4.1 Risk Management
Principle
A Fraud Risk Management Framework should be defined, approved and implemented, and should be aligned with the Member Organisation’s enterprise risk management process.
Control Requirements
a. The Fraud Risk Management Framework should be defined, approved and implemented.
b. The effectiveness of the Fraud Risk Management Framework should be measured and periodically evaluated using Key Performance Indicators, including at a minimum the volume and value of fraud cases.
c. The Fraud Risk Management Framework should be aligned with the Member Organisation’s enterprise risk management process.
d. The Fraud Risk Management Framework should address at a minimum:
1. Intelligence Monitoring.
2. Fraud Risk Assessment.
3. Fraud Risk Appetite.
4. Key Risk Indicators (KRIs).
e. Fraud risk management activities should involve, but not be limited to, the following stakeholders:
1. Business owners and users.
2. Operational Risk.
3. Counter-Fraud Department.
4. Cyber and IT departments.
5. HR.
6. Digital Department.
4.1.1 Intelligence Monitoring
Principle
Member Organisations should draw on a variety of internal and external data sources to identify and monitor emerging fraud threats.
Control Requirements
a. The fraud Intelligence Monitoring process should be defined, approved, and implemented.
b. When defining the Intelligence Monitoring process, Member Organisations should consider the SAMA Cyber Threat Intelligence Principles.
c. The effectiveness of fraud Intelligence Monitoring should be subject to periodic evaluation to assess whether the sources used are comprehensive and the intelligence collated is aiding the prevention of fraud.
d. The Intelligence Monitoring process should include:
1. Scanning, collation, analysis, assessment and dissemination of information on existing and emerging threats.
2. Capturing relevant details on identified threats, such as modus operandi, actors, motivation, the origin of attacks (e.g., organised crime group, jurisdiction) and type of threats.
3. Taking action in response to existing and emerging threats.
4. Sharing relevant intelligence with internal and external stakeholders (e.g., Cyber, Business Operations or SAMA).
e. Intelligence Monitoring activities should draw on a range of information sources to develop a holistic understanding of the Member Organisation’s fraud landscape. At a minimum, these should include:
1. Internal Audit reports, fraud investigation output and Fraud Scenario Analysis covering attempted and actual fraud to identify trending fraud tactics, techniques, and procedures (TTPs).
2. New and emerging fraud typologies identified by fraud detection systems, fraud investigators or the Counter-Fraud Department.
3. Insights from support functions (e.g., Internal Audit, Compliance, Cyber Security Event and Incident Management).
4. Reliable and relevant external sources on fraud trends, both locally and globally (e.g., government agencies, fraud forums and events, Counter-Fraud system vendors, open-source information, and subscription sources).
f. Member Organisations should, to the extent not prohibited by law or contractual terms, collaborate in sharing Counter-Fraud information including emerging fraud typologies, fraud threat intelligence on the groups who may be perpetrating fraud, TTPs and market trends with Saudi Central Bank and other organisations in the sector.
g. Member Organisations should share log-in information for confirmed fraud cases (e.g., mobile or Device ID, IP address) through the Sectorial Anti-Fraud Committee.
h. Member Organisations should perform analysis of log-in information shared by other Member Organisations to assess the level of exposure for their own customers and record the actions completed on an analysis log sheet which may be subject to independent review.
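The analysis described in controls g and h, as an added example that is not part of the framework text: shared log-in indicators (device ID, IP address) for confirmed fraud cases are matched against a Member Organisation's own log-in records, and the outcome and action for each exposed customer are written to an analysis log that an independent reviewer can check. All records, field names, case references and the action rules are constructed assumptions.

```python
# Added example (not from the SAMA framework): assess exposure of own customers
# from log-in indicators shared via the Sectorial Anti-Fraud Committee and
# record the actions taken on an analysis log sheet. All data is constructed;
# field names and the action rules are assumptions.
from collections import defaultdict

# Constructed indicators as received from other Member Organisations.
SHARED_INDICATORS = [
    {"type": "device_id", "value": "dev-7f3a91", "source": "MO-B", "case": "CASE-EXAMPLE-1"},
    {"type": "ip", "value": "203.0.113.45", "source": "MO-C", "case": "CASE-EXAMPLE-2"},
    {"type": "device_id", "value": "dev-00c4e2", "source": "MO-B", "case": "CASE-EXAMPLE-3"},
]

# Constructed extract from our own log-in records.
OWN_LOGINS = [
    {"customer": "C1001", "device_id": "dev-7f3a91", "ip": "198.51.100.9", "ts": "2024-05-02T08:11Z"},
    {"customer": "C1002", "device_id": "dev-aa11bb", "ip": "203.0.113.45", "ts": "2024-05-02T09:40Z"},
    {"customer": "C1001", "device_id": "dev-7f3a91", "ip": "203.0.113.45", "ts": "2024-05-03T21:02Z"},
    {"customer": "C1003", "device_id": "dev-55ff00", "ip": "192.0.2.77", "ts": "2024-05-03T10:15Z"},
]

def assess_exposure(indicators, logins):
    """Return {customer: set of matched indicator values} for every log-in that
    used a device ID or IP address shared as linked to a confirmed fraud case."""
    index = {(i["type"], i["value"]) for i in indicators}
    hits = defaultdict(set)
    for login in logins:
        for kind in ("device_id", "ip"):
            if (kind, login[kind]) in index:
                hits[login["customer"]].add(login[kind])
    return dict(hits)

def analysis_log(indicators, logins):
    """Build the analysis log rows (one per exposed customer). Action rule is an
    assumption: two or more matched indicators -> contact the customer and apply
    step-up authentication; a single match -> queue for investigator review."""
    rows = []
    for customer, matched in sorted(assess_exposure(indicators, logins).items()):
        high = len(matched) >= 2
        rows.append({"customer": customer, "matched": sorted(matched),
                     "exposure": "high" if high else "medium",
                     "action": "contact customer; enforce step-up auth" if high
                               else "queue for investigator review"})
    return rows

if __name__ == "__main__":
    for row in analysis_log(SHARED_INDICATORS, OWN_LOGINS):
        print(row)
```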
4.1.2 Fraud Risk Assessment
Principle
Member Organisations should conduct a Fraud Risk Assessment to identify fraud risks to which they or their customers are subject and assess the effectiveness of controls in place to mitigate the risks.
Control Requirements
a. A Member Organisation should conduct an enterprise-wide Fraud Risk Assessment as part of its Counter-Fraud Programme.
b. The Fraud Risk Assessment should be based on a documented Fraud Risk Assessment Methodology.
c. At a minimum, the Fraud Risk Assessment Methodology should include:
1. Identification of the inherent risk of fraud the Member Organisation and its customers are exposed to.
2. An assessment of the likelihood of the inherent risks occurring and the impact on the Member Organisation and its customers if the inherent risks were to occur.
3. Testing of the effectiveness of the controls in place to prevent, detect and respond to the inherent risks identified.
4. Determination of the residual risk of fraud that the Member Organisation remains exposed to following testing of implemented controls.
5. The development of action plans to address residual risk that is outside of risk appetite or could lead to a breach of regulations.
6. The ongoing monitoring of action plans to validate that the risk is brought within appetite.
d. Risks identified in the Fraud Risk Assessment should be recorded in a formal centralised register.
e. Actions to address gaps identified in the Fraud Risk Assessment should be documented in a treatment plan and reviewed for adequacy and effectiveness to reduce risks.
f. The outcome of the Fraud Risk Assessment should be formally approved by the relevant business owner.
g. When assessing fraud risks, Member Organisations should consider:
1. Both frauds committed by persons outside the organisation (external fraud) and frauds committed by or with the assistance of people employed by the organisation (internal fraud).
2. The output of Intelligence Monitoring and threat assessments.
3. Fraud incidents and loss events.
4. The modelling of potential threats to the organisation through Fraud Scenario Analysis.
5. Product risk - Products and services offered and how they could be used to commit fraud.
6. Customer risk - The customer base of the organisation, including, but not limited to, the type of customer (e.g., retail customer, corporate or regulated entity); the number of customers; the level of fraud awareness; and vulnerability to fraud.
7. Delivery channel risk - Channels that a customer can use to contact the Member Organisation or access their products and services, with particular consideration of the risks of remote interaction as digitalisation of products increases.
8. Transaction risk - The methods of conducting transactions, receiving funds, or transferring value.
9. Jurisdiction risk - The additional risks where products and services can be used in a foreign country.
10. Third Party Risk - The use of third parties to deliver services to the organisation or its customers.
11. Wholesale Payment Endpoint Security Risk - End-to-end wholesale payments risks, including communication (Member Organisation to other Member Organisation, Member Organisation to system); systems (Workstation terminal); people; and processes.
h. Member Organisations should ensure that the Fraud Risk Assessment fully considers cyber-enabled fraud, including the interaction with the Member Organisation's Cyber Security risk management model.
i. The Fraud Risk Assessment should be performed at a minimum on an annual basis.
j. Member Organisations should additionally update their Fraud Risk Assessment for changes in the internal or external fraud risk environment. These changes include, but are not limited to:
1. A new gap or weakness identified in the control environment.
2. New regulatory requirements.
3. New products and services.
4. New channels to market and new digital platforms.
5. New business acquisitions.
6. Sales or disposals of parts of the Member Organisation's business.
7. Changes in the internal environment (e.g., organisational structure).
8. New information obtained in fraud Intelligence Monitoring.
4.1.3 Risk Appetite
Principle
Member Organisations should define, approve, and apply their Fraud Risk Appetite when designing and implementing Counter-Fraud systems and controls.
Control Requirements
a. The Fraud Risk Appetite of the Member Organisation should be defined to state the level of fraud risk the Member Organisation is willing to tolerate.
b. The Member Organisation's Fraud Risk Appetite should be based on the outcome of the Fraud Risk Assessment and aligned to the overall risk appetite of the organisation.
c. When defining Fraud Risk Appetite, Member Organisations should put in place measures with associated thresholds and limits that address the impact on both:
1. The Member Organisation (e.g., fraud losses, reputational damage); and
2. Its customers (e.g., customer losses, number of fraud victims, inconvenience).
d. In the event that a Fraud Risk Appetite limit is breached with an impact on customers, a Member Organisation should escalate to Senior Management and initiate a crisis management process that should:
1. Involve the CEO and other Senior Managers in the Member Organisation.
2. Require meetings on at least a weekly basis until the issue is resolved and the measure returns to a level within appetite.
e. Fraud Risk Appetite should be reviewed on at least an annual basis and be formally endorsed by the Board.
f. Fraud Risk Appetite should be monitored and updated for material changes to the Member Organisation’s business model.
4.1.4 Key Risk Indicators
Principle
Member Organisations should define, approve, and monitor KRIs to measure and evaluate their position against the agreed Fraud Risk Appetite and to provide an early indication of increasing fraud risk exposure.
Control Requirements
a. The KRIs defined by the Member Organisation should be based on a documented methodology which should require:
1. KRIs to monitor exposure against the risks identified in the Fraud Risk Assessment.
2. KRIs to consider risks to the organisation (e.g., fraud losses, reputational impact, operational management of fraud alerts) and its customers (e.g., customer losses).
3. KRIs to be approved by the CFGC or wider Risk Committee which governs the Counter-Fraud Programme in line with the requirements included in sub-domain 3.1.
4. All KRIs to have a documented owner who is responsible for monitoring the KRI and taking early action if risk exposure exceeds Fraud Risk Appetite.
5. KRIs to be periodically reported to Senior Management and relevant stakeholders (minimum on a quarterly basis).
6. KRIs to be reviewed and updated at a minimum on an annual basis and more frequently in response to material changes to the fraud landscape or the Member Organisation's Fraud Risk Assessment.
b. KRIs should be forward looking and provide an early indication of increasing fraud risk exposure rather than simply measuring fraud volumes or losses (e.g., controls rated as ineffective in control testing; failure of employees to complete mandatory fraud training; or fraud alerts not reviewed within defined service level agreements).
c. When developing KRIs, Member Organisations should define thresholds that allow them to determine whether the actual result of measurement is below, on, or above the targeted risk appetite position.
d. Member Organisations should ensure that metrics associated with KRIs are complete, accurate and generated on a timely basis.
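One of the forward-looking KRIs named in control b (fraud alerts not reviewed within the defined service level), computed from alert records and rated against thresholds as control c requires, as an added example that is not part of the framework text. The alert records, the 4-hour SLA, the appetite thresholds and the trend rule are constructed assumptions.

```python
# Added example (not from the SAMA framework): compute the KRI "share of fraud
# alerts not reviewed within SLA" and classify it as below, on or above the
# targeted appetite position. Alerts, SLA and thresholds are assumptions.
from datetime import datetime, timedelta

SLA = timedelta(hours=4)  # assumed review service level for a fraud alert

# Assumed appetite: at most 5% of alerts outside SLA is tolerated ("below");
# above 5% up to 10% is "on" the boundary (early action); above 10% is a breach.
THRESHOLDS = {"appetite": 0.05, "breach": 0.10}

# Constructed alert extract: (alert id, created, reviewed; None = still open).
ALERTS = [
    ("A1", "2024-05-01T08:00", "2024-05-01T09:10"),
    ("A2", "2024-05-01T08:30", "2024-05-01T15:00"),  # reviewed late
    ("A3", "2024-05-01T10:00", None),                 # never reviewed
    ("A4", "2024-05-01T11:00", "2024-05-01T12:30"),
    ("A5", "2024-05-01T13:00", "2024-05-01T14:00"),
    ("A6", "2024-05-01T14:00", "2024-05-01T16:30"),
]
AS_OF = datetime.fromisoformat("2024-05-02T00:00")  # measurement cut-off

def outside_sla(created, reviewed, as_of=AS_OF):
    """True if the alert was reviewed late or is still open past the SLA."""
    start = datetime.fromisoformat(created)
    end = datetime.fromisoformat(reviewed) if reviewed else as_of
    return end - start > SLA

def kri_alerts_outside_sla(alerts):
    """KRI value: fraction of alerts outside SLA in the measurement period."""
    late = sum(outside_sla(created, reviewed) for _, created, reviewed in alerts)
    return late / len(alerts) if alerts else 0.0

def rate(value, thresholds=THRESHOLDS):
    """Position of the measured value relative to the targeted appetite."""
    if value > thresholds["breach"]:
        return "above"  # outside appetite: KRI owner escalates
    if value > thresholds["appetite"]:
        return "on"     # at the boundary: owner takes early action
    return "below"

def early_warning(current, previous, thresholds=THRESHOLDS):
    """Assumed trend rule: flag a rise of more than 50% on the prior period
    while the KRI is still within appetite, before a breach occurs."""
    return rate(current, thresholds) != "above" and current > previous * 1.5

if __name__ == "__main__":
    v = kri_alerts_outside_sla(ALERTS)
    print(f"KRI = {v:.1%}, position: {rate(v)} appetite")
```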