
The BoG fraud report (4): let’s clear the weeds from the grass

Dear readers, I am back again to continue my journey of creating more fraud awareness. As we have observed these days, the Chartered Institute of Bankers now call bankers “trusted professionals”, and of course that is what banking has always been about. Our currency is not necessarily the cash, but rather TRUST!

How can the public trust us when they read the annual Bank of Ghana Fraud report and see the portion on internal fraud by bank staff? That is why we should continue to clear those weeds from the grass, so that the “noble profession” still soars as public trust in bankers is enhanced. I hope the 2024 fraud report, which will be published next year, will show a significant reduction in frauds.

Definition of risks

The following are simplistic definitions of various risks:

  • Market Risk – THE RETURN ON YOUR MONEY
  • Credit Risk – THE RETURN OF YOUR MONEY
  • Operational Risk – THE WASTE OF YOUR MONEY !!!

Operational risk

For the benefit of new readers, let me reiterate some of the issues around operational risk management. The proper definition of Operational Risk is “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.

Operational risk is one of the three major risks that banks face. Credit risk is usually thought to be a bank’s biggest risk. Operational risk is unique in that it touches all parts of the bank’s business, unlike market or credit risk. If one considers major credit or market risk events, it is highly likely that a significant component of any such event contains an operational risk failure. These articles will help readers:

  • Pro-actively identify signs of fraud in the working environment
  • Create awareness of the various operational risks, emerging challenges in various departments in financial institutions and how to handle them.
  • Appreciate the significance and multiple dimensions of Operational Risk in banking.
  • Reduce the incidence and impact of risks in banking towards maximum organizational profitability, efficiency and credibility.

Over the last three weeks, my journey has emphasized risk and loss prevention through the people and process risks. This week, my focus is on system risk.

The system risk factor

Systems risk is the loss resulting from the insufficient protection of information technology against disruption, damage, or loss caused by hazards such as systems failure, security breaches or data theft. Events that may cause systems risk include data corruption/ computer virus, telecommunication failures, and utility disruption.

These are risks that arise through the loss of confidentiality, integrity, or availability of information or information systems, considered in terms of their impact on the organization. However, as banks rapidly adopt new digital tools and solutions in response to customer expectations, they are exposed to a battery of technology risks that can bring down their operations.

Various delivery channels such as online banking, mobile banking and SWIFT transactions may be hampered by legacy systems that make IT security difficult to monitor.

According to Temenos, “The most alarming statistic in bank fraud relates to insider fraud: in 70 per cent of cases, the crime was perpetrated by a bank employee. Those with the highest levels of access to IT systems, such as systems and database administrators, are well placed to commit or facilitate it – and erase all evidence of their actions”.

Wire transfer networks such as the international SWIFT interbank fund transfer system are targets for fraud. Once the transfer is made, it is difficult or impossible to reverse. As these networks are used by banks to settle accounts with each other, rapid or overnight wire transfers of large amounts of money are commonplace.

While banks have put checks and balances in place, there is the risk that insiders may attempt to use fraudulent or forged documents, which claim to request a bank depositor’s money be wired to another bank, often an offshore account in a distant foreign country.

I have seen and heard of forged e-mail electronic requests. Some SME customers who import items from abroad find their computers hacked and fraudulent messages sent on their behalf for transfers abroad.

Although bank systems are usually designed to prevent internal fraud, employees should be monitored through controls that require them to have certain actions validated by colleagues, or use technology that observes and records each individual’s activities on the bank’s IT systems.

This can help to flag any behaviour that is suspicious or unusual. Employee monitoring is permitted, and the bank’s e-mail policy alerts users that its usage should not be abused.

Covert monitoring is normally permitted only in very limited circumstances involving the investigation and detection of crimes. Making staff aware that their use of the organization’s IT systems will be monitored is likely to deter many potential cases of internal fraud. During investigations, computers and laptops are “grounded” for scrutiny of mails and other data saved.

 

Basic system risk fraud prevention methods

  • Users’ Misunderstanding of the Banking Concepts embedded in the Banking Software

Technology, aided by the internet, has made banking relatively easy. However, many users do not appreciate the fact that it only facilitates transactions and does not replace the human element. Not giving data entry personnel the needed training and background to the transactions they perform is really an avenue for disaster. Data entry without the requisite understanding of the implications is the first red flag.

Customer service involves not only speed and accuracy, but also an understanding of the workings of the systems to reduce errors. Particular attention needs to be paid to the double-entry principle in Accounting, the reasons behind the creation of the suspense accounts in banking and how they should be monitored to prevent over-due transactions which can be manipulated into frauds and losses to the bank.

  • Users with Dual Access to Perform Front and Back Office Transactions

In small branches, there is a tendency for staff to do more teamwork and multi-tasking in order to close early. This is a good practice but it should be managed to ensure that data entry rights are well segregated. Unless the banking application is very much fool-proof, Tellers having access to general ledger data entry rights breach the segregation of duty principle in banking operations. We should avoid a situation where a manager equally has clerical data entry rights.

  • Managers performing data entry functions

I have witnessed some situations where branch managers perform both data entry as well as authorization and over-ride transactions! This is a definite NO! Shortage of staff may occasionally be treated as an emergency and exceptional rights given by IT department. This exception should, however, be reversed by close of day.

  • Availability of Access Rights to Users who are on transfer, leave or exited

Managers need to have regular checks on the data entry access rights of users in the branch to avoid cases of staff visiting the branch while on leave or even on transfer and checking their balances or sometimes performing data entry to assist! The e-banking facilities are there for such enquiries. Does your system continue to have names of ex-staff as data entry users?

It may sound awkward but it can be abused. Have you ever come across a system transaction list of data entry staff for a particular day including a member of your branch who is on leave? That is strange and needs quick verification and follow-up before something fishy happens. Certain events of user rights of staff on leave have caused some upsets to some banks. It may be the tip of the iceberg.
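The three items above (dual front and back office access, managers performing data entry, and access rights left with staff on transfer, leave or exited) can be checked daily by reconciling the transaction list against the HR roster. The following Python is an added example, not part of the original article or any bank's system; the field names, status values, rule names and sample records are constructed assumptions.

```python
# Constructed sample data (not from the article): HR roster, users holding
# data-entry rights, and one day's transaction log for a hypothetical branch.
HR_STATUS = {
    "ama":   {"status": "active",      "role": "teller"},
    "kofi":  {"status": "on_leave",    "role": "teller"},
    "esi":   {"status": "active",      "role": "manager"},
    "yaw":   {"status": "exited",      "role": "teller"},
    "abena": {"status": "transferred", "role": "back_office"},
}
ENTRY_RIGHTS = {"ama", "kofi", "esi", "yaw"}
TXN_LOG = [
    {"id": 1, "maker": "ama",  "checker": "esi", "ledger": "customer"},
    {"id": 2, "maker": "kofi", "checker": "esi", "ledger": "customer"},
    {"id": 3, "maker": "esi",  "checker": "esi", "ledger": "customer"},
    {"id": 4, "maker": "ama",  "checker": "esi", "ledger": "general"},
]
UNKNOWN = {"status": "unknown", "role": "unknown"}


def review_access(hr, rights, txns):
    """Return sorted (rule, subject) findings for the branch controls."""
    findings = set()
    for user in rights:
        # Staff on leave, on transfer or exited should hold no entry rights.
        if hr.get(user, UNKNOWN)["status"] != "active":
            findings.add(("STALE_RIGHTS", user))
    for t in txns:
        maker = hr.get(t["maker"], UNKNOWN)
        subject = f"txn {t['id']} by {t['maker']}"
        # Data entry posted under the ID of someone who is not at work.
        if maker["status"] != "active":
            findings.add(("ENTRY_BY_ABSENT_USER", subject))
        # Same person entered and authorised: no second pair of eyes.
        if t["maker"] == t["checker"]:
            findings.add(("SELF_AUTHORISED", subject))
        # Managers should authorise, not key in transactions.
        if maker["role"] == "manager":
            findings.add(("MANAGER_DATA_ENTRY", subject))
        # Tellers posting to the general ledger breach segregation of duties.
        if maker["role"] == "teller" and t["ledger"] == "general":
            findings.add(("TELLER_GL_ENTRY", subject))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in review_access(HR_STATUS, ENTRY_RIGHTS, TXN_LOG):
        print(f"{rule:22} {subject}")
```
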

  • Leaving the Banking Application System Open

      • Is your system so slow that staff who want to be away briefly do not want to shut down?
      • Do your staff leave the system on when they go to the rest room or out for lunch?
      • Do your staff leave the system on when they close early, to enable their colleagues continue their work for them?
      • Do your staff allow interns to work in their system without the necessary close marking?

The “Long Necks”

Whether it is just an odd habit or deliberately done, there are certain people who cannot just look away when others are keying their passwords. Whether it is deliberate or not, one has to quickly change one’s password, even if the “long neck” belongs to a senior colleague.

Exchanging Passwords

This is a basic caution which is given to staff during induction on the first day at work but the directive continues to be flouted everywhere. Many friendships have been broken when one person abused the trust. In banking, we always say, “Trust but Verify”. Giving away one’s password is like giving away one’s life jacket to another person while swimming!

I will pause here for now. Next week, we will look at how external events can pose risks as well as cause losses to banks.
