Jonathan Marsh

1
Fraud Risk ManagementThe FSAs Expectations

• Jonathan Marsh
• Partner
• Berwin Leighton Paisner
• Adelaide House
• London Bridge
• London EC4R 9HA
• Tel 020 7760 1000
• Fax 020 7760 1111

2
Overview

• Where is the FSA coming from?
• What are the FSAs expectations?
• Dealing with the aftermath

3
The FSAs regulatory objectives s.2 FSMA

• Market confidence
• Public awareness
• Consumer protection
• Reduction of financial crime

4
The reduction of financial crime objective s.6
FSMA

• Reducing the extent to which regulated persons
  and businesses in breach of the general
  prohibition can be used for a purpose connected
  with financial crime
• Financial crime is any offence involving
• Fraud or dishonesty
• Market abuse
• Money laundering

5
The reduction of financial crime objective s.6
FSMA
The FSA must, in particular, have regard to the
desirability of regulated persons

• Being aware of the risk of their businesses being
  used in connection with the commission of
  financial crime
• Taking appropriate measures (in relation to their
  administration and employment practices, the
  conduct of transactions by them and otherwise) to
  prevent financial crime, facilitate its detection
  and monitor its incidence
• Devoting adequate resources to prevention,
  detection and monitoring

6
An increased focus

• October 2004 Philip Robinson speech the FSAs
  new approach to fraud fighting fraud in
  partnership
• February 2006 Firms High Level Management of
  Fraud Risk
• March 2006 Capita Financial Administrators
  Limited

7
Fighting fraud in partnership key messages
The FSA will pay more attention to firms
arrangements for managing their fraud risks

• strong anti-fraud culture led from the top
• clear allocation of responsibility for fraud risk
  management
• staff training
• KYC procedures
• capture and use of management informationon fraud

8
Firms High Level Management of Fraud Risk
Roles, Responsibilities and Resources

• High level sponsorship of fraud management at
  executive level
• Boards/board committees receive fraud reports but
  not expected to have direct involvement in
  formulation and monitoring of anti-fraud
  initiatives
• Development and monitoring of fraud strategies
  typically the responsibility of high-level
  management committees e.g. risk committee or
  fraud steering groups
• Approval of anti-fraud strategies and plans was
  sometimes informal and director level
  accountability for delivery of strategies and
  plans was unclear

9
Firms High Level Management of Fraud Risk
Roles, Responsibilities and Resources

• High risk organisation (e.g. retail banks,
  insurers) generally well defined anti-fraud
  roles and responsibilities
• Lower risk organisations (e.g. investment banks,
  asset managers) reliance on control procedures
  not specifically labelled as anti-fraud measures
• The FSAs view without formal, integrated
  anti-fraud responsibilities and structures,
  anti-fraud initiatives may be difficult to
  sustain on an ongoing basis
• Favourable comment on a hub and spoke model
  with a central team coordinating anti-fraud
  activity and dissemination of best practice

10
Firms High Level Management of Fraud Risk
Fraud Data and Reporting

• Accurate and detailed fraud data and analysis
  necessary to assess where and why there is a
  fraud risk
• Systems and controls should be capable of
  detecting fraud risk at an early stage
• Role of trade associations in collecting and
  sharing fraud related data

11
Firms High Level Management of Fraud Risk Risk
Assessment and Risk Appetite

• Generally fraud risk was reported and reviewed
  within operational risk management reporting
  channels
• Lack of formal fraud risk assessment processes
  beyond those required for operational risk
  purposes
• Firms need to assess the fraud risk that they are
  exposed to (e.g. mispricing in the derivatives
  sector) and ensure that appropriate controls are
  in place to mitigate this risk
• Allocation of anti fraud resources was generally
  not driven by a clear cost benefit or risk
  appetite analysis

12
Firms High Level Management of Fraud Risk
Business Engagement, Systems and Controls

• Investment in systems and controls and a focus on
  robustanti-fraud operational processes is key to
  risk mitigation
• Fraud threats are dynamic and the ability to meet
  emerging fraud threats depends on good analytics
  in a firms anti-fraud operations
• Focused management of internal (staff) fraud risk
• Enhanced vetting
• High profile arrests
• Communication and awareness
• Focused management of fraud risk in product
  design fraud risk identification should take
  place at an early stage

13
Firms High Level Management of Fraud Risk
Recruitment

• Insider fraud (coercion, collusion, infiltration
  or employees own initiatives) considered to be
  one of the most serious fraud threats faced by
  financial institutions
• Enhanced vetting procedures e.g. use of
  specialist agencies to conduct pre-employment
  screening with varying levels of screening
  depending on seniority
• Vetting key suppliers and insisting on agreed
  standards of employee screening which will be
  checked by random, unannounced visits
• Insider profiling working with the police to
  compare new recruits against insider profiles

14
Firms High Level Management of Fraud Risk
Anti-Fraud Training
Varying approaches to staff training

• Generally fraud awareness training given to new
  staff as part of induction
• Newsletters or staff alerts
• Computer-based training packages
• Training predicated on red flag recognition
• Good practice guidelines supported by tailored
  training on a divisional basis

15
Firms High Level Management of Fraud Risk
Resources forTackling Fraud

• Increase in the size of dedicated anti-fraud
  teams and staff
• Increase in awareness of financial crime and
  fraud risk
• High hurdle rates applied to proposals
  foranti-fraud investment and financial
  considerations outweighed qualitative concerns
  such as reputational risk

16
Firms High Level Management of Fraud Risk
Fraud Investigations

• In larger firms responsibility for significant or
  complex fraud investigations was delegated to
  specialist departments
• At other firms responsibility given to corporate
  security or audit
• Varying degrees of sophistication e.g. some fraud
  investigation units able to conduct
  investigations to criminal investigation
  standards (including computer forensics)
• Increase threat of e-fraud makes investigation
  more difficult
• Use of post-mortems to improve risk mitigation

17
Firms High Level Management of Fraud Risk
External Liaison and Communication

• Increased industry cooperation and strong support
  within firms for this but more needs to be done
  to share data and information on the perpetrators
  of fraud

18
Firms High Level Management of Fraud Risk
Educating Consumers

• Tension between implementation of anti-fraud
  measures and customer convenience
• The degree to which customer experience is
  expected to be negatively affected by an
  anti-fraud initiative was found to be a key
  factor in determining whether to proceed with the
  initiative

19
FSA Enforcement Action Capita Financial
Administrators Limited

• 300,000 fine for breaches of
• Principle 2 failing to act with due skill, care
  and diligence in considering the risks posed by
  financial crime
• Principle 3 failing to take reasonable care to
  organise and control its affairs responsibly and
  effectively, with adequate risk management
  systems
• SYSC 3.2.6R failing to take reasonable care to
  maintain effective systems and controls to
  counter the risk that the firm might be used to
  further financial crime.

20
FSA Enforcement Action Capita Financial
Administrators Limited

• Inadequate assessment of fraud risk, especially
  the risk of internal fraud
• Should have assessed the adequacy of existing
  controls and considered additional controls to
  mitigate any risks identified
• Inadequate response to discovery of fraud
  although an investigation committee was set up,
  it focused on the specific circumstances of the
  fraud rather than a wider review of fraud risks

21
Dealing with the aftermath

• Alert senior management / the board
• Investigation of (a) specific circumstances and
  (b) wider fraud risks
• Appoint appropriate individuals to investigation
  team
• Consider whether use of external consultant is
  appropriate
• Establish timetable and objectives
• Consider key legal issues
• Asset recovery
• Accessing personal data
• Suspension / dismissal
• Whether or not to provide documents to FSA
  voluntarily
• Privilege
• Money laundering reporting obligation
• Corrective action / remedial plan
• Insurance issues
• Notifying FSA

22
Conclusions

• Recognise importance of fraud risk management to
  the FSA and react accordingly
• Senior management needs to be engaged
• Formal fraud risk assessment process and
  appropriate controls to deal with identified
  risks
• Clearly defined allocation of responsibilities
  for fraud risk management
• Adequate resources
• Adequate investment in systems and controls which
  are capableof early detection
• Capture and use management information on fraud
• Ensure threat of both internal and external fraud
  is assessed and dealt with
• Anti-fraud training
• Development of fraud investigation plan