Best Practice Guide: Fraud Risk Assessment

Recently, ACAMS released a best practice guide on fraud risk assessment and given the constant headlines about scams and fraud, we thought it would be a good topic of discussion to provide you all with some best practices in identifying, assessing, and mitigating fraud risks.


Many financial institutions are focusing on mitigating fraud losses or merely want to conduct a more comprehensive and holistic fraud risk assessment. Regardless of the reason, this blog will help your credit union examine how to collect data, conduct a fraud risk assessment, and analyze outputs to prioritize key areas of risk for investment. This will ultimately help any financial institution defend against fraud.

The guide begins with a discussion on the different types of fraud risk assessment a credit union can use to assess their fraud risk both for the member and the business.

First, there is the customer risk assessment (CRA), which is generally used where regulatory requirements call for assessing customer risk; application fraud, with its BSA/AML focus, is one example.

Second is the product risk assessment, which assesses the level of risk associated with financial products. For example, a credit union may consider factors such as the delivery channel (e.g., cross-border wire transfers), which may involve higher risk.

Third is the enterprise-wide risk assessment, which assesses the organization's risk controls and then prioritizes the risks by how probable and impactful each one is. This allows an organization to allocate resources appropriately. Ultimately, a fraud risk assessment will help your credit union make effective risk-based decisions, prioritize effort and resources, and reduce fraud losses and other associated costs, such as operational and management costs, while providing a stable and comprehensive base.

So how can a credit union conduct a fraud assessment? The guide goes through a four-step approach.

Step one is risk identification, which documents all historical, current, and potential future fraud scenarios that could impact your organization. This includes surveying all staff who work with fraud and fraud controls and reconciling the survey data with existing fraud data; the result provides a baseline and allows future reviews to focus on business changes.

Step two is risk and control analysis, which assesses the effectiveness of current controls against the identified risks. It involves estimating the likelihood and consequence of each risk, rating risks on a risk prioritization matrix based on these two factors, and identifying the key controls in order to determine control effectiveness. It is also useful to review the risk prioritization matrix with business owners. For more details, Appendix B in the guide has a sample matrix.

Step three is residual risk evaluation, which addresses the risk that remains after the controls are applied and compares it to the credit union's tolerance levels as defined in its risk management policy. For any risk above the tolerance threshold, the credit union should consider options such as:

  • Discontinuing the risky activity
  • Accepting the risk within tolerance by maintaining current controls and monitoring
  • Analyzing further with an audit or control "pressure test"
  • Treating the risk by adding controls to reduce the likelihood or impact

Next, balance the costs against the benefits, accepting a risk outside of tolerance only if the benefits of the activity outweigh the risk consequences. It is beneficial to involve senior business owners in this step so that actions are guided by fraud risk levels.

Step four is risk treatment which focuses on strategies to reduce residual risks to an acceptable level. Options include maintaining existing controls, enhancing current controls, or developing new controls and updating processes. Controls fall into three categories:

  • Detection, such as identifying the fraud when it occurs,
  • Prevention, such as cybersecurity protocols blocking unfamiliar logins, and
  • Response, such as blocking future card transactions.

Then, determine which controls aim to reduce the likelihood of fraud and which controls target reducing the consequences of fraud. Afterward, score and prioritize residual risk for further action. This will help to build new controls or enhance existing controls as needed.
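To make steps two to four concrete, here is an added example (written for this post, not taken from the ACAMS guide or its Appendix B matrix) of a small risk prioritization matrix in Python. It assumes 1-to-5 likelihood and consequence scales, a linear discount for control effectiveness, and tolerance thresholds chosen purely for illustration; the sample risk register is constructed, not real data.

```python
from dataclasses import dataclass

# Ordinal scales for the two axes of the prioritization matrix (assumed 1-5 scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "critical": 5}


@dataclass
class FraudRisk:
    name: str
    likelihood: str
    consequence: str
    control_effectiveness: float  # assumed scale: 0.0 = no key control, 1.0 = fully effective


def inherent_score(risk: FraudRisk) -> int:
    """Matrix cell value before controls are credited: likelihood x consequence."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_score(risk: FraudRisk) -> float:
    """Risk remaining after key controls are credited (assumed linear discount)."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)


def recommend_treatment(risk: FraudRisk, tolerance: float, stop_threshold: float) -> str:
    """Map residual risk to one of the four step-three options (thresholds are assumptions)."""
    residual = residual_score(risk)
    if residual >= stop_threshold:
        return "discontinue the activity"
    if residual <= tolerance:
        return "accept: maintain current controls and monitoring"
    if risk.control_effectiveness < 0.5:  # weak controls: add or enhance controls first
        return "treat: add controls to reduce likelihood or impact"
    return "analyze further: audit or control pressure test"


def assess(risks, tolerance=5.0, stop_threshold=15.0):
    """Score every risk and return (name, inherent, residual, action) rows, highest residual first."""
    rows = [(r.name, inherent_score(r), residual_score(r),
             recommend_treatment(r, tolerance, stop_threshold)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (illustrative names and ratings only).
SAMPLE_RISKS = [
    FraudRisk("Account takeover of online banking", "likely", "major", 0.6),
    FraudRisk("Synthetic-identity application fraud", "possible", "severe", 0.25),
    FraudRisk("Cross-border wire fraud", "unlikely", "critical", 0.8),
    FraudRisk("Counterfeit check deposit", "likely", "major", 0.5),
    FraudRisk("Instant P2P payments with no limits", "almost certain", "critical", 0.3),
]
```

Running `assess(SAMPLE_RISKS)` yields the register ordered for the step-four prioritization, with the instant-payment product flagged for discontinuation and the synthetic-identity risk flagged for new controls.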

Finally, with the information from the assessment process, a credit union can draft a fraud risk assessment report and present it to the relevant committees, such as the board, senior management, and other staff (internal audit or specialists), for review and action.

The guide continues with a discussion of how frequently a credit union may want to conduct a risk assessment of this nature, stating that "frequency will depend on the nature and growth trajectory of an organization." If a credit union is growing in size and complexity, the guide recommends that it may need to adapt and refine its approach, suggesting that a dashboard which automatically assesses risks and controls may be beneficial. This framework can deliver meaningful improvements in fraud risk assessment over time. However, the guide also notes that organizations that have not invested time, energy, and resources into combating fraud may have to play catch-up.

Lastly, the guide offers information on live dashboards and how to break up silos, stating that dashboards can be automated and make information more accessible to decision makers. A dashboard can summarize a variety of risks, including changes in the threat landscape, and provide a summary of recent fraud risk events and what was done about them. Additionally, it can show an organization's top fraud risks and the counter-risk initiatives in place. Ultimately, a fraud risk assessment can benefit organizations of all sizes by building resilience, safeguarding financial assets by addressing potential vulnerabilities before they can be exploited, and protecting an organization's reputation and trust. For more details on this guide, including the Appendices, you can review it in its entirety here. Additionally, here is a link to the ACAMS Fraud Hub, which may provide more information.

Questions? Suggestions for future blog posts? Please reach out to the Compliance Team at compliance@americascreditunions.org.

Tags
Board and Governance Operations
Federal Regulatory Compliance Counsel
America's Credit Unions