4.3 Training and Awareness
Principle
A fraud awareness programme should be defined, approved, and conducted for employees, customers and third parties of the Member Organisation.
Control Requirements
a. The fraud awareness programme should be defined, approved, and conducted to promote awareness of fraud risks, provide education on preventing, detecting, and responding to potential fraud and create a positive Counter-Fraud culture.
b. The fraud awareness programme should include coverage of:
1. Employees of the Member Organisation.
2. Customers of the Member Organisation.
3. Third parties who hold relationships with the Member Organisation.
c. The fraud awareness programme should consist of training, education and awareness materials directly linked to risks and threats identified in the Fraud Risk Assessment.
d. The fraud awareness programme should:
1. Outline the nature, scale and scope of training and education to be delivered.
2. Be tailored to the different target groups.
3. Be delivered via multiple channels.
e. The activities of the fraud awareness programme should be conducted periodically and throughout the year.
f. Member Organisations should ensure that the programme is updated at least annually to account for changes in the fraud threat landscape or in response to new fraud threats identified in Intelligence Monitoring.
g. Where a new or emerging fraud typology may impact the Member Organisation and its customers, Member Organisations should take immediate action to make employees, customers and relevant third parties aware of the threat and preventive measures to be taken (where applicable).
h. Member Organisations should monitor and evaluate the effectiveness of the fraud awareness programme and implement improvements where required.
4.3.1 Employee Fraud Training and Awareness
Principle
Member Organisations should define and deliver an employee fraud training and awareness programme to enable employees to identify fraud and report it promptly.
Control Requirements
a. Counter-Fraud training should enable employees to develop a clear understanding of the Member Organisation's Counter-Fraud policies and procedures and their personal responsibilities in relation to fraud prevention and detection.
b. Training should be provided to all employees at, or shortly after, onboarding and be refreshed at regular intervals.
c. The Member Organisation's fraud training and awareness programme should be risk based, including the requirement for certain employees to be provided with specialised training depending upon the fraud risk associated with their role (e.g., managers with positions of authority, customer facing staff in branches, employees operating Counter-Fraud controls and fraud investigators).
d. Counter-Fraud training should include a knowledge check to assess whether the employee has understood the content. Employees who do not pass the knowledge check should be required to repeat the training and pass rates should be monitored, with action taken if there are repeated failures (e.g., re-training via another delivery method or removal of authority to operate a Counter-Fraud control until successful).
e. The Board of Directors and Senior Management at Member Organisations should be provided with fraud training tailored to the seniority of the role (e.g., fraud awareness, setting an appropriate culture and governance).
f. Formally delivered training should be augmented by ongoing employee education activity to maintain the general fraud awareness of employees (e.g., issuing reminders and circulars on potential indicators of fraud and common fraud typologies).
g. Member Organisations should maintain records of fraud training delivered to employees and awareness activity conducted.
h. Member Organisations should have a documented process to manage employees who are non-compliant with the training requirements for their role.
4.3.2 Customer Fraud Awareness
Principle
Member Organisations should define and conduct a customer fraud awareness programme of activity to increase customer understanding of fraud risks; help customers to recognise and resist fraud attempts; and inform them how to report fraud.
Control Requirements
a. Customer fraud awareness activity should deliver relevant and timely education to customers and promote fraud awareness.
b. The activity delivered through the customer fraud awareness programme should include, at a minimum:
1. Information on the fraud threats and scams customers may be exposed to.
2. Customer responsibilities in relation to countering fraud.
3. How customers can avoid becoming victims of fraud.
4. How to report to the Member Organisation if the customer believes they have been a victim of fraud.
c. Customer fraud awareness activity should be tailored to the current fraud trends impacting the Member Organisation and its sector, including but not limited to the fraud typologies observed and the point of compromise which led to the fraud (e.g., SMS, email, social media).
d. Customer fraud awareness activity should cover the whole of the customer lifecycle (e.g., onboarding, changes to product holdings, transactions and settlements).
e. Member Organisations should deliver customer awareness materials through all communication channels offered to the customer (e.g., website, mobile app, email, post, and SMS).
f. Member Organisations should provide additional education on fraud protection to customers who may be vulnerable to or have been the victim of a scam (e.g., support on the phone or additional materials via email or post).
4.3.3 Third Party Fraud Awareness
Principle
Member Organisations should define and deliver a proportionate fraud awareness programme to third parties outlining expectations in respect of Counter-Fraud activity and prompt reporting of suspicious activity.
Control Requirements
a. Third party fraud awareness requirements should be documented and agreed in contractual arrangements where applicable.
b. Member Organisations should provide risk-based fraud awareness materials to third parties at the outset of a relationship and refresh them periodically as required.
c. Third party fraud awareness requirements should as a minimum include:
1. The creation of a positive Counter-Fraud culture.
2. Third party roles and responsibilities regarding fraud.
3. Tailored messaging aligned to the fraud risks of the services provided by the third party.
4. Reporting mechanisms available to the third party.