Patience Increases Enterprise Fraud Risks in Asia

enterprise risk management

The Asian culture of patience may inevitably put enterprises at risk of enterprise fraud, warned anti-fraud consultancy UKFraud Managing Director Bill Trueman.

“In terms of fraud, this means that fraudsters will also be less impatient, and feel happy to ‘take their time’ with the fraud to make sure that it is right and for the biggest sum,” he said

One way to mitigate this is for Asian enterprises to support or drive the business into making sure that IT supports the relevant processes.

“Every new product or programme change should have ‘fraud thinking’ in it as the fraud losses will be high if the deterrents, protections and processes are not planned for up front.”

He stressed that Asian businesses need to be more aware and pre-emptive, and have a longer time-span in its thinking about fraud and fraudsters.

“Asian business will need to take the same precautions as any other business around the world – not least as they will have the similar issues of technology, systems, processes and of course, people too.”

Other tips he offered for strengthening enterprise IT infrastructures are:

  • Focus attention and efforts on the payments and money transmission areas of the business, and in particular the authorisation of payments, and the tendering for business and projects.

“Make sure that all such transactions are dual-controlled. At least two people need to be involved in payments and these people need to be within a hierarchy and graded by the payment sizes.”

  • Use business technology solutions along with strong operational processes and procedures to monitor what the team is doing. Review the monitoring and exceptions 100% of the time and ensure that there is a system and process for dealing with the problems that occur. And lastly as a deterrent, communicate to the team that the monitoring is happening.
  • Retain, keep, store and back-up data and transactions.

“Nothing should be deletable and people should see and know that this is the case – again as a deterrent.”

Bill Trueman (an independent fraud and risk specialist) is director of RiskSkill and UKFraud.

This article originally published here.

Other Useful Posts You Would also Like:

11 FAQs on EMV Chip & Pin Credit Card Technology

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Top Technology Trends in Payments, Risk and Fraud in 2014

25 FAQs on Risk Review and Risk Management

Fraud Prevention Strategies for Business & Corporates

Strategies for Fraud Prevention in Business & Corporates

Strategies For Defeating The Cheats Within an Organization or Business

How Companies of All Sizes Can Prevent Fraud

Tips to Prevent Employee Theft and Fraud

Ways to Protect Your Business Against Employee Fraud

Strategies for Fraud Prevention in Your Business

Tips to Prevent Employee Theft and Fraud

How to Prevent Employee Fraud

How to Prevent Corporate Fraud

By Bill Trueman, Fraud & Risk Management Specialist.

With the recent high profile cases of senior fraud and online security managers being caught perpetrating fraudulent activity, there has been a degree of shock across the corporate world, combined with an initial feeling of helplessness. This is the worst thing that can happen in financial and banking organisations where one would expect the very tightest security to prevail. After a ll, if you can’t trust those executives in the most credible organisations who were specifically recruited to identify and counter fraudulent financial behaviour, then what can you do to ensure that your own organisation does not become a victim. The word victim is used advisedly, as internal fraud is not a victimless crime; rather it impacts in varying degrees on management, staff, shareholders and customers.

fraud and risk management specialist

Any crime committed by those in a position of trust is far more serious, so the penalties should surely be far higher than normal. This is particularly true with fraud prevention mangers that cheat. However, it does seem that once an internal fraudster is caught, that any offer to ‘return funds in return for a leverage for legal plea bargaining should be disallowed. The ideal must be for companies to find ways to decipher and identify such practices and to eradicate them at ground level.

Still reeling from the shock of the media coverage of the latest betrayals, UKFraud asked its independent corporate fraud prevention SIG (Special Interest Group) to draw up a new set of benchmarks which will help organisations identify the signs that something is awry from ground level up. The SIG also defined and deciphered the most effective strategies for countering these risks. The Corporate Fraud Prevention SIG consists of leading fraud prevention consultants from across a range of industries, coupled with a wide range of fraud industry skill sets. The aim of the SIG is to analyse approaches taken to fraud in the corporate sector and to make recommendations for change at local, national and global levels.

According to the SIG’s research, the most likely signs of wayward behaviour by fraud and security management are relatively easy to spot and yet often overlooked. They include:

  • Fraud Systems that are below par. The fraud systems chosen by an organisation can be unfit for purpose and may not deliver what is required. There is also often an unwillingness, due to the influence of the internal fraudster, to consider competitive fraud technology products that do deliver or that can deliver more quickly. Often, the SIG says, it is easy enough with hindsight to see that a change to effective systems had been deliberately avoided, and typically, career minded employees are reluctant to blow whistles.
  • Erratic,  incomplete, late or excuse laden management and system reporting is a classic sign that line managers are covering something up and says the SIG, this is just as likely to be the case with those fraudulently managing the security and anti-fraud systems of a company. Normally, further investigation will reveal that ‘lip service’ and increasingly tenuous explanations are given assertively to thwart follow up activity. When though one is dealing with an errant fraud manager, these explanations are more difficult to see through and more than likely to pass the plausibility test. Often the blame for the cause of any suspicion will be thrown onto inadequate IT systems or on the political gaps between corporate silos.
  • Frequent excuses are often based around IT related issues, such as technology compatibility problems between different company systems or even between international systems.
  • Unexplained wealth of managers outside of work. There will be plenty of evidence of the rewards of wrong-doing with fraudsters purchasing luxury housing, wardrobes, holidays, cars and home computing equipment together with other rewards for family and friends which can even extend to private school fees for children.
  • Work place rumours, jokes and tip-offs. These are often dismissed as political jibes but often this is a tell tale sign that something is wrong and that staff are too afraid to ‘blow the whistle’ formally.
  • Frequent use of the ‘privileged rank’ of Security or Anti-Fraud Manager to divert questions or to avoid enquiries from those who might raise suspicion, such as the internal or financial auditors. This also includes the robust use of the ‘we don’t want to compromise security by answering your questions’ excuse.
  • Where fraud specialists know the latest trick, for example how on-line fraud works, the unique symptoms of that particular scam will show up in the company where the internal fraudster is using it themselves.

UKFraud’s Corporate Fraud Prevention SIG believes that ‘maintaining an independent review perspective managed by those with the greatest experience’ is the most effective solution for combating inside jobs by fraud and security management. Amongst the strategies the SIG would recommend are:

  1. A greater emphasis on the use of Non-Executive Directors. This is crucial, says the SIG, as usually Non-Execs are appointed for their experience of skills and operations in other organisations and sectors. They have that ‘other worldly’ eye that is able to cast a different perspective. They should have the ability to review all aspects of a company’s anti-fraud strategy and to ask awkward questions ‘from the top’ as this carries more weight.
  2. Up-to-date reporting must be a core mantra of good company management, with the details of repeated exceptions thoroughly investigated. Organizations should also ensure that reports are not only timely but that they are also complete, real and updated as required. These processes should also then be built into the internal audit schedule for checking. This in turn should feed into the main GRC (Governance Risk and Compliance) systems. In addition, wherever appropriate, organisations should adopt an enterprise-wide approach to technology as this will help with systems issues. Thus, if the technology works well in all other parts of an enterprise, it is highly noticeable if it fails in the management of the fraud department or the control of online and financial systems.
  3. From the ground up, organizations need to establish records both electronically and on paper. This should include specifying where documents are and when they should and should not be stored. One should identify who is in control of these systems, processes and procedures and who has ownership of specific records. Organizations also need to decide who is responsible for checking that these measures are followed. The scanning, and indexing of work needs to be carried out to professional standards and there must be rules to ensure that no-one can intercept/edit documents at an inappropriate stage or in a fraudulent way. It is also important, the SIG believes, to ensure that your storage capacity is controlled properly.
  4. Where acquisitions and mergers are concerned, organizations need to ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails and staff contracts. In particular, when acquiring a business, companies must make sure that they have indemnities and penalty clauses built into the acquisition agreements which relate to the availability of data, logs, audit trails and so forth.
  5. An extra fraud prevention ‘task-set’ should be drawn up for auditors and IT auditors whether they are internal or external. This can have a real impact, although sadly most auditors are simply there to either report on financial results or check asset lists and software licence compliance. There are though many specialists that can undertake ‘special’ tailored checks to find frauds within all manner of business systems including: payroll, invoicing or payments. By turning them towards checking the efficacy of the security and fraud systems in place, says the SIG, it is not only a greater deterrent but also a far more certain way of catching wrong doing whilst in flight.
  6. Getting HR more involved. This allows organisations to define responsibilities and handle warnings for non-compliance and to do so at all ranks from the ground level upwards.
  7. Organisations should actively consider the use of external risk consultants who can offer solutions which benefit from an independent viewpoint that resides outside of a company or   its politics.
  8. Where doubts exist, organisations should contemplate the use of private investigators to look deeper into the processes used by those who are deemed to be high risk people. These need to be the breed of computer literate investigators with corporate fraud experience.

A leading member of the SIF is Malcolm Gardner. He believes that the situation may be worse than many fear. In his view, “Typically, when fraud or security managers are caught, it is either because they went too far, having become complacent, or where there has been a tip off. This tends to suggest that those who are caught might simply be the tip of the iceberg. With sectors such as the online market, now so very tempting to fraudster, it can also be tempting for internal cheats too. Corporations need to be sure of their staff and need to put the right systems in place to help the loyal staff who are the ones still working for the good of the company.”

So to conclude it is especially negative situation whenever any fraudster is identified within a business as they are the person who has the responsibility for fraud prevention themselves. IT is a complete betrayal.  The first step in planning the fight back is finding these people and then managing the problem. The trouble is that many of them are exceptionally well hidden. Whether one can ever be 100% certain that there is no problem internally is probably too much to expect. However my belief,  is that if you start to introduce the kind of checks and measures the Corporate Fraud Prevention SIG has outlined, there is every chance that the risk will be minimised or driven away.

 Bill Trueman (an independent fraud and risk specialist) is director of RiskSkill and UKFraud.

This article originally published here.

Other Useful Posts You Would also Like:

11 FAQs on EMV Chip & Pin Credit Card Technology

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Top Technology Trends in Payments, Risk and Fraud in 2014

25 FAQs on Risk Review and Risk Management

RiskSkill Warns That Risks Will Grow Together With The Mobile Payments Sector

fraud and risk management specialist

The leading UK corporate risk prevention consultancy and analyst Riskskill is warning that the expected rapid growth of the global mobile payments market will create a potential cocktail of different risks that pose new challenges for risk managers and other stakeholders in the sector.

In its latest research, Riskskill studied developments in the mobile payments (M-Commerce) arena, i.e. all types of mobile payment services including mobile money and mobile wallets, which are subject to financial regulation and performed from or by mobile devices.

Riskskill identified where it feels the key areas of risk lie in the sector, including:

1. The scale of sector growth and technology change

With commentators suggesting that the mobile payments sector will reach US $1 trillion in global transactions by 2015, the Riskskill research highlights that many risk professionals are concerned by the sector’s significant rate of growth. In Riskskill’s view, this rapid growth could mean that many proven risk strategies, once thought of as realistic and elastic, could be left out of touch in the medium term and lack the solid infrastructure required to be able to accommodate such growth.

Riskskill recognizes that as a consequence of this growth, one of the greatest challenges to the development of plans and strategies that align organizations within the mobile payments sector is not only the diversity of sources of change but also the sheer speed of technology change be this hardware, software or the technology platforms used.

According to Riskskill, the main ‘mobile payment’ players are now extremely keen to produce the next ‘big thing’ and this is reflected in the significant investment being made. Many feel that Apple with its i-infrastructure and significant market presence has the potential to launch something ground-breaking within iOS7. Other market leading names such as PayPal, Google and Amazon are also likely to have a significant and positive market impact with upcoming developments of their own, as will global and EU based telecom infrastructure owners. The international card schemes too, believes Riskskill, have a positive influence on the development route(s) in the sector, as will many other highly innovative and respected third parties including: iZettle and mpowa.

Riskskill believes that it is the technology organizations that act the most responsibly and altruistically now that will help minimize market risks over time. They are concerned though that in the rush to ‘jump on the bandwagon’, smaller players will adopt solutions that are based upon outmoded foundations and infrastructures. If this happens some regulators and stakeholders could struggle to keep up with the pace of technology change. This could mean that they might be unable to introduce the safeguards, protected environments and fraud prevention methodologies that are required at this early stage of market evolution. Fraud is deemed to be the greatest risk here. The fraudster thrives in such fast-paced environments, especially when there is no history, formality, process standards, anti-risk architecture or common IT foundations. Typically, fraudsters just ‘adapt’ and outsmart their targets.

2. Globalization of mobile payments

Riskskill also points to the rapid spread of mobile payments globally, with the explosive growth of M-Commerce in China, India, Latin America and the Far East. Recent data from the ITU (International Telecommunication Union) reveals that global mobile subscriptions are now reaching 6 billion. In some of these newer territories, the mobile payments sector is compensating for the lack of a physical and sufficiently robust banking structure and therefore proves extremely popular. Consequently, whilst the growth figures are impressive, the rate of growth could draw into question whether the existing and on occasion nascent regulatory systems and controls are sufficient to cope. Indeed, Riskskill believes that the most worrying aspect of this global spread is whether the technical and security infrastructures are built and based upon the solid foundations required.

3. Consumer communication and information risks

Riskskill believes, in addition, that in the mobile payments sector there is a continuous stream of new financial products that are all seeking to outdo each other in the eyes of providers and consumers. Riskskill is concerned that, alongside other areas of rapid market change, a fast churn of product lifecycles and the sheer variety of product nomenclature might cause consumers to become confused, and thus more vulnerable to fraudsters exploiting their confusion. This will also be compounded by the absence of adequate fraud systems, which will not have been put in place by all the main players at an early stage, as some will only just have kept up with competitive product development.

4. Standards and regulation outpaced?

The impact of such a rapid evolution of technology and financial products could threaten the applicability and implementations of many existing ‘standards’ programs. Other newer standards will need to be evolved, although these too might still struggle to keep up with the rate of change. Riskskill believes that as there is such a broad range of organizations and bodies from which such standards might come, that this in itself could cause confusion for market stakeholders and consumers alike. Once again, the most likely beneficiary of such confusion could well be ‘professional’ fraudsters. The hope is then, says Riskskill, that standards bodies will harmonize with other similar organizations around them, especially those who take a lead.

According to Riskskill there are a number of widely regarded bodies whose intervention could have a major impact in reducing market risk. This includes highly respected organizations such as UK Payments (formerly APACS), the ISO or the European Payments Council, which could potentially, some feel, develop a new SEPA-type regulation for the mobile payment sector. Other widely acclaimed and respected card schemes (such as Visa / MasterCard etc.) might also take a lead as they have a strong commitment to acting responsibly and correctly in the market.

Riskskill believes that if the standards that do emerge could drive the right risk–reduced conditions, it could in turn lead to both an evolution and a revolution in M-commerce practice and risk management. This could then prove to be a facilitator for wider adoption of mobile-based NFC /contactless payments.

RiskSkill has also studied whether the effects of the ‘potential standards debacle’ might also have a ‘knock-on’ effect upon government regulation too, as there is always the possibility that more interventionist governments might take the opportunity to play a constructive role. The company feels that with the respected EU Cyber Security Directive, focusing on setting good foundations with the Network and Information Security standards in individual member states, the current thrust seems potentially a long way from specifically addressing mobile payments.

In the UK, Riskskill questions whether the government is likely to drive innovation in this area, as the risk, payments and fraud skills within the leading departments (Cabinet Office, FED and the National Fraud Bureau) might not be those required to lead direction and strategy in the mobile payment sector.

Riskskill’s CEO Bill Trueman believes that whilst the risk in each of these areas can be incorporated into risk strategies, the combined effects are harder to predict. In his view, “It is easy to plan for many risks individually – however, the wide and varied nature of the risks associated with the changing and rapidly growing mobile payments sector creates a whole array of risks that will challenge even the best of plans and strategies for addressing problems within the mobile payments sector. This is a simply enormous issue to address. Organizations, and indeed many governments, are often now too ‘silo based’ to evolve direction and protection from the attacks in a market that is so rapidly evolving. The ideal solution for leading sector stakeholders should be to drive proper standards through appropriate bodies that will in turn drive both a governmental and a business response globally. It’s a ‘tall order’ and only time will tell if it is possible.” 

News Source

Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach

I read with interest that news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the reissue costs associated with the data compromise in 2013. This puzzles me, as I then want to know how the figure of $1200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

To continue reading visit here.

Bank Fraud Charges Against Former President of Rural Bank of Subangdaku Inc.

Another case of bank fraud surfaced this time in Phillipines. The Bangko Sentral ng Pilipinas has filed criminal charges against Radaza, the ex president of the mentioned bank, for allegedly taking part in creating fictitious loans amounting to P2.6 billion when she was the president of the defunct Rural Bank of Subangdaku Inc.

To read full coverage, please read here.

 

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Source: Is EMV ‘A Colossal Waste of Time’ for Retailers?

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

Source: Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

Follow

Get every new post delivered to your Inbox.