Fraud and Financial Crime Management
Ruud Grotens: It’s a well-recognised fact that payment fraud is on the rise. Fraudsters are exploiting processes, technologies, and education gaps as fast as regulators, banks, corporates, and consumers can plug them. There is one type of fraud that, in comparison to other types, gets little attention. That’s insider fraud.
The biggest danger for banks, and corporates, is that most insider frauds go undetected, and as such, are wrongly considered less of a risk. In fact, the 2021 Risk Quantum Analysis showed that, in the UK, fraud was cited as the cause behind 38% of total operational risk losses by value, on average. The year before it was 22%, though the problem is far bigger than people think.
Hello, I’m Ruud Grotens, Head of Solution Consulting for Fraud and Financial Crime at Bottomline, and host of today’s payments podcast. On this topic, I’m delighted to welcome our guest, Elizabeth Humphrey. Elizabeth is a financial crime researcher from Themis, an anti-financial crime technology firm, which helps clients identify and manage their specific financial crime risks, through a combination of innovation, insight, and intelligence. Hi Elizabeth and thank you for joining us.
Elizabeth: Hi, Ruud and thanks so much for having me. I’m really excited to be discussing Themis and Bottomline’s latest research findings and analysis on insider fraud today with you.
Ruud Grotens: It’s great to have you. Elizabeth, you have been researching insider fraud and banks, and you worked on the joint Themis-Bottomline survey report ‘Insider Fraud and Banks: The post-COVID Trap Landscape’. So, kicking off our conversation, maybe you can talk us through the various types of insider fraud that banks should be aware of.
Elizabeth: Yes, absolutely, and thanks again for having me today.
I guess, an increase in insider fraud, really. The pandemic has made us, at least at Themis, really look more closely at the state of the typically under-discussed issue of insider fraud.
To quickly review some of these key types of insider fraud, just so that we can all be on the same page and recognise the broad scope of the problem of insider fraud, it really does come in many forms, I think.
So, insider fraud, generally, in a lot of people’s minds, evokes an image of the malicious employee syphoning off the company wealth for private gain, in big ways. But really it can mean a lot more than that, I think. Malicious attacks are, really, only one part. There is also less intentional and more carelessness driven kinds of fraud, for example.
So, just to split this into two main groups of fraud:
There is the classic malicious internal fraud and, importantly, collusion with outside actors as well. So, this can really encompass the classic rogue trading collusion with, probably, vetted third parties; the active hiding of losses; account manipulation and intentional diversion of funds.
An important part of this, I think, is data theft and collusion with external bad actors to sell account credentials. I think, a unique part of malicious fraud is, often, that it takes place on a drip-by-drip basis, over a long period of time, and often at quite a low level, to go unnoticed.
It’s also important to recognise less malicious and less intentional forms of insider fraud stemming from negligence, carelessness, and naivety, on the part of employees.
I think it’s interesting, these are often less damaging as individual incidents, but are more prevalent in number. It’s the dominant form of fraud. In our survey research that we undertook for this project we found that 77% of respondents were very concerned about non-compliance issues that cause insider fraud in this sense.
So really, just to get into a little bit of detail, it can encompass careless behaviour towards, particularly, digital security (which was a big issue during COVID), social engineering attacks (phishing and smishing of employees), and particularly, it’s naïve employees with less of an understanding of tech, as well as agnostic fraud.
So, this is not particularly targeted at the company in a malicious sense, but still is for personal gain. That would include things like not working, or travel and expense fraud. Some of the hotspots for negligence can include call centres, where there is a high volume of calls and mistakes can easily be made, as well as the remote working environment now.
So, unencrypted devices being stolen; bring your own device policies being poorly implemented, and this sort of thing. So, yes, it’s really quite a diverse terrain. It’s important to keep in mind the more benign, or less intentional versions. I shouldn’t say ‘benign’, because they can be quite harmful, but less intentional forms of fraud that have, particularly, I think, been of importance during the pandemic.
Ruud Grotens: I think, due to the pandemic, that basic level fraud has increased. So, you’re seeing new and different weaknesses. As fast as we plug holes, fraudsters find new ones. From your research, what is driving this?
Elizabeth: Yes, absolutely. So, I think, insider fraud has always been around, and it’s always been an issue. But alarmingly, banks are really facing the highest, apparently the highest, rates of insider fraud in recent history. So, there definitely does seem to be a real uptick, particularly since the pandemic. It really does seem to be linked to that.
Just to give a bit of a sense of numbers according to our survey, 75% of banks have perceived an increase in insider fraud since this pandemic. This is really reflected in other data too. Major banks have seen a jump from 22% of all fraud being attributable to insider causes in 2018, to 38% in 2020. So, this is a pretty hefty jump.
I do think that the pandemic created a perfect storm for insider fraud, unfortunately. This can be usefully understood by referencing the classic Cressey’s Fraud Triangle, which was coined by Cressey in the 1930s, and remains very relevant today. Basically, it’s a trifactor of three factors that exacerbate, and come together to form this perfect storm.
So, that’s considered to be opportunity, pressure and rationalisation. Together they really can create an environment that’s very conducive to insider fraud. So, in the current context, there is definitely more opportunity for fraudsters. At banks it’s recognised that control and compliance tended to take a backseat, at a time when banks were forced to prioritise contingency planning, crisis response and really trying to uphold any semblance of business as usual.
Unfortunately, this led to, at times, overriding of controls. This definitely created loopholes for fraudsters. Also, the remote working conditions created new opportunities. Our research, indeed, found that 80% of respondents saw a higher risk of insider fraud and data leaks, just from the fact that so many employees are working from home.
More digital payments have also been coming to the fore. Physical cash and card payments are less and less common, and digital payments are more and more common, making all that data that’s passing through digital transactions more vulnerable to attack. I would just say that I think this does call for an increase in automated solutions to fight that fight, and 75% of our respondents saw real value in automated solutions around fighting fraud, including payment fraud.
Just to complete the Cressey’s Fraud Triangle, employees are also coming under a lot more pressure and may see a lot more grounds for rationalising fraud. Health and financial issues, performance, emotional pressures, all create increased demands on employees, and they may find themselves turning towards options that they would previously not have undertaken.
Indeed 26% of our respondents saw financial strain and uncertainty as increase in fraud. So, yes, these are some of the drivers that are really present right now. In fact, Themis doesn’t really see them as likely to go away, even after the pandemic. Particularly given that COVID, I think, has really accelerated this transition to digital work, and the accompanying risks of that.
What do you think of that, Ruud?
Ruud Grotens: Yes, right. I think, due to the pandemic, we have seen an increase in fraud attacks, because of the growth of digital activity, people working from home, bank branches closed, so people had to go through the digital channels. That created more opportunity for fraudsters, I think. There is simply a larger pool of victims and a higher success rate for fraudsters.
In addition to that, I think that banking customers have - well, there is a need for speed! With faster payments and instant payments, banks only have milliseconds left to detect fraud, right? So, there is an increase of opportunity for fraudsters. Then, I think there is also the issue with impersonation fraud, like APP [Authorised Push Payment] fraud, or business email compromise (BEC).
So, as you mentioned, social engineering, and phishing are common fraud methods. Fraudsters are good at impersonating people, because they have access to huge amounts of digital data from individuals and organisations. That information needs to come from somewhere, and maybe it comes from legitimate websites, but it could also come from data leakages, or data theft from within a financial institution.
I think that is a weak link, and that is where the opportunity is. So, for example, a fraudster may collaborate with someone within the organisation, who helps the fraudster to gather information on a customer and then use that information to follow up with targeted phishing messages.
I think, another aspect, is what’s called the ‘Great Resignation’. So, the pandemic and the working from home culture might also have raised employee loyalty issues. So, the Great Resignation is going on and it’s at a global level. According to a Microsoft survey, 41% of global workers were considering quitting or changing professions in 2021. That is not going to decrease in 2022. I also read that in the US, more than 4.4 million people quit their jobs, according to the US Department of Labor.
This makes an impact, because that makes life harder for those who remain on the job. Knowledge is lost and, in other words, there is a combination of, I think, frustration, and less supervision. That feeds a greater rationale for undertaking illicit activity.
Elizabeth: Off the back of that, I guess I wanted to ask a bit more about your own experience Ruud. I would be very curious to see if you think banks are doing enough to combat this growing threat of insider fraud?
Ruud Grotens: That’s a good question, Elizabeth, and I think the short answer is, “Not enough,” or simply, “No.” I think, when I speak to financial institutions, to banks, the focus is often on external fraud. External attacks are easier to spot. When it comes to insider fraud, I always say, “You don’t know what you don’t know.” For example, I’ve spoken to banks in the past who told me that they have never experienced insider fraud, at all!
When speaking or asking about internal fraud, people immediately think about financial theft, and do not see leaking data as an insider fraud incident. As you refer to already, the collusion between internal staff and external bad actors, that is often very difficult to prove. What I’m hearing from banks is that there is often a suspicion, and it’s hard to get the evidence.
That’s the reason that an insider fraud incident is reported as an external fraud incident. I believe - I strongly believe - that insider fraud is often underreported, or not reported at all. That makes it very difficult for senior management to create a business case and make a decision about investing in an insider fraud solution.
So, as I said, you don’t know what you don’t know. So, if you think there is no insider fraud, then you probably do not have the intention to put measures in place! But in speaking to banks, I believe that fighting against insider fraud is equally important as fighting against external fraud. Not all fraud attacks come from the inside.
Unfortunately, numerous financial institutions have found, often too late, that their own employees were misusing debit cards issued by the financial institutions. While I think the vast majority of employees can be trusted, and are honest, the danger of the insider threat is that if you’ve got a bad apple… that can take down the entire tree.
Again, insider fraud is a very sensitive topic. Not many financial institutions like to talk about it and for good reasons, of course. There is a lot of sensitivity behind that.
Elizabeth: Yes, that makes sense.
Ruud Grotens: In the case of internal fraud, there are several reasons why better prevention practices aren’t actioned or escalated as quickly as they ought to be. Maybe we should chat about the ‘why’ behind this resistance, Elizabeth, or denial if you like, in a bit more detail?
Elizabeth: Yes, absolutely. We see it as a key issue as well, from a Themis perspective. I think it is interesting to frame resistance within the broader context first. I would say that, arguably, some of this resistance isn’t really intentional in a way, but rather the product of a pretty demanding and rapidly changing risk and business climate. There are a lot of factors, I think, going on and contributing to this overall tone towards insider fraud.
So, first of all, I would flag that banks are definitely facing a lot of competing priorities right now. I mean, take COVID and maintaining business as usual. These are just the latest of ongoing challenges that banks need to balance alongside one another. FIs also, arguably, grapple with pretty poor, might I say, existing legacy systems. They often take a lot of time, money, and skill to keep up to date, and aren’t always sufficient in doing their job.
Insufficiently strong tools are often flagged as the biggest problem from banks that we’ve spoken to. In our survey, 50% actually flagged this as the main problem, which was the highest percent among other problems that we explored. Specifically, the tools aren’t always tailored to specific risks, and lack targeted monitoring. So, resources are often wasted on tracking what can be characterised as relatively low risk activities, while higher risk ones are neglected in terms of getting that real end-to-end visibility, and yes, they are sort of lacking that holistic risk approach.
In general, we see that tech needs more attention. It’s great to have a good foundation in the basics, but the current tech trends aren’t really detecting things until it’s too late.
This includes things like physical document examination, network data log reviews, and manual audits. There are also inadequate resources, capacity, and budget for these issues. 39% of FIs were found to be understaffed, with those monitoring fraud having inadequate training. That being said, you still have to ask why it is that there aren’t more resources going towards this issue.
Yes, I think that it’s definitely a multi-fold challenge, and it’s arguably being reinforced by a reactive, rather than proactive response to fraud. Meanwhile, there is arguably not much of a business case in the short term for escalating suspicious activities all the time. Would you agree with that, Ruud?
Ruud Grotens: Yes. You know, I think in this business, I have never heard so many synonyms for the same. It’s also a matter of language and tone, I think. So, we have people talking about employee fraud, insider fraud, bad actors, unethical behaviour. A juicier one I heard is ‘the silent killer’ within the organisation. With so many synonyms that tells us, actually, about the sensitivity of the subject. People don’t want to make it explicit.
I think ‘employee fraud’ sounds very unfriendly. It’s as if you don’t trust your own people, or your own peers. But when you call it ‘insider risk management’ or ‘internal risk management’ and, suddenly, you have a better topic for a conversation. At least, that is my experience.
Then there is also a resistance when it comes to a ‘Big Brother is watching you’ culture. I think there is also a privacy aspect, an employee privacy aspect, but also a customer privacy aspect.
So, on the one hand banks need to protect customer data, and therefore would need to check if employees are misusing customer data, or leaking customer data. Think of an example where an employee is surfing through customer data outside business hours, without business reasons. You would like to know that, right, and take action and refine that, as it might bring the bank into trouble, because GDPR regulations are breached.
On the other hand, you need to respect employee privacy as well. So, when you are monitoring employee behaviour, there must be transparency about the nature and content of the monitoring. So, maybe you should monitor employees having access to sensitive or very privacy-related data, but not monitor their email traffic or team chats, to mention a few examples.
That depends on the business, of course. But I think, for the purpose of monitoring, it must be specified. It must be explicit, and it must be legitimate. There is also a deterrent factor. So, if you know your activities are monitored, for legitimate reasons, you might not even think about taking the opportunity, in terms of the Cressey’s Triangle.
Elizabeth, in your research, you found that 48% of banks that were interviewed, considered damage to consumer trust and branch reputation to be the most damaging consequence. So, what needs to happen, in your view?
Elizabeth: Yes, indeed there is a lot of damage coming from insider fraud. As you say, the extent of damage may actually be underrated, because of this tendency for banks to under-discuss insider fraud, or classify it as something else. So, yes, it’s a huge issue and it’s, generally, under-discussed. Damages can really span from operational impacts to direct financial loss to, as you said, reputational damage, and regulatory implications as well.
But yes, from our own internal research, it was found that the highest number of respondents said that reputational damages and consumer trust was the most serious consequence of insider fraud. In particular, I would flag data breaches as being very damaging to reputation, particularly now that so much client data is online and vulnerable to fraud.
So, it has become an increasingly sensitive space, with repercussions for consumer trust. I guess, just to pivot off of that, I think that, with all of this in mind, we really need to ask “What can we really do to improve the landscape?” There is sometimes a lot of pondering and pontificating that is done on these issues, but we really have to think about what push factors are available to us, to improve the situation.
I guess, I would like to start with mentioning regulators as playing an important role. We can put it all on banks, but we have to also discuss the broader landscape, and how others can contribute to this fight. I think, GDPR is a really good example of the positive impact that regulators can have, by requiring companies to really consider, in a deep way, who has access to personal customer data, how it can be securely stored.
We saw a real improvement compared to places where this hadn’t been undertaken, such as in the US. But in general, I think regulation has been criticised for being a little bit too ambiguous on this front. Indeed, our research reflects this with 33% of our respondents saying that they would appreciate greater clarity and guidance from regulators, and another 30% saying that regulatory expectations are quite clear, and more guidance is needed on actually how to get those done and fulfil those requirements.
I think, in this sense, COVID could actually have a silver lining. I think it could jump-start the conversation from regulators on necessary changes. So, this could be one benefit of a truly challenging situation. We’re already seeing some regulators coming forth with heightened pressure in this space.
In March 2021 we saw the UK PRA underscoring expectations to build up bank capacity, to deal with the various stresses resulting from COVID. This does include fraud and, in particular, they pushed for more prevention as a ‘means of resilience’ attitude from banks. I think this definitely speaks to insider fraud as well.
Then, simultaneously, in the same month actually, the Monetary Authority of Singapore also published recommendations on operational resilience during COVID-19, and specifically around remote working. I think that this is really encouraging. They specifically flagged the need for periodic review of insider fraud risks in a post-COVID world.
So, there are moves from regulators that are emerging. I think we can hope for more. That being said, I don’t think that banks should really wait for this regulation. There is really no reason to, particularly given that, from our research as well as from broader conversations on this subject, it’s clear that banks are the ones that have suffered the consequences of this in the end.
So, it’s really in their best interests to be proactive, even if regulators are not always ahead of the curve on this.
Ruud Grotens: Another interesting fact from the survey, Elizabeth, was that the technology quality by many banks has fallen short in its ability to prevent and detect insider fraud. I believe one of the conclusions was that many firms are still relying on outdated and traditional forms of insider fraud prevention. Actually, those technologies are no longer sufficient or detect too late, after the damage is already done.
Speaking to banks, I see that, if there are systems in place, then it’s often based on analysing the local audit files from systems. The issue with these local audit files is the quality of the data, but also the availability of the data. So, these files have never been designed to discover internal fraud. So, there are limitations on the systems, the technology out there and that all depends on data availability and quality.
One of the things, for example, is employees surfing through customer data - that’s not detected at all. It’s not clear what’s being looked at and that entire activity is not caught in local audit files. I also see users not making use of agent-based monitoring. So, basically, they install software on every single laptop and every single desktop, to monitor employee activity.
Well, from a technical point of view that’s a maintenance nightmare. I also know that, from a performance point of view, it’s a nightmare and not suitable for large-scale implementations. Plus, from an employee privacy aspect, yes, everything can be monitored. When we talk about ‘insider fraud’ or the ‘insider risk’, we have to respect privacy regulations.
It means you cannot monitor everything. Even in some countries that’s not allowed by regulation. I think, banks should be more open to exploring new technologies out there, by which they can manage the insider risk, regardless of whether the users work from their homes or from their offices. But it should not invade their employee privacy, and the focus should be on the business sensitive systems also, and not meaning email traffic.
Ruud Grotens: One last thing, Elizabeth, based on your research, what are the biggest takeaways for the audience?
Elizabeth: Absolutely, and it’s been an immense pleasure speaking with you about this key issue.
I think my main takeaway and what came up again and again in my research, in discussions with a lot of cutting-edge thinkers on this issue, on ‘in trends’, is that we really need to be pushing for, what I would call ‘a detection as a form of prevention agenda’.
This means taking a proactive approach on the part of banks. I really see this in the interest of banks themselves, you know, in terms of reputational, operational, financial priorities - it all aligns. I was saying that, by taking this deeply proactive detection and culture-based approach, rather than waiting for this growing problem to chase them down, it’s really in their best interests.
Ruud Grotens: Right, thank you, Elizabeth. Unfortunately, that’s all we have time for today. So, all that’s left for me is to thank you, Elizabeth, for joining us on today’s podcast on internal fraud in banks.
Elizabeth: Thank you, very much, Ruud.
Ruud Grotens: For the audience, thank you for listening. For more information on this topic please get in touch with the Bottomline team or visit our website. See you all next time, thank you.