Friday, January 11, 2008

Fraud Preemption: Global Integrity Management...

The top ORM challenges for 2008 are starting to emerge. Oprisk & Compliance has their top ten and we would agree with most of them, especially "Legal Risk" in light of the growing subprime exposure. Our forecast is for continued convergence of the risk management functions within the institution, along with increased automation in places where human-based tasks can produce errors. These same trends will continue as we investigate the qualitative components of analyzing risk.

Analysis of qualitative data by quantitative methods is a tremendous opportunity for the Operational Risk Management profession, and for the bottom line. HSBC has invested heavily in understanding customer behavior through new systems initially designed for fraud detection and now being leveraged beyond compliance to address more effective customer service. Getting to top line revenue discussions from the center of OPS Risk units is now a given. A single framework to reduce IT systems costs while simultaneously providing newfound Market Intelligence is the latest game plan.

The U.S. regulatory environment is going to get a new injection of investigators, forensic accountants and aggressive federal oversight not seen for many years. The writing is on the wall already for the hedge fund industry. They are already gearing up with the potential hiring of a political heavyweight to head up their industry non-profit on Capitol Hill.

Hedge funds are multimillion-dollar investment pools designed for wealthy individuals. They have grown enormously in recent years, collecting more than $1 trillion, seizing control of underperforming companies and increasingly drawing money from gigantic pension funds, including those of government employees. There are about 9,000 hedge funds in the country.

For years, they barely registered on the Washington agenda. But now that they are so large and aggressive, federal regulators, state authorities and lawmakers have been clamoring to learn more about them, including whether fraud and risky trading flourish in their secretive operations.


In the traditional consumer banking sector, customers are leaving in droves the institutions that have not implemented multi-factor authentication. The fact is that criminals have moved online and their fraud schemes are growing exponentially, except in places like Singapore. This simple set of statistics says it all.

The benefits of two-factor authentication have been proven in other jurisdictions. In 2005, the Monetary Authority of Singapore (MAS) dictated the use of :

The impact has been dramatic. In 2004, banks in Singapore lost $356,000 USD to Internet fraud that was reported. Twelve months later after implementation of two-factor authentication, the number was $5,000 USD. Organizations today in the U.S. that have implemented these capabilities will be grabbing market share, as they roll out these fraud busting measures in front of their competitors.

Fraud is at the core of Operational Risk matters, and whether it's the internal employee manipulating your internal control environment or the external transnational crime syndicate flogging your customers with spam really doesn't matter. What has your "Red Team" told you is at stake this week? The vulnerabilities they have discovered utilizing the new tools or techniques to exploit the changes in your design, implementation or configuration are real. Here is just the latest example:

To the annals of creative bank heists add this: Two Washington area banks turned over more than $850,000 in less than 24 hours this week to someone who impersonated a cash courier and claimed to be filling in for the regular guys.

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.


Once they catch this guy, it will all come back to a classic Operational Risk failure. In this case, there are two banks that are getting some fresh reminders about process and procedures at the branch level. Yet whether we have multi-factor authentication online or in the branch with the armored car driver, the issue remains the same. The consumer and the merchants will continue to pay for this in the long run. Why are they still trying to authenticate people instead of the transaction?

"To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity, which is in the best position to mitigate the risk, responsible for that risk. And that means making the financial institutions liable for fraudulent transactions."

Once institutions realize that they need to focus on a culture of compliance and build robust fraud detection and prevention programs, the losses may start to dwindle. Only, however, if they are properly organized, deployed and funded. And finally, these integrated initiatives must include a substantial investment in systems and a systemic automation mechanism to drive awareness. Microsoft is one organization that is on the leading edge of implementing effective Global Integrity Management.