CONTROLLING FRAUD IN THE FINANCIAL SERVICES SECTOR. Aub Chapman Chief Manager Operational Control, Westpac Banking Corporation

Transcription

1 CONTROLLING FRAUD IN THE FINANCIAL SERVICES SECTOR Aub Chapman Chief Manager Operational Control, Westpac Banking Corporation Paper presented at the Fraud Prevention and Control Conference convened by the Australian Institute of Criminology in association with the Commonwealth Attorney-General s Department and held in Surfers Paradise, August 2000

2 Introduction Fraud can be described as deceit or trickery deliberately practiced in order to gain some advantage dishonestly. If we were to describe fraud as an industry, it would clearly be one of the growth areas in the economy. It is also one of the least understood areas of the economy and, because it is often viewed as a victimless crime, it does not draw community reaction like other crimes. At this point in time there does not appear to be any coordinated political focus on measures that will address the very serious losses resulting from fraud. One hardened criminal who has served several periods of imprisonment for armed hold-up offences was reported to have recently expressed an opinion to senior police that he wished he had understood how easy it was to commit fraud earlier in his criminal life. He now considers that fraud involves less trauma, the rewards are far greater and the penalties substantially less than in other forms of crime. Unfortunately, the quantum of fraud being attempted is not readily identified. Different industry sectors and institutions within sectors have traditionally categorised financial losses under a number of headings to suit internal management reporting and this has hindered the establishment of aggregated figures which would assist in identifying the magnitude and types of fraud losses. Changes in business practices have occurred without revision of loss categorisation and this has also impeded the identification of losses incurred as a result of fraud. As an example, within the financial services sector, it is only in the last two to three years that institutions have come to recognise the need to more thoroughly examine loan write-offs to identify those which clearly are fraud based losses as opposed to genuine lending losses. There is little doubt that the financial services sector is one of the fastest changing areas in the community. The combination of industry deregulation and the exploitation of new and emerging technologies is resulting in financial institutions having the ability to deliver a vast array of products and services utilising an increasing number of delivery channels. The benefits and flexibility now being provided to customers is unfortunately also being exploited by those seeking to gain an advantage through dishonest behaviour. New opportunities for fraud are emerging almost daily. The decision to engage in any business function is usually based on a cost/benefit equation which aligns with the relevant enterprise s business objectives and appetite for risk. The business of controlling fraud risk is no different in that the assessment will include a number of known factors and a number of unknown elements. However, in order to manage fraud risk, we must be able to track and understand it. The competitive demand for fast to market product development introduces a major challenge in creating cost-effective and efficient controls which do not impede the need for flexibility in product features and delivery mechanisms. This challenge will only increase with the introduction of new and emerging technologies. Types of Fraud Within Financial Services A. Transaction Fraud While it is necessary to try and predict the fraud risks associated with the future direction of business practices, it is also important to recognise that the more traditional financial services products remain a major area of fraud risk. At the BAI Check Fraud Conference held in the US in November 1999, it was reported that Check Fraud in the United States was growing at 17% per 2

3 annum. My research within the Australian financial services sector indicates that the exposure to loss from paper based fraud has also grown substantially on a 1998 / 1999 comparison. Negotiation of valueless cheques, stolen cheques, forged cheques, altered cheques and counterfeit cheques remain fertile ground for those attempting to commit fraud. It is obvious that in a number of instances, the scams are well organised and involve a number of parties. Theft of cheques in the mail system, the use of scanners, colour photocopies and chemicals to alter existing or even create false documents clearly demonstrate a growing trend away from single opportunists to more deliberate wide-spread attacks on the financial services industry. The introduction of credit and debit cards which can be used in an ever increasing marketplace has facilitated new forms of fraud. Lost and stolen cards, lost / misused Personal Identification Numbers (PIN s) and corrupt Card Merchants have provided fraudsters with new channels through which to conduct attacks on financial institutions. Turnover in the workforce of financial institutions has added to community knowledge of financial systems and the inherent weaknesses in some products and services which are on offer. The ATM off-host facility provided by financial institutions as a means of continuous service to customers has been and continues to be exploited by those seeking to defraud financial institutions. The skimming of account and personal information contained in the magnetic strip on the back of a credit card has been made relatively easy by modern cheap technology. This leads to a lucrative market in duplicate/counterfeit cards. The use of facsimile machines by clients to transmit instructions to financial institutions is another area where fraud losses are occurring. High quality desktop publishing outputs are now widely available through the use of personal computers and laser printers. The ability to produce near perfect copies of legitimate business documents, many containing company signatures which have been scanned from annual reports or other official papers, is relatively easy. Such documents can be forwarded by facsimile to a financial institution instructing that funds be remitted, usually offshore via some irrevocable channel such as the SWIFT system. Over recent years, there have been a number of cases involving organised scams using this simple technique resulting in substantial losses for financial institutions. The imperative to compete in a fast changing market has placed strains on financial institutions to limit time-consuming validation and verification checks. This pressure has presented new opportunities for those seeking to benefit through fraud at the transactional level. B. Identity Fraud Stolen and False Identity Over recent years a more serious area of fraud has started to come into prominence. This is the area of identity fraud. Mobility within the community means that business no longer relies on local knowledge as to who it deals with. A customer/ business relationship is usually commenced by the prospective customer presenting documents by which his or her identity is established. Through the theft of documents, it is possible for one person to assume the identity of another and where reasonable similarity is present (eg same gender, similar age, etc) it is not difficult to undertake business dealings in the other person s name. The use of good quality and cheap technology facilitates the creation of documents which do not represent a real person. When these techniques are used to create a document or to falsify an original document, it becomes somewhat easy for a person to use that document to procure other documents and thereby create a new, yet false identity. 3

4 Under British and Australian law, the use of a false or alternate identity is not necessarily illegal and the use of an alias is common in entertainment and literary circles. Many women choose to use both their maiden and married names. The advent of the Cash Transaction Reports Act in 1988 (subsequently changed to the Financial Transaction Report Act) introduced a requirement for cash dealers (which includes many of the major financial institutions) to identify all signatories to accounts and made it an offence to open or operate an account in a false name. To support this regime, a process was established whereby numeric values are assigned to a defined group of documents, albeit none of them are officially considered to be forms of identification in their own right. The 100 point system, as it is known, provides for cash dealers to accept a combination of these documents as evidence of a person s identity unless there are obvious discrepancies. The use of modern technology to falsify documents, which to the average person appear to be genuine, has exposed a major flaw in the underlying veracity of the documents acceptable under the 100 point scheme. There has been a disturbing trend in identity fraud and financial institutions are now seeking to more accurately quantify losses from this particular type of fraud. The future poses even greater risk of loss through fraud. The explosion in remote delivery channels such a telephone banking and on-line banking means that face to face contact between financial institutions and their customers is becoming less frequent and in some cases may never exist. The use of intermediaries such as financial brokers, loan introducers, third party agents and outsourcing initiatives present new challenges in controlling fraud. The impact of the Internet on the conduct of commerce involving financial transactions is not well understood. Questions surrounding sovereign and judicial borders, powers to undertake transborder investigations and the ability to successfully mount prosecutions for fraud have yet to be answered. Existing and Potential Fraud Controls What Financial Institutions are Doing Having outlined the growing problem that fraud presents to financial institutions, it is important to examine what has been done, what is being done and what needs to be done if financial institutions are to contain fraud losses. I will address this under three headings within the individual financial institution, within the industry and finally the need for cooperation between the financial services sector, law enforcement agencies and government. A. Controls Within the Financial Institution Within the individual financial institution, there needs to be a model or framework which defines the fraud control functions in a way which ensures that all risks are covered. This framework must align with the institution s appetite for risk and because of the diverse nature of the larger financial services groups it will not necessarily be consistent across all products, services, systems or delivery channels. An obvious starting point is to group the fraud control functions into three categories. I would suggest that the first is prevention and detection, the second addresses investigations and the third should cover case management and recovery as well as the embedding of all learning into new products and services. 4

5 Preventative functions should include fraud training and awareness programs, fraud risk assessment on all new products and processes, automated fraud detection systems and a policy which mandates embedded fraud prevention controls in all products and systems. Unfortunately, traditional methods have been reactive relying on manual and inefficient controls at touchpoints to identify fraud. Within Westpac, we have recognised that this approach is no longer viable nor supportive of the group s business drivers. Our fraud prevention and detection toolkit is now heavily weighted in favour of embedded controls supported by an increasing array of automated analysis tools which identify and report fraud attempts in a timely manner. We are utilising a mix of in-house developed programs and vendor supplied packages which interrogate transactions in either an online/realtime mode or by overnight batch processing dependent upon the risk profile of the product or process. The payback on this investment has been quite remarkable with the gap continuing to widen between fraud identified and prevented and the actual losses being experienced. This gap is being influenced by both factors an increase in fraud detected and prevented and in a reduction in actual fraud losses. However, we are not resting on our laurels, the challenge will continue while ever our business responds to customer demand for more sophistication and flexibility in products and services. Just as the credit processes within financial institutions were advanced through the introduction of automated credit scoring, so too will fraud controls benefit from software which identifies transactions with a high probability of fraud. Packages such as Fraud Detect and Hunter are good examples. To manage the investigations workload, we have installed a case management tool known as ASIS and this is proving to be valuable in monitoring progress and linking cases. We will shortly be installing the I2 software package which will also assist in establishing fraud patterns. Funding for fraud control initiatives continues to compete with other business initiatives and is not always easy to justify on a cost/benefit basis. Within Westpac, we have revised our fraud control management information reporting to no longer simply report on actual losses but to now also focus on the level of fraud identified and prevented. This approach has enabled us to quantify the value-add being achieved by our investments in skilled resources and automated tools. B. Industry Interaction There have been a number of attempts to achieve uniformity in the categorisation of fraud within the financial services sector. Over recent years, the Australian Bankers Association Fraud Working Group has been successful in addressing a number of issues common to all members. However, attempts at sharing actual fraud data have proven very difficult with various obstacles being raised. Confidentiality of corporate data and privacy of customer information have often been proffered as reasons for declining to submit information which could be aggregated at industry level. These barriers have broken down over the past two to three years and there is now a commonly held view that fraud is not a competitive issue and industry-wide initiatives are required to support the internal controls and processes employed within individual institutions. One of the most urgent needs is the creation of a national fraud database into which financial institutions can input existing fraud data and against which new data can be tested to identify fraud attempts. This can be achieved through the matching new data with data known to be 5

6 fraudulent or where the transaction elements suggest a high probability of fraud. Outputs from such a database can place the inquiring institution on notice that further investigation may be prudent before proceeding with the transaction. The Australian Bankers Association established a national fraud database research project with a number of commercial packages being evaluated and the impacts of the proposed extension of the Privacy Act to cover the private sector were taken into consideration. As yet no financial industry-wide fraud database has been established. The National Hunter product from Experian and the FraudCheck product from Data Advantage are two packages currently under consideration or trial by various financial institutions seeking to assess the value-add that industry level data comparison provides beyond internal checking. We are aware that the Australian Bureau of Criminal Intelligence has established a national fraud database for use by Federal, State and Territory police services. I consider that, in the fullness of time, there would be substantial community benefits arising from some form of data sharing between the law enforcement national fraud database and the yet to emerge financial services national fraud database. Under the auspices of the Olympic Security Command Centre, an industry-wide group known as the Australian Credit Card Industry Fraud Forum was established to examine the potential fraud risks which may emerge at the time of the Olympic Games. This group comprises banks, credit card scheme providers and law enforcement personnel and has developed and delivered fraud training materials to retailers, financial institutions and law enforcement agencies. Agreement has been reached on the monitoring and reporting of fraud during the period just prior to, during and immediately after the games. An industry-wide fraud alert process has been established as a means of mitigating any fraud scams which are identified. There is general consensus that the establishment of this group has been beneficial and that it should continue beyond the Olympic Games to address other fraud control issues on an industrywide basis. This proposal is to be discussed by the participants at the next meeting in November. C. Co-operation Between Financial Institutions, Law Enforcement Agencies and Government The Australian National Audit Office report into the Australian Taxation Office management of Tax File Numbers has highlighted the pervasive nature of fraud within the community. Benefits fraud remains a major concern to Centrelink and many of the elements are common with the types of fraud being experienced by financial institutions. In New South Wales, a pilot program between the Registry of Births Deaths and Marriages and Westpac and a concurrent pilot between the Registry and the Roads and Traffic Authority identified a number of false birth certificates that had been presented as part of the identification process. The New South Wales Attorney General subsequently announced the formalisation of this verification process and it is now under active investigation for extension to other States and Territories. A national scheme linking State and Territory drivers licence databases is also underway. As one outcome from the last Australian Crime Commissioners Conference, the Major Fraud Group of the Victorian Police has progressed the Challenge Response project which is an Australia-wide approach to identification issues. As part of this project, a Financial 6

7 Institutions Group Consultative Committee has been convened to bring together a range of initiatives including those I referred to earlier. A pilot program involving Vic Roads and the ANZ Bank will examine the level of fraud in Victorian licences presented as part of identification process. As I alluded to earlier, such verification processes would help address the key flaw underlying the 100 point system required under the Financial Transaction Reports Act. In submissions before the House of Representatives Standing Committee on Economics, Finance and Public Administration during its Review of the Australian Taxation Office Management of Tax File Numbers, the ABA and Westpac representatives proposed a scheme whereby financial institutions could utilise a single independent conduit to coordinate data transfers between individual financial institutions and specific government authorities for verifying the authenticity of key documents presented for identification purposes when establishing accounts. Such a scheme would preserve customer privacy, reduce fraud and provide the relevant authorities with an ongoing quality assurance process regarding the level of fraudulent documents in the community. The suggested scope of this scheme covers birth certificates, drivers licences and passports. In closing, I would like to introduce one further matter for consideration. In the current environment, financial institutions carry an unacceptable proportion of losses resulting from fraud. There is a critical need to redress this position with responsibility being shifted to the party in the best position to prevent fraud occurring. In the United States of America, the introduction of the Uniform Commercial Code has produced a more balanced outcome with the concepts of Contributory Negligence and Comparative Negligence now influencing court findings. We would do well to seriously consider a similar regime for Australia. 7