Principle

Member Organisations should conduct a Fraud Risk Assessment to identify the fraud risks to which they or their customers are subject and to assess the effectiveness of the controls in place to mitigate those risks.

Control Requirements

a. A Member Organisation should conduct an enterprise-wide Fraud Risk Assessment as part of its Counter-Fraud Programme.
b. The Fraud Risk Assessment should be based on a documented Fraud Risk Assessment Methodology.
c. At a minimum, the Fraud Risk Assessment Methodology should include:
   1. Identification of the inherent risks of fraud to which the Member Organisation and its customers are exposed.
   2. An assessment of the likelihood of each inherent risk occurring and of the impact on the Member Organisation and its customers if it were to occur.
   3. Testing of the effectiveness of the controls in place to prevent, detect and respond to the inherent risks identified.
   4. Determination of the residual risk of fraud to which the Member Organisation remains exposed once the implemented controls have been tested.
   5. The development of action plans to address residual risk that is outside risk appetite or could lead to a breach of regulations.
   6. Ongoing monitoring of action plans to validate that the risk is brought within appetite.
d. Risks identified in the Fraud Risk Assessment should be recorded in a formal centralised register.
e. Actions to address gaps identified in the Fraud Risk Assessment should be documented in a treatment plan and reviewed for adequacy and effectiveness in reducing the risks.
f. The outcome of the Fraud Risk Assessment should be formally approved by the relevant business owner.
g. When assessing fraud risks, Member Organisations should consider:
   1. Both frauds committed by persons outside the organisation (external fraud) and frauds committed by, or with the assistance of, people employed by the organisation (internal fraud).
   2. The output of Intelligence Monitoring and threat assessments.
   3. Fraud incidents and loss events.
   4. The modelling of potential threats to the organisation through Fraud Scenario Analysis.
   5. Product risk: the products and services offered and how they could be used to commit fraud.
   6. Customer risk: the customer base of the organisation, including, but not limited to, the type of customer (e.g., retail customer, corporate or regulated entity), the number of customers, their level of fraud awareness and their vulnerability to fraud.
   7. Delivery channel risk: the channels a customer can use to contact the Member Organisation or access its products and services, with particular consideration of the risks of remote interaction as products become increasingly digitalised.
   8. Transaction risk: the methods of conducting transactions, receiving funds or transferring value.
   9. Jurisdiction risk: the additional risks that arise where products and services can be used in a foreign country.
   10. Third Party risk: the use of third parties to deliver services to the organisation or its customers.
   11. Wholesale Payment Endpoint Security risk: end-to-end wholesale payment risks, covering communication (Member Organisation to Member Organisation, Member Organisation to system), systems (workstation terminals), people and processes.
h. Member Organisations should ensure that the Fraud Risk Assessment fully considers cyber-enabled fraud, including its interaction with the Member Organisation's Cyber Security risk management model.
i. The Fraud Risk Assessment should be performed at least annually.
j. Member Organisations should additionally update their Fraud Risk Assessment for changes in the internal or external fraud risk environment. These changes include, but are not limited to:
   1. A new gap or weakness identified in the control environment.
   2. New regulatory requirements.
   3. New products and services.
   4. New channels to market and new digital platforms.
   5. New business acquisitions.
   6. Sales or disposals of parts of the Member Organisation's business.
   7. Changes in the internal environment (e.g., organisational structure).
   8. New information obtained through fraud Intelligence Monitoring.