Fraud attacks force firms to improve risk management

But these improvements are relatively recent and firms can go further to protect themselves and their customers from fraud.

The report looked at how senior management is tackling fraud risk in 16 mainly larger financial services groups.

It found that CEOs or other senior figures generally recognise that the increasing threat of fraud needs to be managed in a more effective and integrated way.

The report notes several areas where firms need to work harder. Firms are encouraged to collect more detailed and accurate data and invest in systems and controls to detect mounting fraud threats at an early stage. Without this, some firms are currently not in a position to adequately assess where and why they are at risk from fraud.

Philip Robinson, financial crime sector leader at the FSA, said:

"A robust fraud strategy is one that is sponsored at the highest level within a firm and embedded within the culture. While the larger firms have been forced to wake up to fraud, those that have so far remained outside the fraudsters' radar are not as developed. Fraud threats are dynamic and fraudsters constantly devise new techniques to exploit the easiest target. Firms need to continue to invest in systems and controls and manage their responses to fraud in order to avoid being targeted as the weakest link."

The report found firms that underinvested in anti-fraud measures tended to suffer relatively high levels of losses. Investment in systems and a focus on robust anti-fraud operational processes, which are embedded in business units, are key to improvements in fighting fraud.

Where firms are getting better at identifying, assessing, mitigating and reporting fraud risk, this is a recent improvement and needs to be sustained. Only a handful of firms were found to be developing formal risk assessment processes and, as a result, firms tended to respond to fraud in an incident-driven manner. In particular, the report warns smaller firms to analyse their vulnerability to attack and consider the threats to their business in a structured way because the impact of an attack or series of fraud events could be particularly damaging.

The report noted some unclear or inappropriate allocation of anti-fraud responsibilities within firms. For example, accountability in individual roles was not always clearly defined and responsibility may be de-prioritised in favour of other business needs. There is increased co-operation within the industry, and firms see this as critical to the success of anti-fraud measures. There was particular support for the lead taken by some trade associations and initiatives such as information sharing between firms.

Insider fraud - whether arising from collusion, coercion, infiltration or existing employee action - was cited by firms as one of the most serious threats. The most common example offered by firms was incidents of staff being approached outside work and offered money to sell confidential information.

To counter this rising threat firms have tightened their employee vetting procedures. The intensity of vetting varied between firms but did not always apply to both temporary and permanent staff. One firm applied seven levels of screening with the degree of due diligence tailored towards the seniority of the role. Another firm stated that 8% of potential hires were rejected after vetting.

The report found evidence of competing priorities between fraud mitigation and customer experience. Firms were found to be wary of putting customers off by implementing protective measures that risk causing inconvenience to them over and above what their competitors do. Firms recognise that customer education and awareness is vital to reduce fraud, but they should ensure that sufficient resources are applied to these areas.