Quick Reading
Anti-Fraud is an integral part of the corporate strategy, relating investment to risk levels
Defining the balance between accepted fraud risk and the cost of prevention is a Board accountability.
Anti-fraud management is primarily based on sound governance (the "G" of ESG) and should prioritize the most fraud-sensitive transactions.
Methods for fraud detection
Segregation of Duties
Relational KPIs as a control system
Exclusion of risk-sensitive transactions, clients and vendors
Culture & Code of Conduct
Exception detection of deviating transactions
A clear, communicated and strict deterioration (sanction and response) policy, applied with integrity
New technologies
Conclusion: the Anti-Fraud Strategy is an essential part of Corporate Governance. A clear definition of accepted and non-accepted transactions, related to fraud risk, is the basis for compliance, empowerment and control. Integrity in its application, supported by sound use of technology, is key to protecting business reputation, productivity and sustainability.
Combatting fraud is fighting an invisible enemy: fraud only surfaces at the stage of suspicion or actual observation. Studies and surveys estimate the cost of fraud at around 5% of turnover, but these figures need to be taken with prudence, since the scope of the assessments and their results vary widely.
Anti-fraud management should nevertheless remain a central element of corporate governance: the risk is that corporate resources are diverted from their purpose, not to mention the weighty reputation risks. What follows is an exploration of how to design and steer a rational Anti-Fraud Strategy.
The assets of a corporation need to be used productively to achieve the desired business results, within the risk constraints set out by shareholders. Besides defining risk acceptance for the intrinsic business activities, Directors are accountable for defining the strategy that protects assets, reputation and operational integrity from illicit abuse by clients, partners or staff.
Financial services already face a considerable number of regulatory constraints, of which prudential control, DORA and AML/CFT are the most visible. In that perspective, a global risk strategy contributes to the integrity, readability and tangibility of these components, which in turn raises the maturity of regulatory compliance. This is an excellent opportunity to treat regulatory constraints as opportunities for better performance.
Fraud is first of all a risk. Potential threats need to be identified and classified by nature and potential impact. The strategy should set the risk tolerance for the three types of damage fraud can cause: financial loss, reputation damage and operational disruption. It is useful to distinguish external fraud (money laundering, illicit use of services) from internal fraud (bribery, corruption, abuse of assets), because the causes, impact and prevention differ.
Anti-fraud strategies are also a matter of balance. On the negative side, the adverse effects of preventive actions need to be accounted for: mainly cost (tools, systems, control staff), reduced productivity (administrative procedures, integrity enforcement, custody measures) and client relations (excluded markets and clients, more client administration). These need to be weighed against the positive impact of anti-fraud measures. Most obviously, prevention and recovery reduce the loss caused by fraud. Beyond that, fraud prevention should lead to better cost control and lower prices for customers, client confidence and a stronger reputation. The anti-fraud strategy positions the cursor on the line of risk acceptance, in relation to the cost and benefits of anti-fraud measures.
Implementing an anti-fraud strategy comes down to installing a sound compliance management system, for which ISO 37301 is a recommended set of guidelines and recommendations. A compliance management system defines, on a risk basis, the transaction elements that are essential to safeguard that operations run in conformity with business goals, risk avoidance and acceptance, regulation and organizational rules. It should focus on the most fraud- and risk-sensitive stages of the organization's transactions. It is based on behavioral and transactional rules for running the business, enforced by rules and conditions for empowerment, escalation and control, and it safeguards the integrity of operations through tangible criteria and several verification points.
Best practices for anti-fraud management include:
Segregation of Duties: risk levels are closely related to the concentration of decision-making power. The principle of three lines of defense (LOD) is a widely accepted technique, though many organizations could still increase their maturity by sharpening the distinct interests and objectives of the three lines. Segregation of duties is also powerful on a horizontal level, separating accountabilities and creating countervailing powers. Although decision-making can be slowed down if the organization lacks agility, it generally increases the quality of decisions through the collaboration of experts. A specific and popular format is the four-eyes principle.
Relational KPIs: fraud risks should be related as much as possible to tangible and measurable criteria, which are followed up, per case and in aggregate, by metrics and KPIs. These should be built so that deviations and exceptions are detected by incoherences between KPIs. An example is the concentration of purchase orders with a specific provider in a multi-provider setup, which should raise an exception.
Exclude over-risked clients, vendors and transactions: although this technique also excludes a share of otherwise acceptable transactions (the cost of the system), it is recommended to define specific criteria under which clients, vendors and transactions are not accepted. These criteria should be tangible and formally registered as exclusion criteria. Specific attention should go to also excluding "turn-around" techniques used to push a transaction through anyway, such as splitting it into smaller pieces (see Relational KPIs and Exception Detection).
Code of Conduct: despite a strict regulatory system, anti-fraud management is tightly bound to the conduct and culture of staff, clients and vendors. There are two pitfalls here. The first is to write a Novel of Conduct rather than a Code: so extensive that nobody ever reads it. The basic Code should be short, precise and related to in-the-field situations. The second pitfall is to develop it in an ivory tower. The code of conduct should be a genuine expression of the corporate identity and should therefore be developed and committed to by marketing, business development, operations, finance and HR.
Exception Detection: fraud-sensitive elements should be monitored by a system that raises alerts when deviating behavior or transactions are detected. Such a system raises two organizational issues to be decided by the leadership of the institution. The first is positioning the cursor between the number of exceptions detected and the related cost of verification on one hand, and the residual risk of not detecting potential fraud on the other. The second is to define the four-eyes policy and set the level of delegation for handling raised exceptions at the first, second or third line, which relates to the risk of collusion among staff.
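As an added illustration of the three preceding points (relational KPIs, turn-around techniques and exception detection), the following script runs three simple checks over a set of purchase orders: vendor concentration within a multi-vendor category, a series of orders kept just under an approval threshold by the same requester with the same vendor, and requester-equals-approver as a segregation-of-duties violation. This is example code written for this page, not code from the original article; the purchase orders, thresholds (60% concentration, a 5,000 approval limit, a 7-day window) and names are constructed for the example and are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    category: str
    vendor: str
    amount: float
    requester: str
    approver: str
    day: int  # day index within the review period


# Constructed sample data for the example (not real transactions).
SAMPLE_ORDERS = [
    PurchaseOrder("PO-001", "IT hardware", "Alpha Systems", 9000, "a.dupont", "c.lee", 1),
    PurchaseOrder("PO-002", "IT hardware", "Alpha Systems", 8000, "a.dupont", "c.lee", 3),
    PurchaseOrder("PO-003", "IT hardware", "Alpha Systems", 7000, "b.ng", "c.lee", 5),
    PurchaseOrder("PO-004", "IT hardware", "Beta Computing", 3000, "b.ng", "c.lee", 6),
    PurchaseOrder("PO-005", "IT hardware", "Gamma Tech", 2000, "a.dupont", "c.lee", 8),
    PurchaseOrder("PO-006", "Maintenance", "Parts GmbH", 4800, "u.meyer", "k.roth", 1),
    PurchaseOrder("PO-007", "Maintenance", "Parts GmbH", 4900, "u.meyer", "k.roth", 2),
    PurchaseOrder("PO-008", "Maintenance", "Parts GmbH", 4700, "u.meyer", "k.roth", 4),
    PurchaseOrder("PO-009", "Office", "Paper Co", 1500, "k.roth", "k.roth", 2),
    PurchaseOrder("PO-010", "Office", "Ink Ltd", 1200, "b.ng", "c.lee", 3),
]


def vendor_concentration(orders, max_share=0.6):
    """Relational KPI: share of category spend per vendor.

    Raises an exception tuple (category, vendor, share) when one vendor
    exceeds max_share in a category that has more than one vendor.
    Single-vendor categories are skipped: the KPI is meaningless there.
    """
    spend = defaultdict(lambda: defaultdict(float))
    for o in orders:
        spend[o.category][o.vendor] += o.amount
    alerts = []
    for category, by_vendor in spend.items():
        if len(by_vendor) < 2:
            continue
        total = sum(by_vendor.values())
        for vendor, amount in by_vendor.items():
            share = amount / total
            if share > max_share:
                alerts.append((category, vendor, round(share, 2)))
    return alerts


def split_order_suspects(orders, threshold, window_days=7, min_count=2, band=0.8):
    """Turn-around detection: several orders just under the approval threshold.

    Groups orders in the band [band*threshold, threshold) by (requester, vendor)
    and flags a group when, within window_days, at least min_count such orders
    together reach or exceed the threshold that each one avoided individually.
    """
    groups = defaultdict(list)
    for o in orders:
        if band * threshold <= o.amount < threshold:
            groups[(o.requester, o.vendor)].append(o)
    suspects = []
    for key, group in groups.items():
        group.sort(key=lambda o: o.day)
        for i, first in enumerate(group):
            window = [g for g in group[i:] if g.day - first.day <= window_days]
            if len(window) >= min_count and sum(g.amount for g in window) >= threshold:
                suspects.append((key, [g.po_id for g in window]))
                break  # one alert per (requester, vendor) is enough for review
    return suspects


def sod_violations(orders):
    """Segregation of duties / four-eyes: the requester must never be the approver."""
    return [o.po_id for o in orders if o.requester == o.approver]


if __name__ == "__main__":
    print("Concentration:", vendor_concentration(SAMPLE_ORDERS))
    print("Split orders:", split_order_suspects(SAMPLE_ORDERS, threshold=5000))
    print("SoD violations:", sod_violations(SAMPLE_ORDERS))
```

The parameters (max_share, band, window_days, min_count) are exactly the "cursor" the text speaks of: loosening them reduces the number of exceptions to verify and raises the residual risk, tightening them does the reverse. Each alert should be routed to a reviewer other than the requester and approver involved, so that the four-eyes principle also applies to the handling of the exception itself.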
Integrity of the Deterioration Policy: the deterioration policy (the response and sanction policy) defines the custody measures and sanctions that follow the detection of fraud events. This is a sensitive matter, because it has a direct impact on staff members, clients and vendors. The detection of a fraud suspicion or event is a kind of crisis situation, and the first objective of crisis management, getting back to normal with minimal damage, applies here too. Hence, it is highly recommended to define upfront the potential actions and the criteria for applying them. Some freedom to assess the actual situation must be foreseen, but strict integrity in the application of the policy must be (visibly) maintained.
New Technologies: in a digital environment with automated and instant transactions, the use of technology to identify fraud-sensitive behavior and transactions is inevitable. In several domains, notably AML/CFT, the maturity of data- and AI-driven monitoring tools is growing. Technology needs to be included as an essential method for KPI collection, exception detection and deterioration management.
Anti-Fraud Management is an essential part of Corporate Governance, with a tangible impact on business branding, productivity, reputation and operational integrity. An essential element for success is to integrate it into the operational risk strategy. The clear definition of accepted (business) transactions, and hence of borderline and non-accepted transactions, is key to good governance. The roll-out will gain maturity with a sound definition of processes, empowerment, KPIs and the control system, in which technology and integrity are the key factors.