Top 10 op risks: fraud and customer data abuse

Internal fraud remains, as ever, a high priority for risk managers across the financial sector. Economic downturns are known to generate fraud: as employees come under real or anticipated financial pressure, they face the temptation to steal, or to concoct favourable-looking sales and profits in order to reap higher bonuses or simply to ensure they remain employed.

While national economies remain sluggish, margins tight and unemployment levels high, fraud will continue to be a significant problem. It’s also worth remembering that the average fraud at a financial institution takes between two and three years from inception to discovery – the frauds which began at the nadir of the crisis in 2009 will only now be coming to light – and the lag means that discoveries of losses to fraud will continue to be high for some time, even after (or if) economic growth picks up again.

The long-anticipated rise of Big Data, however, makes fraud an especially dangerous threat in 2013. Financial institutions have welcomed advances in customer data capture and processing – the depth of data available to payment service providers in particular, which have visibility from both the merchant and the customer side, is a godsend for marketing, merchant financing and customer loyalty programmes. But it also represents a tempting target for criminals.

Cifas, the UK fraud prevention service, has tracked a steady and rapid rise in insider fraud over the last five years: it was up 52% in the first half of 2012 compared with the same period in 2011, with theft of customer data up 53% over the same time. This is particularly worrying, Cifas noted, as it reversed the trend seen in late 2011: rings of employees were starting to circumvent anti-data-theft precautions by acting together, preventing the system from noticing a single large data transfer by carrying out several smaller transfers.

Criminal software aimed at data theft such as Flame has also become far more common, now available in kit form, effectively reducing the expertise barrier to entry for this type of crime. And personal data storage devices – MP3 players, smartphones, USB sticks and so on – are now ubiquitous, and represent a dangerous new vector for infection as well as a risk for data loss.

Cifas has also detected a rise in the next step in the chain: identity theft or account takeover, both made far more straightforward by the use of stolen customer data. Identity fraud was up 17% and account takeover up 73% in the first nine months of 2012, the latest period for which figures are available.

Greater mandated information exchange, under legislation such as Fatca and the intergovernmental agreements supporting it, opens the door still further to data theft or misuse. It may also leave banks and other financial institutions vulnerable to penalties under national data protection laws, if their information exchanges are not conducted carefully. Increased reliance on outsourcing involves the same danger, with customer data being sent outside the company’s control to a service provider located in a different country, with less intrinsic assurance of data security, and subject to different laws on privacy – and government oversight.

Top 10 operational risks 2013: Back to introduction

IT sabotage
 

Reputational damage

Incentives and compensation

Fraud and customer data abuse

NEXT: Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

Failure to enforce internal controls