OCC Bulletin 2019-37 | July 24, 2019

Operational Risk: Fraud Risk Management Principles

To

Chief Executive Officers and Chief Risk Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to inform national banks, federal savings associations, and federal branches and agencies (collectively, banks) of sound fraud risk management principles. This bulletin supplements other OCC and interagency issuances on corporate and risk governance, including the references listed in appendix A of this bulletin.

Note for Community Banks

This guidance applies to all OCC-supervised banks.

Highlights

The risk management principles addressed in this bulletin include the following:

  • A bank should have sound corporate governance practices that instill a corporate culture of ethical standards and promote employee accountability.
  • A bank's risk management system should include policies, processes, personnel, and control systems to effectively identify, measure, monitor, and control fraud risk consistent with the bank's size, complexity, and risk profile.
  • A bank's risk management system and system of internal controls should be designed to
    • prevent and detect fraud.
    • appropriately respond to fraud, suspected fraud, or allegations of fraud.
  • Bank management should assess the likelihood and impact of potential fraud schemes and use the results of this assessment to inform the design of the bank's risk management system.
  • Senior management and the board of directors should measure, monitor, and understand fraud losses across the enterprise and employ tools that appropriately quantify and assess loss experience and exposure.
  • Internal reviews and audits should include fraud risk as part of their assessments.

Fraud risk management principles can be implemented in a variety of ways and may not always be structured within a formal fraud risk management program. Regardless of the structure, fraud risk management should be commensurate with the bank's risk profile. Banks with significant and far-reaching retail-oriented business activities should have well-documented fraud risk management programs with appropriate monitoring, measurements and reporting, and mitigation.

Background

Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.1 Fraud is typically categorized as internal or external.

  • Internal fraud occurs when an officer, an employee, a former employee, or a third party engaged by the bank commits fraud, colludes to commit fraud, or otherwise enables or contributes to fraud.
  • External fraud consists of first-party fraud and victim fraud. External fraud is committed by a person or entity that is not a bank employee, a former employee, or a third party engaged by the bank.
    • First-party fraud occurs when an outside party, including a bank customer, commits fraud against the bank.
    • Victim fraud occurs when a bank customer or client is the victim of an intentional fraudulent act.

Fraud schemes are often continuous crimes that can go undetected for months or even years and can be time consuming and costly to address. It is often difficult to fully understand and quantify the extent of the fraud and the harm caused. Measuring losses associated with fraud is often an inexact process. Typically, the true cost of fraud is greater than the direct financial loss, given the time and expense to investigate, loss of productivity, potential legal and compliance costs associated with remediation, and impact on a bank's reputation.

Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.2 Operational risk management weaknesses can result in heightened exposure to fraudulent activities, which can increase a bank's exposure to reputation and strategic risks. Failure to maintain an adequate risk management system could expose the bank to the risk of significant fraud, defalcation (e.g., misappropriation of funds by an employee), and other operational losses.

Governance

Strong governance is of paramount importance to controlling the bank's exposure to fraud, and a strong corporate culture against fraud is crucial regardless of a bank's size or complexity. The tone at the top sets the foundation on which the bank operates. The board and senior management have a responsibility to lead by example and demonstrate that the bank is serious about promoting ethical behavior to deter and prevent fraud. The board-adopted code of ethics (or code of conduct) should encourage the timely communication and escalation of suspected fraud through the appropriate oversight channel.

The board is ultimately responsible for oversight but may delegate fraud risk management-related duties to specific committees (for example, the audit committee or operational risk management committee). The board also may delegate anti-fraud responsibilities to specific executives and managers, including those in charge of managing risks and controls. Roles and responsibilities should be clearly defined. The board should hold management accountable for effective fraud risk management and alignment of anti-fraud efforts with the bank's strategy, objectives, risk appetite, and operational plans. While not all fraud can be avoided, an active board can foster an environment in which fraud is more likely to be prevented, detected, and promptly addressed.

A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heightened fraud risk.3

Risk Management

Sound fraud risk management principles should be integrated within the bank's risk management system commensurate with the bank's size, complexity, and risk profile. Bank management should periodically assess the likelihood and impact of potential fraud schemes and use the documented results of this assessment to inform the design of the bank's risk management system and evaluate fraud control activities. Policies should clearly define, establish, and communicate the board's and senior management's commitment to fraud risk management. Processes should be designed to anticipate fraud and deploy a combination of preventive controls and detective controls. Detective controls are critical because even with strong governance and oversight, collusion or circumvention of internal controls can allow fraud to occur. Some practices and activities may be both preventive and detective in nature.

Preventive controls are designed to deter fraud or minimize its likelihood. The following are some examples:

  • Policies and procedures (e.g., ethics policies, codes of conduct, identity theft program,4 and elder abuse policies)
  • Anti-fraud awareness campaigns for the board, senior management, staff, and third parties
  • Fraud risk management training for employees and contractors commensurate with roles and responsibilities
  • Customer education on fraud risks and preventive measures customers can take to reduce the risk of becoming victims
  • System controls designed to prevent employees, agents, third parties, and others from conducting fraudulent transactions, performing inappropriate manual overrides, or manipulating financial reporting
  • Controls to prevent fraudulent account opening, closing, or transactions
  • Dual controls (e.g., over monetary instruments, accounting, customer transactions, and reporting)
  • Segregation of duties
  • Background investigations for new hires and periodic checks for existing personnel and third parties
  • Training customer-facing employees to identify potential victim fraud
  • Sound information technology programs5
  • Job breaks, such as mandatory consecutive two-week vacations or rotation of duties
  • Customer identification program procedures, customer due diligence processes, and beneficial ownership identification and verification6
  • Real-time transaction analysis and behavioral analytics

Detective controls are designed to identify and respond to fraud after it has occurred. The following are some examples:

  • Systems, monitoring systems, or reports designed to detect fraudulent activity across all lines of business and functions (e.g., exception reports, unusual card activity, unauthorized transactions, file maintenance reports, fee waiver analysis, and employee surveillance processes [account monitoring, system access patterns, and overrides])
  • Data analytics (e.g., loss data analysis, transactions, fee waivers, interest forgiven, charge-offs, errors, and consumer complaints data)
  • Effective complaint resolution processes7
  • Monitoring and analysis of civil and criminal subpoenas received by the bank or information requests under section 314 of the USA PATRIOT Act8
  • Monitoring and analysis of Bank Secrecy Act report filings by the bank and its affiliates
  • Monitoring of news or other data with civil or criminal court
  • Ethics and whistleblower reporting channels or hotlines
  • Exit interviews for departing employees

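Two of the detective controls listed above, fee waiver analysis and override (dual control) monitoring, run over constructed sample records. This is an added illustration, not code from the OCC bulletin; the record layout, the peer-comparison threshold, and the employee identifiers are assumptions made for the example.

```python
"""Added example (not part of the OCC bulletin): a fee-waiver exception
report and an override review, two of the detective controls the bulletin
lists, run over constructed sample records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (employee, account, action, amount, approver).
# action is "fee_waiver" or "override"; approver is blank when none was recorded.
SAMPLE = [
    ("emp01", "ACCT-1", "fee_waiver", 25.0, ""),
    ("emp01", "ACCT-2", "fee_waiver", 35.0, ""),
    ("emp02", "ACCT-3", "fee_waiver", 30.0, ""),
    ("emp03", "ACCT-4", "fee_waiver", 400.0, ""),
    ("emp03", "ACCT-5", "fee_waiver", 450.0, ""),
    ("emp03", "ACCT-6", "fee_waiver", 380.0, ""),
    ("emp04", "ACCT-7", "fee_waiver", 20.0, ""),
    ("emp02", "ACCT-8", "override", 5000.0, "emp05"),  # independent approver
    ("emp03", "ACCT-9", "override", 9000.0, "emp03"),  # self-approved
    ("emp04", "ACCT-10", "override", 1200.0, ""),      # no approver recorded
]


def fee_waiver_outliers(records, z_threshold=1.5):
    """Fee waiver analysis: return employees whose total waived fees exceed
    the peer mean by more than z_threshold population standard deviations.
    The threshold is an assumed tuning value for this illustration."""
    totals = defaultdict(float)
    for emp, _acct, action, amount, _appr in records:
        if action == "fee_waiver":
            totals[emp] += amount
    if len(totals) < 2:
        return []  # no peer group to compare against
    values = list(totals.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []  # everyone waived the same amount; nothing stands out
    return sorted(emp for emp, t in totals.items() if (t - mu) / sigma > z_threshold)


def dual_control_violations(records):
    """Override monitoring: return (employee, account) for every override
    that lacks an independent second approver, i.e. the approver field is
    empty or names the same employee who performed the override."""
    return [
        (emp, acct)
        for emp, acct, action, _amt, appr in records
        if action == "override" and (not appr or appr == emp)
    ]


if __name__ == "__main__":
    print("fee waiver outliers:", fee_waiver_outliers(SAMPLE))
    print("dual control violations:", dual_control_violations(SAMPLE))
```

In the constructed data, emp03's waivers total well above peers and appear on the exception report, and the self-approved and unapproved overrides surface for review; in practice both lists feed the employee surveillance and exception-report processes the bulletin describes.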
Software and technology tools, developed internally or purchased from a third party, can assist with anti-fraud efforts. Bank management should consider the costs and benefits of fraud prevention tools selected, consistent with the bank's overall strategy, complexity, and risk profile. Depending on the selected products and services offered, management may deploy solutions that serve to detect anomalies and prevent potential fraudulent transactions or activities. These solutions can monitor transactions and behaviors, employ layered or multifactor authentication, monitor networks for intrusions or malware, analyze transactions on internal bank platforms, and compare data with consortium or publicly available data. Banks' fraud prevention and detection tools should evolve and adapt to remain effective against emerging fraud types.

Fraud Risk Measurement and Monitoring

Senior management should understand the bank's exposure to fraud risk and associated losses across all business lines and functions and use this information to effectively monitor and manage fraud risk. The board should receive regular reporting on the bank's fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank's fraud risk profile. Reporting should allow management and directors to measure performance. Practices can include comparing current fraud losses against loss history or industry data.

Examples of metrics and analysis banks can use to measure and monitor fraud risk include the following:

  • Losses by fraud type (e.g., internal, external, loan, card, account opening, check, or embezzlement)
  • Fraud losses (e.g., per open account, closed account, or litigation)
  • Fraud recovery
  • Net fraud losses
  • Fraud loss budget variance
  • Automated clearing house return rates
  • Percentage of customers claiming victim fraud
  • Fraud control performance and control testing results
  • Trend analysis of data such as
    • number and dollar amount of fraud cases
    • customer complaints
    • Bank Secrecy Act report metrics (e.g., Suspicious Activity Report [SAR] filings)
    • civil and criminal subpoenas
    • information requests under section 314 of the USA PATRIOT Act

Management should identify fraud losses as internal or external. Larger, more complex banks generally maintain this information in an operational loss database or similar system.9

Fraud Response, Reporting, and Information Sharing

A bank's policies, processes, and controls should prompt reasonable and timely investigations into, responses to, and reporting of suspected and confirmed fraud. Banks should have processes for internal investigations, law enforcement referrals, regulatory notifications,10 and reporting. A bank is required to file a SAR for known or suspected fraud meeting regulatory thresholds.11 Reporting mechanisms should relay relevant, accurate, and timely fraud-related information from all lines of business to appropriate oversight channels.

Sound fraud risk management processes can include voluntary sharing of information with other financial institutions under section 314(b) of the USA PATRIOT Act. Pursuant to section 314(b), before exchanging information, the bank must register with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). Registered section 314(b) participants may share information with one another regarding individuals, entities, organizations, and countries for purposes of identifying and, when appropriate, reporting activities that may involve possible specified unlawful activities. FinCEN has issued guidance clarifying that, if section 314(b) participants suspect that transactions may involve the proceeds of specified unlawful activities, such as fraud, under the money laundering statutes,12 information related to such transactions can be shared under the protection of the section 314(b) safe harbor.13

Reviews and Audits

A bank should design and perform reviews and audits specific to the bank's size, complexity, organizational structure, and risk profile. Reviews and audits should be designed to assess the effectiveness of the bank's internal controls and fraud risk management. Effective internal and external audit programs are a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems.

Reviews and audits typically include the following:14

  • Quality assurance and quality control reviews
  • Independent risk management reviews
  • Internal and external audits
  • Retrospective reviews after fraud is identified
  • Third-party relationship audits (or audit reports) consistent with contractual provisions

When auditing financial statements and asserting effectiveness of internal controls over financial reporting, auditors must consider a material misstatement due to fraud.15 If the auditor identifies that fraud may be present, the auditor must discuss these findings with the board or management in a timely fashion.16 The auditor must also determine whether they have a responsibility to report the suspected fraud to the OCC.17

Findings and results of audits and reviews should be communicated to the relevant parties in a timely manner. Management should take timely and effective corrective action in response to deficiencies identified.

Further Information

Please contact Tanya A. Oskanian, Payments Risk Policy, Operational Risk Division, at (202) 649-6550.

 

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

Appendix A

OCC Publications

  • Comptroller's Handbook
    • "Bank Supervision Process"
    • "Community Bank Supervision"
    • "Corporate and Risk Governance"
    • "Federal Branches and Agencies Supervision"
    • "Insider Activities"
    • "Internal and External Audits"
    • "Large Bank Supervision"
  • "Check Fraud: A Guide to Avoiding Losses"
  • OCC Advisory Letter 1996-6, "Check Kiting, Funds Availability, Wire Transfers"
  • OCC Advisory Letter 2001-4, "Identity Theft and Pretext Calling"
  • OCC Bulletin 2007-2, "Guidance to National Banks Concerning Schemes Involving Fraudulent Cashier's Checks"
  • OCC Bulletin 2010-24, "Interagency Guidance on Sound Incentive Compensation Policies"
  • OCC Bulletin 2011-21, "Interagency Guidelines to the Advanced Measurement Approaches for Operational Risk"
  • OCC Bulletin 2013-29, "Third Party Relationships: Risk Management Guidance"
  • OCC Bulletin 2017-7, "Third-Party Relationships: Supplemental Examination Procedures"
  • OCC Bulletin 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29"
  • OCC News Release 2009-65, "Agencies Issue Frequently Asked Questions on Identity Theft Rules"
  • Office of Thrift Supervision Examination Handbook section 360, "Fraud and Insider Abuse" (federal savings associations)

FFIEC Publications

  • "The Detection, Investigation and Prevention of Insider Loan Fraud: A White Paper," May 2003
  • "The Detection, Investigation, and Deterrence of Mortgage Loan Fraud Involving Third Parties: A White Paper," February 2005
  • "The Detection and Deterrence of Mortgage Fraud Against Financial Institutions: A White Paper," February 2010
  • FFIEC Information Technology Examination Handbook
  • FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual

Other

  • American Institute of Certified Public Accountants, AU-C section 240
  • Committee of Sponsoring Organizations of the Treadway Commission and Association of Certified Fraud Examiners, "Fraud Risk Management Guide" and "Executive Summary"
  • FinCEN, FIN-2009-G002, "Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act"
  • FinCEN, "Section 314(b) Fact Sheet" (November 2016)
  • International Standard on Auditing 240
  • Public Company Accounting Oversight Board, Auditing Standard 2401

1 This bulletin discusses fraud in a broad context and is not limited to bank fraud as defined in 18 USC 1344, "Bank Fraud."

2 Refer to the "Bank Supervision Process" booklet of the Comptroller's Handbook for a full definition of operational risk.

3 Refer to OCC Bulletin 2010-24, "Interagency Guidance on Sound Incentive Compensation Policies," and 12 CFR 30, appendix D, II.M.4, "Compensation and Performance Management Programs."

4 Refer to 12 CFR 41, subpart J, "Identity Theft Red Flags," which addresses identity theft red flags and address discrepancies under sections 114 and 315 of the Fair and Accurate Credit Transactions Act, 15 USC 1681m and 1681c.

5 Refer to 12 CFR 30, appendix B, "Interagency Guidelines Establishing Information Security Standards," and the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook.

6 Refer to 12 CFR 21.21, "Procedures for Monitoring Bank Secrecy Act (BSA) Compliance"; 31 CFR 1010.230, "Beneficial Ownership Requirements for Legal Entity Customers"; and the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual.

7 Refer to the "Compliance Management Systems" booklet of the Comptroller's Handbook for more information.

8 Refer to 31 CFR 1010.520, "Information Sharing Between Government Agencies and Financial Institutions," and 1010.540, "Voluntary Information Sharing Among Financial Institutions." Refer also to the "Information Sharing" section of the FFIEC BSA/AML Examination Manual.

9 Refer to the "Large Bank Supervision" booklet of the Comptroller's Handbook and OCC Bulletin 2011-21, "Interagency Guidance on the Advanced Measurement Approaches for Operational Risk."

10 Banks must notify regulators of significant incidents that could affect the bank's condition, operations, reputation, or customer information. Banks also should notify regulators of significant incidents that could affect the financial system.

11 Refer to 12 CFR 21.11, "Suspicious Activity Report" (national banks), and 12 CFR 163.180, "Suspicious Activity Reports and Other Reports and Statements" (federal savings associations).

12 Refer to 18 USC 1956–1957.

13 For additional information, refer to FinCEN's FIN-2009-G002, "Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act," and "Section 314(b) Fact Sheet."

14 Refer to the "Corporate and Risk Governance" and "Internal and External Audits" booklets of the Comptroller's Handbook. Refer also to OCC Bulletins 2013-29, "Third Party Relationships: Risk Management Guidance," and 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29."

15 Refer to the American Institute of Certified Public Accountants' AU-C section 240, Public Company Accounting Oversight Board Auditing Standard 2401, or International Standard on Auditing 240.

16 Refer to the American Institute of Certified Public Accountants' AU-C section 240.39.

17 Refer to the American Institute of Certified Public Accountants' AU-C section 240.42.