Fraud incidents have increased by over 130% in the past year, resulting in significant monetary and reputational losses for financial institutions.
Many of these incidents — including high-profile crimes such as the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) attacks from last year — involved the exploitation of governance deficiencies and ineffective operating models.
Maintaining proper governance for risk management has been a major point of focus for industry groups and regulators, including the Office of the Comptroller of the Currency, the Basel Committee on Banking Supervision, the Committee of Sponsoring Organizations of the Treadway Commission, and the FFIEC. Accordingly, regulators expect that financial institutions develop an operating model assigning clear roles and responsibilities for risk management – including fraud risk management– across the “three lines of defense.”
However, the need to develop strong fraud governance practices goes beyond regulatory compliance – such practices are necessary to properly identify and defend against emerging threats that are growing in complexity, including risks related to the Cloud4 and digital transformation (e.g., mobile applications), theft of personally identifiable information through business e-mail compromise, and account takeover through mobile self-servicing.5 In addition, such practices help organizations operate more efficiently and reduce costs as they result in clear accountabilities, enhanced crosscollaboration, and fraud loss reduction.
To realize these benefits, financial institutions should take steps to establish a strong foundation for fraud risk management, including formalizing governance structures and documenting roles and responsibilities for functional groups. Taking such steps will pave the way for financial institutions to implement a robust three lines of defense operating model for fraud risk management.
This Financial crimes observer discusses key fraud governance challenges, and explains what financial institutions should be doing now.
The most significant challenge we see in achieving a sound fraud management operating model stems from functional silos for fraud prevention and detection. Financial institutions often struggle with clearly defining roles and responsibilities for fraud prevention and detection functions, and ensuring that all three lines of defense are working together effectively and not duplicating roles. As a result, we often see inefficiencies in organizations as activities are unnecessarily duplicated across multiple layers (and lines of defense).
Finally, financial institutions are challenged with navigating the vast and constantly evolving universe of fraud risks. This is especially challenging for larger organizations that have multiple business units, products, and services. As an example, larger organizations that have not dedicated enough resources to fully assess their fraud risks tend to focus their efforts on highly publicized external fraud risks such as business email compromise and account takeover, and often miss key threats facing their organization.