The Fraud Risk Management Puzzle

It’s no surprise that the recent pandemic brought a new way of living to us all and largely changed customer behaviours, leading to an “enrichment” of the fraud landscape. Financial Services (“FS”) firms were amongst the first to face the challenge of adapting to these changes and protecting their customers from quickly evolving frauds.

Decreased face-to-face contact with customers, as well as remote working, provides a number of opportunities for fraudsters, both external and internal. Government schemes meant to support businesses through the pandemic, for instance, are being exploited by criminals, with banks only recognising the fraudulent behaviour in the years to come. In parallel, sophisticated schemes are being used to trick customers out of their funds by getting them to purchase fake medicines, bogus vaccines or non-existent holiday homes, to name a few. This gives rise to even higher volumes of Authorised Push Payment (“APP”) fraud - the type of payment fraud that currently presents a tougher challenge to banks than unauthorised payment fraud, as it is their genuine customers who initiate transactions that eventually end up with fraudsters.

Achieving the right balance between implementing additional fraud controls and making sure the customer has a smooth experience is key. One example is the payment verification process, where banks need to think of more innovative ways to ensure the authenticity of payments, as the traditional call-back mechanisms do not always meet customer expectations for a smooth journey.

The increase in regulation makes banks’ fraud risk management even more complex. In the EU, the 2nd Payment Services Directive is now in place, introducing new requirements around customer authentication, transaction monitoring, timelines for investigating claims, etc. In other parts of Europe, like the UK, regulators are formalising their expectations of FS firms around fraud. A recent example is the “Dear CEO” letter issued to retail banks last month specifying their obligation to report to the regulator any fraudulent activity identified as part of the government-backed loan scheme.

These challenges can only be addressed with a holistic approach to fraud risk management. Let’s explore what this actually means. 

At PwC we work with organisations across the world to help them manage fraud risk holistically, leveraging any crossovers with other risk areas where possible. This starts with support in shaping a firm’s anti-fraud strategy, considering:

  • The company’s vision
  • The fraud risks specific to the organisation and
  • Its fraud risk appetite 

Fraud Vision

A company's fraud strategy needs to be in line with its values and what it wants to achieve in terms of its customers, employees and society. It is important that the fraud vision is clearly defined and communicated both internally and externally to showcase the company’s commitment to fighting fraud.

Fraud risks specific to the organisation

Undertaking a fraud risk assessment is the first step in any transformational initiative to ensure the firm has a full understanding of its current risk landscape. It serves as a basis for a more focused risk mitigation approach and its outcome informs the rest of the fraud risk management activities. When undertaking a fraud risk assessment it’s important to:

  • Qualify and quantify the inherent fraud risks relevant to the organisation
  • Identify and assess the existing fraud controls and their effectiveness
  • Determine residual risks.

Fraud risk appetite 

Setting the fraud risk appetite is an integral part of the fraud strategy, as it allows management to quickly identify situations in which the firm’s risk exposure exceeds what the company is willing to accept. It brings alignment between the 1st and 2nd Lines of Defence (“LoD”) on both what the acceptable risk levels are and whether the organisation’s controls are adequate to ensure no deviations from the norm.

This strategy is then brought to life through its practical application to the people, processes and technology at the organisation, making sure the right organisational structures and governance are in place. Defining the responsibilities of each of the three LoD is an important part of fraud risk management. Although we see this as an area that many financial institutions are still struggling with, setting the right 3LoD model is a must for clear risk ownership and leads to an overall increase in fraud risk awareness within the business.

We see each component of the fraud operating model as part of a puzzle, which is only complete once each element is working effectively and in line with the rest. This includes processes such as fraud monitoring, investigations, reporting and many others.

We pay special attention to the way fraud technology is deployed, to ensure strong risk coverage but also efficiency that minimises operational costs. The first step in any fraud technology enhancement initiative is the performance assessment, as it is key in informing what optimisation activities need to take place. Even though we frequently see FS firms considering replacing their anti-fraud technology because they are unsatisfied with its performance, this is often unnecessary and leads to further costs that can be avoided. Instead, optimising a firm’s existing technology could make the difference by finding the right balance between the cost of compliance and appropriate coverage of fraud risks.

If you are interested in hearing more about managing fraud risk holistically, please get in touch with our team.

Goran Angelov

CEO and Founder, IBS Bulgaria

3y

Great article, Jeny! What FIs are failing as well is to establish relevant KPIs to monitor and manage the process. Probably because they are skipping the definition phase.

Petr Kranda

Financial Crime Advisor / AML Compliance / Financial Crime Technology / Sanctions Compliance

3y

Very insightful Jeny Rasheva, CFE.


Very relevant comments and observations, Jeny! Hopefully, all FS industry leaders in CEE will consider this topic seriously.

Lukas Rut

Financial Crime Technology & Analytics

3y

Thank you, Jeny. There are still many FIs that skip the risk assessment and risk appetite definition phase.
