4. Prevent
An effective Counter-Fraud Programme includes fraud prevention processes and controls to facilitate the identification of threats and mitigate the risk of fraud occurring. These processes and controls are proactive and have the objective of stopping a fraudster acting before they can cause harm to the organisation or its customers.
Figure 5 - Prevent Domain
4.1 Risk Management
Principle
A Fraud Risk Management Framework should be defined, approved and implemented, and should be aligned with the Member Organisation’s enterprise risk management process.
Control Requirements
a. The Fraud Risk Management Framework should be defined, approved and implemented.
b. The effectiveness of the Fraud Risk Management Framework should be measured and periodically evaluated using Key Performance Indicators, including at a minimum the volume and value of fraud cases.
c. The Fraud Risk Management Framework should be aligned with the Member Organisation’s enterprise risk management process.
d. The Fraud Risk Management Framework should address at a minimum:
1. Intelligence Monitoring.
2. Fraud Risk Assessment.
3. Fraud Risk Appetite.
4. Key Risk Indicators (KRIs).
e. Fraud risk management activities should involve, but not be limited to, the following stakeholders:
1. Business owners and users.
2. Operational Risk.
3. Counter-Fraud Department.
4. Cyber and IT departments.
5. HR.
6. Digital Department.
4.1.1 Intelligence Monitoring
Principle
Member Organisations should draw on a variety of internal and external data sources to identify and monitor emerging fraud threats.
Control Requirements
a. The fraud Intelligence Monitoring process should be defined, approved, and implemented.
b. When defining the Intelligence Monitoring process, Member Organisations should consider the SAMA Cyber Threat Intelligence Principles.
c. The effectiveness of fraud Intelligence Monitoring should be subject to periodic evaluation to assess whether the sources used are comprehensive and the intelligence collated is aiding the prevention of fraud.
d. The Intelligence Monitoring process should include:
1. Scanning, collation, analysis, assessment and dissemination of information on existing and emerging threats.
2. Capturing relevant details on identified threats, such as modus operandi, actors, motivation, the origin of attacks (e.g., organised crime group, jurisdiction) and type of threats.
3. Taking action to act on existing and emerging threats.
4. Sharing relevant intelligence with internal and external stakeholders (e.g., Cyber, Business Operations or SAMA).
e. Intelligence Monitoring activities should draw on a range of information sources to develop a holistic understanding of the Member Organisation’s fraud landscape. At a minimum, these should include:
1. Internal Audit reports, fraud investigation output and Fraud Scenario Analysis covering attempted and actual fraud to identify trending fraud tactics, techniques, and procedures (TTPs).
2. New and emerging fraud typologies identified by fraud detection systems, fraud investigators or the Counter-Fraud Department.
3. Insights from support functions (e.g., Internal Audit, Compliance, Cyber Security Event and Incident Management).
4. Reliable and relevant external sources on fraud trends both locally and globally, (e.g., government agencies, fraud forums and events, Counter-Fraud system vendors, open-source information, and subscription sources).
f. Member Organisations should, to the extent not prohibited by law or contractual terms, collaborate in sharing Counter-Fraud information including emerging fraud typologies, fraud threat intelligence on the groups who may be perpetrating fraud, TTPs and market trends with Saudi Central Bank and other organisations in the sector.
g. Member Organisations should share log-in information for confirmed fraud cases (e.g., mobile or Device ID, IP address) through the Sectorial Anti-Fraud Committee.
h. Member Organisations should perform analysis of log-in information shared by other Member Organisations to assess the level of exposure for their own customers and record the actions completed on an analysis log sheet which may be subject to independent review.
4.1.2 Fraud Risk Assessment
Principle
Member Organisations should conduct a Fraud Risk Assessment to identify fraud risks to which they or their customers are subject and assess the effectiveness of controls in place to mitigate the risks.
Control Requirements
a. A Member Organisation should conduct an enterprise-wide Fraud Risk Assessment as part of its Counter-Fraud Programme.
b. The Fraud Risk Assessment should be based on a documented Fraud Risk Assessment Methodology.
c. At a minimum, the Fraud Risk Assessment Methodology should include:
1. Identification of the inherent risk of fraud the Member Organisation and its customers are exposed to.
2. An assessment of the likelihood of the inherent risks occurring and the impact on the Member Organisation and its customers if the inherent risks were to occur.
3. Testing of the effectiveness of the controls in place to prevent, detect and respond to the inherent risks identified.
4. Determination of the residual risk of fraud that the Member Organisation remains exposed to following testing of implemented controls.
5. The development of action plans to address residual risk that is outside of risk appetite or could lead to a breach of regulations.
6. The ongoing monitoring of action plans to validate that the risk is brought within appetite.
d. Risks identified in the Fraud Risk Assessment should be recorded in a formal centralised register.
e. Actions to address gaps identified in the Fraud Risk Assessment should be documented in a treatment plan and reviewed for adequacy and effectiveness to reduce risks.
f. The outcome of the Fraud Risk Assessment should be formally approved by the relevant business owner.
g. When assessing fraud risks, Member Organisations should consider:
1. Both frauds committed by persons outside the organisation (external fraud) and frauds committed by or with the assistance of people employed by the organisation (internal fraud).
2. The output of Intelligence Monitoring and threat assessments.
3. Fraud incidents and loss events.
4. The modelling of potential threats to the organisation through Fraud Scenario Analysis.
5. Product risk - Products and services offered and how they could be used to commit fraud.
6. Customer risk - The customer base of the organisation, including, but not limited to the type of customer (e.g., Retail customer, corporate or regulated entity); the number of customers; the level of fraud awareness; and vulnerability to fraud.
7. Delivery channel risk - Channels that a customer can use to contact the Member Organisation or access their products and services, with particular consideration of the risks of remote interaction as digitalisation of products increases.
8. Transaction risk - The methods of conducting transactions, receiving funds, or transferring value.
9. Jurisdiction risk - The additional risks where products and services can be used in a foreign country.
10. Third Party Risk - The use of third parties to deliver services to the organisation or its customers.
11. Wholesale Payment Endpoint Security Risk - End-to-end wholesale payments risks, including communication (Member Organisation to other Member Organisation, Member Organisation to system); systems (Workstation terminal); people; and processes.
h. Member Organisations should ensure that the Fraud Risk Assessment fully considers cyber enabled fraud, including the interaction with the member organisation's Cyber Security risk management model.
i. The Fraud Risk Assessment should be performed at a minimum on an annual basis.
j. Member Organisations should additionally update their Fraud Risk Assessment for changes in the internal or external fraud risk environment. These changes include, but are not limited to:
1. A new gap or weakness identified in the control environment.
2. New regulatory requirements.
3. New products and services.
4. New channels to market and new digital platforms.
5. New business acquisitions.
6. Sale or disposals of parts of the Member Organisation's business.
7. Changes in the internal environment (e.g., organisational structure).
8. New information obtained in fraud Intelligence Monitoring.
4.1.3 Risk Appetite
Principle
Member Organisations should define, approve, and apply their Fraud Risk Appetite when designing and implementing Counter-Fraud systems and controls.
Control Requirements
a. The Fraud Risk Appetite of the Member Organisation should be defined to state the level of fraud risk the Member Organisation is willing to tolerate.
b. The Member Organisation Fraud Risk Appetite should be based on the outcome of the Fraud Risk Assessment and aligned to the overall risk appetite of the organisation.
c. When defining Fraud Risk Appetite, Member Organisations should put in place measures with associated thresholds and limits that address the impact on both:
1. The Member Organisation (e.g., fraud losses, reputational damage); and
2. Its customers (e.g., customer losses, number of fraud victims, inconvenience).
d. In the event that a Fraud Risk Appetite limit is breached with an impact on customers, a Member Organisation should escalate to Senior Management and initiate a crisis management process that should:
1. Involve the CEO and other Senior Managers in the Member Organisation.
2. Require meetings on at least a weekly basis until the issue is resolved and the measure returns to a level within appetite.
e. Fraud Risk Appetite should be reviewed on at least an annual basis and be formally endorsed by the Board.
f. Fraud Risk Appetite should be monitored and updated for material changes to the Member Organisation’s business model.
4.1.4 Key Risk Indicators
Principle
Member Organisations should define, approve, and monitor KRIs to measure and evaluate position against agreed Fraud Risk Appetite and provide an early indication of increasing fraud risk exposure.
Control Requirements
a. The KRIs defined by the Member Organisation should be based on a documented methodology which should require:
1. KRIs to monitor exposure against the risks identified in the Fraud Risk Assessment.
2. KRIs to consider risks to the organisation (e.g., fraud losses, reputational impact, operational management of fraud alerts) and its customers (e.g., customer losses).
3. KRIs to be approved by the CFGC or wider Risk Committee which governs the Counter-Fraud Programme in line with the requirements included in sub-domain 3.1.
4. All KRIs to have a documented owner who is responsible for monitoring the KRI and taking early action if risk exposure exceeds Fraud Risk Appetite.
5. KRIs to be periodically reported to Senior Management and relevant stakeholders (minimum on a quarterly basis).
6. KRIs to be reviewed and updated at a minimum on an annual basis and more frequently in response to material changes to the fraud landscape or the Member Organisation Fraud Risk Assessment.
b. KRIs should be forward looking and provide an early indication of increasing fraud risk exposure rather than simply measuring fraud volumes or losses (e.g., controls rated as ineffective in control testing; failure of employees to complete mandatory fraud training; or fraud alerts not reviewed within defined service level agreements).
c. When developing KRIs, Member Organisations should define thresholds that allow them to determine whether the actual result of measurement is below, on, or above the targeted risk appetite position.
d. Member Organisations should ensure that metrics associated with KRIs are complete, accurate and generated on a timely basis.
4.2 Due Diligence
Principle
Member Organisations should define, approve and implement standards for assessing the fraud risk associated with employees, customers and third parties to prevent the establishment of relationships outside risk appetite and manage fraud risks throughout the duration of the relationship.
Control Requirements
a. Due Diligence standards should be defined, communicated, and implemented.
b. Due Diligence standards should be approved by individuals of appropriate responsibility (e.g., Employee Due Diligence in HR).
c. Due Diligence standards should consider employees, customers and third parties.
d. Due Diligence standards should be aligned to the risks identified in the Fraud Risk Assessment.
e. Member Organisations should review and update Due Diligence standards on a periodic basis and in response to material changes to the fraud landscape, the Member Organisation Fraud Risk Assessment, customer groups serviced by the Member Organisation or changes to the products or services it offers.
f. The effectiveness of the fraud Due Diligence standards should be measured and periodically evaluated.
g. Due Diligence standards should include:
1. The Due Diligence checks and requirements that should be conducted to provide an informed understanding of fraud risk.
2. When Due Diligence should be conducted.
3. The role(s) responsible for conducting and approving Due Diligence.
4. Red flags or warning signs which may indicate increased fraud risk and result in the requirement for escalation or further checks to be completed.
5. Red flags or warning signs which indicate an employee, customer or third party is outside risk appetite and the relationship should be declined or exited.
6. Steps to be taken to exit relationships outside risk appetite.
4.2.1 Employee Due Diligence
Principle
Member Organisations should ensure background checks are conducted on employees, including contractors, to reduce the exposure to internal fraud risks and reputational damage resulting from the actions of staff of the Member Organisation.
Control Requirements
a. Employee Due Diligence measures should reflect the risks of internal fraud impacting the Member Organisation.
b. Employee Due Diligence should have the objective of establishing the identity, integrity, and verifying the credentials of the employee, enabling the Member Organisation to determine whether they are suitable for the position.
c. Employee Due Diligence should consist of screening and background checks on the employee, including but not limited to:
1. Confirmation of identity.
2. Criminal background checks.
3. Conflict of interest checks.
4. Verification of qualifications claimed.
5. Previous employment checks.
d. Employee Due Diligence should be:
1. Conducted as part of the hiring process.
2. Reassessed when an existing employee moves to a new role.
3. Reperformed periodically on a risk-based approach (e.g., re-performance of screening for criminal or fraudulent behaviour to validate that employees remain suitable for the position).
e. Member Organisations should assess roles which represent a high risk of fraud and document any enhanced checks required.
f. The outcome of Employee Due Diligence checks should be retained in line with the Member Organisation’s record management policies for personal information.
4.2.2 Customer Due Diligence
Principle
Member Organisations should establish controls to capture and validate the identity of customers to reduce the exposure to external fraud losses.
Control Requirements
a. When establishing a new customer relationship, Member Organisations should check and verify the identity of the customer to reasonably ensure that it is not exposed to fraud risk.
b. Customer Due Diligence should align with the Member Organisation’s policies on Anti Money Laundering (AML) and Countering Terrorist Financing (CTF).
c. Customer Due Diligence should be conducted as a part of the onboarding process and at appropriate times in the ongoing relationship with the customer (e.g., addition of new credit product).
d. Customer Due Diligence should be enhanced with additional checks for higher risk customers or in response to a perceived increased fraud threat (e.g., if impersonation is suspected or there is a concern on the validity or legitimacy of documents provided to prove identity or evidence financial history).
e. Where a customer relationship is initiated on a remote basis (e.g., online), Member Organisations should assess the risk of impersonation and the set-up of mule accounts, implementing appropriate controls to mitigate the risk, including but not limited to:
1. Ensuring a phone number or National ID/Iqama is linked to one customer application only. In the event an exception is identified (e.g., dependent family member), additional due diligence checks should be conducted to validate the authenticity of the application and monitoring use cases should be developed.
2. Authentication of the account opening request via the National Single Sign-On portal using Biometric based authentication (e.g., facial identification from national trusted party).
3. Verification that the ownership of the phone number is registered to the same user through a trusted party (i.e., the name of the account applicant and national ID match).
4. Including a one-time-password mechanism (OTP) explaining that a new account is being opened as a form of verification. The OTP must be sent to the verified phone number.
5. Notification of the completion of account opening should be sent to verified phone number that is registered for the account as well as to the phone number that is registered in the national single sign-on portal.
6. Requiring the use of a registered National Address.
7. Where a physical card is to be provided, this should be:
a. Sent to the registered National Address of the customer only; or
b. Collected from an ATM with the customer verified using biometric authentication.
8. Following initial set up, restrictions should be placed on the account (e.g., reduced transaction value limit) until such time as the Member Organisation validates that the customer is genuine (e.g., use of biometric authentication mechanism through facial identification from national trusted party periodically, physical presence in a branch or kiosk supported by biometrics, regular pattern of account activity over a period of time).
9. Developing comprehensive use cases to proactively identify potential mule accounts and implementing monitoring of the use cases through detection software (e.g., value of incoming funds, high transaction frequency, transaction patterns that do not fit expected behaviours, sudden increase in activity following dormancy).
10. Measuring and periodically evaluating the effectiveness of controls to mitigate the risk of impersonation and set-up of mule accounts.
4.2.3 Third Party Due Diligence
Principle
Member Organisations should ensure proportionate Due Diligence is conducted on third parties to develop an understanding of fraud risk associated with business relationships and ensure third parties are appropriately managed to mitigate the risk.
Control Requirements
a. Third Party Due Diligence should consist of checks and vetting procedures on a risk-based approach to allow an assessment of the fraud risks presented by the relationship.
b. Third Party Due Diligence should be conducted prior to entering into a commitment for a new relationship
c. Third Party Due Diligence should be reviewed periodically or following a trigger which indicates increased fraud risk (e.g., concerns on the conduct of a third party or its employees; or negative media articles).
d. Third Party Due Diligence should be enhanced for:
1. Higher risk third parties or their representatives
2. Third parties providing critical services to the Member Organisation.
e. Enhanced Third Party Due Diligence checks should include additional steps to assess the fraud risks presented by the relationship (e.g., additional vetting or assessing the third party approach to managing the risk of fraud).
f. Where a Member Organisation outsources services to a third party organisation, that third party should comply with the Member Organisation’s Counter-Fraud Policy or apply an equivalent approach.
4.3 Training and Awareness
Principle
A fraud awareness programme should be defined, approved, and conducted for employees, customers and third parties of the Member Organisation.
Control Requirements
a. The fraud awareness programme should be defined, approved, and conducted to promote awareness of fraud risks, provide education on preventing, detecting, and responding to potential fraud and create a positive Counter-Fraud culture.
b. The fraud awareness programme should include coverage of:
1. Employees of the Member Organisation.
2. Customers of the Member Organisation.
3. Third parties who hold relationships with the Member Organisation.
c. The fraud awareness programme should consist of training, education and awareness materials directly linked to risks and threats identified in the Fraud Risk Assessment.
d. The fraud awareness programme should:
1. Outline the nature, scale and scope of training and education to be delivered.
2. Be tailored to the different target groups.
3. Be delivered via multiple channels.
e. The activities of the fraud awareness programme should be conducted periodically and throughout the year.
f. Member Organisations should ensure that the programme is updated at least annually to account for changes in the fraud threat landscape or in response to new fraud threats identified in Intelligence Monitoring.
g. Where a new or emerging fraud typology may impact the Member Organisation and its customers, Member Organisations should take immediate action to make employees, customers and relevant third parties aware of the threat and preventive measures to be taken (where applicable).
h. Member Organisations should monitor and evaluate the effectiveness of the fraud awareness programme and implement improvements where required.
4.3.1 Employee Fraud Training and Awareness
Principle
Member Organisations should define and deliver an employee fraud training and awareness programme to enable employees to identify fraud and report it promptly.
Control Requirements
a. Counter-Fraud training should enable employees to develop a clear understanding of the Member Organisation's Counter-Fraud policies and procedures and their personal responsibilities in relation to fraud prevention and detection.
b. Training should be provided to all employees at, or shortly after, onboarding and be refreshed at regular intervals.
c. The Member Organisation's fraud training and awareness programme should be risk based, including the requirement for certain employees to be provided with specialised training depending upon the fraud risk associated with their role (e.g., managers with positions of authority, customer facing staff in branches, employees operating CounterFraud controls and fraud investigators).
d. Counter-Fraud training should include a knowledge check to assess whether the employee has understood the content. Employees who do not pass the knowledge check should be required to repeat the training and pass rates should be monitored, with action taken if there are repeated failures (e.g., re-training via another delivery method or removal of authority to operate a Counter-Fraud control until successful).
e. The Board of Directors and Senior Management at Member Organisations should be provided with fraud training tailored to the seniority of the role (e.g., fraud awareness, setting an appropriate culture and governance).
f. Formally delivered training should be augmented by ongoing employee education activity to maintain the general fraud awareness of employees (e.g., issuing reminders and circulars on potential indicators of fraud and common fraud typologies).
g. Member Organisations should maintain records of fraud training delivered to employees and awareness activity conducted.
h. Member Organisations should have a documented process to manage employees who are non-compliant with the training requirements for their role.
4.3.2 Customer Fraud Awareness
Principle
Member Organisations should define and conduct a customer fraud awareness programme of activity to increase customer understanding of fraud risks; help customers to recognise and resist fraud attempts; and inform them how to report fraud.
Control Requirements
a. Customer fraud awareness activity should deliver relevant and timely education to customers and promote fraud awareness.
b. The activity delivered through the customer fraud awareness programme should include, at a minimum:
1. Information on the fraud threats and scams customers may be exposed to.
2. Customer responsibilities about countering fraud.
3. How customers can prevent themselves from becoming victims.
4. How to report to the Member Organisation if the customer believes they have been a victim of fraud.
c. Customer fraud awareness activity should be tailored to the current fraud trends impacting the Member Organisation and its sector, including but not limited to the fraud typologies observed and the point of compromise which led to the fraud (e.g., SMS, email, social media).
d. Customer fraud awareness activity should cover the duration of the customer lifecycle (e.g., onboarding, changes to product holdings, transactions and settlements).
e. Member Organisations should deliver customer awareness materials through all communication channels offered to the customer (e.g., website, mobile app, email, post, and SMS).
f. Member Organisations should provide additional education on fraud protection to customers who may be vulnerable to or have been the victim of a scam (e.g., support on the phone or additional materials via email or post).
4.3.3 Third Party Fraud Awareness
Principle
Member Organisations should define and deliver a proportionate fraud awareness programme to third parties outlining expectations in respect of Counter-Fraud activity and prompt reporting of suspicious activity.
Control Requirements
a. Third party fraud awareness requirements should be documented and agreed in contractual arrangements where applicable.
b. Member Organisations should provide risk-based fraud awareness materials to third parties at the outset of a relationship and refresh periodically as required.
c. Third party fraud awareness requirements should as a minimum include:
1. The creation of a positive Counter-Fraud culture.
2. Third party roles and responsibilities regarding fraud.
3. Tailored messaging aligned to the fraud risks of the services provided by the third party.
4. Reporting mechanisms available to the third party.
4.4. Authentication
Principle
Member Organisations should define, approve, implement and maintain a standard for the authentication of customer, employee and third party credentials and instructions to ensure information is protected and unauthorised access or actions are prevented. This should be risk-based and utilise multi-factor authentication.
Control Requirements
a. A Member Organisation should define, approve, implement and maintain an authentication standard with input from both the Counter-Fraud Department and Cyber Security Team.
b. A Member Organisation's authentication standard should consider the risks identified in its Fraud Risk Assessment and Cyber Security Risk Assessment.
c. The authentication standard should consider both customer access to products and services, and employee and third party access to Member Organisation systems.
d. When defining the authentication standard, Member Organisations should take note of the following Control Requirements outlined in The Cyber Security Framework:
1. 3.3.5 Identity and access management
2. 3.3.13 Electronic Banking Services
e. A Member Organisation's authentication standard should cover both digital (e.g., online services and mobile app) and non-digital (e.g., phone, ATM and branch) channels.
f. Member Organisations should adopt a risk-based approach to authentication with higher risk instructions or activity subject to multi-factor authentication before they are acted upon.
g. Multi-factor authentication conducted by Member Organisations for identification or transaction verification should not solely consist of One Time Passwords (OTPs) sent via SMS. Member Organisations should implement additional factors, including but not limited to:
1. Approval of transactions through Mobile App (e.g., sending a push notification to mobile app on a trusted device).
2. Device characteristics (e.g., trusted/known mobile device).
3. Geolocation (e.g., verifying location, IP address or checking mobile network).
4. Behavioural profile (e.g., variations to usual transaction volume, value, frequency and/or currency).
5. Biometric behavioural profile (e.g., identification of changes in the way a customer or employee uses a browser or device).
h. Where an OTP is sent via SMS, the purpose, amount and merchant name should be clearly defined in line with SAMA approved notification templates.
i. OTPs sent via SMS should be in the language selected by the customer on the account (e.g., Arabic, English).
j. Member Organisations should define high-risk instructions or activity in the authentication standard which should include, but not be limited to:
1. Registration process for online or mobile app product access.
2. Activating a token on a new or additional device.
3. Adding a credit/debit card to a digital wallet on a mobile device.
4. Reset of security credentials following failed attempts to access phone, online or remote facilities.
5. Logging in to digital products from a previously unknown device or location.
6. Payments to an e-wallet or digital wallet.
7. High risk transaction, withdrawals, or transfer of funds (e.g., exceeding pre-defined limits/thresholds, transfers large relative to overall balance or remittance/international transfers).
8. Adding or modifying beneficiaries.
9. Change of account holder details (e.g., address or contact details).
10. Change of language used on the account (e.g., Arabic to English).
11. Reset of password or PIN.
12. Issue and activation of a new debit/credit card.
13. Reactivation of dormant accounts or blocked services.
14. A combination of activity(s) which may be indicative of fraud or account takeover (e.g., aggregated risk score following failed log-in attempts, buying gift cards, use of new device or new geolocation).
k. Member Organisations should require a third authentication factor (e.g., a phone call to the number on the account requiring verification of secure information, a physical visit to a branch, generating a token with a temporary password linked to a device, OTP) to validate an instruction when:
1. A user log-in attempt to mobile and online services is detected as an anomalous session (e.g., a device ID or location is different from previously known log-in parameters, or the IP address is flagged as a risk).
2. A transaction is instructed from a non-trusted device to a newly added beneficiary.
3. An abnormal transfer rate (e.g., five transfers per hour for a retail customer) is exceeded.
l. Member Organisations should restrict activity where an anomalous session is identified to low level transactions until the organisation is able to authenticate the request originates from the genuine customer and can make the device trusted.
1. Low level transactions should be defined by the Member Organisation in Fraud prevention standards (see 4.6).
4.5. Fraud, Financial Crime and Cyber Alignment
Principle
Member Organisations should ensure that Cyber Security, Counter-Fraud and Financial Crime Team operational capabilities are aligned to deter fraud.
Control Requirements
a. Member Organisations should define and implement a process for the alignment of the Counter-Fraud, Cyber Security and Financial Crime Team operational capabilities which should include at a minimum:
1. Defining clear roles and responsibilities between the Counter-Fraud Department, Financial Crime and Cyber Security teams.
2. Cross training between the Counter-Fraud Department, Financial Crime and Cyber Security Teams.
3. The establishment of multi-disciplinary contacts between Cyber, Financial Crime and Counter-Fraud Departments to regularly share knowledge.
4. Development of joint task forces between Counter-Fraud, Financial Crime and Cyber Departments to align working practice and collectively engage the wider organisation.
5. Undertaking joint threat assessment workshops or Fraud Scenario Analysis with business units to collectively identify threats and share insights from Intelligence Monitoring.
6. Storing relevant threat intelligence in a centralised repository, with access restricted to relevant stakeholders.
7. Identification of opportunities to unify fraud and cyber prevention and detection systems and tools (e.g., provision of data on user monitoring or customer location through IP address).
8. Alignment of Cyber, Financial Crime and Fraud incident response approach where incidents occur across capabilities.
9. Co-ordination of corrective actions to disrupt the organised groups orchestrating fraud (e.g., taking down fake websites set up to capture customer details).
10. Conducting joint retrospective lessons learnt exercises following fraud incidents that relate to data, systems, processes and controls spanning the Counter-Fraud, Financial Crime and Cyber capabilities.
4.6. Fraud Prevention Standards
Principle
Member Organisations should have defined, approved, implemented and maintained standards for the prevention of fraud which should be aligned to the fraud risks impacting the organisation and its customers.
Control Requirements
a. Member Organisations should define, approve, implement and maintain standards to aid the prevention of fraud addressing both internal fraud and external fraud risks impacting the organisation.
b. Member Organisations should review and update fraud prevention standards on a periodic basis and in response to material changes to the fraud landscape or the Member Organisation Fraud Risk Assessment.
c. The compliance with the fraud prevention standards should be monitored.
d. The effectiveness of the fraud prevention standards and related controls should be measured and periodically evaluated.
e. The output of the Fraud Risk Assessment should be used to determine where prevention activity is focused, and controls should be proportionate to the risk appetite of the organisation.
f. Fraud prevention standards may be manual or automated, and should include at a minimum:
1. The controls implemented to prevent fraud (e.g., segregation of duties, approval and escalations, employee training, access restrictions, due diligence and integrity checks, notification of account changes, transaction limits, underwriting checks).
2. Systems and technology implemented to prevent fraud (e.g., identity and access management, authentication, issuance of one-time-passwords, biometrics).
3. Roles and responsibilities for fraud prevention (e.g., customer application review at onboarding, training design, due diligence, system testing).
4. Rationale outlining why the prevention controls are appropriate to the risks faced by the organisation.
g. Member Organisations should define the approach to setting limits and thresholds for preventive controls (where applicable) in fraud prevention standards, considering:
1. The outcome of the Fraud Risk Assessment.
2. Fraud incidents and losses experienced.
3. Fraud Risk Appetite.
4.6.1 Internal Fraud
Principle
Member Organisation fraud prevention standards should include controls designed to prevent internal fraud.
Control Requirements
a. A Member Organisation should include in its fraud prevention standards, controls to mitigate the risk of internal fraud occurring, including but not limited to:
1. Requiring employees to adhere to a Code of Conduct.
2. Requiring all employees to take block leave of a minimum continuous period of 10 working days each year.
3. Segregation of duties in payment and fulfilment processes supported by documented authorisation matrices.
4. Dual controls or secondary checking of control operation, with an additional review or approval process for transactions above thresholds defined by the Member Organisation (e.g., value of transaction or payments to a new supplier) or higher risk transactions (e.g., access to dormant accounts).
5. Restricting access to secret customer details for all employees (e.g., online credentials, OTP messages).
6. Restricting access to confidential customer account data (e.g., account balance, loan amount) where visibility is not required in the job role (e.g., IT employees). Where access is required, activity should be logged and securely stored (see control requirement 5.3.b).
7. Requirements for appropriate handling of confidential data.
8. Controls over access to cheques and cash.
9. Controls to safeguard the physical security of assets (e.g., requiring staff identification at all times, securing and tracking equipment and restricting access to sensitive assets).
b. Member Organisations should take note of the Identity and Access Management Control Requirements relating to user access management and privileged access management outlined in The Cyber Security Framework.
c. Member Organisations should ensure that individuals responsible for operating internal fraud controls are sufficiently independent from the individuals they are monitoring.
d. Member Organisations should put in place appropriate processes and controls to deter and avoid conflicts of interest and related party transactions for their directors, managers, employees, external businesses, and contractors, including but not limited to:
1. Creating a policy that clearly outlines prohibited behaviour.
2. Limiting the flow of information between internal departments and employees through information barriers.
3. Providing guidance, instructions and examples on avoiding conflicts of interest.
4. Requiring immediate disclosure of any conflicts or potential conflicts.
4.6.2 External Fraud
Principle
Member Organisation fraud prevention standards should include controls designed to prevent external fraud.
Control Requirements
a. A Member Organisation should include in its fraud prevention standards, controls to mitigate the risk of external fraud occurring, including but not limited to:
1. Hotline available 24 hours to report suspected fraud and take immediate action to respond to the fraud (e.g., blocking account access or cards).
2. The provision of an emergency stop self-service capability for customers to immediately freeze their account and block further transactions if they suspect their account has been compromised.
3. Customer identity and access management controls for online/mobile accounts and digital products.
4. Use of blacklists to screen and block transactions, card provisioning or access from identified high risk:
a. Accounts
b. IP addresses
c. Email addresses
d. Compromised devices or those that have previously been used for fraud (e.g., mobile phone app registered to an account which has been used to conduct fraud).
5. The capability to swiftly block transactions from customer accounts/cards, with defined safeguards in place to release the block.
6. Requiring users of online and mobile services to consent to the activation of GPS during an active session to allow the organisation to monitor location.
7. The capability for mobile apps to detect use on devices which have subject to jailbreaking or rooting, and subsequently block the use of the app or restrict access to sensitive data or features.
8. Prohibiting the use of VPN services when accessing online or mobile services.
9. Device registration which allows users to register trusted devices for access management.
10. A restriction on concurrent log-ins to mobile app or a limitation on the number of devices which a mobile app can be installed and accessed.
11. The identification of mule accounts (e.g., accounts set-up to receive fraudulently obtained funds and launder the proceeds of crime).
12. User behaviour profiles which allow rules to be implemented to prevent access to customer accounts if unusual behaviour is identified.
13. Monitoring of product inactivity and dormancy, particularly where products are reactivated.
14. Notification sent to the customer when changes are made to static data to previous and new details.
15. Online, mobile and phone payments:
a. Sending an OTP to verify all payments instructed (new and existing beneficiaries), including transactions through remittance accounts.
b. Notification to the customer of new payees added (e.g., SMS, call back).
c. Setting a default limit for single and daily transactions which should be periodically reviewed and updated where required (e.g., review of customer profiles and behaviours, and actual fraud cases/customer losses).
d. Notify the customer if the default transaction limit is increased (e.g., if the customer account type is upgraded).
e. The option for customers to reduce the default limit for a single transaction.
f. The option for customers to reduce the default limit for daily transactions.
g. An immediate block on further transactions if a transaction limit is reached either through individual or recurring payments whether to one or multiple beneficiaries.
h. Additional verification checks to authenticate:
i. Unusual transactions (e.g., transactions after a period of account dormancy, changes to customer behaviours).
ii. Unusual patterns of transactions (e.g., multiple payments to the same beneficiary in a short period).
iii. Transactions exceeding a defined value threshold.
iv. Requests to increase the single or daily transaction limit.
v. Initial transactions after registration for online banking or mobile services, or registration of a new device.
i. Additional verification checks should include but not be limited to, one or more of the following:
i. Automated call-backs.
ii. Manual call-backs.
iii. SMS to registered mobile number.
iv. Authentication via biometrics on registered mobile device.
16. Credit and debit cards:
a. Adherence to all card scheme rules (e.g., mada business rules, Visa CVV2 code, Mastercard CVC2 code).
b. Use of one-time passwords (OTPs) to approve online transactions.
c. For high risk transactions, the use of extra authentication measures in addition to OTPs or mobile app approval (e.g., automated call-back to the phone number on the account).
d. Address/Postal code verification for online card payments.
e. New cards issued to require activation before use.
17. Validation controls to ensure the authenticity of cheques and similar instruments.
18. Periodic inspection of ATMs for evidence of suspicious activity or devices that could compromise card security.
19. Removal of clickable links in all emails and SMS sent to customers.
b. Member Organisations should additionally implement the following preventive controls on a risk-based approach:
1. A delay to activation when a customer requests an increase in online/mobile transaction limits.
2. Robotic prevention mechanisms prior to the instruction of a payment to mitigate the risk of automated bot activity.
3. Functionality for customers to request instant notification of all account and card transactions to their registered mobile device.
4. Geofencing when transactions occur in a location outside the customers home area (e.g., using mobile device geolocation data to require verification if a user attempts to access products and services while in a foreign country which is not in line with user behaviour profile).
5. Procedures for holding suspicious transfers to countries classed as high-risk in the organisation's jurisdiction risk model.
6. A delay to payments requested for new payees added via online/mobile services until further verification is completed.
7. Introducing a delay before a new soft token can be activated on a mobile device.
8. Notifying the customer of the registration of a new device and identifying critical services (e.g., card provisioning, addition of new payees) which should be disabled for a period following the new device registration.
c. Member Organisations providing lending and credit products should include in fraud prevention standards, controls to mitigate the risk of external fraud occurring, including but not limited to:
1. Review of applications/proposals to check for potential application fraud (e.g., manipulation of details or misrepresentation of the applicant's financial position).
2. Checks for fraudulent or counterfeit documents provided for identification or as security on lending.
3. Panel management controls for agents, intermediaries, valuers and other third parties.