The Threat from Within
By Laura Hutton, Director of Banking Solutions, Advanced Analytics Business Unit, SAS
Fraud is a growing problem for businesses – and one of the biggest threats comes from an organisation’s own employees. In many countries, the incidence of internal fraud is rising. According to the Credit Industry Fraud Avoidance System (CIFAS), in the UK alone there was an 18% rise in the total number of staff frauds recorded in 2013 when compared to 2012.
It is a problem that differs from territory to territory. PwC’s 2014 Global Economic Crime Survey revealed that South African organisations suffer “significantly more procurement fraud, human resources fraud, bribery and financial statement fraud than organisations globally.” Equally, according to CIFAS’s Employee Fraudscape report, published in April 2014, the number of unsuccessful employment application frauds in the UK increased by over 70% in 2013 compared with 2012.
The problem is becoming a priority for many organisations – but the main area of focus differs from country to country. The spectre of financial loss is critical everywhere – but in many places it’s outweighed by the fear of reputational damage. In the UK and the US, where we have recently seen multiple market abuse and unauthorised trading cases hitting the headlines, there is a strong emphasis on addressing regulatory requirements.
Finding a Way In
The nature of internal fraud is changing fast. As detection systems and strategies have evolved, it’s become harder for externally-based fraudsters to operate. That’s driven them to look for other ways to elicit funds. In some countries, fraudsters have placed people inside the organisation to facilitate fraud. Employees who defraud organisations sometimes act as part of criminal gangs and collaborate with external parties, and sometimes act in isolation. But what kinds of individuals typically get involved?
There are no set rules – but the typical internal fraudster has been in their institution for ten-plus years and is familiar with the systems and their shortcomings. Often, they are driven by a simple desire for financial gain: perhaps a life event has resulted in an urgent need for cash, or a gambling problem has escalated. Opportunism can also play a role – with employees seeing a flawed policy or system they can exploit, or it could be a simple case of an employee making a mistake, trying to cover it up and the situation then spiralling out of control.
Many organisations struggle to tackle the problem, either because they have not yet implemented any systems and processes to tackle internal fraud or because they have implemented simple rules-based approaches that can be circumvented. A more sophisticated approach to fraud detection and management is needed, and delivering a comprehensive solution involves several key steps. The ability to access and analyse data from multiple sources is critical. Moving forward, organisations will need to do this on an ongoing basis. They must also be able to monitor and, where necessary, enhance data quality.
The next step is to make more sense of the data by coherently linking it together. This can be achieved through social network analysis (SNA). Organisations need to pinpoint all of the accounts touched, and applications opened, by employees; as well as work out how individuals connect with customers and colleagues. Taken together, this analysis will help reveal high-risk employees.
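An added illustration of the linking step described above (not SAS's method and not code from the article): constructed employee, customer and audit-log records are joined on a shared address or phone number, and an alert is raised only when an employee touches an account owned by a customer they are linked to. All record names, fields and values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data (assumed for illustration, not from the article).
EMPLOYEES = {
    "E1": {"address": "12 Oak Rd", "phone": "555-0101"},
    "E2": {"address": "4 Elm St", "phone": "555-0102"},
    "E3": {"address": "9 Ash Ln", "phone": "555-0103"},
}
CUSTOMERS = {
    "C1": {"address": "12 Oak Rd", "phone": "555-0201"},   # shares address with E1
    "C2": {"address": "7 Pine Ave", "phone": "555-0102"},  # shares phone with E2
    "C3": {"address": "1 Fir Ct", "phone": "555-0203"},
}
ACCOUNTS = {"A1": "C1", "A2": "C2", "A3": "C3"}  # account -> owning customer
TOUCHES = [  # (employee, account, action) rows from a hypothetical audit log
    ("E1", "A1", "limit_change"),
    ("E1", "A3", "view"),
    ("E2", "A3", "view"),
    ("E3", "A2", "view"),
    ("E3", "A3", "address_change"),
]

def shared_attribute_links(employees, customers):
    """Map (employee, customer) -> sorted names of attributes they share."""
    index = defaultdict(set)  # (attribute, value) -> employee ids holding it
    for emp, attrs in employees.items():
        for name, value in attrs.items():
            index[(name, value)].add(emp)
    links = defaultdict(list)
    for cust, attrs in customers.items():
        for name, value in attrs.items():
            for emp in index.get((name, value), ()):
                links[(emp, cust)].append(name)
    return {pair: sorted(names) for pair, names in links.items()}

def flag_connected_touches(touches, accounts, links):
    """Return touches where the employee is linked to the account's owner."""
    alerts = []
    for emp, acct, action in touches:
        owner = accounts[acct]
        if (emp, owner) in links:
            alerts.append((emp, acct, action, links[(emp, owner)]))
    return alerts

if __name__ == "__main__":
    links = shared_attribute_links(EMPLOYEES, CUSTOMERS)
    for alert in flag_connected_touches(TOUCHES, ACCOUNTS, links):
        print(alert)
```

E2 shares a phone number with customer C2 but never touched C2's account, so the link on its own raises nothing; only the link combined with activity does.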
Organisations may also need to implement detection logic. Used in context, rules-based processes can create a holistic view, enabling organisations to view evolving behavioural patterns. They can then start to implement more analytically-based techniques and deploy functionality ranging from advanced modelling algorithms to decision trees, to achieve more accurate assessment and earlier detection of risk.
Text analysis takes this one step further, enabling businesses to harness the power of semi-structured and unstructured data to analyse online content and pinpoint whether negative sentiment is being spread. With the detection phase complete, alerts are presented for investigation. Best practice involves case management and triaging, but also in-memory processing tools that allow users to configure reports, query data and define answers.
At the same time, companies must put processes in place to address the internal fraud issue. Key staff need to be trained to spot the signs and whistleblowing policies need to be implemented to encourage staff to raise concerns.
Getting the Right Mix
The application of technology alone is not sufficient to solve the issue of internal fraud. The true concept of protection is to apply policy alongside technology, ensuring everyone within the organisation is aware of what is permitted and what isn’t. It’s also important to ensure that access rights align with the role of each individual and that, when someone leaves, their rights are cut off.
A balance has to be struck in the battle with internal fraud. Putting the right culture in place is crucial, but technology is also fundamental to the overall mix. Internal fraud may be growing today but the systems and solutions to tackle it and bring it to heel are increasingly available in the market.
Most organisations take a fragmented approach to fraud prevention. This leaves them vulnerable to even more attacks, as criminals are quick to find and exploit any points of weakness.