2.4. Counter-Fraud Maturity Model
The Counter-Fraud maturity level will be measured with the help of a predefined maturity model. The Counter-Fraud Maturity Model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarised in the table below. In order to achieve levels 3, 4 or 5, Member Organisations should first meet all criteria of the preceding maturity levels.
The table has three columns: Maturity Level, Definition and Criteria, and Explanation.

Level 0 - Non-existent
Definition and criteria:
- No documentation.
- There is no awareness of or attention for certain Counter-Fraud controls.
Explanation:
- Counter-Fraud controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such Counter-Fraud controls.

Level 1 - Ad-hoc
Definition and criteria:
- Counter-Fraud controls are not defined, or only partially defined.
- Counter-Fraud controls are performed in an inconsistent way.
- Counter-Fraud controls are not fully defined.
Explanation:
- Counter-Fraud control design and execution vary by department or owner.
- Counter-Fraud control design may only partially mitigate the identified risk, and execution may be inconsistent.

Level 2 - Repeatable but informal
Definition and criteria:
- The execution of Counter-Fraud controls is based on an informal and unwritten, though standardised, practice.
Explanation:
- Repeatable Counter-Fraud controls are in place. However, the control objectives and design are not formally defined or approved.
- There is limited consideration for a structured review or testing of a control.

Level 3 - Structured and formalised
Definition and criteria:
- Counter-Fraud controls are defined, approved, and implemented in a structured and formalised way.
- Fraud detection system capability is implemented and embedded.
- The implementation of Counter-Fraud controls can be demonstrated.
- Reporting is in place to monitor Counter-Fraud control performance.
Explanation:
- Counter-Fraud policies, standards and procedures are established.
- Counter-Fraud controls are implemented and embedded.
- Fraud detection system capability is in place to prevent and proactively detect fraud across all products and channels.
- Compliance with Counter-Fraud documentation (i.e., policies, standards, and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool.
- Key Performance Indicators (KPIs) are defined and reported to monitor the implementation of controls.

Level 4 - Managed and measurable
Definition and criteria:
- The effectiveness of Counter-Fraud controls is periodically assessed and improved when necessary.
- These periodic measurements, evaluations and opportunities for improvement are documented.
Explanation:
- Effectiveness of implemented Counter-Fraud controls is measured and periodically evaluated.
- Key Risk Indicators (KRIs) and trend reporting are used to monitor the position against risk appetite and give early warning of potential emerging issues.
- Results of measurement and evaluation are used to identify opportunities for improvement of the Counter-Fraud controls.

Level 5 - Adaptive
Definition and criteria:
- Counter-Fraud controls are subject to a continuous improvement plan.
Explanation:
- The enterprise-wide Counter-Fraud Programme focuses on continuous compliance, effectiveness, and improvement of the Counter-Fraud controls.
- Counter-Fraud controls are integrated with the enterprise risk management framework and practices.

Table 1 - Counter-Fraud Maturity Model
The objective of the Framework is to create an effective approach for addressing and managing Counter-Fraud risks within the financial sector. To achieve an appropriate Counter-Fraud maturity level, Member Organisations should operate at maturity level 3 or higher, as explained below.
2.4.1. Maturity Level 3
To achieve level 3 maturity, a Member Organisation should define, approve, and implement Counter-Fraud controls in line with the Control Requirements of this Framework. This includes the implementation of fraud detection system capability to prevent and proactively detect fraud.
In addition, a Member Organisation should monitor compliance with the Counter-Fraud documentation. The Counter-Fraud documentation should clearly indicate "why", "what" and "how" Counter-Fraud controls should be implemented. The Counter-Fraud documentation consists of Counter-Fraud policies, standards, and procedures.
Figure 3 - Counter-Fraud Documentation Pyramid
The Counter-Fraud Policy should be endorsed and mandated by the Board of the Member Organisation and state "why" countering fraud and protecting customers is important to the Member Organisation. The policy should highlight the overall scope of the Counter-Fraud Programme, key Counter-Fraud responsibilities and "what" Counter-Fraud principles and objectives should be established.
Based on the Counter-Fraud Policy, Counter-Fraud standards should be developed. These standards define "what" Counter-Fraud controls should be implemented, such as due diligence, authentication, prevention and detection. The standards support and reinforce the Counter-Fraud Policy and are to be considered the Counter-Fraud baselines.
The step-by-step tasks and activities that should be performed by staff of the Member Organisation are detailed in the Counter-Fraud procedures. These procedures prescribe "how" the Counter-Fraud controls, tasks and activities have to be executed in the operating environment.
The actual progress of the implementation, performance and compliance of the Counter-Fraud controls should be periodically monitored using Key Performance Indicators (KPIs).
2.4.2. Maturity Level 4
To achieve maturity level 4, Member Organisations should periodically measure and evaluate the effectiveness of the Counter-Fraud controls implemented to achieve maturity level 3. In order to measure and evaluate whether the Counter-Fraud controls are effective, Key Risk Indicators (KRIs) should be defined. A KRI indicates the norm for effectiveness measurement and should define thresholds to determine whether the actual result of measurement is below, on, or above the targeted norm. KRIs are used to monitor a potential increase in fraud risk exposure and allow actions to be taken to mitigate the risk before an increase in fraud cases occurs.
2.4.3. Maturity Level 5
Maturity level 5 focuses on the continuous improvement of Counter-Fraud controls. Continuous improvement is achieved through continuously analysing the goals and achievements of Counter-Fraud governance and identifying structural improvements. Counter-Fraud controls should be integrated with enterprise risk management practices and supported with automated real-time monitoring to assess control effectiveness. Business process owners should be accountable for monitoring the compliance of the Counter-Fraud controls, measuring the effectiveness of the Counter-Fraud controls, and incorporating the Counter-Fraud controls within the enterprise risk management framework.