The Fraud Risk Assessment: a key piece in the fraud risk management puzzle

Christopher Cowin, Director

The rapidly increasing integration of technology into the day-to-day operations of the Financial Services (FS) industry has made interacting with customers much easier, but has also opened up multiple points of access for fraudsters.

FS firms are consequently under increasing pressure to manage fraud risk effectively so as to minimise the fraud perpetrated against them. Meanwhile, new regulation in the UK, such as the Senior Managers and Certification Regime (“SMCR”), requires senior management to identify and manage risks, which in turn requires them to conduct fraud risk assessments.

Senior managers who are accountable for preventing financial crime are ultimately responsible for ensuring that effective fraud risk assessments are carried out and that the results are acted upon. Yet according to PwC’s Global Economic Crime Survey 2016, 1 in 5 respondents had never carried out a fraud risk assessment, and many of those that had treated it as a “tick-box” compliance exercise.

Why undertake a fraud risk assessment?

The Financial Conduct Authority expects firms to “consider the full implications of the breadth of fraud risks” they face. At the same time, the regulator has been highlighting the need for firms to operate a risk-based approach. Such an approach depends on adequate risk assessments, whose output dictates how strict the control environment needs to be.

Managing fraud risk is not just a compliance issue. Fraud risk is a business risk with a direct impact on a firm’s profitability, and failure to undertake regular fraud risk assessments can lead to severe financial and reputational damage.

Getting the fraud risk assessment approach right

Firms often fail to incorporate fraud into their overall risk management strategy, instead undertaking one-off fraud risk assessments. Without the bigger picture of the firm’s overall risk landscape, it is hard to make decisions about the fraud programme. This is why FS firms need to integrate fraud, including fraud risk assessments, into their overall risk management programmes. An added benefit is that this often increases operational effectiveness and reduces cost by leveraging the wider financial crime control framework.

This is not enough on its own, though. FS firms also need to conduct regular fraud-specific risk assessments, at least once a year, to give senior management the information they need to understand the scope of fraud risk and calibrate the control environment accordingly.

A robust fraud risk assessment includes:

  • Identification of the inherent fraud risks, based on historic and emerging trends
  • Estimation of the severity and likelihood of fraud attacks, together with a register of the mitigating controls currently in place
  • Assessment of the residual fraud risks given the current controls, with recommendations for adjustments to the control framework

When conducting a fraud risk assessment, FS firms should consider how the outcome of the assessment links to their overall risk appetite and strategy.

Next steps – adjusting the control framework

As mentioned earlier, it is easy for a fraud risk assessment to become a “tick-box” exercise. To prevent this, firms should use the outcome of the assessment to adjust their anti-fraud controls so that they adequately address the identified risks and bring the overall residual fraud risk within the firm’s risk appetite.
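To make the three steps above (inherent risk, controls, residual risk) and the risk-appetite comparison concrete, here is a small fraud risk register model. It is an added illustration, not PwC's or the author's methodology: the article prescribes no scoring scheme, so the 5x5 likelihood/severity scale, the multiplicative control-effectiveness model, the appetite threshold and the three sample fraud scenarios are all assumptions constructed for this example. Its one useful property is that it forces every scenario's residual score to be compared against an explicit appetite, which is exactly the check that separates a working assessment from a tick-box one.

```python
"""Toy fraud risk register: inherent risk -> controls -> residual risk -> appetite check.

Assumptions for this illustration (the article defines none of these):
  - likelihood and severity are scored 1..5, inherent score = likelihood x severity (1..25)
  - each control removes a judged fraction of whatever risk remains (multiplicative)
  - residual score is compared against a single numeric risk appetite
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of remaining risk this control is judged to remove, 0..1


@dataclass
class FraudScenario:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are considered."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError(f"{self.name}: likelihood/severity must be 1..5")
        return self.likelihood * self.severity

    def residual_score(self) -> float:
        """Risk left after each control strips its share of what remains."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be 0..1")
            remaining *= 1.0 - c.effectiveness
        return self.inherent_score() * remaining


def assess(scenarios: list[FraudScenario], appetite: float) -> list[dict]:
    """One register row per scenario, highest residual first, flagged against appetite."""
    rows = []
    for s in scenarios:
        residual = s.residual_score()
        rows.append({
            "scenario": s.name,
            "inherent": s.inherent_score(),
            "controls": [c.name for c in s.controls],
            "residual": round(residual, 2),
            "within_appetite": residual <= appetite,
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def controls_needed(scenarios: list[FraudScenario], appetite: float) -> list[str]:
    """Scenarios whose residual risk exceeds appetite: these drive control-framework changes."""
    return [r["scenario"] for r in assess(scenarios, appetite) if not r["within_appetite"]]


# Constructed sample register (illustrative values only).
SAMPLE_SCENARIOS = [
    FraudScenario("Account takeover via phishing", likelihood=4, severity=4,
                  controls=[Control("Customer MFA", 0.6),
                            Control("Login anomaly monitoring", 0.5)]),
    FraudScenario("Internal payment diversion", likelihood=2, severity=5,
                  controls=[Control("Dual authorisation of payments", 0.7)]),
    FraudScenario("Synthetic identity fraud at onboarding", likelihood=3, severity=3),
]
SAMPLE_APPETITE = 4.0  # assumed board-approved residual-risk ceiling per scenario


if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS, SAMPLE_APPETITE):
        flag = "OK " if row["within_appetite"] else "ACT"
        print(f"{flag} {row['scenario']:<42} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5}")
    print("Control changes required for:", controls_needed(SAMPLE_SCENARIOS, SAMPLE_APPETITE))
```

Run as a script it prints the register with the uncontrolled onboarding scenario flagged for action, which is the "next step" the article describes: the assessment output feeds a decision to add or strengthen controls until every scenario sits within appetite. Real assessments would replace the invented scores with ones drawn from the firm's loss history and emerging-threat intelligence, and would document the rationale for each control's effectiveness rating.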

Whilst undertaking a fraud risk assessment may not immediately stand out as an urgent or high priority item on the “To Do” list of many FS firms, it is a key piece of the fraud risk management puzzle, without which the picture cannot be complete.
