The NACHA conference meeting in Nashville this week is notable for its focus on a variety of payment types. Yes, there’s the expected focus on real-time payments and settlements, but there’s also a generous amount of time given to ACH, treasury operations and interoperability. And where there’s payments there’s always one unwanted guest: fraud.
Pick your poison when it comes to fraud. At the conference, the still-nascent issue of real-time fraud has a presence on the agenda and so do risk management and synthetic ID fraud. But there’s one type of fraud that looks more like an issue lurking under the NACHA agenda, and that’s insider or employee fraud. As I continue to explore the topic and talk with banks and companies that experience insider fraud, it’s becoming clear that we still have a lot of work to do to bring insider fraud to the top of the agenda. The truth is that most insider frauds go undetected and are therefore underrated as a risk. Example: the 2021 Risk Quantum Analysis showed that, in the UK, fraud was cited as the cause behind 38% of total operational risk losses by value, on average. The year before it was 22%. But I believe the problem is bigger than finance leaders think.
We’re constantly uncovering new information about insider fraud. That tells me there’s a lot more to learn. Consider the following five takeaways from recent market findings as well as some research I’ve been doing in partnership with fraud management platform Themis. Let’s call them five things you didn’t know about insider fraud.
It’s a process, not an event: When the pandemic first started and insider fraud became a unique and growing issue, I think a lot of fraud analysts saw one person in his or her home office hacking sensitive information or even capital and making a huge and deliberate haul. That’s not the case. Our work with Themis showed that insider fraud often takes place in small occasional actions over a long period of time. And rather than one employee with malicious intent behind the fraud, less intentional forms stemming from negligence, carelessness, and naivety on the part of employees are more likely to be the source. In fact, our research with Themis showed that 77% of respondents were very concerned about non-compliance issues that lead to insider fraud.
Choices made under pressure: That phrase is actually the definition of “character” in screenwriter parlance. The pandemic and post-pandemic workforce has been a case study of vulnerability to the famous Cressey Fraud Triangle, first created in the 1930s. In essence, Cressey believed that three conditions created environments most conducive to any kind of fraud: opportunity, pressure and rationalization. Opportunity has been extended by the remote nature of work, where corporate devices are isolated and more employees need digital access to data. Pressure and rationalization for insider fraud go hand-in-hand. Health and financial issues, performance, emotional pressures, isolation – all these could create a fraud-friendly environment. Our work with Themis showed 26% of respondents identified financial strain and uncertainty as reasons for the uptick in insider fraud. And those aren’t going away anytime soon.
The pandemic has yet to be measured: The pandemic sent people away from the centralized hub of the office, taking various devices with them. No surprise then that insider fraud spiked. But there are still some remnant effects of COVID that resonate through the rise of insider fraud. We don’t know all the effects of COVID yet. What is becoming apparent at this point is that the increase in digital activity due to the pandemic created more opportunity for all fraudsters, I think. There is simply a larger pool of victims and a higher success rate for fraudsters. Another aspect, I think, is what’s called the ‘Great Resignation’. The pandemic and the work-from-home culture might also have raised employee loyalty issues. According to a Microsoft survey, 41% of global workers were considering quitting or changing professions in 2021. That is not going to decrease in 2022.
Fighting insider fraud lags as a priority: As Elizabeth Humphrey, financial crime analyst for Themis, told me, banks suffer from competing priorities when it comes to insider fraud. In the Themis research 50% identified this as the main problem. Specifically, the tools aren’t always tailored to specific risks and lack targeted monitoring. Resources are often wasted on tracking what can be characterised as relatively low-risk activities, while higher-risk ones are neglected in terms of getting that real end-to-end visibility. This includes things like physical document examination, network data log reviews, and manual audits.
Data limitations must be overcome: Many firms are still relying on outdated and traditional forms of insider fraud prevention. They detect the problem when the damage is already done. Speaking to banks, I see that, if there are systems in place, they analyze the local audit files from systems. The issue with these local audit files is the quality of the data, as well as the availability of the data. These files have never been designed to discover internal fraud. So, there are limitations on the systems, the technology and data availability and quality. One of the things, for example, is employees surfing through customer data - that’s not detected at all. I also see users making use of agent-based monitoring. So, basically, they install software on every single laptop and every single desktop, to monitor employee activity. From a technical point of view, that’s a maintenance nightmare.
The Bottomline: Insider fraud is underestimated in terms of its current damage to banks and companies, and it’s high time it comes out of the shadows. Maybe new terminology will help. We have people talking about employee fraud, insider fraud, bad actors and unethical behaviour, which all may signal internal weakness or a culture problem. A juicier one I heard is that insider fraud is ‘the silent killer’ within the organization. So many synonyms belie the sensitivity of the subject. People don’t want to make it explicit. I think ‘employee fraud’ sounds very unfriendly. It’s as if you don’t trust your own people, or your own peers. But when you call it ‘insider risk management’ or ‘internal risk management’, suddenly, you have a better topic for a conversation.