Since the time of money’s inception, there has been fraud [1]. Fraud has taken many forms over the years since the first forged coin, but one thing has remained consistent: banking services are constantly under attack. Today, this problem requires an array of modern technology, smart client engagement strategies, highly trained professionals, optimized operational processes, and rigorous, well-constructed organizational infrastructure. While we often spend time with our clients discussing the right technologies for them, particularly as the digital rotation in banking accelerates, we have noticed that banks tend to overlook the importance of organizational infrastructure; that is, the construction of their first line of defense (1LOD) fraud program and second line of defense (2LOD) enterprise fraud policy.
Why Do Banks Overlook Fraud Program and Policy?
There are many reasons why banks tend to overlook their fraud program and policy when it comes to talking fraud—technology can be, frankly, more fun to discuss and more exciting to see in action, big dollars are being spent today on operations, and so forth—but it is a mistake to overlook program and policy. More broadly, some banks often view fraud as a “cost of doing business” rather than a differentiator that makes their customers feel safe and secure [2]. All of this results in fraud programs that tend to grow organically, often in reaction to yesterday’s problems. Similarly, fraud policy tends to be created, shelved, and only applied and updated in reaction to significant fraud events. Both program and policy set the foundation for processes and technologies—if banks are seeking to take a proactive stance against fraud in today’s fast-paced digital world of banking, it is insufficient to focus only on process and technology and ignore the organizational infrastructure of program and policy.
We are not the only organization stressing the importance of policy and program. Banking regulators have turned their attention to the handling of fraud as a safety and soundness matter. Regulatory scrutiny has increased since OCC Bulletin 2019-37, which focuses on matters of program and policy [3]. While it is important that banks assess themselves against the bulletin’s recommendations, we advise that banks confirm that their fraud policy and program are future-ready and complement each other. The bank’s fraud program and policy together serve as the foundational infrastructure for fighting fraud in an ever-evolving digital and mobile landscape.
In our view, fraud programs and policy are closely interlinked, with the policy setting forth the minimum standards from the second line of defense. The fraud program applies the minimum standards and, either centrally or through any number of federated mechanisms, organizes the bank’s fraud prevention and detection controls. In this post, we devote our attention to the first component of the “foundation”, a future-ready fraud policy, and how banks should apply it.
Future-Ready Fraud Policy
So, what does it take to make a future-ready fraud policy? Future-ready policies articulate clear objectives and responsibilities for the lines of business and lines of defense to manage their existing products and services, as well as the creation of new products and services. Fraud policies commonly fall short in one of four ways: 1) the policy lacks clear roles for the first line of defense that facilitate proactive accountability for control failures and loss management; 2) the policy is written to manage what exists and fails to link into new product, service, or vendor processes; 3) the policy does not fully define the full scope of objectives for why a bank manages its fraud risk, often omitting a range of dimensions outside of merely limiting external fraud losses; and 4) the fraud policy does not set requirements for minimum quantitative reporting standards that extend beyond the net dollars lost to fraud. Good fraud policies have language that manages these four gaps appropriately, setting minimum standards where needed that allow flexibility and speed while affording protection to both the bank and its clients.
Great policies look beyond the creation of a foundation for fraud prevention controls and also set minimum standards for employee training and fraud awareness campaigns for clients to promote a culture of awareness that can reduce both internal and external fraud. Great policies also set a vision through definition of fraud-specific roles, such as a “fraud prevention steward”, and support the fraud program to have a broader vision beyond fraud losses, particularly addressing account opening and nonmonetary events. In essence, great policies are written not merely as a framework for testing but as a flexible document that is to be lived by the 1LOD and the business.
Living the Fraud Policy
Having a well-written policy is important, but it is equally important that the policy is well understood, applied, and enforced by the 2LOD at all stages of first-line activity. One key mechanism to make this occur is open dialogue between first- and second-line fraud functions during the creation or review of a fraud policy. Open dialogue should continue between the lines of defense afterward through committees or councils, as well as less formal mechanisms. Enforcement of a fraud policy should extend beyond qualitative and reactive reviews; the second line should set clear guidelines on what it would measure to determine compliance and promote them well in advance of reviews, ideally through the policy or supporting documentation.
What Should Banks Do Now?
Fraud policies, like most policies, have a routine review cycle. Banks should consider taking advantage of their next fraud policy review to ask themselves what type of fraud policy they have. Does the policy work well with the existing fraud program? Do the lines of business understand and apply it? Would it stand up to a regulator’s scrutiny? Would it enable the bank’s business on a go-forward basis or inhibit it? Is it a good policy? Is it a great policy? If the answers are not what the bank and its clients need, it’s critical that 2LOD takes up the pen even as so many other fraud-related matters vie for attention.
1. More precisely, there have been counterfeit coins for well over 2,500 years, an early instance of “fraud”.
2. Discover, though, differs from a lot of financial companies in that it has realized the benefits of advertising its fraud protections through a recent campaign that includes this commercial about purchasing a turtle online: https://www.youtube.com/watch?v=6IsR5Wtn6Zo&ab_channel=Discover
3. OCC Bulletin 2019-37, issued July 24, 2019, stresses that “banks should have corporate governance practices that instill a corporate culture of ethical standards that promote employee accountability [to controlling the bank’s exposure to fraud].”