Staff are the major perpetrators of fraud on companies. Michael Imeson outlines the importance of sound operational risk policies and procedures in preventing, detecting and investigating internal fraud.

If you’re looking for a good example of bare-faced cheek, then look no further than Hong Kong this March. For there you will find Nick Leeson, the disgraced ex-Barings trader, plying his new trade as a keynote speaker at the Fraud, Oprisk and Security World Asia 2006 event.

Leeson will be talking about how he brought down Britain’s oldest merchant bank in 1995 with his illegal dealings in Singapore. The title of his presentation is “Understanding the Barings Bank disaster from the man who caused it”. Later, he’s taking part in a panel discussion on “How to control ambitious reward-focused employees when they are the engines of profit and subject to fraud opportunities”.

To be fair, Leeson has paid his dues, having served several years in a Singapore jail, lost his first wife and contracted colon cancer. He has since recovered from cancer, rebuilt his life and is living in Ireland. He wrote the book Rogue Trader (later turned into a film), remarried, is working as commercial manager of Galway United football club and is firmly established on the conference and after-dinner speaking circuit.

Not only that but he is also providing a valuable educational service to operational risk and compliance professionals in the financial services sector. When asked to name the most threatening type of risk to an organisation, risk and compliance managers nearly always say “people”. This includes staff committing deliberate fraud, but also making unintended errors in activities such as derivatives or forex trading, which they then try to cover up.

Nick Leeson is, of course, far from unique. Maybe the others are not yet making money from recounting their exploits, but it is worth mentioning a few of them:

  • Phillip Bennett, chief executive of Refco, the US brokerage, who was charged with fraud in October 2005.
  • John Rusnak, a trader at Allfirst in Baltimore, an Allied Irish Bank subsidiary, who lost the bank $631m in a foreign currency fraud in 2002.
  • Yasuo Hamanaka, a copper trader at Sumitomo, who, it was revealed in 1996, lost the company nearly $2bn over a 10-year period.
  • The directors of Bank of Credit and Commerce International (BCCI) – when the bank was closed down by international regulators in 1991 it owed £9.07bn.

High-profile corporate fraud has been one of the drivers of Basel II, the Sarbanes-Oxley Act and other measures, all of which seek to remedy the problem and force managers to learn more about how this particular form of risk affects their business.

It’s no use looking at it from a departmental or business unit perspective. An enterprise-wide approach to operational risk management is required, bringing together risk and security specialists throughout the organisation to create a seamless solution.

Brendon Young, chief executive of the Operational Risk Research Forum (ORRF), and founding president of the Institute of Operational Risk, says that most organisations are thought to lose an amount equivalent to 2%-5% of their annual turnover through fraud committed either by staff, customers or outsiders. “About four out of five frauds are committed by staff, and it is thought that over 25% of employees would become involved in fraudulent activity, given the opportunity,” he says.

“It is impossible to be precise about the true scale of the problem, but the World Bank has identified fraud and corruption as the greatest obstacles to economic and social development. They undermine growth and development by reducing available resources, distorting the rule of law and weakening the institutional foundations on which economic growth depends.”

Basel II

It is instructive to look at what the Basel II capital accord says about operational risk and internal fraud. “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” it says. It adds that any internal operational risk measurement system “must be consistent” with this definition and with the loss event types defined in Annex 7.

Annex 7 defines seven categories of loss event:

  • Internal fraud.
  • External fraud.
  • Employment practices and workplace safety.
  • Clients, products and business practices.
  • Damage to physical assets.
  • Business disruption and systems failures.
  • Execution, delivery and process management.

So, having defined operational risk and broken it down into its various types, Basel II is precise about how these risks should be measured and how capital should be allocated against them. It gives banks a choice of three approaches: the Basic Indicator Approach, the Standardised Approach and the Advanced Measurement Approach.

Financial Services Authority

In Europe, the Capital Requirements Directive (CRD) will transpose the Basel II guidelines into EU law, and then it will be up to national banking supervisors to set the precise rules for their banks. In the UK for instance, the Financial Services Authority (FSA) is already taking applications from banks that want to use the more advanced operational and credit risk approaches.

However, the FSA is doing more to combat fraud than rely on CRD operational risk requirements. It has a financial crime unit and runs an annual conference on the subject. Callum McCarthy, the FSA’s chairman, pointed out at the latest event, in November 2005, that reducing financial crime is one of the authority’s four statutory objectives.

“We expect firms to recognise that financial crime risk is one aspect, and an important aspect, of business risk, and to manage it accordingly,” said Mr McCarthy. “That means senior management ensuring that their firm identifies the financial crime risks associated with the type of business they do, the parts of the world where they operate, and those specific to the firm itself. It means senior management ensuring that they have systems and controls in place to mitigate the risks they have identified, with clear accountabilities for the day-to-day management of those risks, and appropriate reporting to top management and the board.”

He stressed that financial crime risk should not be regarded as something to be dealt with entirely by the compliance function, but should be a senior management responsibility.

On staff fraud, Mr McCarthy said the FSA was working with industry groups on the issue, and that it was something that had been highlighted as a growing risk by law enforcement agencies in recent months. “Many of us will have read press stories about approaches made by criminal gangs to staff,” he said. “There is increasing evidence that organised criminal groups are placing their own people in financial services firms so that they can increase their knowledge of firms’ systems and controls and thus learn how to circumvent them to commit their frauds.”

He said it was important that banks, the FSA and law enforcement agencies should be able to share data between themselves, but that UK data protection laws made that difficult. This was an irony that was not lost on his audience – a major regulator complaining about someone else’s excessive red tape – and Mr McCarthy said a “resolution to the problem” was being sought.

The FSA has just started rolling out a financial crime training package for its staff, which includes a module on fraud. An adapted version of the computer-based element of the package will be made available to banks and other financial organisations to use as part of their own staff training.

Philip Robinson, the FSA’s financial crime sector leader, outlined how the Association for Payment Clearing Services (APACS) is leading an initiative on staff fraud in which the FSA and other organisations are involved. The objective is “to start collecting reliable data on internal fraud and to identify and disseminate best practice for combating it,” said Mr Robinson.

He added that Cifas, the UK’s fraud prevention service, “is looking at how better to share data about staff dismissed for reasons connected with dishonesty”, which presumably depends on the data protection problems highlighted by Mr McCarthy being resolved.

An IT solution to insider fraud

“Well-executed fraud or money laundering operations, run from inside the business, can severely damage or destroy even the largest company,” says David Porter, head of security and risk at IT consultancy Detica. One of the company’s specialisms is helping organisations prevent and detect employee fraud.

“The statistics on internal fraud are startling. For some organisations it is estimated that the cost can be as high as 6% of turnover. The role of chance in the discovery of fraud is telling in itself, and the number of reported cases is likely to be the tip of a large iceberg.

“Tackling internal fraud is high on the political agenda, with the FSA in the UK and the Securities and Exchange Commission in the US both setting down specific requirements for companies to deal with the issue. Over and above this, the Basel II accord is laying down tough requirements for banks on this matter.”

Mr Porter says technology has a key role to play in demonstrating good corporate governance and fraud prevention. “In the long term, regulatory bodies will look favourably on companies that are able to demonstrate good corporate governance and best practice operational risk management. Technology, judiciously selected and innovatively applied, will be key to achieving this. Management and staff of such companies will then spend less time worrying about regulations and more time adding value to their brand and business.”

Internal fraud prevention measures are based on controls that reduce the opportunity for unauthorised use of corporate resources, including perimeter defence technology such as firewalls, e-mail scanners and identity card access. They are also based on “softer” procedures, such as recruitment screening and training.

Internal fraud detection measures are based on controls that alert security staff to the fact that a fraud has been committed, such as automated detection systems that look for suspicious behaviour, authorisation processes, internal auditing and whistleblower hotlines.

Much of this detection activity can now be handled by intelligent analysis engines that use advanced data warehousing and analytics techniques. These systems take in audit trails from key systems around the company and personnel records from the human resources and finance departments.

“The data is then enriched with further details and stored in a data warehouse. It is then subjected to advanced analytical techniques that detect anomalous patterns that may need investigation, such as excessive hours worked by staff, deviations in patterns of behaviour from other employees in similar roles, copying large amounts of data, attempts to over-ride controls, unusual transactions and inadequate documentation about a transaction. Information from any investigation is fed back into the detection system, so it learns.

“Most insiders work in collusion with organised criminals on the outside. Hence, while insider profiling is important, organisations also need to stand back, join the dots and look for wider patterns of criminal networks – like spotting constellations in the night sky.”
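The detection pipeline Mr Porter describes (audit trails joined with HR records, peer-group comparison, rules for control overrides and a feedback loop from investigations) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Detica's engine or any vendor's product: the employee names, the CSV layout of the audit trail, the HR role table, the z-score threshold and the override rule are all constructed assumptions, and the log lines are made up to show one trader whose hours, data exports and limit-override attempts stand out from peers in the same role.

```python
"""Peer-group insider anomaly detection over audit-trail and HR data.

Added example for this article (not Detica's or any product's code). It
joins constructed audit-trail lines with a constructed HR role table,
builds a per-employee activity profile, compares each employee with peers
in the same role, applies an absolute rule for control-override attempts
and suppresses alerts that an earlier investigation cleared.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed HR extract (assumed schema): employee -> role.
HR_ROLES = {
    "alice": "fx_trader", "bob": "fx_trader", "carol": "fx_trader", "dave": "fx_trader",
    "erin": "settlements", "frank": "settlements", "grace": "settlements",
}

# Constructed audit-trail lines (assumed CSV layout): date,user,system,event,value
AUDIT_LOG = """\
2006-03-06,alice,timesheet,hours_logged,9
2006-03-07,alice,timesheet,hours_logged,10
2006-03-06,alice,reporting,records_exported,20
2006-03-07,alice,reporting,records_exported,30
2006-03-06,bob,timesheet,hours_logged,9
2006-03-07,bob,timesheet,hours_logged,8
2006-03-06,bob,reporting,records_exported,30
2006-03-07,bob,reporting,records_exported,20
2006-03-06,carol,timesheet,hours_logged,8
2006-03-07,carol,timesheet,hours_logged,9
2006-03-06,carol,reporting,records_exported,25
2006-03-07,carol,reporting,records_exported,25
2006-03-06,dave,timesheet,hours_logged,15
2006-03-07,dave,timesheet,hours_logged,16
2006-03-06,dave,reporting,records_exported,400
2006-03-07,dave,reporting,records_exported,900
2006-03-06,dave,trading,limit_override_attempt,2
2006-03-07,dave,trading,limit_override_attempt,1
2006-03-06,erin,timesheet,hours_logged,8
2006-03-06,erin,reporting,records_exported,10
2006-03-06,frank,timesheet,hours_logged,7
2006-03-06,frank,reporting,records_exported,10
2006-03-06,grace,timesheet,hours_logged,13
2006-03-06,grace,reporting,records_exported,10
"""

# Features where a high value relative to peers is suspicious (assumed).
PEER_FEATURES = ("hours_logged", "records_exported", "limit_override_attempt")
# Features that fire on their own once the total reaches the threshold (assumed).
ABSOLUTE_RULES = {"limit_override_attempt": 1}


@dataclass(frozen=True)
class Alert:
    user: str
    feature: str
    value: float
    reason: str


def parse_audit_log(text):
    """Return (user, event, value) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        _date, user, _system, event, value = parts
        try:
            events.append((user, event, float(value)))
        except ValueError:
            continue
    return events


def build_profiles(events):
    """Aggregate per-user totals per event type (the warehouse 'enrichment' step)."""
    profiles = defaultdict(lambda: defaultdict(float))
    for user, event, value in events:
        profiles[user][event] += value
    return profiles


def peer_deviation(value, peer_values):
    """Leave-one-out z-score: the subject is excluded from its own baseline so
    one outlier cannot widen the spread it is measured against. The floor on
    the spread avoids division by zero and stops tiny peer groups firing on noise."""
    if not peer_values:
        return 0.0
    baseline = mean(peer_values)
    spread = max(pstdev(peer_values), 0.25 * abs(baseline), 1.0)
    return (value - baseline) / spread


def detect(profiles, hr_roles, cleared=frozenset(), z_threshold=2.0):
    """Produce alerts; (user, feature) pairs in `cleared` were investigated and
    found legitimate, so they are suppressed (the feedback loop)."""
    by_role = defaultdict(list)
    for user, role in hr_roles.items():
        by_role[role].append(user)
    alerts = []
    for user, role in hr_roles.items():
        profile = profiles.get(user, {})
        for feature in PEER_FEATURES:
            if (user, feature) in cleared:
                continue
            value = profile.get(feature, 0.0)
            if feature in ABSOLUTE_RULES and value >= ABSOLUTE_RULES[feature]:
                alerts.append(Alert(user, feature, value, "absolute rule"))
                continue
            peers = [profiles.get(p, {}).get(feature, 0.0) for p in by_role[role] if p != user]
            z = peer_deviation(value, peers)
            if z > z_threshold:
                alerts.append(Alert(user, feature, value, f"peer z={z:.1f}"))
    return alerts


def run_example():
    """First pass, then a second pass after an investigation cleared grace's hours."""
    profiles = build_profiles(parse_audit_log(AUDIT_LOG))
    first_pass = detect(profiles, HR_ROLES)
    cleared = frozenset({("grace", "hours_logged")})  # authorised month-end overtime
    second_pass = detect(profiles, HR_ROLES, cleared=cleared)
    return first_pass, second_pass


if __name__ == "__main__":
    for label, alerts in zip(("first pass", "after feedback"), run_example()):
        print(label)
        for a in alerts:
            print(f"  {a.user:6} {a.feature:24} {a.value:8.1f}  {a.reason}")
```

The leave-one-out baseline matters with the small peer groups typical of a trading desk: if the outlier is included in its own baseline, a group of four can never produce a z-score above about 1.7, and the very behaviour the system exists to catch would inflate the normal range. The `cleared` set is the simplest form of the feedback Mr Porter mentions; a real engine would also adjust thresholds and weights from confirmed cases.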

No system is perfect

If that all sounds too good to be true, that’s because it is. No fraud prevention, detection or investigation system is perfect. “The best frauds are never discovered,” says Brendon Young of the Operational Risk Research Forum.

“It’s bad enough reading about the ones we know of. But it’s even more alarming when you consider how many more there are likely to be that we don’t know of. Measuring fraud risk with any degree of accuracy is at best difficult if not impossible, despite the requirements of Basel II.”

However, if you take an enterprise-wide approach to operational risk management – one that brings together risk, security, compliance and IT specialists from across the organisation to create a seamless solution – you will vastly increase your success rate in the fight against internal fraud.

As Mr Young says: “Prevention is certainly the best approach and this begins with corporate governance culture and ethics, the responsibility for which rests with the board.”
