Internal Fraud is something most banks hate to talk about but they all have experienced. Whether they know it or not, they have.
It could be one bad employee, or thousands of errant employees like the recent case at Wells Fargo. Internal Fraud impacts everyone. Unfortunately since no one likes to talk about, best practices and prevention are something that can be hard to come by.
I spent 2 years as an Internal Fraud Investigator with a major bank. My job was to develop policies and procedures for dealing with internal fraud and for monitoring home grown detection programs to find employees that were stealing data or misusing the host system to commit credit card fraud.
What I learned during those two years was that internal fraud is not well understood or accepted by banks. The bank I worked with quickly disbanded the automated detection program I built because they simply didn’t think it was a high priority. I was surprised to hear that news after I left because I was detecting 5-7 cases of internal fraud each month. How were they continuing to find the fraud?
They weren’t. They just simply let it slip under the radar. I can’t really blame them I guess. That’s what many banks do I have found.
Many Banks simply let internal fraud slip under the radar because they do not believe they have a problem, or they have no idea how to detect when it is occurring. That is a big mistake.
I decided to write this article on best practices to help banks understand what they should consider when building an internal fraud prevention program.
Internal Fraud is More Common Than You Think
Internal fraud is more common than people think. Several years ago, I performed some data analysis which suggested that the frequency rate of internal fraud was quite high. For banks, we found the following
Tenured Employee Fraud Rate – The fraud rate for employees at banks with tenures great than 1 year was 3,000:1 each month. This means that banks will typically have about a single case of internal fraud each month for every 3,000 employees they have. If the bank has 10,000 employees, they should expect that there are about 3 internal fraud cases that are happening each month.
Short Term Employees and Contractors – Employees with shorter tenure at banks have a much higher rate of fraud. Banks can expect about 1 fraud case per 300 short tenured employees or contractors. The fraud rate of short term employees is approximately 10 times higher than for long tenured employees. The reason for this is simple. Short term employees have less loyalty to the company and less to lose by losing their jobs so they are more likely to steal.
Banks are Targeted By Internal Fraud, CIFAS reporting Internal Fraud Has Doubled in the Last Year
I read a great research report on Internal Fraud which can download here from CIFAS – Internal Fraud Landscape.
CIFAS established the worlds first Internal Fraud Employee database which was exclusively for financial services, insurance and IT companies. Their database is a goldmine of data regarding fraud attempts by employees at financial institutions.
Their findings for last year were grim. Fraud committed in banks by employees more than doubled in 2015 from 2014. Their latest report tracked reports from 153 separate organizations and received 585 reports of confirmed internal fraud.
They also point out that there is no such thing as a typical fraudster. Their advice is to monitor all employees because anyone could be committing fraud against a bank
According to our database there is no such thing as a ‘typical’ internal fraudster. Length of service ranges from less than a month to over 30 years and although the overall gender split is 63% male and 37% female, ages recorded in 2015 range from 18 to 67 years
Not surprisingly, their statistics also showed that 50% of the attempts were by employees trying to apply for new accounts or dishonest actions to steal (which I take to mean using the system to pilfer money from the bank)
Billions of Dollars Are Lost Due to Employee Fraud
So why should banks care about internal fraud? Because they lose hundreds of millions to the problem annually. They probably do not even realize it because it is not reported. But the losses are real.
The Most Popular Internal Fraud Scams By Employees
The Certified Fraud Examiners Analysis suggest that a whopping 5% of organizations revenue is lost to internal theft and fraud. If you took Global GDP that equates to over $3.5 Trillion dollars that is lost to employees.
Analysis conducted by BasePoint Analytics suggested that approximately 1% to 3% of credit card losses are caused by internal fraud which equates to approximately 480 million annually.
Best Practice #1 – Setup an Internal Fraud Detection Function
The first thing you need to do as a bank is have a dedicated internal fraud function. The person(s) responsible for the group will focus on building a bank policy around internal fraud, developing fraud prevention controls, monitoring transaction reports, conducting internal investigations, interviewing employees and interfacing with law enforcement.
The Internal Fraud function often sits in corporate security however I typically recommend that business units have a fraud specialist for their own area that monitor the transaction reports and be very involved with the day to day operations of the group.
Best Practice #2 – Establish an Internal Fraud Policy Document
I am surprised most banks have no formal policy around what they do for internal fraud. My recommendation is that banks establish a formal policy document for internal fraud. The document should outline
- Who is responsible for monitoring internal fraud
- What monitoring tools and reports are used
- What groups need to agree on regarding the termination of employees (HR, Operations, Customer Service)
- How investigations are conducted
- Orientation Training and what information is given to employees about internal fraud awareness
- Fraud Hotline Processes
- Fraud Reporting around internal fraud
- Decisions on when to refer cases to law enforcement
Policy documents are critical to an internal fraud prevention program.
Best Practice #3 – Get a Fraud Monitoring Tool
This is important. It is fundamental. You absolutely cannot stop internal fraud if you do not have a monitoring tool in your bank.
A monitoring tool takes in transaction level information from the host system and tracks keystroke level activity from each employee that accesses the system. The monitoring system produces exception or risk reports that can flag employees that appear to be stealing account information.
Some of the better systems for monitoring internal fraud are FDR Footprints, Fiserv Fraud Risk Manager, Memento, Actimize and Intellinx. These are software that are used at most of the largest banks in the US and across the globe.
Best Practice #4 – Implement Key Transaction Reports
After you have purchased monitoring software it is important to make sure that you turn on key reports that can help you identify internal fraud. I believe the following types of reports are the most effective in detecting internal fraud.
- Fraud Touches – Report that indicates employees that accessed an inordinate number of fraud accounts prior to the first fraud date.
- Alpha Search Own Name – Employees that searched the system for their own name excessively. This is alway an indicator of potential identity theft.
- Alpha Search Same Name over Many Days – Employees that search for the same customer account name over and over are often committing fraud against that account
- AVS Match to Employee Address – Match card request, address changes, credit card online orders up against your employee address. You will often find that employees will ship fraudulent cards or online orders from customers accounts to their own address.
- Shipped to Local Address Near Call Center – Customers that have online fraud orders that are shipped closed to the bank’s operations center when they live out of state are often fraudulent orders
- Ani Match to Employee – Monitor your call center records and identify accounts accessed from employees phone numbers or any numbers listed on their initial application
- Access Same Account Number Many Times – Employees that access the same account number over multiple days many times.
- New Account Opened To Employee or Relative Address – Match employee address to new accounts opened.
- Celebrity Lookup – Employees that search for celebrity names. This is often a compliance issue
- Reversals – Employees that reverse any charges on their own account such as transactions, finance charges, over limit charges or other fees
- Re-Age Request – Employees that re-age their own account or account of a relative.
These are just a few of the reports but starting with these are important because they are often the first indicators of employee fraud
Best Practice #5 – New Hire Orientation Presentation
It is critical that you have a 15 minute spot at all new hire orientation to clearly outline to each new employee or contractor your monitoring efforts and the ramifications for getting caught.
When I used to interview employees they often told me that they would have never committed internal fraud if they had known the extent to which we monitor their activity.
Best Practice #6 – Prosecute All Cases of Internal Fraud
This is a tough one. Many banks simply terminate employees after they discover fraud. It is important that if you have the evidence to prosecute that you do so. And not only should you do it, but you should broadcast it internally so every employee is aware of the consequence.
We even went so far as arresting people on-site when we discovered the fraud they perpetrated. It was very effective in stopping fraud.
Best Practice #7 – Interview Every Employee before Termination
It is important that you do not simply terminate the employee without discussing what they had done.
In many investigations, I was able to establish links with other employees that had been recruited by third parties and we were able to avoid further losses with this intelligence.
Exit investigation interviews are critical for reducing future risk. Remember, the employee you are terminating could have hundreds or thousands of account numbers they could continue to use if you just let them walk out the door.
Best Practice #8 – Establish A 48 Hour Investigation Cycle
I cannot emphasize how important this is. I have seen far too many corporate investigations of internal fraud cases span months. I worked at a bank once and the investigators detected an internal fraud case immediately after it had started. They spent the next 9 months tracking the employee’s behavior, watching him commit fraud, building up evidence before terminating him. In the end what should have been a loss of less than $2,000 to the bank turned into a $250,000 loss to the bank.
You need to establish a 48 hour turnaround coordinating between the manager, HR, corporate security and law enforcement. The name of the game is speed to get the employee off the system and reducing fraud.
Best Practice #9 – Establish A Fraud HotLine and Physical Security Presence
Employees that are caught almost always think their suspicious activity was picked up on video. This was never the case but I realized that cameras are an excellent deterrent for fraud. Physical security presence is a must for internal fraud detection.
In addition to strong physical security, establish an awareness program and fraud hotline where employees can anonymously whistle blow when they suspect internal fraud. These may not always lead to a positive detection however they are a good deterrent.
Best Practice #10 – Educate Executives, Report the Fraud
One big pitfall to internal fraud is that no banks want to talk about it. This is wrong. This is exactly what the fraudsters want.
It is important to bring internal fraud out to the open by educating executives of just how common it is and reporting the fraud on a monthly basis.
Too many banks do not do this and choose to sweep it under the rug or hide it. That is why it continues to result in billions in losses annually. My recommendation is to report on each and every case of fraud and make your executive team very aware of fraud as it occurs.
If you would like to discuss internal fraud programs and strategies, please contact me at [email protected] I am always happy to help stop the bad guys.
Thanks for reading!