RiskFinancial CrimeDetecting internal fraud by Breaking Bad

Detecting internal fraud by Breaking Bad

The cult television series on how a mild-mannered chemistry teacher became a ruthless drugs baron offers some useful insights for companies wrestling with oversight and governance issues.

There has been no shortage of news stories around the banking sector and its vulnerability to internal fraud, particularly revelations that the industry has limited internal surveillance. Internal fraud has proven to be news-driven (and newsworthy); it’s a great feature lead-in story and scintillating red meat for mass consumption.

Internal fraud events obviously constitute a reputational risk for banks, but then take a huge turn into regulatory risk territory, before winding up squarely a legal risk – and the headline-grabbing fines that come with it. Finally, a strategic and market risk bubble up as customers are lost to competitors.

So what can be done for developing adequate governance and oversight in this space? Too often the terse reply to the question is ‘nothing’; that this type of fraud can’t be monitored, it’s too complex and there is nothing that will prove a ‘silver bullet’ and reduce all residual risk to nil. Indeed, it’s hard to disagree. Nothing can be an absolute and perfect control in the space, but we don’t really have that in the other fraud detection sciences, either. What we do have is the capability to impose a compliance culture in the space.

Certainly it’s possible to implement technology, processes and talent to ensure that internal goals are met and expanded to make certain that we evolve monitoring capabilities – in parallel with the business itself – beyond the initial scope. Indeed, many institutions may already have some capacity for monitoring in this space; but typically the tool is underweight, report-driven and measures just a few static attributes with logic that is not easily modified within. Further, suspected high risk activity investigations are frequently managed by IT, rather than compliance or operations risk (fraud) management teams.

The US-based Association of Certified Fraud Examiners (ACFE), as the world’s largest anti-fraud organization, is one body offering a matrix for understanding the motivations of a fraudster (Full disclosure: the writer is a holder of their credential, so this reads to me like the Ten Commandments). Effectively, there is a recipe for fraud and it explains why a reasonable person would choose this path. There are three ingredients that make up the formula for a “Fraud Triangle”; let’s examine each of them through the lens of that cult TV series Breaking Bad:

  1. Pressure: a financial need: gambling, drugs, debts, social or business demand or medical needs.
    • For BB fans, think back to Walter White’s diagnosis of cancer and his need to secure his family’s financial stability.
  2. Opportunity: that the fraudster will have been trusted with the tools to get to the prize. Think of it rather as a set of rails to ride this train; typically this is access to a system or even to something as simple as a cheque book.
    • Walter White is a talented chemist and thus can create a superior product to fill a market need.
  3. Rationalisation: the belief, ambition and motivation that the fraudster can perform this crime, that the victim/organisation deserved or earned it and that they won’t get caught.
    • Walter White realises his success is beyond his initial expectations and eventually becomes his alter ego, the drug lord Heisenberg.

Break any one of these sides of the triangle, and the potential for a fraud event is significantly reduced. Consider removing the financial hardship (pressure) with a mechanism that puts an alternate path forward. Had Walter White been able to treat his cancer earlier, would he still have gone on to become Heisenberg? If we take away access (opportunity) to the financial platform used for internal fraud, the crime cannot be committed. If the Breaking Bad character hadn’t had access to the materials needed to manufacture his product, there would have been no results.

Reducing  fraud potential

There are certain limitations to this approach in the real world, of course. We can’t know everyone’s financial obligations or their true debt-to-income ratios. Take away all employee access to systems and the business can no longer effectively run. However, we can make a budding criminal less likely to feel they can commit the crime with impunity and reduce the potential that the fraudster believes that they can get away with the crime. Had Walter felt that he would be detected and thus his plan thwarted (viewers will recall that brother-in-law Hank, investigating the perpetrator, took his time in figuring out the culprit), the show would have stalled before the mobile laboratory was parked in the desert. That’s exactly what we are after in the financial crimes world.

This is the space where we add the ‘secret sauce’ and we seek out the places where the application of controls makes the most impact relative to where it is creating the greatest risk. The tools to elevate the monitoring of high risk activity have to be as sophisticated as the crime itself. The tools must ingest and enhance the analytics of employees’ actions – feeding employee access of customer accounts and identifying additional key risk indicators that predict internal abuse. This space could effectively be monitoring individual performance far in excess of their peers, or repeatedly using the same demographic information for distinct and dissimilar accounts, or performing twice the average of the number of account touch points that are typical in the day-to-day operation of the employee’s role.

The sophistication of monitoring aligned to the sophistication of abuse is the key element here, and the day-to-day management of this independent process must fall outside of the IT business unit. The Drug Enforcement Agency (DEA) does its own investigations with its own resources – right Hank? Establishing a core competency in the space means setting up a team, with a dedicated detection solution that is bespoke and administered by internal fraud detection resources, empowering this teams’ enhanced logic to be deployed around the enterprise. Finally, this team must work in something of a clandestine manner, visibly surveying the environment – yet to outsiders there is little understanding of the logic that drives this enterprise governance process.

All of these elements, scaled up into controls, are capable of detecting most of the common potential internal fraud events. When this made noisy – so that all staff hear about it – a culture of compliance is fully revealed to be a control in and of itself. The organisation may not be impenetrable, so it’s not necessary to attempt to achieve impenetrability as a goal.

Rather, the goal should be to demonstrate competence in the space, use all the detection tools available and illustrate the capabilities an organisation can deploy in reducing the likelihood that the fraudster is confident they will get away with it.  These steps to kick a leg out of the Fraud Triangle will help ensure that the path of Breaking Bad is never initiated.

 

 

Related Articles

The effects of digital transformation on the bank–corporate relationship

Corporate to Bank Relationships The effects of digital transformation on the bank–corporate relationship

3d The Global Treasurer
Why Open Banking increases the need for enhanced security

Open Banking Why Open Banking increases the need for enhanced security

5d Eric van Vuuren
Mobile banking platform enhanced for treasurers

Banking Mobile banking platform enhanced for treasurers

1w Laura Noble
Liberis CEO on Open Banking and the future of SME funding

Open Banking Liberis CEO on Open Banking and the future of SME funding

2w GTNews
Two year technological forecast for European banks - an insiders account

Banking Two year technological forecast for European banks - an insiders account

4w Hans Tesselaar
The challenge that third party providers face: five important steps to becoming a TPP following PSD2

Open Banking The challenge that third party providers face: five important steps to becoming a TPP following PSD2

4w Tom Wijnen
Is disintermediation coming? A video case study into the emerging utility model

Banking Is disintermediation coming? A video case study into the emerging utility model

4w David Beach
What can banks learn from the TSB IT disaster?

Banking Risk Management What can banks learn from the TSB IT disaster?

1m Mark Hipperson