P2P transfers, and even wire transfers.
Disconcerting as these figures are, they understate the problem, because the ABA survey does not account for consumer losses. According to the 2019 Federal Trade Commission (FTC) Consumer Sentinel Network Data Book, there were over 3.2 million reports of fraud resulting in over $1.9 billion in consumer losses in 2019 alone.7 As a result of the pandemic, 2020 consumer losses could be even greater as cybercriminals exploit pandemic fears to steal personally identifiable or financial information.8 Banks are therefore under considerable pressure to protect themselves and their customers from fraud. Fortunately, management can take steps to prevent and detect fraud.
Industry Fraud Risk Management Practices
As a supervisor of a variety of banking organizations, the Federal Reserve is well positioned to observe industry fraud risk management practices and assess their relative effectiveness. Examiners have noted that many well-managed banks monitor and control fraud exposures using five main principles: (1) risk governance, (2) risk assessment, (3) control activities, (4) investigation and corrective action, and (5) risk monitoring activities. These principles are reinforced and outlined in the Office of the Comptroller of the Currency’s (OCC) 2019 bulletin “Operational Risk: Fraud Risk Management Principles.”9 Further, the broader financial community is guided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Association of Certified Fraud Examiners (ACFE), which published a fraud risk management guide10 in 2016 that offers a blueprint to help organizations understand the current state of their fraud risk management tools and explore potential enhancements. The guide introduced five Fraud Risk Management Principles that align with the COSO Integrated Framework.11 The ACFE subsequently partnered with Grant Thornton, an accounting and advisory organization, in 2020 to produce the Anti-Fraud Playbook,12 providing actionable practices for these fraud risk management principles.
Although there is no one-size-fits-all approach, the Anti-Fraud Playbook outlines guidance based on these five risk management principles, which may assist bankers seeking to build or expand their fraud risk management programs.
1. Fraud Risk Governance. Effective fraud risk governance should be tailored to the specific needs and risk profile of an organization. Regardless of an institution’s asset size or risk profile, sound risk management practices promote employee accountability. When an institution incorporates measures such as ongoing employee training, an ethics policy, an employee code of conduct, an identity theft program, or an elder abuse policy into organizational governance, a culture of fraud awareness and deterrence is established. Fraud prevention has greater success in banks that empower and reward employees for identifying and preventing fraudulent transactions.
2. Fraud Risk Assessment. A fraud risk assessment or data from existing reports can help identify activities that make a bank vulnerable to fraud and assess the likelihood and impact of potential fraud schemes on the institution. Consider how a fraudster may capitalize on vulnerabilities in banking processes to perpetrate fraud. Bankers can leverage data used in a Bank Secrecy Act/Anti-Money Laundering risk assessment, such as a change in the number of clients or new accounts, fraud Suspicious Activity Report (SAR) filings, changes in product offerings, and increases in cash or wire activity to identify emerging fraud risks or evaluate current controls.
3. Fraud Control Activities. The results of a fraud risk assessment (or related data) can drive strategy in developing heightened internal controls to prevent and detect fraud. Controls to consider include:
Preventive controls
- Fraud awareness training for employees
- Dual controls over activities such as monetary instruments, general ledger entries, and vault access
- Segregation of duties for confirming payments or loan distributions
Detective controls
- Monitoring systems or reports designed to detect suspicious activity (e.g., unauthorized activity, exception reports, fee waiver analysis, and employee access reports)
- Fraud trend monitoring, which can be a simple Excel spreadsheet using existing data and does not require sophisticated machine learning programs (e.g., fraud to transaction volume ratios and charge-offs for a branch or banker)
- Effective complaint resolution processes
- Ethics and whistleblower reporting channels or hotline
- Mandatory vacation policy13
4. Fraud Investigation and Corrective Action. Once a process is in place to detect fraud, banks can develop a structure for an effective investigation that will help identify the root cause of the fraud and implement corrective actions. Banks should designate responsibilities for monitoring suspicious activity, escalating complaints received through an ethics hotline or other means, and conducting an investigation when a fraud event occurs. An effective investigative process provides for a comprehensive review of a fraudulent incident and considers communication of the results and remediation of the incident and related internal control weaknesses.
Additionally, fraud attempts against a bank or its customers, even if unsuccessful, are criminal acts. An organization should have a process to determine if a SAR filing is needed. Consult guidance from the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) that describes when banks, bank holding companies, and subsidiaries are required to file a SAR or to notify law enforcement or regulators.14
5. Fraud Risk Management Monitoring Activities. Sound fraud risk management includes regular reporting to the board of directors or senior management on the organization’s assessment of fraud risk, compensating controls, as well as any incidents and associated exposure. Monitoring reports allow management and the board of directors to measure performance and ascertain appropriate fraud prevention measures. Best practices can include benchmarking current fraud losses against loss history or industry data, such as:
- Fraud losses (e.g., per open account, closed account, or litigation), fraud recoveries, and net fraud losses
- Metrics by fraud type; for example, the Federal Reserve recently released the FraudClassifier Model in an effort to encourage consistent classification of payments fraud15
- Automated clearinghouse return rates
- Customers claiming unauthorized activity
- SAR filings related to fraud
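The detective control in principle 3 (fraud trend monitoring using fraud-to-transaction-volume ratios by branch) and the monitoring metrics in principle 5 (fraud losses, recoveries, and net losses) can be computed from data most banks already have. The following is an added example, not code from the article or the Federal Reserve; the transaction and loss records are constructed sample data, the ratio is measured in net loss per dollar of transaction volume, and the flagging threshold (three times the bank-wide ratio) is an assumed tuning choice that a bank would calibrate against its own loss history.

```python
"""Fraud-trend monitoring metrics by branch (added example, not from the article).

Computes, from constructed sample records, the metrics the text lists:
gross fraud losses, recoveries, net losses, and a net-loss-to-volume
ratio per branch, then flags branches whose ratio is an outlier against
the bank-wide ratio.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    branch: str
    amount: float          # dollar amount of the transaction


@dataclass(frozen=True)
class FraudCase:
    branch: str
    loss: float            # gross loss charged off
    recovered: float = 0.0 # amount later recovered


# Constructed sample data (hypothetical branches and amounts)
SAMPLE_TXNS = [
    Txn("Main", 1_000_000), Txn("Main", 2_500_000), Txn("Main", 1_500_000),
    Txn("North", 800_000), Txn("North", 700_000),
    Txn("East", 300_000), Txn("East", 200_000),
]
SAMPLE_FRAUD = [
    FraudCase("Main", 4_000, 1_000),
    FraudCase("North", 3_000, 0),
    FraudCase("East", 9_000, 2_000),   # large loss at a low-volume branch
]


def branch_metrics(txns, cases):
    """Return {branch: {volume, gross_loss, recovered, net_loss, ratio}}."""
    m = defaultdict(lambda: {"volume": 0.0, "gross_loss": 0.0, "recovered": 0.0})
    for t in txns:
        m[t.branch]["volume"] += t.amount
    for c in cases:
        m[c.branch]["gross_loss"] += c.loss
        m[c.branch]["recovered"] += c.recovered
    for d in m.values():
        d["net_loss"] = d["gross_loss"] - d["recovered"]
        # net loss per dollar of transaction volume; 0 if the branch had no volume
        d["ratio"] = d["net_loss"] / d["volume"] if d["volume"] else 0.0
    return dict(m)


def bank_wide_ratio(metrics):
    """Net loss per dollar of volume across all branches (the benchmark)."""
    volume = sum(d["volume"] for d in metrics.values())
    net = sum(d["net_loss"] for d in metrics.values())
    return net / volume if volume else 0.0


def flag_outliers(metrics, multiplier=3.0):
    """Branches whose ratio exceeds `multiplier` times the bank-wide ratio.

    The multiplier is an assumed threshold; tune it against loss history.
    """
    baseline = bank_wide_ratio(metrics)
    return sorted(b for b, d in metrics.items() if d["ratio"] > multiplier * baseline)


def report_lines(metrics):
    """Plain-text rows suitable for a board or management monitoring report."""
    rows = ["branch  volume        gross    recov    net      ratio"]
    for b, d in sorted(metrics.items()):
        rows.append(f"{b:<7} {d['volume']:>12,.0f} {d['gross_loss']:>8,.0f} "
                    f"{d['recovered']:>8,.0f} {d['net_loss']:>8,.0f} {d['ratio']:>8.5f}")
    return rows


if __name__ == "__main__":
    metrics = branch_metrics(SAMPLE_TXNS, SAMPLE_FRAUD)
    print("\n".join(report_lines(metrics)))
    print("bank-wide ratio:", round(bank_wide_ratio(metrics), 6))
    print("flagged:", flag_outliers(metrics))
```

With the sample data, East has the smallest volume but the largest net loss, so its ratio is far above the bank-wide figure and it is the only branch flagged; Main, which has the most gross loss in absolute terms, is not, which is the point of using a ratio rather than raw loss totals. The same functions work per banker if the `branch` field holds an employee identifier instead.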
Fraud Risk Management Principles in Action
Assume a personal banker receives an email from Mr. Baker, an authorized signer on a well-known commercial account, requesting a wire transfer. The language in this new email request is similar to previous requests and appears to be from Mr. Baker’s legitimate business email account, so the wire is processed. The next day, the bank learns that the email was compromised as a result of a spear-phishing attack. Such fraudulent emails typically appear to come from a client and contain a time-sensitive request for payment, which can result in a loss to the bank.
How can these incidents be prevented? The post-incident review might identify that the employee was overdue for fraud awareness training or should have been suspicious of the urgency of the request. This would be a gap in fraud risk governance (principle 1). This incident could have been included in the fraud risk assessment (principle 2), noting the increased risk to the bank given the year-over-year increase in volume and dollars of outgoing wire activity and any previous wire transfer fraud attempts. The investigation of this incident results in corrective actions (principle 4), such as an additional control (principle 3) requiring a different client specialist (segregation of duties, which also mitigates internal fraud) to call the client at a number on file, never at a number supplied in the email itself, to authenticate all payment requests received via email. Finally, reporting to the board of directors or management could include this incident through SAR reporting, if required, or a "significant case" summary (principle 5) to ensure transparency of exposure, compensating controls, and the associated losses. From there, management can ensure employee training is enhanced, past-due training is completed, and the newly implemented controls are documented and executed, thus restarting the cycle of fraud risk management principles.
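The callback control described above is easy to state and easy to get subtly wrong: the verification must use the phone number the bank already holds for the client, and the person making the call must not be the person who took the request. The following is an added example of that control expressed as release logic, not code from the article or any bank's system; the customer profile, employee names, request fields, and phone numbers are hypothetical.

```python
"""Out-of-band callback control for email-originated payment requests
(added example, not from the article).

A wire requested by email may not be released until a second employee
has confirmed it by calling the client at the number already on file.
Both checks matter: a fraudster's email often includes a "call me at"
number, and a single employee confirming their own intake defeats the
segregation of duties.  All identifiers below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CustomerProfile:
    account: str
    phone_on_file: str            # collected and verified at onboarding


@dataclass
class PaymentRequest:
    account: str
    amount: float
    channel: str                  # "email" is the channel this control governs
    received_by: str              # employee who took the request
    callback_number_in_request: Optional[str] = None   # number the email offers
    verified_by: Optional[str] = None
    verified_number: Optional[str] = None


class ControlViolation(Exception):
    """Raised when a callback does not satisfy the control."""


def record_callback(req, verifier, number_dialed, profiles):
    """Record a completed callback, rejecting ones that break the control."""
    profile = profiles[req.account]
    if verifier == req.received_by:
        raise ControlViolation("callback must be made by a different employee")
    if number_dialed != profile.phone_on_file:
        # Covers the case where the employee dialed the number in the email
        raise ControlViolation("callback must use the number on file")
    req.verified_by = verifier
    req.verified_number = number_dialed


def may_release(req, profiles):
    """True when the email-channel control is satisfied.

    Requests from other channels are passed through here; in practice they
    would be subject to their own (in-person or token-based) controls.
    """
    if req.channel != "email":
        return True
    profile = profiles[req.account]
    return (req.verified_by is not None
            and req.verified_by != req.received_by
            and req.verified_number == profile.phone_on_file)


if __name__ == "__main__":
    profiles = {"ACCT-1": CustomerProfile("ACCT-1", "555-0100")}
    # Spear-phished request: the email helpfully supplies its own callback number
    req = PaymentRequest("ACCT-1", 50_000.0, "email", "alice",
                         callback_number_in_request="555-0199")
    print("release before callback:", may_release(req, profiles))
    for verifier, number in [("alice", "555-0100"), ("bob", "555-0199")]:
        try:
            record_callback(req, verifier, number, profiles)
        except ControlViolation as e:
            print(f"rejected ({verifier}, {number}): {e}")
    record_callback(req, "bob", profiles["ACCT-1"].phone_on_file, profiles)
    print("release after proper callback:", may_release(req, profiles))
```

Note that `record_callback` ignores `callback_number_in_request` entirely; the field exists only so the example can show the wrong number being rejected. Logging each rejected attempt would also feed the monitoring metrics under principle 5.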
Know, Educate, and Engage Your Customers
ABA survey respondents rated consumer victimization scams (e.g., fake check scams, internet job scams, and lottery scams), phishing emails, business email compromise schemes, and social engineering among the leading risks to the industry and its customers in 2020, and, as expected, these scams appear to have increased throughout the pandemic.
Community bankers have the benefit of knowing their customers and the ability to identify out-of-pattern activity. Bankers can train customer-facing employees to identify potential fraud victims (i.e., discuss large cash transactions or unusual wire requests to see if the reason for the transaction appears suspicious) and understand how to escalate incidents in which customers may have acted under fraudulent pretenses.
Do you remember the Nigerian unemployment scam discussed earlier? Many community banks successfully identify similar situations because they know their clients and recognize large wire or cashier's check requests as out of pattern. Upon further review, a bank could determine that the funds were received from an unemployment agency in a different state and then sent on to a differently named beneficiary. This awareness can result in the return of funds and prevent losses to unemployment programs.
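The pattern just described (an out-of-state unemployment credit followed shortly by a wire or cashier's check to someone other than the account holder) is specific enough to express as a transaction-monitoring rule. The following is an added example, not code from the article or any bank's monitoring system; the customers, transactions, agency-name pattern, fourteen-day window, and name-matching heuristic are all constructed or assumed, and a production rule would use the bank's own originator identifiers and customer data.

```python
"""Detection rule for the unemployment-benefit mule pattern (added example,
not from the article).

Alerts when an account receives an ACH credit from a state unemployment
agency outside the customer's state of residence and, within a short
window, sends a wire or cashier's check to a payee whose name does not
match the account holder.  Sample data and heuristics are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    when: date
    direction: str            # "credit" or "debit"
    kind: str                 # "ach", "wire", "cashiers_check", ...
    amount: float
    counterparty: str         # originator (credits) or beneficiary (debits)
    counterparty_state: str = ""


@dataclass(frozen=True)
class Customer:
    account: str
    name: str
    state: str                # state of residence on file


# Hypothetical originator-name pattern; a real rule would key on the
# agency's ACH company IDs rather than free text.
UI_AGENCY = re.compile(r"\b(unemployment|employment security|workforce|labor)\b", re.I)


def _tokens(name):
    """Lower-cased alphabetic tokens of 3+ characters, e.g. 'DOE, JANE' -> {'doe','jane'}."""
    return {t for t in re.sub(r"[^a-z ]", "", name.lower()).split() if len(t) >= 3}


def names_match(a, b):
    """Loose match: the two names share at least one meaningful token."""
    return bool(_tokens(a) & _tokens(b))


def find_mule_patterns(customers, txns, window_days=14):
    """Return (account, agency, beneficiary, amount) for each matching pair."""
    by_acct = {c.account: c for c in customers}
    alerts = []
    for credit in txns:
        if (credit.direction != "credit" or credit.kind != "ach"
                or not UI_AGENCY.search(credit.counterparty)):
            continue
        cust = by_acct[credit.account]
        if credit.counterparty_state == cust.state:
            continue  # in-state benefit payment; not the pattern described
        deadline = credit.when + timedelta(days=window_days)
        for debit in txns:
            if (debit.account == credit.account and debit.direction == "debit"
                    and debit.kind in ("wire", "cashiers_check")
                    and credit.when <= debit.when <= deadline
                    and not names_match(cust.name, debit.counterparty)):
                alerts.append((cust.account, credit.counterparty,
                               debit.counterparty, debit.amount))
    return alerts


# Constructed sample data
CUSTOMERS = [Customer("A1", "Jane Doe", "IL"), Customer("A2", "Sam Lee", "IL")]
TXNS = [
    Txn("A1", date(2020, 5, 4), "credit", "ach", 8200.0, "WA EMPLOYMENT SECURITY DEPT", "WA"),
    Txn("A1", date(2020, 5, 6), "debit", "wire", 7500.0, "Carlos Rivera"),      # mule pattern
    Txn("A1", date(2020, 5, 7), "debit", "wire", 500.0, "DOE, JANE"),           # to self: ignored
    Txn("A1", date(2020, 6, 30), "debit", "cashiers_check", 300.0, "Pat Smith"),# outside window
    Txn("A2", date(2020, 5, 4), "credit", "ach", 3000.0, "IL DEPT EMPLOYMENT SECURITY", "IL"),
    Txn("A2", date(2020, 5, 5), "debit", "wire", 1500.0, "Landlord LLC"),       # in-state: ignored
]

if __name__ == "__main__":
    for alert in find_mule_patterns(CUSTOMERS, TXNS):
        print("ALERT", alert)
```

On the sample data only Jane Doe's account alerts: the Washington credit arrives in Illinois and is wired two days later to a differently named beneficiary. The in-state credit to Sam Lee, the transfer to the account holder's own name, and the check written outside the window are all ignored. An alert like this is what would prompt the review, the return of the benefit funds, and a SAR decision under principle 4.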
To further combat fraud, bankers can educate customers about fraud risks and preventive measures their customers can take to reduce the risk of becoming victims. Bankers can provide their customers with information on common fraud schemes, tips for transacting safely and effectively using authentication controls, and ways to identify and report a fraudulent transaction. For example, banks can use their own websites to share current scams, such as the Nigerian crime ring unemployment fraud, or reference external resources. The FTC website, www.consumer.ftc.gov, provides guidance on identity theft, and the Federal Bureau of Investigation's Internet Crime Complaint Center website, www.ic3.gov, identifies current scams and options for reporting fraud. These websites outline the types of fraud scammers have used during the pandemic.
What to Do After Fraud Is Identified
Even the best fraud risk management program cannot stop all fraud; however, recovery is possible when the fraud is identified in a timely manner. A bank’s incident response process should outline options to recover funds that left the institution. This includes losses experienced by the bank as well as incidents in which a customer was targeted that may result in bank exposure. Again, community banks have the advantage of knowing their customers, which helps to identify unusual activity, and the likelihood of material recovery is higher if the fraud is identified quickly and the proper recovery steps are followed.
Recovery processes vary for different transactions, and it is important to understand all available options, such as wire recalls, late check returns, or indemnification agreements obligating the receiving bank to return fraudulently obtained funds. One of the most effective recovery methods is contacting the recipient bank to discuss the fraudulent transaction and take timely corrective measures, especially when working with another community bank. Educating bank staff on these options improves response time and results in higher recovery rates.
Fighting Fraud at Your Institution
At the Federal Reserve Bank of Chicago, the Supervision and Regulation Department understands that fraud threats against financial institutions and consumers continue to evolve. We have established a fraud awareness initiative to keep our supervisory staff and internal stakeholders abreast of fraud trends. Although it is impossible to identify and prevent all attempted fraud, successful fraud risk management starts with awareness and education regarding the fraud risks for your bank employees and customers. We encourage our state member banks to report significant fraud incidents to their respective supervisory points of contact. Knowing these risks and considering how the recommendations of the regulatory agencies, COSO, and the ACFE may be incorporated into your fraud risk management processes can go a long way toward protecting your bank and your customers from falling victim to fraud. Going above and beyond to protect your customer may result in a customer for life.
- 1 See Brian Krebs, “U.S. Secret Service: ‘Massive Fraud’ Against State Unemployment Insurance Programs,” Krebs on Security blog, May 16, 2020, available at https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/.
- 2 See Tony Romm, “Unemployed Workers Face New Delays and Paused Payments as States Race to Stamp Out Massive Nationwide Scam,” Washington Post, June 12, 2020, available at www.washingtonpost.com/business/2020/06/12/unemployment-benefits-fraud-delays/.
- 3 See the ABA Deposit Account Fraud Survey published January 1, 2020, available at www.aba.com/news-research/research-analysis/deposit-account-fraud-survey-report.
- 4 See the ABA Deposit Account Fraud Survey.
- 5 See the ABA Deposit Account Fraud Survey.
- 6 See the ABA Deposit Account Fraud Survey.
- 7 See the 2019 FTC Consumer Sentinel Network Data Book, available at www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2019/consumer_sentinel_network_data_book_2019.pdf.
- 8 See “Coronavirus Advice for Consumers,” available at www.ftc.gov/coronavirus/scams-consumer-advice.
- 9 See OCC Bulletin 2019-37, available at www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-37.html.
- 10 See “Fraud Risk Management Guide Executive Summary,” September 2016, available at www.coso.org/documents/COSO-Fraud-Risk-Management-Guide-Executive-Summary.pdf.
- 11 See “Enterprise Risk Management — Integrating with Strategy and Performance,” available at www.coso.org/Pages/erm.aspx.
- 12 See the Anti-Fraud Playbook, available at www.grantthornton.com/services/advisory-services/risk-advisory-services/ACFE-global-fraudcon-and-playbook.aspx.
- 13 See Supervision and Regulation letter 96-37, “Supervisory Guidance on Required Absences from Sensitive Positions,” available at https://spweb.frb.gov/sites/BSRWeb/SR/Policy/PolLtrDocs/sr9637.pdf.
- 14 See “FinCEN SAR Electronic Filing Instructions,” release date October 2012, available at www.fincen.gov/sites/default/files/shared/FinCEN%20SAR%20ElectronicFilingInstructions-%20Stand%20Alone%20doc.pdf.
- 15 See the Federal Reserve FedPayments Improvements FraudClassifier Model, available at https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/fraudclassifier-model/.