10 Golden Tenets of Fraud Prevention and Deterrence, Part 2

SPECIAL TO THE WEB

Vivek Krishnan, CFE

Possibly the toughest task for any fraud examiner is preventing and deterring fraud. Some believe that fraud control and prevention is at its best when the process of detection remains a secret. However, one of the best corollaries to this school of thought is the opposite: Be open about it. Below Krishnan continues his discussion of the remaining five golden tenets of fraud examination. (Read Part 1.)

RULE NO. 6: PRACTICE THE ART OF OBSERVATION AND LISTENING

I remember a conversation in the movie "Jurassic Park." The main characters pass the enclosures containing Velociraptors, which are extremely intelligent. The park's game warden says about one of the deadly dinosaurs, "When she looks at you, you can see she's working things out. That's why we have to feed 'em like this. She had them all attacking the fences when the feeders came." One of the scientists asks, "The fences are electrified, right?" The game warden replies, "That's right, but they never attack the same place twice. They were testing the fences for weaknesses, systematically. They remember." 

This is true in organizations, too. Fraudsters find flaws by constantly testing "the fences" of verification processes. We need to anticipate the weakest parts of the fences by:

  1. Knowing what/where/which controls to place.
  2. Knowing the effectiveness of the controls already placed.

During a visit to one of our offices, I saw an interesting ad in a nearby shop. It offered help in procuring Permanent Account Number (PAN) cards. (PANs are unique registration numbers provided by the Indian government's income tax department.) The shopkeeper assured three services: premium, regular and non-resident Indian (NRI). Premium would be delivered within a week, regular would be up to one month and NRI was for Indians who were settled abroad. This was at a time when the regular process required 45 days minimum to get a PAN card request processed.

One of the documents we were accepting for ID proof was the PAN card, so it was critical to stop locals who were forging these cards. We had to connect with officials and update our teams on identification mechanisms provided by the issuing authority to counter such schemes.

To date, such market visits help us validate the effectiveness of our controls.

RULE NO. 7: BEWARE OF DECOYS

The most important lesson for this rule is derived from rule No. 1: Never underestimate customers, support groups, internal employees, etc. The popular card game "Bluff" comes to mind. The best strategy is to be true in large turns (three to four cards at one go) and turn in single false additions. A good player spots the bluff. That's where fraud examiners come in.

I remember a time when business scaled up, the market was in its boom period and the volumes were high. Cases were bottlenecked at various stages, our teams were struggling with large volumes and the underwriters spent long hours fitting cases correctly into portfolios while also looking at their specifics and authenticity.

To ensure quality, special task forces were asked to do sampling. The sampling pattern adopted by this group was taken in the pattern 1, 4, 9, 11, 14, 19. We investigated a standard 15 percent of the cases.

The sampling was representative. The underwriters were satisfied because the results were the same — 100 percent positive on verifications. Because we knew the past history of patterns identified in that particular city, a bird's-eye view suggested that it needed deeper review.

We changed the sampling pattern slightly, and the results changed. We realized that the teams had been observing the pattern of sampling and somehow were aware of the sampling percentages. They converted these percentages into "targets." What would be the winning situation? They put the cases in the files they knew were accurate in the orders of 1, 4, 9, 11, 14, 19 so that proposals would go through smoothly without reworking them.

Many times our control mechanisms are identified without our knowledge. The executives threw in decoys knowing very well that we would catch them and therefore hoped we'd miss the loans that weren't sound investments for the banks. We checked the decoys and found them in perfect order. A sampled representative case (decoy case) that checks out is rarely checked again for other triggers of fraud. We checked the decoys and uncovered the true fraud.

Read the final golden tenets of fraud prevention on Fraud-Magazine.com.

10 Golden Tenets of Fraud Prevention and Deterrence, Part 1

SPECIAL TO THE WEB

Possibly the toughest task for any fraud examiner is preventing and deterring fraud. Some believe that fraud control and prevention is at its best when the process of detection remains a secret. However, it’s very interesting to see how people react when the mode of detection is open, and he or she knows they risk being caught.

RULE NO. 1: NEVER UNDERESTIMATE

A fraudster uses the same techniques we use for fraud prevention to find new ways to penetrate a system or process.

Regardless of your system’s complexity, it’s just a matter of time until a fraudster overcomes its protections. Periodically updating and revising your fraud identification techniques are essential.

We had this interesting training-room incident at a bank, at which we’d taught select members from a team to identify patterns in bank passbooks that could indicate fraud as they reviewed huge volumes of loan cases. We split the team into two groups: Group A (trained with special skills) and Group B (trained with basic skills).

We let Group B process the cases first, and then let Group A review the processed cases. Out of 100 proposals reviewed by Group A, 12 cases matched the patterns that we had taught them. We didn’t tell the two groups, but we then added three perfect, pre-screened, fraud-free cases. We announced to Group B that 15 cases had been turned down for loans. We allowed Group B members to review any of the cases once again.

Within an hour, a shrewd member of Group B walked up with the three cases we added, asking, “Would you please re-process these cases? I think there has been a mistake in the assessment.” We asked him why he felt so. He said, “I’ve been observing these guys [members of Group A] from across the room and felt whatever they were looking for wasn’t here." He quickly explained the pattern that we had taught Group A.

Many of us sitting inside glass walls feel secure about the processes that are our safety valves. However, it's just a matter of time before fraudsters can penetrate processes and know the triggers. Rarely, neither remains a secret. The objective is to continuously explore and never be under the impression that fraudsters won’t uncover your triggers or identification mechanisms.

RULE NO. 2: NEVER REPLACE DILIGENCE WITH AUTOMATION

Nothing can substitute for common sense and diligence. We need technological fraud prevention mechanisms, but we can’t forget that the answers we seek depend on how logically and accurately we design the questions. And if someone tampers with your logic or queries, you could be barking up the wrong tree.

The Indian people work hard to retain their culture. Many across the country have the same first names. Street, city and locality names are also very similar or exactly the same. Therefore, when investigators find a match in a credit bureau verification report of a customer, they verify all details to establish that the customer and person in the report are one and the same. Customer credentialing for granting financing or loans is one of the toughest.

I recall a verification case in which we tried to review three years of income tax return (ITR) forms. However, the preliminary verification report stated that two of the forms didn’t exist. Based on these automated reports, we were about to decline the proposal. However, we wanted to make sure that we weren’t losing a good customer because the other documents apart from the ITR didn’t show any negative patterns. It’s prudent in business not to reject good customers simply because they made mistakes in the process or documentation. In this case, we decided to investigate the matter.

The evolving story was an eyeopener. 

Read the remaining golden tenets on Fraud-Magazine.com.