Not all fraud perpetrators strike from afar. Some are employees looking to rip off their own employers and customers while on the clock.
Financial institutions are largely susceptible to internal fraud, especially during a recession, experts say. And because of legacy system constraints, the actual severity of internal fraud is likely worse than what financial institutions publicize, according to independent research and advisory firm Aite Group in Boston.
A new Aite Group report, "Internal Fraud: The Devil Within," which is based on a recent survey with 35 financial institution fraud and product executives in the U.S. and Canada, finds that internal fraud accounts for an average of 4% of all financial institution fraud losses, and more than half of the financial institutions surveyed report that internal fraud accounts for between 5% and 10% of their fraud losses.
Researchers warn these statistics are likely an underestimation of the truth.
"We discovered that internal fraud remains a serious issue that results in significant hard-dollar losses, regulatory actions and damage to a firm's financial brand," report author and analyst Julie Conroy McNelley said. "Internal fraud is likely worse than the official statistics indicate, as fraud losses are usually assigned by cost center, and the employee involvement in the loss is not recorded."
Regardless of how rampant internal fraud really is, financial institutions don't foresee it disappearing any time soon. A full 60% of those surveyed said they expect internal fraud to hold steady over the next three years, and 40% expect it to increase by 2014.
"Financial institution executives believe that internal fraud will only worsen, even as more technology solutions are deployed against it," McNelley said.
According to Aite Group, internal fraud (committed by a financial institution employee or contractor) falls into one of three classifications: stealing from the financial institution, stealing from a customer and abusing one's position.
Aite Group found that negotiable item fraud, which is classified as customer theft and defined as "perpetrating fraud on a customer account by means of official check, money order, business check or personal check," was the most prevalent type of internal fraud, accounting for 29% of internal fraud losses. Trailing closely behind is card fraud, which can be classified as customer or financial institution theft and accounts for 23% of all internal fraud losses.
How can financial institutions fight this growing problem? Just as with combating external fraud, a layered approach is key, McNelley said.
First, perform a comprehensive screening of each potential employee, which may include a criminal background check, a credit check, application data verification and a drug test. Aite Group points out that recent legislation prohibits employers from performing job applicant credit checks in some states and recommends financial institutions closely monitor emerging credit check regulations.
Since many internal fraud cases are not prosecuted (reputation risk and litigation expenses are often to blame), background screenings do not always pinpoint potential fraudsters. Aite Group recommends that in addition to background screening, financial institutions consider accessing the Internal Fraud Protection Service database hosted by Early Warning Services.
The database contains identity information for roughly 12,000 employees who perpetuated fraud, a list contributed by participating financial institutions. However, only chartered financial institutions can currently participate, and Aite Group believes Early Warning Services should expand its pool.
"Alternative payment providers and other FSIs that don't currently qualify for participation have significant levels of internal fraud, and could benefit from the solution while providing value to the existing participant base," McNelley said.
Finally, Aite Group recommends financial institutions invest in analytic software that monitors employee behavior and activity. The report said 20% of surveyed financial institutions currently employ an enterprise-level employee monitoring system, and more than half plan to implement one within three years.
McNelley added that small and mid-sized financial institutions should go to their technology vendors for access to an internal fraud solution.
In addition to this three-layer strategy, financial institutions might also consider using vendor services designed to help prevent internal fraud, such as device fingerprinting, employee identity verification screening and "hot lists" of known fraudsters. Company policy and procedure implementation can also keep internal fraud at bay and is often a small financial institution's only line of defense, McNelley's report said.
These internal controls may include separating employee duties, implementing data and system access controls and cutting off system access for terminated employees.
"Financial services firms need to examine their current internal fraud prevention environment and determine what can be done to bolster it," McNelley said. "As competitors build more robust defenses, fraudsters will migrate to the path of least resistance."