THE RISK OF ECONOMIC CRIME




This presentation will provide you with insight into the criminal and fraudulent activities an insurance carrier is exposed to. The focus will be on the less visible and publicized crime perpetrated by its own staff and third parties and explicitly excludes the area of claims fraud. To address these risks, a comprehensive arsenal of tools is required to be developed and deployed. The intention is to share the approach Zurich Financial Services has chosen to protect itself from crime and fraud. This presentation will focus on the execution of an anti-crime framework in a multinational insurance organisation.

TORSTEN WOLF, CIA
Group Head of Crime and Fraud Prevention
Zurich Financial Services
Zurich, Switzerland

Torsten Wolf is the Group Head of Crime and Fraud Prevention for Zurich Financial Services. In his role, he leads the group's efforts to prevent, detect, and respond to non-claims-related crime and fraud that is directed against Zurich. Torsten looks back on more than twenty years in the insurance industry where he worked across personal lines and large corporate business. Torsten is a Certified Internal Auditor and holds a Degree in Business Studies and Economics as well as a Master's Degree in Business Administration.

Association of Certified Fraud Examiners, Certified Fraud Examiner, CFE, ACFE, and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

2012

The Economic Crime Landscape

Definitions

Often, the first thought that springs to mind when talking about insurance fraud relates to fraud perpetrated against an insurance company by its customers. And indeed, the largest risk for insurance carriers in terms of case numbers and monetary value by far is policyholder fraud: customers fraudulently demanding to be compensated for accidents or events that never happened or customers exaggerating the monetary damage they have suffered. The focus of this session, however, is on economic crime, which is defined as those criminal and fraudulent activities that are not claims related (unless the act is perpetrated or supported by an employee). Excluded from this view are also criminal activities that typically are under close scrutiny of a financial regulator and that would typically fall under the remit of the compliance department: money laundering/terrorist financing, bribery/corruption, and sanctions.

Cost

In comparison to policyholder claims fraud, direct financial losses suffered from economic crime seem relatively small. However, the indirect or invisible impact on an insurance carrier can be tremendous. These impacts range from potential damage to reputation to heavy fines by insurance regulators, all of which may lead to a reduction of business.

Key Players

Various individuals and organizations are involved in the insurance industry. Arguably the most important and interesting part is the interaction between the insurance provider, the customer, and the intermediary.

Throughout these interactions the insurer (and in many cases the customer) is exposed to crime and fraud (see "Distribution Crime"). In order to deliver products and services to the customer, the insurer, like any other organization, employs staff, some of whom may act fraudulently to the detriment of the insurer and/or customer (see "Internal Crime"). Increasingly over the last years, financial services providers have become targets of individuals who pretend to be customers and request funds to be diverted from their rightful owners (see "Identity Crime"). In some instances, the insurance organization outsources non-core processes to third-party providers. In addition, it purchases products or services from external vendors or suppliers; both of these areas are not explicitly addressed in this presentation.

Distribution Crime

In its simplest terms, the transactions between a customer and his insurer can be reduced to the following: Once an insurance contract is signed, the customer makes (depending on the product) either one single or frequent premium payments. From the first payment onward, the customer is on risk (i.e., any incident covered by the insurance contract will be indemnified). In the event of such an incident, the insurer will (subject to a thorough evaluation of the incident) indemnify the customer. This can either happen by arranging for the damage to be taken care of by third parties and settling the corresponding bills or by making a payment to the customer.

Some insurance policies carry an investment element, which at the end of the contract period will be returned to the customer. Customers may also buy investment products from an insurance provider. When the respective policy has matured, the investment (original principal plus investment gains) will be transferred back to the customer. In some cases, for instance when a policy is cancelled prematurely, the customer will qualify for a premium refund.

The processes described above carry an inherent risk of crime and fraud. It is common that a customer engages an intermediary to act on his behalf with the insurance carrier. Unless the intermediary is tied to one or few insurance providers, he is free to select insurance and investment products from any insurer in the marketplace. In most cases, the intermediary is compensated for his efforts by way of a commission from the insurance provider he places his customer's business with.

Intermediaries, independent or otherwise, are also important for the insurer because they are instrumental in distribution, underwriting and claims settlement. They are involved in key processes and sit in a position of trust between the insurer and the customer. Because trust can be abused, it is crucial to focus on the inherent risk of fraud in dealing with intermediaries.

Upfront Commission Fraud

It is common practice for intermediaries to receive a relatively high upfront commission when a life insurance policy is sold (called an indemnity commission). This is based on the assumption that the policyholder will remain with the insurance company and continue paying premiums for a longer period of time. For the insurer, the policy will only become profitable after a number of years (usually two to four years). If, however, the policy lapses within that period, part of the commission becomes repayable and can be clawed back. In the normal course of business any clawback is netted off against commission payable to the intermediary.

To increase his upfront commission income, the criminal intermediary creates false policy applications for individuals who have not agreed to enter into a contractual relationship with the insurer. He will then submit these fake applications to the insurer, pay the required first policy premium, and then collect the upfront commission. It is not uncommon that the criminal intermediary places the same policies with several insurance companies to multiply his commission income. Once the upfront commission has been paid, he will discontinue paying the policy premium, and the policy will lapse. By the time the insurer has initiated an investigation into the matter, the intermediary has taken the money and disappeared.

An interesting nuance to this fraud scheme is when the criminal intermediary uses the upfront commission to pay the first policy premium for placing additional fake applications, thereby generating further indemnity commission until he finally disappears.
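The scheme described above leaves a recognisable trace in one insurer's own policy data: a cluster of policies that lapse soon after inception, whose first premium came from the intermediary's own account, and whose commission exceeds the premium collected. The following is an added example, not part of the original paper; the record fields, thresholds, account identifiers and sample policies are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds for illustration; tune them to the insurer's own portfolio.
EARLY_LAPSE_DAYS = 180        # a lapse this soon after inception counts as early
MAX_EARLY_LAPSE_RATE = 0.30   # tolerated share of early lapses per intermediary
MIN_POLICIES = 3              # skip books too small to judge


@dataclass(frozen=True)
class Policy:
    policy_id: str
    intermediary_id: str
    inception: date
    upfront_commission: float
    premiums_received: float
    first_premium_payer: str            # account that paid the first premium
    lapsed_on: Optional[date] = None    # None while the policy is in force


def lapsed_early(p: Policy) -> bool:
    return (p.lapsed_on is not None
            and (p.lapsed_on - p.inception).days <= EARLY_LAPSE_DAYS)


def review_intermediaries(policies, intermediary_accounts):
    """Return {intermediary_id: findings} for every intermediary that trips a flag.

    intermediary_accounts maps an intermediary to the bank accounts known to
    belong to it (hypothetical master data).
    """
    books = defaultdict(list)
    for p in policies:
        books[p.intermediary_id].append(p)

    findings = {}
    for agent, book in books.items():
        if len(book) < MIN_POLICIES:
            continue
        early = [p for p in book if lapsed_early(p)]
        own = intermediary_accounts.get(agent, set())
        # Early-lapsed policies whose first premium the intermediary paid himself.
        self_funded = [p.policy_id for p in early if p.first_premium_payer in own]
        lapse_rate = len(early) / len(book)
        # Commission paid on early-lapsed policies minus premium collected on
        # them: the amount a clawback would have to recover.
        exposure = sum(p.upfront_commission - p.premiums_received for p in early)

        flags = []
        if lapse_rate > MAX_EARLY_LAPSE_RATE:
            flags.append("high_early_lapse_rate")
        if self_funded:
            flags.append("first_premium_paid_by_intermediary")
        if flags:
            findings[agent] = {
                "flags": flags,
                "early_lapse_rate": lapse_rate,
                "self_funded_policies": self_funded,
                "unrecovered_commission": exposure,
            }
    return findings


# Constructed sample data: A-17 follows the pattern, B-02 is ordinary business.
SAMPLE_ACCOUNTS = {"A-17": {"ACC-A17"}, "B-02": {"ACC-B02"}}
SAMPLE_POLICIES = [
    Policy("P-001", "A-17", date(2024, 1, 10), 1200.0, 100.0, "ACC-A17", date(2024, 3, 15)),
    Policy("P-002", "A-17", date(2024, 1, 12), 1200.0, 100.0, "ACC-A17", date(2024, 3, 20)),
    Policy("P-003", "A-17", date(2024, 2, 1), 1200.0, 100.0, "ACC-A17", date(2024, 4, 5)),
    Policy("P-004", "A-17", date(2023, 6, 1), 900.0, 1300.0, "ACC-C900"),
    Policy("P-101", "B-02", date(2023, 5, 2), 1000.0, 1500.0, "ACC-C101"),
    Policy("P-102", "B-02", date(2024, 1, 20), 1000.0, 150.0, "ACC-C102", date(2024, 4, 1)),
    Policy("P-103", "B-02", date(2023, 9, 9), 1100.0, 900.0, "ACC-C103"),
    Policy("P-104", "B-02", date(2023, 11, 3), 950.0, 600.0, "ACC-C104"),
]

if __name__ == "__main__":
    for agent, result in review_intermediaries(SAMPLE_POLICIES, SAMPLE_ACCOUNTS).items():
        print(agent, result)
```

A single insurer cannot see the same fake policy being placed with other carriers, so this check only covers the part of the scheme visible in its own administration system.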

Conversion of Direct Business to Intermediary Business

Most insurance carriers sell products and services either directly or through an insurance intermediary. When applications are received directly from the customer, no commission payments will be made. However, if that business was reported as being placed by an intermediary, the appropriate commission would be transferred to the intermediary. The scheme requires the manipulation of the insurer's policy administration system. Unless the intermediary has access to the system, he would need to collude with someone in the insurance company. The accomplice will take legitimate policy applications and enter them into the administration system as intermediary business and ensure that the criminal intermediary will receive the unjustified commission payments.

Withholding Premium

In some instances, the intermediary collects and receives the policy premium (in some countries in cash) from the customer with the instruction to forward it to the insurance company. The premium is simply retained by the intermediary and, although the customer believes the contrary, he is not covered by an insurance policy.

Incorrect Policy Application

Intermediaries tied to one insurance company are not allowed to sell the products and services of other insurers. In this respect, they are at a disadvantage compared to brokers who are free to select from insurance providers with the most attractive premiums. In order to win business, some intermediaries will manipulate (often with the consent of the customer) information on the application form that determines the risk of the applicant and with that the premium amount. For instance, young and very old drivers are considered a higher risk and will pay a higher premium. The same applies to the nationality of the driver. Being a member of certain associations (e.g., an automobile club) may result in a premium discount. The submission of applications with incorrect data results in insufficient premium for the insurer to cover the real risk, but more importantly, the insurer may refuse to pay a claim.

Investment Fraud

Some customers entrust their intermediaries with capital to invest in the insurer's investment products. These products can either be legitimate existing products or be artificially created (on paper only), promising high rates of return to entice customers to part with their money. The money, once received, is not forwarded to the insurer but retained by the intermediary. Although the insurer is ignorant of the fraud at the time, his reputation is likely to suffer. The customer almost certainly will have lost his capital.

Control Environment

Insurers can counter economic crime and minimize the risk of criminal transactions in the distribution channel through the use of preventive and detective controls.

Preventive Controls

Implement (or review) documented procedures for the appointment of new intermediaries. The procedures should include checklists for a proper due diligence and internal approval process. Sample due diligence checklist items include:

- Previous convictions of intermediary
- Professional experience
- Financial soundness
- Verification of previous employment, qualifications, training and sales records
- Reference checks against regulators' black lists and debt registers

For existing intermediaries execute:

- Regular sample due diligence checks to determine changes in criminal, sales, and financial records
- Regular checks against regulators' watch lists
- Check of financial distress

Consider second approval/counter signing by an independent individual to avoid conflict of interest.

Policies and renewal documents should be sent directly to the policyholder, not the intermediary.

Detective Controls

For early detection of criminal transactions, conduct regular monitoring of new business and carry out qualitative and quantitative analyses with a view to identifying changes in intermediaries' business profile. Red flags that may indicate potential fraud and justify a closer assessment include:

- Small insurance portfolio with large sums insured
- Premiums received and commission paid larger than expected for a given agent
- Sudden increase or drop in new business
- Churning of policies
- High number of policies with arrears of premium payments
- Sudden change of policy premiums being paid to unpaid
- High policy lapse rate
- High level of early cancellations or surrenders
- Policyholder address matches intermediary address
- Several policies issued for one policyholder
- Several policies issued to same policyholder address
- Information by policyholders that they did not apply for insurance coverage

In addition, look out for the following:

- First risk premium payment made by the intermediary rather than the policyholder
- Payments to policyholder made via the intermediary
- Frequent change of intermediary's address or bank details
- Frequent change in ownership of intermediary

Consider restricting commission exposure to intermediaries based on length of relationship and experience with each agent; any increases of agreed thresholds are to be formally reviewed and agreed.

Internal Crime

Like other organizations, insurance carriers will have their fair share of criminals within their ranks. Most crime schemes themselves are also common across industries and institutions. Nevertheless, a couple of those are pertinent to the insurance industry.

Internal Claims Fraud

While claims fraud tends mainly to be considered as being perpetrated against the insurer from the outside by policyholders, certain schemes are committed by insurance employees who have access to claims data. In some instances, for whatever reason, a customer has not claimed to be indemnified although he was entitled to. In the hope that the customer will not do so in the future, the insurance employee processes the claim as normal but directs the money into his own bank account.

The insurance employee may also invent claim events for existing customers and falsify documentation to get the go-ahead from his manager to generate claims payments. The money will then be transferred into his own bank account. He may also collude with some customers he is close to (e.g., friends or family members). Fake or exaggerated claims are processed and unjustified claims payments will be transferred into their bank accounts.

Another scheme involves the reopening of claims that have already been processed. The insurance employee fakes invoices for services by a third party (e.g., a car repair shop). The services were never rendered. Instead of forwarding the claims payment to the unsuspecting customer, he transfers the money into his own bank account.

Often, third parties are engaged by an insurer to indemnify the customer in case of an incident (e.g., a building company to repair damage to a house or a garage to repair the damage to a car). The insurance employee colludes with the third party and artificially inflates the amount of money needed to settle a claim. The employee shares in the fraudulent proceeds.

Salvage

In order to offset some of the cost of a claims settlement, the insurer sells the salvage goods. In the case of cars, these may be sold to scrap yards or garages. Sometimes when vehicles are stolen and the customer has been indemnified, the car may subsequently be recovered. The insurance employee will sell it to a friendly garage for a price that is substantially below the price that it would fetch when sold on to a normal buyer. The employee then shares in the proceeds once the car has been sold. Similarly, for cars that are written off, their scrap value is deliberately underestimated when sold to a friendly scrap dealer. The employee will be reimbursed by the buyer.

Control Environment

Insurers can counter economic crime and minimize the risk of criminal activities perpetrated by their own employees through the use of preventive and detective controls, such as:

- Conduct preemployment screening for new recruits and vet staff when promoted into sensitive positions; the extent of screening should be tailored.
- Execute management controls. These controls should first act as a deterrence and second detect economic crime.
- Run qualitative and quantitative analyses of management information (e.g., credit card expenses).
- Establish and monitor red flags that may indicate potential crime.

Identity Crime

Fraud schemes involving the impersonation of another individual have become a major issue over the last few years and this is expected to continue to increase. In essence, identity crime is the misuse of another individual's personal information to commit fraud. The process of identity crime can be divided into three distinct phases:

- First, a criminal will choose his victim and collect information that he will need to commit the crime. There are various means of doing so.
- Once the criminal has collected sufficient information, he will use this information to portray himself as the victim and commit the criminal act.
- Finally, the victim is left with the damage, which can take a long time to repair, while the criminal enjoys the proceeds of his crime.

The focus here will be on the first two phases of identity crime: the acquisition of the victim's personal information and the misuse of that information.

The methods for acquiring personal data are manifold and range from very simple ones, such as picking through household trash, to more sophisticated ways, such as:

- Social engineering. The criminal may contact various parties asking innocent questions and getting minute information in return. But that is what he is after; over time, the cumulative information is being used to impersonate the victim.
- Job applications. People apply for jobs (maybe online) and provide detailed information about themselves to someone they don't know. Some of these applications are being used by criminal organizations as a starting point to solicit additional information.
- Infiltration. In the recent past, a concern was raised that criminal organizations target, for instance, financial services organizations to place individuals in positions of trust who will then have access to customer information and pass these on.

The insurance provider has an obligation to prevent customer data from falling into the wrong hands. Any information about a customer may be used by a criminal to assume the identity of that customer and to commit a fraudulent act. Therefore, insurers need to ask themselves whether they do enough to prevent customer data from falling into the hands of criminals. How do they store their paper files? Are they locked away? Can outsiders enter their IT systems to access customer data? Do they destroy files and electronic devices containing customer data properly? Are electronic data carriers encrypted? Have they screened new recruits to avoid people with criminal affiliations having access to customer data? Have they trained their people, for instance in call centers, to be vigilant and to not disclose sensitive data?

In simple terms, crime schemes involving the impersonation of a customer fall into two broad categories: new account fraud and existing account fraud.

In the case of new account fraud, the identity thief uses personal information to open a new account in the victim's name. Insurance companies are most likely impacted by this through attempts of money laundering and terrorist financing. This topic is typically addressed by compliance.

In the case of existing account fraud, the identity thief uses personal information of the victim to take control of the victim's account. Life insurance companies in particular are targeted by criminals because of the large monetary value of customers' life insurance policies, pensions, or investment accounts. Once a fraudster has assumed the identity of a customer, he may divert the funds of the customer's account to his own personal bank account.

The negative consequences to the insurer are manifold and include, besides potential damage to reputation, also financial losses when they have to reimburse the victim. Add to this the likelihood of regulatory attention and it can easily be seen that it is in the insurer's best interest to have adequate controls in place to prevent identity fraud from being perpetrated.

Paramount is an adequate control environment. It is very important that call handlers are adequately trained and religiously follow policies and procedures. Anyone having contact with customers should be aware of behavioral patterns that may indicate a potential identity-related crime. A request to change a bank account in itself may be harmless; however, if this is followed shortly thereafter by a request to surrender the proceeds of a life insurance policy, alarm bells should ring. In these cases, additional procedures must be executed to verify that the requester is the actual customer.

A common element of identity fraud is a request from the fraudster to change the address. In this way, he can receive sensitive information that he will use to impersonate the customer. A simple way to detect fraudulent requests is to send a notification letter to the old and the new address, obviously without including policy information.

Finally, it is important to maintain the effectiveness of the control environment. The key here is to continue training staff, to monitor the adherence to existing policy and procedures, and to learn from mistakes.

The Economic Crime Framework

Important in the fight against economic crime is the development and implementation of a robust framework. Integral parts of the Economic Crime Framework at Zurich Financial Services are various components that support the effective prevention and detection of and the response to crime and fraud.

Adequate governance documents, in the form of an ethical policy and an anti-crime policy, are the fundamentals on which the execution of the group's anti-crime activities rests. This is complemented with active monitoring that policy requirements are being adhered to in all of Zurich's locations.

Improving the Control Environment

The key focus of Zurich is to improve its control environment as it relates to crime and fraud. This is being achieved through a continuous process of identifying where crime may be perpetrated. The risk of crime occurring in these areas is then assessed in terms of likelihood and severity, and will result in the formulation and implementation of improvement actions that will further improve the control environment.

Besides conducting crime risk assessments, another impetus to review the control environment stems from successfully perpetrated crimes. Once these incidents have come to Group Security's attention and have been investigated, a root cause analysis is performed to determine why this particular crime was not prevented or was not detected earlier. The findings will be used to further improve the control environment and help prevent similar events from occurring in the future.

Organizational Setup

In order to execute this process successfully across Zurich, Group Security works together with a network of anti-crime professionals. A small team of subject-matter experts at headquarters is charged with developing strategy, policy, and framework, and providing methodology. In each country Zurich operates in, Group Security engages anti-crime professionals who are required to execute the strategy and to implement policy requirements. Among these requirements are the running of awareness trainings, assessing risks of economic crime, executing anti-crime controls prescribed by Zurich's Internal Control Framework, the reporting of crime incidents, the vetting of personnel, and the monitoring of compliance with policy requirements.

Employee Crime Awareness Training

Like in other organizations, the discovery of many fraudulent activities is the result of tips. Customers and, more often than not, employees draw attention to crime or suspected crime. In order to foster the culture to come forward and report a crime, Zurich has set up an infrastructure to report any concerns and runs awareness trainings across the group.

Historically it was left up to the various countries whether they would provide awareness training and in what shape or form. In response to a global assessment that identified a lack of awareness training in some countries, Group Security developed, in close cooperation with the Compliance function, a training module that focuses on crime and fraud and is being run as part of a mandatory all-employee ethical training.

In addition to this ethics training, Group Security developed a Web-enabled awareness training solution and made this available to all Zurich entities. Countries without their own training packages are using this solution to fulfill their training requirements. In some countries fraud awareness training packages have been used for a long period of time and these locations are free to continue using their own awareness training as long as these meet minimum requirements.

Fraud Risk Questionnaire

As part of its Enterprise Risk Management, Zurich entities are required by policy to execute regular risk assessments of their operational processes. While fraud and crime risks have been considered during these operational risk assessments to some degree, it was not always done in a structured way. To help Zurich entities consider potential fraud risks in a consistent manner and ensure a thorough review of crime and fraud risk, Group Security developed the Fraud Risk Questionnaire. This is a tool that provides a comprehensive oversight of potential fraud risks in various operational areas of an insurance organization. It is programmed to suggest crime and fraud risk scenarios that risk managers should consider as part of operational risk assessment workshops. In addition to risk scenarios, it also suggests preventive/detective controls that may be deployed to mitigate an identified fraud risk.

Internal Controls

The execution of internal controls is essential to get a grip on crime and fraud. Without a system that documents what controls are to be executed by whom and when, the prevention of crime and fraud is left to chance. Zurich's processes operate within the Internal Control Framework that describes processes, their inherent risks and corresponding controls to mitigate those risks. As part of this overall control framework, Group Security documented minimum crime and fraud controls that must be executed by all Zurich entities.

Reporting

In order to know where to focus Zurich's scarce resources, Group Security strives to make transparent in which locations crime occurs and what type of crime is being committed. Therefore, Group Security has established a process to regularly collect crime and fraud statistics from all countries. The data, once received, is analyzed to determine trends and to find commonalities across countries. This information is used to produce the Economic Crime Report. Any insights from the analysis are shared with senior management, other governance functions, and also with the external auditor.

In addition to requesting statistical data, Group Zurich also demands to be informed immediately of incidents that meet predefined quantitative and/or qualitative criteria. These incidents are then analyzed and, when appropriate, escalated in various steps potentially up to the board of directors. The reporting of these incidents is also the basis for performing a thorough analysis of root causes and to determine controls to mitigate the risk of similar incidents in the future.

Preemployment Screening

Although subject to stringent regulations in some countries, vetting of new recruits should be part of every organization's arsenal against crime. In hindsight, some internal crime and fraud incidents could have been prevented if job applicants had been subjected to a thorough review of their history. The extent of preemployment screening conducted varies across Zurich and is limited partly because of national restrictions.

Monitoring Adherence

The best policy and associated guidelines will be a waste of time if they are not being adhered to. At Zurich, Group Security conducts regular monitoring to ensure policy requirements are complied with. This is done through an array of activities that ranges from requests for self-assessments, Group Security representatives visiting selected high-risk countries, to reviews by internal audit.
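The two identity-crime controls described under Identity Crime above, holding a surrender request that shortly follows a change of bank or address details, and notifying both the old and the new address of an address change without policy information, can be expressed as a check over the stream of customer service requests. This is an added example, not part of the original paper; the request fields, the 30-day window, the notice wording and the sample requests are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: "shortly thereafter" is read as 30 days; the paper gives no figure.
RISK_WINDOW = timedelta(days=30)
CONTACT_CHANGES = {"bank_change", "address_change"}

# The notice deliberately carries no policy number, product name or amount.
NOTICE_TEXT = ("A change of address was requested on a contract you hold with us. "
               "If you did not request this change, please contact us immediately.")


@dataclass(frozen=True)
class Request:
    when: datetime
    policy_id: str
    kind: str        # "bank_change", "address_change", "surrender", ...
    old: str = ""    # previous value (address or account), if any
    new: str = ""    # requested value


def screen_requests(requests):
    """Process requests in time order and return (holds, notifications).

    holds:          surrender requests that need additional verification of
                    the requester before any payout
    notifications:  letters to send to the old and the new address
    """
    changes = defaultdict(list)   # policy_id -> contact-detail changes seen so far
    holds, notifications = [], []

    for r in sorted(requests, key=lambda r: r.when):
        if r.kind in CONTACT_CHANGES:
            changes[r.policy_id].append(r)
            if r.kind == "address_change":
                # Both addresses are told, so the genuine customer learns of a
                # change he did not request.
                notifications += [{"to": a, "text": NOTICE_TEXT} for a in (r.old, r.new)]
        elif r.kind == "surrender":
            recent = [c for c in changes[r.policy_id]
                      if r.when - c.when <= RISK_WINDOW]
            if recent:
                holds.append({
                    "policy_id": r.policy_id,
                    "requested": r.when,
                    "triggers": [c.kind for c in recent],
                    "action": "verify_requester_before_payout",
                })
    return holds, notifications


# Constructed sample requests for three policies.
SAMPLE_REQUESTS = [
    Request(datetime(2024, 3, 1, 10, 0), "L-1001", "bank_change",
            old="ACCT-OLD-1", new="ACCT-NEW-1"),
    Request(datetime(2024, 3, 9, 15, 30), "L-1001", "surrender"),
    Request(datetime(2024, 1, 5, 9, 0), "L-2002", "address_change",
            old="1 Old Road", new="9 New Street"),
    Request(datetime(2024, 6, 20, 11, 0), "L-2002", "surrender"),
    Request(datetime(2024, 4, 2, 14, 0), "L-3003", "surrender"),
]

if __name__ == "__main__":
    held, letters = screen_requests(SAMPLE_REQUESTS)
    for h in held:
        print("HOLD", h)
    for n in letters:
        print("NOTIFY", n["to"])
```

A hold does not reject the surrender; it routes the request to the additional verification procedures before funds move.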