Introduction
Crisis fraud risk management is born out of a highly volatile atmosphere that can upend and overwhelm even the most structured fraud risk management program. That volatile atmosphere is with us today in the form of COVID-19. COVID-19 represents the single greatest challenge to fraud risk management (“FRM”) because pandemics and their effects were never identified as a driving force in the escalation of both existing and new types of emerging fraud. Moreover, business continuity plans had an isolated focus on operations rather than on people and operations, with much shorter timeframes envisaged.
“In a new survey conducted by the Association of Certified Fraud Examiners (ACFE) about the effect COVID-19 has on fraud, 90% of respondents reported that they have seen an increase in scams targeting consumers, with 51% believing the increase has been by a significant amount. Respondents reported seeing an immediate increase in a number of specific fraud schemes. Of those surveyed, 75% said they already have encountered an increase in phishing through government impersonation, and 71% report seeing an increase in charity fraud. They also have experienced an increase in fraudulent vaccines, cures or tests for the coronavirus (66%); third-party seller and buyer scams on legitimate online retail websites (64%); business email compromise scams (62%); and cyberbreaches (61%). Link to survey: ACFE COVID-19 survey.”
Pandemic effects
There is no doubt that a pandemic can cause economic and financial hardship on a massive scale, at both the individual and the corporate level. In times of economic crisis, employees’ personal financial pressures tend to rise, which is often where the decision to steal and embezzle is rationalized. This justification can proliferate as many key individuals wear multiple hats and segregation of duties is diluted. The same rationalization extends to companies that face pressure to falsify their financials in order to meet earnings targets or to secure and maintain financing. Constrained supply chains and reliance on key third-party vendors may increase the incidence of bribery and corruption as the need to meet and support company objectives becomes paramount.
In this threatened environment, companies may seek to cut costs, which will often target non-revenue-generating departments, e.g. compliance and internal audit, while at the same time reducing budgets for control training.
The lack of fraud assessments, which are integral to a comprehensive anti-fraud program, only serves to leave organizations more vulnerable to the growing likelihood of fraud. As organizations make cuts in the attempt to operate with a leaner staff, they can find themselves caught in a perfect storm for fraud: mounting financial pressures motivating employees and customers alike and providing a common co-operative cause, fused with a highly toxic emotional, irrational and survival-based mindset acting as a powder keg.
Social distancing from the virus has increased online risk, with fraudsters having already found ways to use coronavirus warnings as a veil for malware injections and other fraud schemes. Social distancing has driven the need for, and increased usage of, contactless payments, and with it a proliferation of social engineering attempts, leading to an uptick in fraud in e-commerce and online payments and an incessant increase in both identity theft and account manipulation. This increase in social engineering has escalated with the reliance on home office environments, which by themselves offer fraudsters the opportunity to both degrade and infiltrate organizations’ data and information systems.
Response
The first thing is to realize that such a crisis raises the vulnerability of the organization to fraud and is a true test of the fraud resilience of the organization. Outlined below are three countermeasures that the fraud risk program should adopt and introduce in the new challenging environment.
1. Re-evaluate and reassess fraud policy and procedures
The existing FRM framework needs to be re-evaluated and reassessed, knowing that a scan of the environment and the resultant ensuing pressures will create new emerging opportunities and stronger motives for the performance of fraud. The new normal will create new avenues, as outlined above, for the fraudster, which may expose the soft operational underbelly of the organization. There may be a need to get ahead of the fraud curve and proactively amend and adapt the policy and procedures to reflect the new normal, e.g. a new fraud taxonomy. Existing policy and procedures that may now be compromised in terms of operational efficiency will have to be adapted in a timely fashion with respect to the redrawing of fraud risk appetites and tolerances, with greater insight and participation from stakeholders.
2. Review and renew the fraud control environment
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.
3. Improve the fraud message, communication, and data channels
As the crisis continues, there is a greater need to engage and communicate the fraud message without overloading the individual with information. Sharing experiences and observations is paramount and can act as an early warning system. Fraud risk will be elevated in conjunction with, and heavily correlated with, the increased incidence and risks of cybersecurity and anti-money laundering failures. Information flows needed to understand this triad of threats must be timely and aligned in a coordinated fashion from internal and external data sources such as Compliance, Information Technology, Audit and third-party vendors. The organization must understand the interconnectedness of fraud with all the other risks facing the organization and be able to respond at the enterprise level.
One result of the new working environment is that information flows have increased, as whistleblowers who are now either disengaged or emboldened by working from home have decided to come forward. According to a recent Wall Street Journal article, the U.S. Securities and Exchange Commission received about 4,000 tips from mid-March to mid-May, a 35% increase from the same period last year. Whistleblowing hotlines provide a ready-made, low-cost source of credible leads that can be assessed, provided the organization has the resources and resolve to investigate.
Fraud risk managers need to tailor their message to different audiences at a faster pace and need to be better communicators. Fraud communication needs to be reinforced, and this extends to training needs: training must be creative and involve topics which are current, so that the message is easily assimilated and on point. The importance of training must be emphasized and, for once, rigorously enforced with penalties for noncompliance.
With this information overload, fraud risk managers will have to provide clean, accessible, robust and sustainable data, while keeping vast amounts of data for future inspection and audit. The amount of big data being generated will enable the more astute to redesign their control processes using a comprehensive data management set of both public and private data sets. The data flows need to be kept in perspective, with any anomalies explained alongside the number of false positives created by the increased data flow. Sanitization and regular inspection are a must to power the behavioral analysis that can detect new and existing incidences of fraud.
Moreover, certain segments of the customer base will be more prone to high risks, and fraud investigators will have to employ key behavioral analysis to drive informed decisions on whether transactions are fraudulent or genuine. Machine learning and artificial intelligence will have to be woven into the fraud risk manager’s fabric, providing data analytics that can be used to understand device vulnerability and attacks.
These challenges will alter the role and responsibility of fraud risk managers, who will become data custodians, model risk managers and ad hoc technologists.
Passing thoughts
Crisis fraud risk management means that fraud risk managers must have an adaptable and credible plan and stay focused rather than become embroiled in the crisis themselves. The three countermeasures above offer insight and guidance to alleviate the vulnerability and mitigate the number of fraud incidences in a crisis.
Professional Risk Management International Association
Fraud is all around us, grabbing the headlines every single day. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly. Many firms focus on the low-probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.
Let’s take a look at four steps a firm can take to develop and maintain an effective fraud risk management program.
1. Create a dedicated governance structure to manage fraud risk.
The first requirement is to build an organizational culture to combat fraud at all levels of the firm. This should demonstrate a senior-level commitment and set an anti-fraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an anti-fraud entity that, among other things, will:
- Serve as the repository of knowledge on fraud risks and controls
- Manage the fraud risk assessment process
- Lead or assist with trainings and other fraud awareness activities
- Coordinate anti-fraud initiatives across the program.
2. Create a fraud risk assessment.
The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy-in requires involving relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
Requirements include:
- The identification and assessment of risks to determine the program’s fraud risk profile, starting with inherent fraud risks affecting the program
- An assessment of the likelihood and impact of inherent fraud risks, with the consideration of the nonfinancial impact of fraud risks, including impact on reputation and compliance with laws, regulations and standards
- Determining the firm’s fraud risk tolerance, examining the suitability of existing fraud controls and prioritizing residual fraud risks
- Documenting the program’s fraud risk profile
3. Design and implement an anti-fraud strategy with specific control activities.
Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding, monitoring and evaluating. The following questions can be used to guide the firm’s resource allocation in response to fraud:
- What is the program doing to manage fraud risks?
- When is the program implementing fraud risk management activities?
- Where is the program focusing its fraud risk management activities?
- What are the specific control activities to prevent and detect fraud?
- How is the suitability of existing risk controls assessed and how is residual risk prioritized?
- How does the program respond to identified risks?
- Why is fraud risk management important?
4. Conduct risk-based monitoring and evaluate all components of the framework.
Collection and analysis of data — including data from reporting mechanisms and instances of detected fraud — is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy, fraud controls and response efforts.
A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.
Every fraud risk management program can be further enhanced by fraud awareness training and by communicating results — for example, instances of fraud that have been identified and corrective actions that have been taken — to employees.
Following these four steps will help to prevent, but not eliminate, fraud. Most fraud can be staved off by a comprehensive risk management program, but as criminals and morally compromised people concoct new forms of deceit, financial institutions must remain vigilant.
This article was published on ACFE Insights
5 Hallmarks of an Effective Cybersecurity Program
This article was published on Global Association of Risk Professionals
Fraud risk management should both inform and shape any third-party risk management program in conjunction with all the other risk disciplines. Now more than ever, with increased regulation and risk, organizations must conduct vigorous, structured and regular due diligence on third-party intermediaries. The risks posed by these parties are many and varied, ranging from cybersecurity to business disaster. With third parties accessing regulated company information, the likelihood and impact of IT security incidents are on the rise.
Regulators are looking for the methodology, the approach and the sustainability of programs designed to capture and mitigate these risks. Moreover, regulators are seeking evidence on how a program and its processes are embedded and aligned within an organization’s risk culture and risk appetite.
Possessing a robust, structured program to mitigate these risks can protect corporate reputation and shield executives, board members and other management from personal and professional liability. At its core, such a program incorporates a risk-based approach, which is a methodical and systematic process of knowing the company’s business, identifying its risks and implementing measures that mitigate those risks.
The diagram below portrays the key considerations which are explained further below.

Planning
Each third-party relationship brings with it several multidimensional risks that extend and traverse across suppliers, vendors, contractors, service providers and other parties. An effective third-party risk management process begins by comprehensively identifying third-party risks. This risk identification process should be followed by an analysis of the specific drivers that increase third-party risk. Moreover, your organization needs to understand its universe of vendors and how the third-party ecosystem engages, interacts and connects with its internal and external operating environment.
With an understanding of its risk appetite for vendor risk, a risk framework can be developed with a coherent and consistent set of policies and procedures which define the paradigm of an objective risk assessment model, crucial in creating a risk profile for third parties. The policies and procedures will, furthermore, describe the implementation of the system, resources, acceptable mitigants, roles and responsibilities.
Selection
Your organization should take a risk-based approach to third-party screening and due diligence. Stratify your third parties into various risk categories based on the product or service, as well as the third-party’s location, countries of operation and key contributions. An important part of the process will be to mitigate an over-reliance on any key third party.
Negotiation
Standardized contracts are a must, outlining the rights and responsibilities of all parties, with suitable metrics in place to sustain the relationship. Given the importance of supply chains today, the contract should identify any subcontracting to a fourth party. The key is to contractually bind third parties to inform and obtain approval on any fourth-party involvement, and to ensure that fourth parties are in the scope of screening and risk management processes. Understanding the business continuity process and the compliance requirements of the third party is also an important consideration in the selection process.
Monitoring
Monitoring is essential as it will ensure that performance standards set by the program are being implemented and followed with the imposition of well-defined metrics to measure the effectiveness of the program. Continuous third-party monitoring and screening is the key to helping companies make informed decisions about their third parties, with screening against global sanctions lists, law enforcement, watchlists and adverse media reports.
Termination
The termination process is often overlooked, but it is crucial to address it during negotiation. It should take what-if scenarios into account, with various trigger points that allow your organization to extricate itself from the relationship in an orderly and timely fashion.
Third-party risk management is one of the top emerging risks, and fraud risk management needs a seat at the risk table to both impact and inform the program but more importantly keep it relevant with regard to outside influences. Fraud risk management can no longer be a silent partner when it comes to third-party risk management.
This article was published on ACFE Insights
The purpose of this article is to outline and explain the risks associated with cryptocurrency. The sequel to this article, next week, will examine the risk management techniques to mitigate these risks.
Cryptocurrency is a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds. A defining feature of a cryptocurrency is that it is not issued by any central authority, rendering it theoretically immune to government interference or manipulation.
In order to understand the risks, one must first understand the features of the platform (such as blockchain) on which the cryptocurrency is based. Blockchain is a digitized, decentralized, public ledger used for cryptocurrency transactions. Constantly growing as “completed” blocks (the most recent transactions) are recorded and added to it in chronological order, it allows market participants to keep track of digital currency transactions without central recordkeeping. Each node (a computer connected to the network) gets a copy of the blockchain, which is downloaded automatically.
This technology platform has the following characteristics:
- Irreversible: After confirmation, a transaction cannot be reversed; there is no safety net.
- Anonymous: Neither transactions nor accounts are connected to real-world identities; everything is digitalized, with access by means of the Internet.
- Global speed: Transactions are nearly instant in the network and are confirmed in a couple of minutes. Since they happen in a global network of computers, they are completely indifferent to your physical location. There are no third parties involved in verification or validation.
- Secure: Strong cryptography and the magic of big numbers make it impossible to break this scheme.
- No gatekeeper: The software that everybody can download is free. After you install it, you can receive and send bitcoin or other cryptocurrencies.
These characteristics pose the following material risks:
BUSINESS RISK
Loss of confidence in digital currencies: The nascent nature of the currencies subjects them to a high degree of uncertainty. Online platforms have generated a large trading activity by speculators seeking to profit from the short-term or long-term holding of digital currencies. Cryptocurrencies are not backed by a central bank, a national or international organization, or assets or other credit, and their value is strictly determined by the value that market participants place on them through their transactions, which means that loss of confidence may bring about a collapse of trading activities and an abrupt drop in value.
CYBER/FRAUD RISK
Since cryptocurrency is essentially a cash currency it has attracted a large set of the criminal community. These criminals can break into crypto exchanges, drain crypto wallets, and infect individual computers with malware that steals cryptocurrency. As transactions are conducted on the Internet, the hackers target the people, the service handling, and storage areas, through means such as spoofing/phishing and malware. Investors must rely upon the strength of their own computer security systems, as well as security systems provided by third parties, to protect purchased cryptocurrencies from theft.
Moreover, cryptocurrency is highly reliant upon unregulated companies, including some that may lack appropriate internal controls and may be more susceptible to fraud and theft than regulated financial institutions. Furthermore, the software needs to be regularly updated and may be suspect at times. Sourcing the blockchain technology to vendors may result in significant third-party risk exposure.
There is very little in the way of recovery: If the keys to a user’s wallet are stolen, the thief can fully impersonate the original owner of the account and has the same access to the monies in the wallet as the original owner. Once the bitcoin is transferred out of the account and that transaction has been committed to the blockchain, those monies are lost forever to the original owner.
OPERATIONAL RISK
With a centralized clearinghouse guaranteeing the validity of a transaction comes the ability to reverse a monetary transaction in a coordinated way; no such ability is possible with a cryptocurrency. This lack of recourse is further demonstrated by the fact that, because Bitcoin accounts are cryptographically secured, access to the monies contained in an account almost certainly cannot be restored if the “keys” to the account are lost, stolen or deleted by the owner.
REGULATORY/COMPLIANCE RISK
Some countries may prevent the use of the currency or may state that transactions break anti-money laundering (AML) regulations. Due to the complexity and decentralized nature of Bitcoin and the significant number of participants — senders, receivers (possibly launderers), processors (mining and trading platforms), currency exchanges—a single AML approach does not exist.
MARKET RISKS
The market risks are idiosyncratic, as the currency trades only on demand. There is a finite amount of the currency, which means that it can suffer from liquidity concerns and limited ownership may make it susceptible to market manipulation. Furthermore, given its limited acceptance and lack of alternatives, the currency can appear more volatile than other physical currencies, fueled by speculative demand and exacerbated by hoarding.
PASSING THOUGHTS
There is no doubt that cryptocurrencies are here to stay as technology advances. Public acceptance and confidence will take some time, but the risks will remain the same—some appearing to be more material and elevated than previously. The sequel to this article will examine the methodologies and techniques used to mitigate the risks.
This article was published on The Risk Management Association
There are now more reasons than ever to implement an effective fraud risk management framework for personnel in your organization. The focus on individual responsibility has dramatically shifted, and employees should now be educated as to the risks and repercussions, especially in the U.S. As a result of the memorandum titled “Individual Accountability for Corporate Wrongdoing” issued by former U.S. Deputy Attorney General (DAG) Sally Yates on September 9, 2015, even those who merely had knowledge that something wrong was happening but didn’t report it would potentially face penalties.
Known simply as the “Yates Memo,” the directive signals the new priority in the U.S. Department of Justice’s (DOJ) pursuit of corporate wrongdoing: a priority of pursuing, punishing and deterring individual wrongdoers rather than the corporation itself. According to the U.S. Securities and Exchange Commission’s (SEC) annual report, issuer reporting and disclosure cases represented 20% of the SEC’s 2017 enforcement actions, the largest proportion in many years.
What should an individual do when they suspect fraud or unethical behavior?
First, document, document and document! Keep detailed and precise records about what you are asked to do, who asked you to do it and what you did. Make sure that the records are easy to find, with clear evidence of date, time and author. Second, report your concerns through an independent, anonymous hotline or to a board member. In many cases, whistleblowers are provided meaningful protection from reprisal, and they may even be eligible for a financial reward for providing useful information to law enforcement.
But, what can you do to prevent fraud from happening in the first place? The considerations raised above should be incorporated into a five-stage risk management framework outlined below.
- Identify your fraud risk appetite. Design a written statement and convert it into a risk-tolerance limit. A risk-tolerance limit is a quantifiable amount, the maximum that the organization is willing to lose, and is a translation of the risk appetite statement into a number. The determination of the amount is based on factors including previous history and the firm’s appetite and attitude.
- Ensure that the organizational culture and structure are conducive and open to fraud risk management. Create a structure with a dedicated entity, department or person to lead all fraud risk management activities.
- Plan regular fraud risk assessments and assess risks to determine a fraud risk profile.
- Design and implement a fraud hotline or reporting system. As part of managing the hotline, determine risk responses and document an anti-fraud strategy based on your fraud risk profile and develop a plan outlining how you will respond to identified instances of fraud. Remember to engage with stakeholders on a frequent basis with updates.
- Conduct risk-based monitoring and evaluate all components of the fraud risk management framework. Focus on measuring outcomes and communicate the results.
Fraud is pervasive, and there are risks to an organization both internally and externally. It can be seen as a symptom of an organization’s culture, and in that sense, it requires the highest sense of vigilance to ensure that it does not become endemic.
This article was published on ACFE Insights
Buoyed by news and social media coverage of online threats and cyberattacks, cybersecurity is all the rage today. Indeed, whether we’re talking about the recent Iranian online assault on worldwide universities or the cyberattack on the city of Atlanta (which shut down wi-fi at the world’s busiest airport), cybersecurity is constantly and rightfully in the spotlight.
Much of the success of the hackers can be attributed to a lack of planning, understanding and implementation at the institutions that have been breached. This article addresses these issues and discusses the various influences that could further compound the lack of effective risk mitigation.
Cybersecurity is an all-encompassing business risk that needs to be tackled both tactically and strategically. For cybersecurity to be effective, a firm must have (1) a common taxonomy and lexicon, so the same language can be spoken by all business areas; (2) a clear understanding of its inventory of assets and its vulnerabilities; (3) a playbook for scenario events that can prepare the organization for readiness; and (4) a cybersecurity framework that is end-to-end and shared by all business areas with regard to responsibility and accountability.
Now let’s take a look at all of the factors that must be considered to monitor and manage cyber risk.
Considerations
General Data Protection Regulation.
Once the GDPR legislation becomes enforceable, any personal data breach impacting European Union citizens will need to be reported within 72 hours. The regulation will provide data owners with transparency about how their information is collected and used. Since non-compliance can result in a fine of up to 4% of gross revenue, this regulation will have a significant impact on companies that operate on a multi-national level.
AI and machine learning.
Artificial intelligence and machine learning will certainly gain a larger presence in cybersecurity as these disruptive technologies gather momentum. Machine learning models, in particular, are advancing at an exponential pace, and are expected to be able to more accurately identify and predict cyberattacks in short order. Conversely, these machines can also be harnessed to attack the very organizations they serve to protect.
Ransomware.
Over the past few years, ransomware, a cyber-extortion tactic, has grown into a significant threat. Indeed, aided by voracious news and social media coverage, ransomware continues to claim high-profile victims. Moreover, cyber criminals interested in making a quick buck can take advantage of the variety and accessibility of ransomware from the dark web.
Data breaches.
It may prove impossible to eradicate data breaches completely, but every organization has the power to lessen the blow by handling the aftermath correctly. Practicing scenario and response planning to data breaches can help reduce damages.
Internet of Things.
The growth of cyber extortion has been greatly abetted by the common availability of anonymous payment mechanisms and by the increased usage of information sharing/gathering devices such as the Internet of Things (IoT). All too often these devices either lack basic security features or are not properly configured, relying upon outdated software that can easily be subverted.
Security practices.
Inadequate security practices – including poor passwords, identity subversion, out-of-date antivirus software and antiquated systems – are prevalent. There are simply too many poor security practices to cite, but a special mention must go to the challenge of patch management. It’s important to note that endpoint security is different from IT management: while it’s easy to roll systems out, it’s tougher to take systems offline for maintenance or to prioritize what needs to be patched.
Third-party vendors.
Organizations that are focused on building their own security defenses have come to realize that they are vulnerable to friendly fire. If any of an organization’s third-party partners have inadequate or lax security controls, hackers can exploit these trusted sources and tunnel into internal networks and systems. This supply chain also extends to the vendor of vendors, and third-party risk management is required to mitigate the risks posed to protecting internal devices and data.
Parting Thoughts
Cyber risks pose a huge threat to every financial institution. Firms that take the time to understand the various cyber threats, and that adopt the proper cybersecurity principles, can certainly mitigate these risks.
This article was published on Global Association of Risk Professionals
My previous article, “What Are the Inherent Risks Associated with Cryptocurrency?”, examined such risks from both a currency and a business perspective.
This article looks at risk management methods by which the high inherent risks of cryptocurrency can be reduced, instilling more confidence and trust in transactions. The methods are wide ranging and, if applied in total, could confirm the acceptance and permanence of cryptocurrency, a currency for the 21st century.
REGULATORY APPROVAL
The most material reduction of inherent risk associated with cryptocurrency could be achieved by regulatory measures, which seems very ironic since cryptocurrency is a decentralized currency with no regulatory governance or framework. Some regulatory approval, if achieved, could signal both acceptance and credibility in the eyes of the cryptocurrency community. The best place to start would be the home of the world’s most popular reserve currency, the U.S. dollar. However, not all U.S. regulators are created equal. For cryptocurrency to gain traction in the United States, it must navigate diverse and differing regulatory frameworks, including:
- Financial crimes-related regulations like the Bank Secrecy Act (BSA), USA PATRIOT Act, and the Office of Foreign Assets Control (OFAC).
- State banking departments.
- The SEC.
- The Commodity Futures Trading Commission (CFTC).
- The Internal Revenue Service (IRS) and FBAR and FATCA reporting requirements.
The best outcome would be regulatory confirmation from all the above. But given the vested interests of each of these regulatory bodies, a seal of approval from at least two of these organizations should be sufficient in adding credibility and trust.
ALLIANCES AND/OR ACCEPTANCE AND ADOPTION BY A MAJOR TRUSTED GLOBAL ORGANIZATION
As many institutions embrace new technology, what better differentiator is there than to support a leading-edge digital currency, or at least to provide support for it to customers as an offering? Being first to market in pioneering a suite of offerings encompassing cryptocurrency would enhance reputation and lead to a culture predisposed to technology innovation.
A successful effort would entail greater accountability towards the consumers, portraying the improved availability, the enhanced reliability of cash exchange, and offering an affordable level of effective consumer protection. A level of acceptance will be more likely when consumers have access to innovative offerings and services through digital technology that would be cost effective and simple to utilize.
The path does not have to be traveled alone. Consider the strategic partnerships formed by companies such as Coinbase and BitPay that serve as bitcoin “wallets” and payment processors for merchants. By holding the digital wallets that receive bitcoin payments from customers, and then immediately paying those merchants the cash value of those bitcoins, Coinbase and BitPay effectively enable merchants to accept cryptocurrency payments without taking on the risks of holding bitcoin on their books. Forging these types of strategic partnerships and solutions is the key to driving acceptance and trust in the currency.
STRUCTURAL MITIGANTS
Reserve Requirements for Exchanges
Enhancement of the ecosystem could include more robust cryptocurrency exchanges. These are organizations that facilitate the trading of traditional currency for cryptocurrencies. In the traditional sense, cryptocurrency exchanges operate not only as exchanges, but can also act as broker-dealers as well as custodians. If these exchanges were to hold reserves sufficient to survive any major downturn or crash—adopting the same principles as a clearing house—it would add an extra layer of protection in times of volatility and market uncertainty.
Insurance Products
The provision of a fund that would offer investor protection, such as FDIC insurance, could help mitigate default risk and be incorporated as part of an account package, perhaps supplemented by a personal insurance policy.
MATURE ECOSYSTEM
The use of cryptocurrency has increased enormously, and so too has consumers’ ability to harness the powers of technology. The mobile phone—especially in emerging markets—has increased knowledge, transferability, and know-how. Mobile payments have increased due to the rise of Internet banking and increased consumer usage of alternative payment methods like Amazon gift cards, Apple Pay, Google Wallet, and PayPal. These advancements have paved the way for the acceptance of cryptocurrency.
As the cryptocurrency market continues to grow and mature, we may see liquidity increase. This would lead to tighter bid/ask spreads and significantly reduced exchange fees. It also would reduce price volatility, which would decrease exchange rate risk and lessen the pressure on risk-averse merchants and consumers to immediately convert cryptocurrency back into fiat currency. Increased liquidity would help cryptocurrency develop characteristics that are more like those of widely accepted fiat currency. The recent introduction of cash-settled Bitcoin futures products (derivatives) by the two largest U.S. futures exchanges, the Chicago Board of Exchange (CBOE) and the Chicago Mercantile Exchange (CME), should serve this purpose in addition to acting as a currency hedge.
RISK MANAGEMENT FRAMEWORK
The importance of risk documentation cannot be overstated, with all involved in the ecosystem maintaining consensus regarding risk management guidelines, standards, procedures, and industry best practices.
A standard risk management framework would cover policies, standards, and procedures relating to cyber, fraud, operational, credit, physical security and assets, IT security and data, third-party vendor, and anti-money laundering risk, together with a business continuity and disaster recovery program. The framework needs to be enterprise wide, as all these risks are highly correlated with each other. To be effective and actionable, the risk framework needs to be supplemented in large part by real-time information gathering and scenario planning. Software upgrades deserve special mention and attention, given the huge reliance on technology changes and development. More importantly, every participant in the ecosystem chain should be risk assessed as to the adequacy and efficacy of the implementation of its documentation, to aid confidence and reduce risk.
Any application of common standards like CCSS (Cryptocurrency Security Standard), which was introduced in 2014 to provide guidance specific to the secure management of cryptos, should be supported by all to engender confidence. (The CCSS is currently the go-to standard for any information system that handles and manages crypto wallets as part of its business.)
EDUCATION
Training and education can go a long way in mitigating risks and improving confidence—confidence which continues to diminish with all the cryptocurrency horror stories on social media, driven by the three principal concerns below:
- Spoofing of payment information, phishing, and substitution of user addresses.
- The hacking of a payment gateway.
- Cryptojacking.
A comprehensive education package with insight on the latest security methods, backed up by anti-malware, backups, cold storage, strong and frequently changed passwords, and regular updates of software, can help mitigate cyber and fraud risks and improve confidence.
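The first of the three concerns above, a spoofed or substituted payee address, is the one a sender can check for before funds leave the wallet. The example below is an added illustration and not code from the article or from any wallet vendor: it implements the standard Base58Check validation that Bitcoin legacy (P2PKH/P2SH) addresses carry, then compares the address a user is about to pay against a constructed allow-list of independently verified payee addresses. An address that fails the checksum, or that is well-formed but not on the list, is refused, which is the control that catches a pasted address that was altered in transit. The `KNOWN_PAYEES` table and the function names are assumptions made for this example.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I, l, to avoid visual confusion).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; leading '1' characters map to 0x00 bytes."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check validation for legacy mainnet addresses (version 0x00 P2PKH, 0x05 P2SH).

    Layout is 1 version byte + 20-byte hash + 4-byte checksum, where the checksum is
    the first four bytes of SHA256(SHA256(version || hash)).
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected and payload[0] in (0x00, 0x05)


# Constructed allow-list: payee addresses confirmed out of band (phone call, signed invoice).
# The first entry is the well-known Bitcoin genesis block address, used here only as a
# syntactically valid sample; the label is invented for the example.
KNOWN_PAYEES = {
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": "Example Supplier Ltd (verified 2020-04)",
}


def check_payee(addr: str, allowlist: dict[str, str] = KNOWN_PAYEES) -> str:
    """Return 'invalid', 'unknown' or 'ok' for the address a user is about to pay.

    'invalid' means the checksum or alphabet is wrong (a corrupted or mistyped address);
    'unknown' means the address is well-formed but was never verified out of band,
    which is exactly what a clipboard-substituted address looks like.
    """
    addr = addr.strip()
    if not is_valid_legacy_address(addr):
        return "invalid"
    if addr not in allowlist:
        return "unknown"
    return "ok"


if __name__ == "__main__":
    for candidate in (
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",   # verified payee
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",   # one character altered: checksum fails
        "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",   # well-formed but never verified
    ):
        print(candidate, "->", check_payee(candidate))
```

The useful property of the allow-list step is that it does not depend on the user noticing a changed character: the decision is made by comparing against a record that was created outside the machine doing the paying. Newer address formats (bech32) use a different checksum and would need their own validator before the same allow-list logic applies.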
PASSING THOUGHTS
This list is not intended to be exhaustive and homes in on material risk management techniques. The application of these techniques is very dependent on resources and the operating environment. Cryptocurrency is here to stay. One must be smart about the risks posed and manage accordingly.
This article was published on The Risk Management Association
Fraud is a pervasive problem that can yield huge financial and reputational damage. What steps can financial institutions take to implement a successful risk management program for fraud prevention?
Fraud is all around us, grabbing the headlines every single day, highlighted by recent scandals at Latvia’s ABLV Bank and India’s National Bank of Punjab. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly.
Many firms focus on the low-probability nature of fraud, and consequently fail to devote both resources and structure to addressing this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.
Let’s now take a look at four steps a firm can take to develop and maintain an effective fraud risk management program:
1. Create a dedicated governance structure to manage fraud risk.
The first requirement is to build an organizational culture to combat fraud at all levels of the firm; this should demonstrate a senior-level commitment and set an antifraud tone that permeates the culture. Overseeing all fraud risk management activities requires the development of an antifraud entity that, among other things, will (1) serve as the repository of knowledge on fraud risks and controls; (2) manage the fraud risk-assessment process; (3) lead or assist with trainings and other fraud-awareness activities; and (4) coordinate antifraud initiatives across the program.
2. Create a fraud risk assessment.
The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods, and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy-in comes from involving relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
Requirements include (1) identification and assessment of risks to determine the program’s fraud risk profile, starting with the inherent fraud risks affecting the program; (2) assessment of the likelihood and impact of inherent fraud risks, with consideration of the nonfinancial impact of fraud risks, including impact on reputation and compliance with laws, regulations and standards; (3) determining the firm’s fraud risk tolerance, examining the suitability of existing fraud controls and prioritizing residual fraud risks; and (4) documenting the program’s fraud risk profile.
3. Design and implement an anti-fraud strategy with specific control activities.
Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding to, monitoring and evaluating fraud. The following questions can be used to guide the firm’s resource allocation in response to fraud:
- What is the program doing to manage fraud risks?
- When is the program implementing fraud risk management activities?
- Where is the program focusing its fraud risk management activities?
- What are the specific control activities to prevent and detect fraud?
- How is the suitability of existing risk controls assessed, and how is residual risk prioritized?
- How does the program respond to identified risks?
- Why is fraud risk management important?
4. Conduct risk-based monitoring and evaluate all components of the framework.
Collection and analysis of data – including data from reporting mechanisms and instances of detected fraud – is a must for monitoring fraud trends and identifying potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, the anti-fraud strategy and fraud controls/response efforts.
A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.
Every fraud risk management program can be further enhanced by fraud-awareness training and by communicating results (e.g., instances of fraud that have been identified and corrective actions that have been taken) to employees.
Parting Thoughts
Following these four steps will help to prevent – but not eliminate – fraud. Most fraud can be staved off by a comprehensive risk management program, but, as criminals and morally-compromised people concoct new forms of deceit, financial institutions must remain vigilant.
This article was published on Global Association of Risk Professionals