An official website of the United States government
OCC Bulletin 2019-37 | July 24, 2019
Chief Executive Officers and Chief Risk Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to inform national banks, federal savings associations, and federal branches and agencies (collectively, banks) of sound fraud risk management principles. This bulletin supplements other OCC and interagency issuances on corporate and risk governance, including the references listed in appendix A of this bulletin.
This guidance applies up all OCC-supervised banks.
The risk management principles addressed in this bulletin include the following:
Fraud risk management principles can be implemented in a variety of ways and may not always be structured within a formal fraud risk management program. Regardless of the structure, fraud risk management should be commensurate with the bank's risk profile. Banks with significant and far-reaching retail-oriented business activities should have well-documented fraud risk management programs with appropriate monitoring, measurements and reporting, and mitigation.
Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.1 Fraud is typically categorized as internal or external.
Fraud schemes are often ongoing crimes that can go undetected for months or even years and can be time consuming and costly to address. It is also difficult to fully understand and quantify the extent of the fraud and the harm caused. Measuring losses associated with fraud is often an inexact process. Typically, the true cost of fraud is greater than the direct financial loss, given the time and expense to investigate, loss of productivity, potential legal and compliance costs associated with remediation, and impact on a bank's reputation.
Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.2 Operational risk management weaknesses can result in heightened exposure to fraudulent activities, which can increase a bank's exposure to reputation and strategic risks. Failure to maintain an appropriate risk management system could expose the bank to the risk of significant fraud, defalcation (e.g., misappropriation of funds by an employee), and other operational losses.
Strong governance is of paramount importance to controlling the bank's exposure to fraud, and a strong corporate culture against fraud is important regardless of a bank's size or complexity. The tone at the top sets the foundation on which the bank operates. The board and senior management have a responsibility to lead by example and demonstrate that the bank is serious about promoting ethical behavior to deter and prevent fraud. The board-adopted code of ethics (or code of conduct) should encourage the timely communication and escalation of suspected fraud through the appropriate oversight channel.
The board is ultimately responsible for oversight but may delegate fraud risk management-related duties to specific committees (for example, the audit committee or operational risk management committee). The board also may delegate anti-fraud responsibilities to specific executives and managers, including those in charge of managing risks and controls. Roles and responsibilities should be clearly defined. The board should hold management accountable for effective fraud risk management and alignment of anti-fraud efforts with the bank's strategy, objectives, risk appetite, and operational plans. While not all fraud can be avoided, an active board can foster an environment in which fraud is more likely to be prevented, detected, and quickly addressed.
A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for staff to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heightened fraud risk.3
Sound fraud risk management principles should be integrated within the bank's risk management system commensurate with the bank's size, complexity, and risk profile. Bank management should periodically assess the likelihood and impact of potential fraud schemes and use the documented results of this assessment to inform the design of the bank's risk management system and evaluate fraud control activities. Policies should clearly define, establish, and communicate the board's and senior management's commitment to fraud risk management. Processes should be designed to anticipate fraud and deploy a combination of preventive controls and detective controls. Detective controls are critical because even with strong governance and oversight, collusion or circumvention of internal controls can allow fraud to occur. Some practices and features may be both preventive and detective in nature.
Preventive controls are designed to deter fraud or minimize its likelihood. The following are some examples:
Detective controls are designed to identify and respond to fraud after it has occurred. The following are some examples:
Software and technology tools, developed internally or purchased from a third party, can assist with anti-fraud efforts. Bank management should consider the costs and benefits of the fraud prevention tools selected, consistent with the bank's overall strategy, complexity, and risk profile. Depending on the products and services offered, management might deploy solutions that serve to identify anomalies and prevent potentially fraudulent transactions or activities. These solutions can monitor transactions and behaviors, employ layered or multifactor authentication, monitor networks for intrusions or malware, analyze transactions on internal bank platforms, and compare data with consortium or publicly available data. Banks' fraud prevention and detection tools should evolve and adapt to remain effective against emerging fraud types.
Senior management should understand the bank's exposure to fraud risk and associated losses across all business lines and functions and use this information to effectively monitor and manage fraud risk. The board should receive regular reporting on the bank's fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank's fraud risk profile. Reporting should allow management and directors to measure performance. Practices can include benchmarking current fraud losses against loss history or industry data.
Examples of metrics and analysis banks can use to measure and monitor fraud risk include the following:
Management should identify fraud losses as internal or external. Larger, more complex banks generally maintain this information in an operational loss event database or similar system.9
A bank's policies, processes, and control systems should prompt appropriate and timely investigations into, responses to, and reporting of suspected and confirmed fraud. Banks should have processes for internal investigations, law enforcement referrals, regulatory notifications,10 and reporting. A bank is required to file a SAR for known or suspected fraud meeting regulatory thresholds.11 Reporting mechanisms should relay relevant, accurate, and timely fraud-related information from all lines of business to appropriate oversight channels.
Sound fraud risk management processes can include voluntary sharing of information with other financial institutions under section 314(b) of the USA PATRIOT Act. Pursuant to section 314(b), before exchanging information, the bank must register with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). Registered section 314(b) participants may share information with one another regarding individuals, entities, organizations, and countries for purposes of identifying and, when appropriate, reporting activities that may involve possible specified unlawful activities. FinCEN has issued guidance clarifying that, if section 314(b) participants suspect that transactions may involve the proceeds of specified unlawful activities, such as fraud, under the money laundering statutes,12 information related to such transactions can be shared under the protection of the section 314(b) safe harbor.13
A bank should design and perform reviews and audits specific to the bank's size, complexity, organizational structure, and risk profile. Reviews and audits should be designed to assess the effectiveness of the bank's internal controls and fraud risk management. Effective internal and external audit programs are a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems.
Reviews and audits typically include the following:14
When auditing financial statements and asserting the effectiveness of internal controls over financial reporting, auditors must consider a material misstatement due to fraud.15 If the auditor identifies that fraud may be present, the auditor must discuss these findings with the board or management in a timely manner.16 The auditor must also determine whether they have a responsibility to report the suspected fraud to the OCC.17
Findings and results of audits and reviews should be communicated to the relevant parties in a timely manner. Management should take timely and effective corrective action in response to deficiencies identified.
Please contact Tanya A. Oskanian, Payments Risk Policy, Operational Risk Division, at (202) 649-6550.
Grovetta N. Gardineer, Senior Deputy Comptroller for Bank Supervision Policy
1 This bulletin discusses fraud in a broad context and is not limited to bank fraud as defined in 18 USC 1344, "Bank Fraud."
2 Refer to the "Bank Supervision Process" booklet of the Comptroller's Handbook for a full definition of operational risk.
3 Refer to OCC Bulletin 2010-24, "Interagency Guidance on Sound Incentive Compensation Policies," and 12 CFR 30, appendix D, II.M.4, "Compensation and Performance Management Programs."
4 Refer to 12 CFR 41, subpart J, "Identity Theft Red Flags," which addresses identity theft red flags and address discrepancies under sections 114 and 315 of the Fair and Accurate Credit Transactions Act, 15 USC 1681m and 1681c.
5 Refer to 12 CFR 30, appendix B, "Interagency Guidelines Establishing Information Security Standards," and the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook.
6 Refer to 12 CFR 21.21, "Procedures for Monitoring Bank Secrecy Act (BSA) Compliance"; 31 CFR 1010.230, "Beneficial Ownership Requirements for Legal Entity Customers"; and the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual.
7 Refer to the "Compliance Management Systems" booklet of the Comptroller's Handbook for more information.
8 Refer to 31 CFR 1010.520, "Information Sharing Between Government Agencies and Financial Institutions," and 1010.540, "Voluntary Information Sharing Among Financial Institutions." Refer also to the "Information Sharing" section of the FFIEC BSA/AML Examination Manual.
9 Refer to the "Large Bank Supervision" booklet of the Comptroller's Handbook and OCC Bulletin 2011-21, "Interagency Guidance on the Advanced Measurement Approaches for Operational Risk."
10 Banks must notify regulators of significant incidents that could affect the bank's condition, operations, reputation, or customer information. Banks also should notify regulators of serious incidents that could affect the financial system.
11 Refer to 12 CFR 21.11, "Suspicious Activity Report" (national banks), and 12 CFR 163.180, "Suspicious Activity Reports and Other Reports and Statements" (federal savings associations).
12 Refer to 18 USC 1956–1957.
13 For additional information, refer to FinCEN's FIN-2009-G002, "Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act," and "Section 314(b) Fact Sheet."
14 Refer to the "Corporate and Risk Governance" and "Internal and External Audits" booklets of the Comptroller's Handbook. Refer also to OCC Bulletins 2013-29, "Third-Party Relationships: Risk Management Guidance," and 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29."
15 Refer to the American Institute of Certified Public Accountants' AU-C section 240, Public Company Accounting Oversight Board Auditing Standard 2401, and International Standard on Auditing 240.
16 Refer to the American Institute of Certified Public Accountants' AU-C section 240.39.
17 Refer to the American Institute of Certified Public Accountants' AU-C section 240.42.