Recently, the Office of the Comptroller of the Currency (OCC) issued a bulletin (OCC Bulletin 2019-37) outlining best practices for Fraud Risk Management Principles. The bulletin addressed an overarching framework that the OCC sees as best practices for risk management principles in the following areas:
- Corporate governance practices
- A comprehensive risk management system including: policies, procedures, personnel and controls that identify, monitor, measure and control fraud risk that is consistent with the bank's size, complexity and risk profile
- Prevention and detection of fraud
- Appropriate responses to fraud events
- Risk assessment of fraud schemes by bank management
- Active monitoring and understanding of fraud losses and appropriate tools
- Control reviews and audits that include fraud risk
Although the advisory is somewhat of a compilation of other bulletins and guidance that the OCC has sent out in the past, this latest issuance really lays the foundation for its expectations for an overall fraud framework that follows risk assessment principles. The bulletin emphasizes a sound corporate culture that discourages "imprudent risk-taking, incentives or requirements to meet financial goals." Pulling together previous bulletins and advisory letters, this latest version even calls out sections from the BSA/AML exam manual.
Overall, the guidance addresses the requirements for a sound approach to fraud risk management consistent with the risk assessment and risk profile of the bank. The guidance prescribes a framework very strongly aligned with the AML/BSA compliance and risk management framework.
While many banks have much of this framework in place today, there are some that do not have all the pieces prescribed in the bulletin. Creating a separate risk management framework for fraud in mid-size and smaller banks could cause challenges in duplication of structure and resources. The idea of creating a combined unit with a Financial Intelligence Unit (FIU) seems more practical than ever with this new bulletin. The "convergence" option is certainly not new in financial services. This bulletin gives us an opportunity to create new synergies by leveraging the existing AML framework to manage the fraud risk of an institution as well. Leveraging the risk assessment, governance, reporting, audit and even systems to streamline these processes between fraud and AML also just makes sense, as does using the 314(b) information sharing capabilities for fraud use cases.
While there are certainly differences in the operations side of fraud and AML, they can be summed up quickly. The major differences between fraud and AML are the direction of the funds' flow and timing. From a simplistic view, fraudsters are trying to get the money out of the bank and launderers are trying to get it in. Fraud must operate in a near-real-time environment, while AML is post-transaction. But while fraud needs to respond quickly, mitigate risk and recover funds, AML needs to dive a bit deeper into the source of funds, determine the purpose of the incoming funds, and look for signs of illicit source.
The two worlds of AML and fraud are different sides of the same coin. Make no mistake that the transnational criminal organizations that we see use both worlds as mechanisms to continue their cause. Fraud is the revenue generation stage, but it must be moved into laundering for them to utilize the funds. There is no separation of types of financial crime for the criminals. Criminals travel fluently between these two domains and use them to their advantage. Anything that we do within our financial institutions that limits the view or the communication between units gives the criminals an advantage. Let's use this opportunity to better connect our fraud and AML units. Doing so allows us to follow the money more clearly through both phases of financial crime.
This new bulletin does not say that a financial institution "must" converge its units, but much of the infrastructure addressed already exists within bank governance today – so why not think about how to move these two interrelated groups closer together? This is a great opportunity to streamline and align these two areas within a financial services organization, even when it might not lead to complete and total convergence. Providing a clear and unobstructed view and communication between fraud and AML operations will help identify and disrupt criminal organizations and better protect our customers and our institutions more completely than ever before. The OCC has laid out an interesting agenda, one which I think financial institutions might wish to consider in their ever-vigilant fight against fraud.