What are the Counter Fraud Fundamentals?

UK consumers are expected to spend a total of £9.42 million over the upcoming Black Friday weekend, and police are warning shoppers to be vigilant about scam online shopping bargains. According to the National Crime Agency, fraud is now the most prevalent type of crime in England and Wales and a significant and rising problem for businesses.

The 2017 Annual Fraud Indicator estimated fraud losses to the UK at around £190 billion every year, with the private sector hit hardest, losing around £140 billion.

Research carried out on behalf of Barclays bank in 2019 found that almost one in four businesses had fallen victim to fraud in the last 12 months, and during the lockdowns of 2020, it was found that impersonation scams increased by 79% as fraudsters capitalised on businesses working from home.

Although business owners are advised to implement the essential steps to prevent, detect and report fraud, many have limited resources and are still dealing with issues related to the pandemic. With this in mind, survival and growth may be a priority rather than due diligence and risk controls. Could this mindset leave SMEs vulnerable to fraud? What are the different kinds of fraud that businesses face, and what steps can they take to fight it?

Business fraud is simply the intent or the act of misrepresentation – fraudsters lying about themselves or their actions and service to steal money or information. It is important that an organisation recognises that fraud can come from anywhere: from third parties that aren’t connected to the business, from its customers, from its supply chain and even from its own staff members. It is widely recognised that up to 90% of fraud is now “cyber enabled”, which means fraudsters have increased the scale and reach of their crimes through the use of computers. While it’s true that good cyber security can mitigate a large volume of online fraud, it is just one tool in a multi-tool approach. Fraud remains very much a people problem, and this is why awareness, staff training and monitoring are crucial for counter fraud, as well as having policies and strategies in place to prevent and detect crime. Nobody can provide a single solution to prevent all business fraud, but organisations can help themselves by using controls to reduce the risk of fraud.

The Counter-Fraud Fundamentals (CFF) certification scheme was developed by a team of counter fraud experts in a collaboration between IASME and the Open Banking Implementation Entity. The CFF scheme is an ideal way for any organisation dealing with financial transactions to prove to their customers and supply chain that they take their responsibility to combat fraud seriously and have the fundamentals in place regarding fraud detection, prevention and investigation. In this article, we will break down what those counter fraud measures involve to discover how it is possible to mitigate fraud.

What are the counter fraud fundamentals for managing fraud within an organisation?

The Counter Fraud Fundamentals scheme identifies the controls an organisation can implement to help address and reduce the risk of fraud.

Assessing the fraud risks in your business

Businesses can start by making an asset register to identify and document all assets, including software and intellectual property. Once this has been completed, it is easier to identify which assets would cause the most damage to the business if impacted by fraud. This review can be completed as part of a risk assessment process, which then involves considering all the fraud risks and practical steps to reduce those risks.

Once the risks associated with fraud are better understood, an estimate of the financial impact of each risk should be made. To do this, the organisation will consider the frequency and potential loss that could be incurred for each risk. The combination of frequency and potential loss gives the company the estimate of the financial impact. Results from this exercise help to place the fraud risks in the context of the business's resilience and how much loss that business could afford to make.

Risk appetite is an agreed level of fraud risk willing to be accepted by the company in order to achieve its strategic objectives. This may change over the life of a business. For example, if the company is in a growth stage, the board may make a conscious decision to accept a higher level of risk to enable faster growth for that timeframe. It is important that the level of risk appetite is discussed and agreed by the board once the risk assessment and associated financial impact are understood.

It is recommended that a company assigns the day-to-day responsibilities of counter fraud to a named individual within the company, but the final responsibility for counter fraud will sit with the board.

Tracking and Monitoring

Processes to track and monitor the actions of staff and customers create a clear audit trail of access and activity. Many IT system logs can show when individuals sign in and out and what activity they undertook while signed in, by date and time. The level of this visibility depends on the functionality of the systems used by the company, but they help to monitor and identify first person fraud (when the customer or supplier defrauds the company).

If the company monitors transactions and/or customer accounts, it will be able to better identify suspicious activity. It can then potentially identify third-party fraud (fraud conducted by an individual who uses another person’s identity or personal details to take over their account without consent).

Not all IT systems have the functionality needed to monitor activity, and so it is important to consider this when selecting the technology used in the business. Suitable systems might include continuous monitoring tools, investigation tools and data analytical software. Some of these tools will require a high level of IT expertise, and so a balance between effective monitoring, ease of set-up and simple reporting should be considered. These tools will help a company identify log-ons from suspicious devices, multiple password resets, and invalid invoices.
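As an illustration of the monitoring described above, the following added example (not part of the CFF scheme or any vendor tool) scans a small audit trail for two of the signals mentioned: a log-on from a device not previously seen for that user, and several password resets in a short period. The event format, the field names and the threshold of three resets within one hour are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, action, device_id).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "login", "dev-A1"),
    ("2024-03-02T09:05:00", "alice", "login", "dev-A1"),
    ("2024-03-03T02:14:00", "alice", "login", "dev-Z9"),
    ("2024-03-01T10:00:00", "bob", "login", "dev-B1"),
    ("2024-03-04T11:00:00", "bob", "password_reset", "dev-B1"),
    ("2024-03-04T11:20:00", "bob", "password_reset", "dev-B1"),
    ("2024-03-04T11:45:00", "bob", "password_reset", "dev-B1"),
    ("2024-03-05T08:30:00", "carol", "login", "dev-C1"),
    ("2024-03-09T08:30:00", "carol", "password_reset", "dev-C1"),
]

RESET_LIMIT = 3                    # assumed threshold
RESET_WINDOW = timedelta(hours=1)  # assumed look-back period


def find_alerts(events, reset_limit=RESET_LIMIT, window=RESET_WINDOW):
    """Return (timestamp, user, alert_type, device) tuples in time order."""
    known_devices = defaultdict(set)   # user -> devices seen so far
    recent_resets = defaultdict(list)  # user -> reset times inside the window
    alerts = []
    for ts, user, action, device in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if action == "login":
            # The first device seen for a user is treated as the baseline.
            if known_devices[user] and device not in known_devices[user]:
                alerts.append((ts, user, "new_device", device))
            # Remember the device so the same one does not alert on every log-on.
            known_devices[user].add(device)
        elif action == "password_reset":
            resets = [t for t in recent_resets[user] if when - t <= window]
            resets.append(when)
            recent_resets[user] = resets
            # Alert once, at the moment the threshold is reached.
            if len(resets) == reset_limit:
                alerts.append((ts, user, "reset_burst", device))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Each alert is a prompt for a person to review the account, which fits the article's point that monitoring supports, rather than replaces, staff awareness.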

Onboarding, background checks and training

Fraud committed by members of staff often involves the misuse of funds or the manipulation of profit and loss figures, where individuals overstate expenses or understate income. Discrepancies can be small and difficult to spot but, when allowed to occur undetected over a long period, have the potential to lead to huge losses. Other internal threats can be more purposeful. For example, senior managers might take unauthorised action on purpose and use their trusted position to steal money from the organisation.

To manage these threats, business owners must be aware of the indicators which suggest fraud, such as changes in cash flow patterns, stock shrinkage, customer complaints and variations in accounting ratios. All staff should be made aware of a whistleblowing policy, so that they know they will not suffer consequences if they report fraud by a colleague or manager.

As a business grows, new members will join the team and it is essential to ensure proper background checks are conducted and references are taken up. Other preventative measures with new staff might include limiting their access to sensitive and confidential documents.

External threats

Businesses must also remain vigilant to external threats such as supplier fraud, data breaches and cyber attacks. Due diligence is crucial when completing credit and background checks on customers or potential suppliers. Reviews should check if the customer is who they say they are and, where possible, validate the information with a third party. Checks should aim to establish if the supplier, or anyone associated with them, has committed fraud in the past.

Providing staff training and awareness of fraud, and especially of the use and access of protected data, will help them to recognise fraud and reduce the risk of common fraud scams. The five technical cyber security controls integral to the Government-approved scheme, Cyber Essentials, have been shown to help protect businesses against the majority of commodity cyber attacks.

Reporting fraud concerns

Fundamental counter fraud measures include facilitating the reporting of fraud both from within the company and from customers. This includes the staff whistleblower process mentioned above, but also a way for customers to report concerns.

Communication and Training

Once a company has a fraud policy, it must be clearly communicated to all members of staff and contractors. The company might run fraud education and awareness campaigns to help customers, staff and suppliers increase their awareness and knowledge about fraud. In addition, there needs to be specialist fraud training for staff in privileged positions (e.g. those dealing with finance).

Procedures to deal with fraud appropriately

The organisation should have a process to contact customers when there is suspected fraud on their accounts. It is also recommended that the company actively participates in obtaining and sharing fraud intelligence with the wider community and its peers.

It is increasingly common for impersonator websites, domain names and apps to be created to defraud a company and its clients. A company should regularly monitor to ensure this has not happened and be familiar with the processes to remove such fraudulent sites. In some cases a fraud attempt will result in a criminal investigation, and so companies should consider how best to meet the requirements needed for criminal standard investigations.
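One way to carry out the regular check for impersonator domain names described above, shown as an added example that is not part of the CFF scheme: compare newly seen registered domains against the company's own domain after folding common look-alike characters. The brand domain, the observed list and the character map are constructed assumptions, and each input is assumed to be a registered domain whose first label is the registered name.

```python
import unicodedata

# Hypothetical company domain and a constructed list of observed registrations.
BRAND = "examplebank.co.uk"
OBSERVED = [
    "examplebank.co.uk",   # the company's own domain
    "examp1ebank.com",     # digit 1 in place of the letter l
    "examplebanks.net",    # one extra character
    "exarnplebank.org",    # "rn" reads like "m"
    "gardencentre.co.uk",  # unrelated
]

# Assumed map of characters that are commonly read as another letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Fold a label for comparison: lowercase, strip accents, map look-alikes."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(brand, observed, max_distance=1):
    """Return (domain, distance) for domains whose name resembles the brand's."""
    brand_label = skeleton(brand.split(".")[0])
    hits = []
    for domain in observed:
        if domain.lower() == brand.lower():
            continue  # the company's own domain is not a finding
        distance = edit_distance(skeleton(domain.split(".")[0]), brand_label)
        if distance <= max_distance:
            hits.append((domain, distance))
    return hits


if __name__ == "__main__":
    for domain, distance in find_lookalikes(BRAND, OBSERVED):
        print(domain, distance)
```

A distance of 0 means the name is identical once look-alike characters are folded; anything flagged still needs a person to confirm it before a takedown request is raised.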

If fraud is spotted quickly it can sometimes be possible to recover the stolen funds. Companies should develop procedures for recovering lost money and keep records on suspected, identified and prevented fraud. This information should be regularly reported to the board to enable them to manage the business risk. In order to fully manage business fraud, the Board should track the counter fraud performance of the organisation and compare this against the fraud strategy on a regular basis.

For more information about certifying your business to the Counter Fraud Fundamentals scheme, contact Craig Wooldridge at [email protected]