Over the last few years, the risk landscape for banks in India has undergone significant changes. There have been a number of high value frauds, leading to significant loss to the financial sector.
According to data released by the Central Bureau of Investigation (CBI), during 2008-2009, cases related to bank fraud increased by 128% to 23,917, amounting to INR18.83 billion from 10,450 cases amounting to INR7.79 billion recorded in 2004–05. “Individual fraudsters” have now turned into “hacker syndicates” that use a combination of banking knowledge, technology and insider information to execute fraudulent transactions.
Fraud continues to be one of the major problems in the banking and financial services realm.
The rapid growth of fraudulent activity is a testament to how difficult fraud is to detect and prevent — a fact that criminals take full advantage of by changing their tactics constantly to avoid detection. Fraudulent incidences that are currently daunting the Indian banking sector and rank the highest in terms of complaints received include internet and credit cards fraud, coupled with the ever-increasing issue of money laundering and its link with terrorist financing.
Traditional manual methods of control and process checklists can no longer mitigate such risks. This has resulted in fraud risk management emerging as a key practice in banks. In this scenario, the need of the hour is monitoring transactions as they occur and analyzing them for potential fraud behavior.
The regulator’s initiatives
A significant step taken by the RBI was its issuing a circular on a fraud risk management system for banks. This made their CEOs, audit committees and special committees accountable for systemic failure of controls, the absence of key controls or severe weaknesses in their existing controls, all of which facilitated exceptionally large-value frauds. Financial institutions responded well to the regulator’s requirements by undertaking significant changes in their policies and procedures, acquiring new skills and forming dedicated teams to prevent and detect frauds.
The RBI has recently released its report of the Working group on information security, electronic banking, technology risk management and cyber frauds.
Some of the key recommendations of the working group include:
- A risk-based transaction monitoring or surveillance process needs to be put in place. Banks may consider dynamic scoring models and related processes to trigger an alert in the case of transactions that are not normal in order to improve their preventive and detection capability. A study of customer transaction behavioral patterns, stopping irregular transactions or obtaining prior confirmation from customers for outlier transactions may be incorporated as part of the process by banks.
- Quick fraud-detection capabilities would enable banks to reduce their losses and also serve as a deterrent for fraudsters. Various important requirements in this regard include the generation of alerts, redressal mechanisms, and dedicated email ids and phone numbers to facilitate reporting of suspected fraud, mystery shopping and reviews.
- Banks should set up transaction monitoring units within their fraud risk management groups. Their transaction monitoring teams should be responsible for monitoring various types of transactions, especially in potentially vulnerable fraud areas, and raising an early alarm if their suspicions are raised. Banks need to put in place automated fraud-detection systems that are based on advanced statistical algorithms and techniques.
Guidelines on fraud transaction-monitoring system
Scope of coverage: For a transaction-monitoring system to be effective, the scope and complexity of the monitoring process should be determined on a risk-sensitive basis. This means that a bank or financial institution may need to undertake different levels of monitoring within its business units, depending on factors including the activities of a business unit, its customer base and the country in which it operates.
Knowing your customers: Understanding a bank or financial institution’s customers and updating their risk profiles on a risk-sensitive basis are important elements of an effective transaction-monitoring system. The better a bank or financial institution knows its customers, the greater is its ability to unearth discrepancies between a given transaction and a customer’s risk profile. This will provide it with critical information to detect and assess any unusual or suspicious activities. In addition, a good understanding of its customers is a prerequisite for a bank or financial institution, to enable it to implement the right monitoring methods for customers with different fraud risks.
Key components of fraud transaction monitoring: An effective monitoring system comprises the following two components:-
- Monitoring by front-line staff: Front-line employees know the most about customers and their typical patterns of transaction activities. They are in the best position to identify unusual activities. An effective monitoring system therefore includes provision of regular training to front-line staff to foster a high level of awareness in them. The training provided should cover the fraud risks associated with the operations for which front-line staff is responsible.
- Monitoring past transactions: Effective monitoring requires the production of periodic MIS reports and/or alerts, as well as the establishment of proper review procedures to ensure that customer transactions are a part of a bank or financial institution’s monitoring efforts on a risk-sensitive basis. Periodic transaction- monitoring reports and/or alerts should at the minimum cover cash and cheque transactions, frequent transfers from one or multiple locations, (especially in the case of newly opened accounts), a sudden surge in account activity or behavior, loan payments and prepayments, and reactivation of dormant accounts followed by unusually large or frequent transactions.
Identification of suspicious transactions: To determine whether a transaction or activity is unusual or suspicious (fraudulent), an effective transaction-monitoring system should include procedures to not only evaluate the current transactions of customers, but also the pattern of transactions and transaction flow. The current transaction should be compared with past transaction patterns and the customer’s risk profile.
Management of suspicious transactions: A monitoring system is only effective if suspicious transactions identified by the system are carefully examined and investigated, the follow-up action taken tracked and proper audit trails maintained for inspection by auditors and the regulator. It is therefore important that proper policies and procedures on transaction monitoring are developed and maintained by banks and financial institutions. The procedures should clearly set out the responsibilities of individual departments, e.g., the Business, Compliance, Fraud, Risk and Audit departments, engaged in transaction monitoring.
Regular review of system parameters: Regardless of whether an automated system is used, effective monitoring requires regular review and updating of the parameters or criteria used to generate monitoring reports or issue alerts. Regular enhancements should also be made to a bank or financial institution’s transaction-monitoring system to take into account changes in business operations and new fraud typologies. Any enhancements made to a system should be properly documented and approved by the organization’s management.
Management commitment: A prerequisite for establishing and maintaining an effective transaction-monitoring system is the support and commitment of an organization’s senior management. No transaction-monitoring system can be effective in the absence of adequate resources to maintain and operate the system.
Challenges in fraud-transaction monitoring
The financial services industry is facing significant challenges such as an increasing demand for real-time operations, the growing volume of online channel transactions, burgeoning challenges relating to security and fraud, the rising regulatory demand for enhanced credit and fraud risk management, the dire need for operational cost reduction and revenue generation — these are on top of any financial institution’s to-do list.
Provided below are some of the major challenges a financial institution could face while monitoring transactions:
- Emerging fraud trends: Rapidly evolving criminal tactics and the anonymity of e-commerce make fraud prevention a constantly moving target.
- Growing complexity: Acquisitions, growth and increased globalization make it more difficult than ever before to monitor multiple portfolios and business lines effectively.
- Technology limitations: Current systems may not support robust analytical modeling and may slow down the authentication process of transactions.
- Diverse data sources: Geographically, dispersed customers and businesses make it difficult to access the right information in the right format.
- Evolving compliance demands: Keeping up with changing regulatory requirements is a constant struggle.
Banking and financial institutions in India have begun recognizing the need for fraud transaction monitoring. The RBI’s circular emphasizes the need for robust fraud risk management practices in banks and financial institutions in light of rapidly increasing fraud. Banks are in the process of revamping their risk management frameworks and controls.
As part of this initiative, they are exploring different, new transaction monitoring and investigation solutions, since it is imperative for them to take concrete action in this direction in the current scenario.
Partner & National Director,
Fraud Investigation & Dispute Services (FIDS)