It’s Saturday night at 11 p.m., and your cellphone rings. It’s your information security manager, fraud manager, and public relations manager. The information security manager informs you of suspicious activity on several accounts. The fraud manager indicates the company’s security hotline has also received calls from consumers, law enforcement agencies, and industry fraud/security colleagues for assistance on activities around these same accounts. In addition, the media has also called your public relations manager and would like to know if your company can comment on the story they’re preparing for the Monday newspaper regarding fraudulent activities. Does this scenario sound familiar? Do you have an operational fraud program? Does your operational fraud program link to your enterprise-wide incident response plan?
In the wake of financial bailouts and financial crises, are organizations equipped to meet the demands of fraudulent activity, identity theft, and insider threats? How does an operational fraud program, or anti-fraud program, play a pivotal role in reducing fraud? Recently, the Federal Bureau of Investigation announced that the number of open mortgage fraud investigations was more than 1,600 (Zipkin, 2009) at the end of fiscal 2008, which ended September 30, 2008, compared with 881 in 2006.
Audience – Entities and personnel with responsibility for corporate fraud or investigations programs
Learning Objectives – Includes 2 learning objectives for the participants
- Understand operational fraud
- Establish an operational fraud program
Keywords – Fraud, FACTA Identity Theft Red Flags, Operational Fraud, Fraud Investigations, Identity Theft, Fraudulent Transactions, Incident Response
What is Operational Fraud?
Operational fraud is the risk of incurring fraudulent losses of assets due to an organization’s exposure to deception, theft, diversion, or mismanagement of transactions, customer information, account information, and data transfers. Operational fraud detection requires blending the traditional fraud, corporate security, forensic investigation, and information security disciplines, coupled with information sharing with the law enforcement community and industry colleagues, to reduce potential fraud risks and fraud losses. As the evolving cyber terrorist manipulates business processes to create new fraudulent schemes and risks, such as phishing, identity theft, or account takeovers, it is incumbent on fraud or security departments to build anti-fraud activities into the organizational and process levels so that warning signs of fraudulent activity are recognized. As warning signs and fraudulent incidents are recognized, fraud departments should share information with local, state, and federal stakeholders and with other fraud departments to establish and maintain a data sharing platform that tracks, trends, and analyzes fraudulent patterns, reducing or mitigating risk to their organizations. Unfortunately, not all companies have the in-house expertise or bandwidth to identify, detect, monitor, or mitigate fraud risks; in that case the chief security officer (CSO), security director, or fraud director may need to adopt a centralized strategy or seek the assistance of a third-party vendor with expertise in financial crimes, identity theft, intellectual property investigations, technology investigations, account takeover fraud, transaction fraud, or digital forensic investigations.
An operational fraud program should have three core program areas, or phases: Governance, Tactical, and Compliance. Together, these core program areas create and support a fraud-resilient culture.
Governance: An effective operational fraud program should start with a tone-at-the-top charter and policy, which establishes the control environment. An operational fraud policy should be devised by leveraging elements of the Code of Conduct/Ethics statement, which gives the policy the appropriate authority and visibility. In the governance phase, the CSO or security director should be instrumental in developing and implementing a charter or policy that defines and documents an anti-fraud strategy, and in promoting the importance of anti-fraud programs to executive management and employees. Once governance is established, the implementation or tactical phase should begin.
Tactical: The tactical or implementation phase is the “how is the program implemented phase.” The operational fraud implementation phase should incorporate the following elements:
- Risk assessment
- Anti-fraud procedures and practices
- Anti-fraud countermeasures
- Communication strategy for anti-fraud programs to employees
- Anti-fraud and social engineering awareness training for employees
- Continuous event monitoring strategy to identify, detect, monitor, and mitigate fraud risks
- Communication strategy and memorandum of understanding to share information with industry colleagues and the law enforcement community
- A repeatable, measurable, and actionable information sharing platform with industry colleagues and the law enforcement community
In the tactical phase, information sharing is a significant hurdle for organizations and law enforcement agencies to overcome. In some cases, information sharing is a sizeable internal challenge for organizations. With balancing priorities and competing projects, business units may each hold their own fraud data points (i.e. credit card fraud, anti-money laundering activities, account takeover fraud, identity fraud, deposit fraud, mortgage fraud, etc.), but there is no centralized repository for housing, analyzing, and sharing fraud data or information with other business units, let alone with government or law enforcement agencies. While each business unit has a specific mission and respective mandate (i.e. Bank Secrecy Act, anti-money laundering, FACTA identity theft red flags, credit card fraud, etc.), internal organizational structures or policies can place limitations on information sharing. In contrast, the bad guys or fraudsters have a clear understanding of how limited organizations are in sharing data. The fraudsters have demonstrated the value of sharing fraud data among themselves by identifying ways to circumvent anti-fraud programs. Although a number of information sharing initiatives already exist (Government Accountability Office Report, 2006), organizations and law enforcement agencies have only begun to implement prudent strategies and methods for sharing and analyzing fraud information, through ad hoc operational fraud concepts such as the Financial Services Information Sharing and Analysis Center (www.fsisac.com, 1999).
The security or fraud department can play a vital role in information sharing, performing a fraud risk assessment, providing awareness training, and implementing a continuous event monitoring protocol. The focus of the fraud risk assessment is identifying potential threats or risks related to fraud controls or safeguards, and recommending new preventative fraud solutions to further reduce risk in this area. The development of a fraud assessment team with traditional fraud investigation, corporate security, forensic investigation, account takeover, account set-up, account maintenance, customer service, information technology, and information security disciplines is crucial. In my experience with assessment teams, it was important to bring in many skill sets and diverse backgrounds. For example, during critical infrastructure assessments, I have worked with or bounced risk concepts off of David Hiscott, Jack Platt, Chris Albright, Justin Wilson, and Rich Baich. David is an oil/gas industry safety, security, and emergency response advisor. Jack is a former US Marine, although, he would adamantly argue, “once a marine, always a marine.” He is an intelligence & counter-surveillance advisor. Chris is former military and now a digital forensic investigative advisor. Justin Wilson is not the famous chef from Louisiana, although he cooks a mean steak. He is a police officer and a Homeland Security Coordinator. Rich Baich is a former CISO and is now an information security advisor. All of these individuals bring a different value and skill set to the assessment process. More importantly, each of these individuals understands the impact of fraud on critical infrastructure (i.e. banking, oil/gas, telecommunication, information, transportation, etc.) as fraud relates to his respective area of expertise. In my assessment experience, the best way to reduce risk is having a lot of varying views and sets of eyes with different disciplines. 
If you have two people in a room with the same thought process, one of them is not needed.
Compliance: The compliance phase is a crucial pillar. Once the operational fraud program has governance and a tactical approach, it is critical to maintain the anti-fraud program by delivering a balance of people, processes, and technology. The compliance phase should include, but not be limited to:
- Program Testing (drills and tabletop exercises)
- Program Audit
- Risk Management Integration with your company’s enterprise risk management plan (i.e. incident response plan, disaster recovery plan, business continuity plan)
- Program Adjustment (Change management process)
- Metrics and Reporting
- General annual anti-fraud awareness training for employees
- Detailed annual anti-fraud awareness training for employees with anti-fraud responsibilities
- Periodic self-assessment to identify, detect, and mitigate fraud risks associated with the overall program
Again, the security or fraud department can play a key role in performing self-assessments, managing and reporting operational fraud metrics, testing the elements of the fraud program, and providing annual employee awareness training.
The operational fraud strategy is aligned with the company’s existing enterprise-wide security model. This fraud strategy supports the security “protection-in-depth” concept of deterring, delaying, detecting, denying, and preventing an adversary from exposing an organization to losses resulting from fraudulent activities or events. Operational fraud risks will continue to evolve and will require organizations to evaluate and expand capabilities to maximize the value and effectiveness of anti-fraud controls. Several key regulatory or industry mandates require fraud control reviews to reduce or mitigate fraud. The key focal point for reducing fraud risk from emerging threats is the transition toward a fraud-resilient enterprise. Challenging economic conditions will continue to contribute to the increase in fraudulent activities, from mortgage fraud and credit card fraud to identity theft and insider threats. As local, state, and federal law enforcement resources reach full capacity to investigate and enforce fraud, the CSO or security director may be required to adopt additional proactive in-house solutions or data analytics to reduce and manage operational fraud activities in the future.
Financial Services Information Sharing and Analysis Center (FS-ISAC). (1999). Retrieved from www.fsisac.com.
Government Accountability Office. (2006). Report GAO-06-3805. Retrieved from http://www.gao.gov/
Zipkin, A. (2009, March 21). A Help-Wanted Sign for Fraud Investigators. New York Times. Retrieved March 21, 2009, from www.nytimes.com/2009/03/22/jobs/22fraud.html?_r=0.