READY OR NOT: CORPORATE READINESS TO FRAUD

Chris Bailes and Satinder Soni explain how financial businesses can protect themselves against the worst consequences of financial crime – both before and after the event.

It is commonly acknowledged that fraud against financial institutions is rising, but businesses in the sector also need to be aware that the methods deployed by fraudsters are changing too. The spread of technology is a major factor, including the growth of malware and computer hacking. There are also ‘new’ kinds of scams such as “social engineering” frauds. In those scenarios criminal organisations embed one of their members within a company to use inside information, particularly to obtain payments being made for fake invoices.

So what can financial businesses do to protect their customers, balance sheets and reputations from fraudsters? There are essentially three key stages to fraud management: prevention, identification and reaction. Financial organisations need to address all three to prevent exposure and serious consequences for the business.

Putting out the red flags

In terms of identification, it is not uncommon for businesses to have lost large sums of money, even over a period of months, before they become aware of a fraud. The longer it takes to identify the fraud, the more challenging it is to find the perpetrators and recover any losses.

Being able to quickly identify irregular activity is about more than just having the right financial controls in place. The best tools and procedures are only as good as the people that operate them. Fraudsters are often successful because key staff have not been sufficiently well trained and otherwise informed about what sort of behaviour to look out for on a day-to-day basis. Similarly, it is common for a company that has instituted a robust system of financial controls, but – for the convenience of some customers – has failed to make their previous system redundant. This creates a gaping window of opportunity for fraudsters and makes tracing the genesis of the crime much more difficult if two financial systems are being used in parallel.

Technology also has a role to play in flagging up suspicious transactions. Software is available to spot patterns of activity that may be fraudulent, while systems are also available to catch other online techniques used by fraudsters, such as fake emails coming from ‘spoof’ domains.  Tell-tell signs may include white ink on white background’ emails and spreadsheets with hidden columns. All of these can be used to obscure stolen information or evidence of an ongoing fraud.

The golden hours

When a company discovers that a fraud has taken place, the faster it can react, the more likely is to stem the flow of losses, recover monies lost and limit the damage to its reputation. To respond effectively, businesses need to have a clear plan in place.  This may include clear responsibilities of key stakeholders, reporting lines of key individuals and agreed processes in advance.

It also essential to identify external experts to call in the event that a fraud is discovered. These would usually include asset tracing experts, fraud investigators and lawyers, if the fraud involves client money or regulatory implications, reputation management specialists. Legal professionals and forensic IT specialists are often required to ensure that documents and computer files associated with the fraud are handled correctly – and without contravening data protection laws – so that any criminal proceedings or civil litigation that follows are not undermined by contaminated evidence.

The first 24 hours after a fraud is uncovered are the critical period if the damage is to be limited, funds recovered and the perpetrators identified. Each day that elapses thereafter makes tracing the assets and fraudsters much more difficult and increases the risk of further thefts occurring.

Nothing causes more delay to a company’s response than confusion over who should be doing what. Yet while also all financial businesses will have extensive disaster recovery plans in place to deal with events such as IT failures, many and not just smaller and mid-sized organisations do not have fraud response plans in place before the event. According to research conducted amongst 300 companies last year by Control Risks and the Economist Intelligence Unit, a third of businesses (33%) admitted that they did not have an investigation response plan in place.

Prevention versus cure

So how can financial businesses best avoid becoming victims in the first place? Firstly, as we saw earlier, the implementation of robust financial controls and technological solutions such as electronic keys and secure data encryption are invaluable and again the robust enforcement of these tools and policies is essential if they are to work effectively.

Companies would also be well-advised to keep an eye on what information about them is on the web, especially the so-called “dark web” of illicit web sites where information gained from fraudsters’ social engineering activities (such as a company’s invoicing procedures, the names of signatories and senior management, the thresholds for secondary checks on invoices, etc.) is freely traded.  Furthermore, Financial businesses should also  conduct as rigorous checks of temporary staff as they would permanent employees, as much of the inside information harvested by fraudsters is obtained through gaining casual employment at targeted companies.

Finally, it is a useful exercise for businesses to employ an expert “critical friend” to pressure test and independently evaluate a company’s governance and financial controls before a major fraud happens for real.

Striking a balance

No security or control system should lock up the day-to-day business of an organisation to the point where it affects competitiveness or restricts revenues.  However preventative measures will help organisations to reduce their exposure to potential fraud.  The consequences of being a victim of a major fraud – from a financial, regulatory and, especially, reputational point of view – is now such that protecting your business against fraud must be  both a Board (C-suite) strategic risk matter as well as a bottom line issue that cannot be ignored in pursuit of short-term profitability.

About authors:

Chris Bailes is Director of Fraud & Financial Crime, Europe & Africa at Control Risks. Prior to joining Control Risks Chris was the Chief Operating Officer at the UK Serious Fraud Office where he had day to day responsibility for all operational delivery and investigative capability.Chris.Bailes@controlrisks.com

Satinder Soni is an Associate Director for Legal Technologies & Investigations in Europe Middle East and Africa. Satinder has worked with legal and risk compliance officers from global law firms and large multi-national organisations. Satinder specialises in e-discovery / e-disclosure needs across internal investigations and litigation matters. Satinder.Soni@controlrisks.com

For further information visit http://www.controlrisks.com