Internal fraud casts a long shadow over banks across Africa. With the Covid-19 crisis and home office policies, the situation will not get any better. NetGuardians’ fraud-mitigation software allows banks to shine a light on it, not only spotting and stopping instances of fraud but also acting as a deterrent, WRITE BERNARD RONO AND JONATHAN SOMERS.
Soon after a bank in Kenya implemented NetGuardians’ software, it spotted and blocked a $500,000 fraud attempt by a member of staff. Not only was the fraud averted, but the bank demonstrated to staff that all its IT systems were being monitored and that suspicious activities were being investigated immediately, acting as a deterrent to anyone thinking of making future fraud attempts.
Just as the public needs to trust a bank, the bank needs to trust its staff. NetGuardians’ fraud-mitigation software allows it to do just that. In the case of the Kenyan bank, NetGuardians’ software was able to spot the fraud as it was carried out, correctly identifying that the transfer of funds to another bank, which was then withdrawn via a digital channel, was suspicious. It’s a win-win for everyone – except the fraudsters.
Banks cannot let down their guard, not even for one second – which is the time it takes to carry out a fraud and destroy a bank’s reputation. According to ACFE’s Report To Nations 2016, 70 percent of fraud is internal thanks to weak controls. Existing internal controls can easily be overridden, and indicators of fraud are not continuously monitored, leaving the door open to the criminals. In Africa, the statistics are even gloomier, with insider frauds estimated to account for even more.
For banks worldwide, the weakest spot is often managing access to IT systems – this applies for both the front-end users as well as users with administrator privileges. Poorly guarded IT systems and the absence of accountability on those systems allows for illegitimate or nefarious access to be covered up. Such a situation provides opportunities for individuals and small groups working inside a bank to act together.
It appears that individual staff members often get away with fraud because they learn a system’s weaknesses – for example, initiating a self-authorizing transaction that will not need a second level of review. Additionally, sometimes supervisors share their credentials with juniors intentionally and these credentials are later misused to approve large-value, fraudulent payments, circumventing the bank’s security processes. Sometimes it is the administrators themselves who commit the fraud, using their unlimited access to the core IT system to steal huge amounts of money very quickly. Administrator abuse of privileged rights accounts for almost all internal fraud.
When it comes to collusion, banks rarely have adequate processes to prevent it. This makes them particularly vulnerable to criminal gangs with an insider at the bank. What is more, frauds committed by more than one person i.e. collusion are often of higher value since they are able to beat all controls put in place. It is important to do everything possible in terms of monitoring to stop them.
Banks need to be aware of these weaknesses, to monitor staff behavior and have controls to flag fraud indicators – alerts raised by the system that are triggered by suspicious activity. They need total visibility across all their IT systems as well the front and back office. They also need to be able to prevent fraud in real time, rather than spotting it after the event. Fortunately, many banks, like the Kenyan one above, are waking up to this and adopting fraud mitigation software to take care of these vulnerabilities.
This is how it works. NetGuardians’ solution compares the actions of staff in real time against a “regular” profile. It uses dynamic profiling and machine learning to build up a complete picture of a member of staff’s daily actions. If the staff member does something out of character – uses a different workstation, perhaps – an alert is raised, the action is blocked and the event can be investigated.
This type of profiling is so effective that it spots and stops more fraud than rules-based processes alone. In fact, we have demonstrated that it cuts fraud losses by 60 percent. And because the software learns as it runs, it raises fewer false alerts, saving the bank time that it would otherwise have spent investigating bona fide actions. Our research has also shown that a bank running NetGuardians’ software can reduce false alerts by up to 80 percent, with a 93 percent reduction in fraud-management time.
The dynamic profiling of staff starts at the implementation stage, which usually takes about three months, and is fine-tuned over the following couple of months using NetGuardians’ artificial intelligence and algorithms as well as live transactions. The experience of the Kenyan bank using NetGuardians software illustrates how effective this approach is, with the added benefit of being a deterrent.
For banks wanting to protect their customers’ cash and their own reputations, real-time, dynamic profiling is the only answer.