The opportunity for internal fraud springs from firms' lack of
ability to see all and know all under their own roofs. When a star
performer suddenly becomes a major foe after a secret scam is
revealed, business leaders can only kick themselves. Can
organisations ever be expected to plug loopholes that may only be
obvious to a mercenary opportunist?
Companies have much to lose when they fail to do so. The money
at stake is huge, and the shame is almost as bad. That is what
family man Donald MacKenzie inflicted on the Royal Bank of
Scotland when he carried out a £21m fraud based on fake loan
accounts. The father of two was one of the bank's best: voted
manager of the year for three years in a row, with a talent for
bolstering the loan business. But a new system revealed that he had
set up more than 1,000 false loan accounts with names similar to
those of real customers.
Matthew Pemble was involved in the investigation of the case.
"Although MacKenzie got the commission, the fraud was done to help
his friends," says Pemble, who is now a security consultant at
Vizuri. "A lot of insider fraud is carried out because someone is
tempted by something that drops into their lap. MacKenzie was
caught when a new system for dealing with loan applications was put
in. He got away with it until then by using the system and being so
successful at his job. The sort of people who commit internal fraud
know the bank's system very well, and catching them can often be
down to luck or carelessness."
MacKenzie's complex fraud went undetected for five years until
March 2004, but Pemble says that, in retrospect, the signs of odd
behaviour were there all along. MacKenzie wrote about 200 apology
letters to customers every year, another strand of his intricate
web. The norm would be fewer than 10. Although a high volume of
apology letters would not automatically trigger an alert, it is an
anomaly.
Pemble says another sure sign of a possible cheat is keenness.
"Some fraudsters are always in work, as they are scared that they
may be caught if their back is turned," he says.
"As every fraudulent transaction is a risk for them, they will
often opt for figures below limits to avoid detection."
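The two warning signs above, a volume of apology letters far above the norm and authorisations clustered just below an approval limit, can be checked mechanically. The following is an added example, not code from the article or from Pemble or RBS: the approval limit, the width of the "just below" band, the flagging thresholds and the transaction and letter data are all constructed for the illustration.

```python
"""Check two of the warning signs described above against a constructed
loan-authorisation log: amounts clustered just under a single-signature
limit (structuring), and customer apology letters far above the norm.
The limit, band, thresholds and sample data are assumptions for the example."""
from collections import defaultdict

APPROVAL_LIMIT = 10_000        # assumed single-signature approval limit
BAND = 0.10                    # flag amounts within 10% below the limit
BAND_SHARE_THRESHOLD = 0.5     # share of an employee's items that must fall in the band
APOLOGY_NORM = 10              # the article's figure for a normal year
APOLOGY_MULTIPLIER = 5         # flag at five times the norm

# Constructed sample: (employee, amount) of each loan the employee authorised.
TRANSACTIONS = [
    ("alice", 4_200), ("alice", 7_900), ("alice", 1_250), ("alice", 9_990),
    ("bob", 9_950), ("bob", 9_800), ("bob", 9_990), ("bob", 9_700), ("bob", 3_100),
    ("carol", 12_000), ("carol", 15_500), ("carol", 2_000),  # over-limit items need a second signature anyway
]

# Constructed sample: apology letters sent per employee in one year.
APOLOGY_LETTERS = {"alice": 6, "bob": 190, "carol": 11}


def below_limit_share(transactions, limit=APPROVAL_LIMIT, band=BAND):
    """Return {employee: share of their items with limit*(1-band) <= amount < limit}."""
    totals = defaultdict(int)
    in_band = defaultdict(int)
    low = limit * (1 - band)
    for emp, amount in transactions:
        totals[emp] += 1
        if low <= amount < limit:
            in_band[emp] += 1
    return {emp: in_band[emp] / totals[emp] for emp in totals}


def flag_structuring(transactions, threshold=BAND_SHARE_THRESHOLD):
    """Employees whose authorisations sit disproportionately just under the limit."""
    shares = below_limit_share(transactions)
    return sorted(emp for emp, share in shares.items() if share >= threshold)


def flag_apology_volume(letters, norm=APOLOGY_NORM, multiplier=APOLOGY_MULTIPLIER):
    """Employees sending many times the normal number of apology letters."""
    return sorted(emp for emp, n in letters.items() if n >= norm * multiplier)


def combined_flags(transactions, letters):
    """Merge both indicators into {employee: [reasons]} for a reviewer to follow up."""
    flags = defaultdict(list)
    for emp in flag_structuring(transactions):
        flags[emp].append("authorisations clustered just below limit")
    for emp in flag_apology_volume(letters):
        flags[emp].append("apology letters far above norm")
    return dict(flags)


if __name__ == "__main__":
    for emp, reasons in combined_flags(TRANSACTIONS, APOLOGY_LETTERS).items():
        print(emp, "->", "; ".join(reasons))
```

Neither indicator proves fraud on its own; the point of combining them is that one employee tripping both is worth a reviewer's time, which is the kind of retrospective pattern Pemble describes. A single item just under the limit (alice here) is normal business and is not flagged.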
Both honest and deceitful staff should be told clearly what
fraud is, according to Pemble. "There is always the chance that
employees do not realise they are doing it," he says. "Minor
expenses fraud was normal in the 1970s. The vast majority of your
employees are not trying to defraud you. Also, employees do not
want to report on their colleagues, and are unlikely to suspect
them of any untoward behaviour, but a fraud hotline should be set
up so they have the option." He also recommends that all
authorisations should involve two people, and that there should be
stringent vetting and personnel controls.
Pemble says internal fraud deserves such attention because it
eclipses the external threat: once inside, those at the heart of
a firm can hit where it hurts.
French bank Societe Generale is still reeling from the £3.9bn it
lost at the hands of alleged rogue trader Jerome Kerviel. He spent
time in jail for breach of trust, fabricating documents and
illegally accessing computers, but is now out on bail. France's
second-largest bank says Kerviel's insider knowledge of its systems
allegedly allowed him to commit the fraud.
Adrian Davis, a senior security researcher at ISF, agrees that
companies are more vulnerable to corrupt insiders. "When someone
works for you they automatically bypass 95% of security defences
deployed," he says.
Kerviel has now launched court proceedings claiming that he was
unlawfully sacked. Companies clearly face a maze when proceeding
through the courts, and it is no wonder that this is seen as a last
option. "It is easier to fire someone than to go through a court
room," says Davis. "But policies need to state strongly what the
company will not tolerate, so that sacking is lawful."
Davis also advocates segregation of duties and management of
user accounts to keep a lid on the opportunities presented to
would-be con artists.
"Once inside, companies rely on giving people the right access,"
he says. "People need access to e-mail, file servers, print servers
and so on." Davis notes that another loophole that can be closed
with a little care is permissions. Staff are often allowed to keep
their permissions when they switch positions, so employees
accumulate access rights that their current jobs do not need.
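An access review that catches both of Davis's points, rights carried over from a previous job and combinations of rights that break segregation of duties, is a small reconciliation of what each user can do against what their current role should grant. The following is an added example, not code from the article, from Davis or from the ISF: the role model, the toxic-combination list and the user extract are constructed, and the role model deliberately contains a role that can both open and approve loans, the single-person authorisation the article's RBS case turned on.

```python
"""Access review over a constructed directory extract: flag entitlements a
user holds beyond their current role (rights kept after a job move), and
users or roles holding both halves of a segregation-of-duties conflict.
Roles, conflicts and users are assumptions for the example."""

# Assumed role model: the entitlements each role is meant to carry.
ROLE_ENTITLEMENTS = {
    "branch_manager": {"view_account", "open_loan", "approve_loan"},  # opens AND approves: see below
    "loan_officer":   {"view_account", "open_loan"},
    "call_centre":    {"view_account", "reset_customer_pin"},
    "it_support":     {"admin_console", "reset_customer_pin"},
}

# Assumed toxic combinations: no single person may hold both entitlements.
SOD_CONFLICTS = [
    ("open_loan", "approve_loan"),
    ("admin_console", "approve_loan"),
]

# Constructed directory extract: current role and the rights the user actually holds.
USERS = {
    "dmackenzie": {"role": "branch_manager",
                   "entitlements": {"view_account", "open_loan", "approve_loan"}},
    "jsmith":     {"role": "call_centre",      # moved here from loan_officer
                   "entitlements": {"view_account", "open_loan", "reset_customer_pin"}},
    "tlee":       {"role": "it_support",       # moved here from branch_manager
                   "entitlements": {"admin_console", "reset_customer_pin", "approve_loan"}},
}


def excess_entitlements(users=USERS, roles=ROLE_ENTITLEMENTS):
    """Entitlements a user holds that their current role does not grant."""
    out = {}
    for name, u in users.items():
        extra = u["entitlements"] - roles[u["role"]]
        if extra:
            out[name] = sorted(extra)
    return out


def sod_violations(users=USERS, conflicts=SOD_CONFLICTS):
    """Users holding both halves of a toxic combination, whatever their role."""
    out = {}
    for name, u in users.items():
        hits = [pair for pair in conflicts if set(pair) <= u["entitlements"]]
        if hits:
            out[name] = hits
    return out


def role_design_conflicts(roles=ROLE_ENTITLEMENTS, conflicts=SOD_CONFLICTS):
    """Roles whose own definition contains a toxic combination: the fix is to
    split the role (two-person authorisation), not to chase individual users."""
    out = {}
    for role, ents in roles.items():
        hits = [pair for pair in conflicts if set(pair) <= ents]
        if hits:
            out[role] = hits
    return out


if __name__ == "__main__":
    print("kept after job move:", excess_entitlements())
    print("SoD violations:", sod_violations())
    print("roles needing a split:", role_design_conflicts())
```

Two users here fail the review for the ordinary reason (a right kept after moving jobs), but the manager fails it without any leftover rights at all, because the role itself grants both sides of the loan process. That is the case an entitlement-only review misses and a segregation-of-duties check catches.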
The Financial Services Authority (FSA) also stresses that access
rights should be carefully monitored. FSA financial crime sector
leader Philip Robinson says, "It is up to individual firms to
decide how to manage the risk of insider fraud. However, examples
of good practice found in the industry include good vetting of
staff, segregation of duties and IT controls to prevent access to
systems or data that could be used to commit fraud.
"Generally, the industry has improved in this area but can do
more to manage the risks. There is a lot of work going on, but
firms should not be complacent. In particular they should consider
whether their vetting standards are adequate in higher risk areas
such as call centres and IT."
Financial services firms are required to notify the FSA of
significant fraud, and the regulator has the power to issue fines.
But it says further action depends on the firm and the fraud
involved. Those thought to have inadvertently enabled fraud through
weak security get rapped. Last May the FSA fined BNP Paribas
Private Bank £350,000 for weaknesses in systems and controls, which
enabled an employee to transfer £1.4m out of clients' accounts.
Robinson says that discovery of internal fraud is thwarted by
determined insiders who know how to manipulate systems to cover
their tracks, but he declined to comment on how much fraud goes
undetected.
But Bart Patrick, head of risk at fraud software supplier SAS,
estimates that few scams are actually unearthed. "Close one loop
hole and another opens," he says. "The systems currently
implemented do not make best use of all the information available
such as e-mails, telephone calls, entry and exit logs, system-usage
logs, website tracking and usage logs. Analysis of previous fraud
types and the development of big-picture fraud models seem to be
absent, even though the technology to do this is available.
Internal fraud still seems to be the hairy copper, which is lacking
sophistication."
He recommends software that strings together disparate data.
"Advanced modelling of diverse data is giving companies the edge in
real-time discovery," he says.
Patrick points to forward-looking technologies such as advanced
analytics and neural network analysis as good ideas. And he
advocates a few basic steps to thwart internal fraud:
• Sort out what data sources the organisation has.
• Employ advanced analytics across the data to statistically
understand fraud patterns.
• Create and use fraud models to interrogate the data on an
ongoing basis to uncover fraud in real-time.
• Then evolve these models in suitable timescales, as fraud
evolves.
An even bolder step would be datamining, but it is taken by very
few, he says. "I would go so far as to say that datamining and text
mining, with the associated modelling of this information is the
most significant step a complex financial institution can take to
counter internal fraud," he says.
Mark Girolami, of Glasgow University, delved into the use of
datamining to counter telecoms fraud among customers. His research
- Data Mining Tools for Fraud Detection - was designed to work on
call data record logging systems and was conducted in alliance with
software developer Memex. Even though it was geared at detecting
external fraud, the methods are general and could be applied
elsewhere.
"We were seeking to address the problem of characterising the
'behaviour' or 'patterns of usage' of individuals (or groups of
individuals) in terms of a statistical model (for each individual)
that could be used to answer questions such as 'what range of
actions is this individual most likely to make next or under
certain conditions'," Girolami says.
"The models can then be used to assess the likelihood of actions
or characteristics that were discordant with previous persistent
activities and possibly similar to activities suggestive of
potential malfeasance. The use of a statistical model meant that
ranked lists of red alerts could be generated which were optimal in
the sense of returning, for example, fraudulent behaviours at the
top of the ranked list."
The aim of the system was to detect "deviations from normal
activity that potentially would suggest malfeasance (given some
idea of the distinction between harmless anomalies and anomalies
suggestive of fraud)."
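Girolami's description, a statistical model per individual that scores how discordant new activity is with that person's own history and returns a ranked list of alerts, and Patrick's four steps (gather the data, fit models to it, interrogate new data against them continuously, refit as behaviour changes) reduce to the same loop. The following is an added example of that loop, not code from Girolami's research, from Memex or from SAS: it models each staff member's daily counts of a few action types as independent Poisson rates fitted from their own history, scores a new day by its negative log-likelihood under that model, and ranks staff most-discordant first. The action names, the 20-day histories, the day under review and the smoothing constant are all constructed for the illustration.

```python
"""Per-individual behaviour model: independent Poisson rates per action type,
fitted from each user's own history; a day's activity is scored by how
unlikely it is under that user's model, and users are ranked most-discordant
first. Histories, actions and smoothing are assumptions for the example."""
import math
from collections import defaultdict

ACTIONS = ("lookup", "amend", "apology_letter")


def day(lookup, amend, apology_letter):
    """One day's activity counts for a user."""
    return {"lookup": lookup, "amend": amend, "apology_letter": apology_letter}


# Constructed 20-day histories of daily action counts for three staff.
HISTORY = {
    "alice": [day(38 + i % 5, 2 + i % 3, 1 if i % 10 == 0 else 0) for i in range(20)],
    "bob":   [day(55 + i % 7, 4 + i % 2, 1 if i % 7 == 0 else 0) for i in range(20)],
    "carol": [day(18 + i % 4, 1 + i % 2, 0) for i in range(20)],
}

# Constructed activity for the day under review.
TODAY = {
    "alice": day(40, 3, 0),
    "bob":   day(58, 5, 8),      # apology letters far above his own baseline
    "carol": day(31, 1, 0),      # a mild rise in lookups
}


def fit(history, smoothing=0.5):
    """Per-user Poisson rate for each action: (total + s) / (days + 1).
    The smoothing keeps every rate above zero, so an action a user has
    never performed is merely very unlikely rather than impossible."""
    model = {}
    for user, days in history.items():
        totals = defaultdict(int)
        for d in days:
            for a in ACTIONS:
                totals[a] += d.get(a, 0)
        model[user] = {a: (totals[a] + smoothing) / (len(days) + 1) for a in ACTIONS}
    return model


def poisson_logpmf(k, rate):
    """log P(k | rate) for a Poisson variable."""
    return k * math.log(rate) - rate - math.lgamma(k + 1)


def surprise(model, user, activity):
    """Negative log-likelihood of one day's counts under the user's own model;
    higher means more discordant with that person's history."""
    return -sum(poisson_logpmf(activity.get(a, 0), model[user][a]) for a in ACTIONS)


def rank_alerts(model, today):
    """Ranked list of (user, score, most surprising action), most discordant first.
    The per-action breakdown tells the reviewer what to look at."""
    rows = []
    for user, activity in today.items():
        per_action = {a: -poisson_logpmf(activity.get(a, 0), model[user][a]) for a in ACTIONS}
        rows.append((user, surprise(model, user, activity), max(per_action, key=per_action.get)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    model = fit(HISTORY)
    for user, score, action in rank_alerts(model, TODAY):
        print(f"{user:8s} surprise={score:6.2f} driven by {action}")
    # Patrick's last step: once the day is reviewed, fold it into the history
    # and refit, so the baseline tracks how behaviour (and fraud) evolves.
```

The ranking is the useful output, not a yes/no verdict: the reviewer works from the top of the list down, and the "given some idea of the distinction between harmless anomalies and anomalies suggestive of fraud" caveat in the quote is exactly the judgement still left to them. A genuine step up in workload ranks above a quiet day on the same logic as a spike in apology letters, so the per-action breakdown matters as much as the score. Refitting on reviewed days is what keeps the model from either drifting into alarm fatigue or quietly learning a fraudster's behaviour as normal, which is why reviewed, not merely observed, days should feed the refit.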
Keeping track of deviations from normal activity is a huge job,
especially across the diverse landscape of systems typical of large
companies. Datamining techniques such as Girolami's expect most
users to conform to certain types of behaviour; if they stray from
that pattern, the system raises an alert. As opportunities for
colossal frauds continue to emerge in complex systems, it is clear
that unexplained changes in employee behaviour should raise
eyebrows. And as model bank manager MacKenzie's elaborate betrayal
of RBS shows, your enemy is closer than you think.