For years as a fraud advisor, I would attend bank risk management steering committee meetings and ask this question first: “Who is laid off if the fraud losses go up?” It would amuse me when fingers would start to point at colleagues and it would draw a chuckle throughout the room. The general tone was “not me!” In fact, most of the time I would find that many risk executives, including the CEO, were a bit naive about fraud in their organizations and so they often became the unwitting protégés of the “fraud” risk director, learning from these experts about fraud risks their organization faced.
But things have changed a lot in the past few years and fraud is no longer a laughing matter. Think the fingers have stopped pointing? This week, a bank CEO “resigned” over a “1 Billion Dollar Heist” that might have been stopped had there been a better fraud risk strategy in place.
The former CEO might have missed those mentoring sessions with the fraud team, and he also might have benefited from knowing some of the basic rules of fraud strategy and planning:
- Fraud losses today do not predict your fraud losses of tomorrow. Threats change, the speed of money movement changes, as do products, people, the environment and the economy. Stay on top of change, or you will be in trouble down the road.
- The fraudsters’ mindset has become increasingly sophisticated, if not a bit scary. Their access to an organization’s processes and procedures has deepened. In this digital world, think global as you arm yourself for attacks.
- It takes people, process and technology together to prevent, detect and protect institutions and their customers. The cyber fraud SME is invaluable. Get yourself a team of these guys!
- There is no silver bullet. The boardroom cannot expect that a one-time investment for fraud will do the trick. Manage their expectations and help them understand the costs – and the costs of not doing something. Leveraging that investment is key, but ongoing evaluation of a cyber-fraud strategy and roadmap is no longer optional; it is a mission-critical need. If you can, counsel the board to add a cyber expert to the table when the next seat opens up.
- Cyber-fraud catastrophic loss stress testing is a strategic component of the bank’s gap analysis routine. This process ensures that the right tools and scoring algorithms are there to detect a possible large loss or catastrophic attack. Banks have many kinds of stress testing, so the concept is not unfamiliar. Add this one to your list of action items.
Sadly, I don’t think this is the last time we will hear of a C-level executive’s position being affected due to a lack of a robust cyber-fraud risk strategy, vision and roadmap investment. My advice to any C-level executive reading this blog is to have a strategic, internal cyber-fraud conversation – and follow up with staffing and sufficient budget to support a successful execution.