4.6. Fraud Prevention Standards

Principle

Member Organisations should have defined, approved, implemented and maintained standards for the prevention of fraud, aligned to the fraud risks impacting the organisation and its customers.

Control Requirements

a. Member Organisations should define, approve, implement and maintain standards to aid the prevention of fraud, addressing both the internal fraud and external fraud risks impacting the organisation.

b. Member Organisations should review and update fraud prevention standards on a periodic basis and in response to material changes to the fraud landscape or to the Member Organisation Fraud Risk Assessment.

c. Compliance with the fraud prevention standards should be monitored.

d. The effectiveness of the fraud prevention standards and related controls should be measured and periodically evaluated.

e. The output of the Fraud Risk Assessment should be used to determine where prevention activity is focused, and controls should be proportionate to the risk appetite of the organisation.

f. Fraud prevention standards may be manual or automated, and should include at a minimum:

   1. The controls implemented to prevent fraud (e.g., segregation of duties, approval and escalations, employee training, access restrictions, due diligence and integrity checks, notification of account changes, transaction limits, underwriting checks).
   2. Systems and technology implemented to prevent fraud (e.g., identity and access management, authentication, issuance of one-time passwords, biometrics).
   3. Roles and responsibilities for fraud prevention (e.g., customer application review at onboarding, training design, due diligence, system testing).
   4. Rationale outlining why the prevention controls are appropriate to the risks faced by the organisation.

g. Member Organisations should define in the fraud prevention standards the approach to setting limits and thresholds for preventive controls (where applicable), considering:

   1. The outcome of the Fraud Risk Assessment.
   2. Fraud incidents and losses experienced.
   3. Fraud Risk Appetite.
4.6.1 Internal Fraud

Principle

Member Organisation fraud prevention standards should include controls designed to prevent internal fraud.

Control Requirements

a. A Member Organisation should include in its fraud prevention standards controls to mitigate the risk of internal fraud occurring, including but not limited to:

   1. Requiring employees to adhere to a Code of Conduct.
   2. Requiring all employees to take block leave of a minimum continuous period of 10 working days each year.
   3. Segregation of duties in payment and fulfilment processes, supported by documented authorisation matrices.
   4. Dual controls or secondary checking of control operation, with an additional review or approval process for transactions above thresholds defined by the Member Organisation (e.g., value of transaction or payments to a new supplier) or for higher-risk transactions (e.g., access to dormant accounts).
   5. Restricting access to secret customer details for all employees (e.g., online credentials, OTP messages).
   6. Restricting access to confidential customer account data (e.g., account balance, loan amount) where visibility is not required for the job role (e.g., IT employees). Where access is required, activity should be logged and securely stored (see control requirement 5.3.b).
   7. Requirements for appropriate handling of confidential data.
   8. Controls over access to cheques and cash.
   9. Controls to safeguard the physical security of assets (e.g., requiring staff identification at all times, securing and tracking equipment, and restricting access to sensitive assets).

b. Member Organisations should take note of the Identity and Access Management Control Requirements relating to user access management and privileged access management outlined in The Cyber Security Framework.

c. Member Organisations should ensure that individuals responsible for operating internal fraud controls are sufficiently independent from the individuals they are monitoring.

d. Member Organisations should put in place appropriate processes and controls to deter and avoid conflicts of interest and related-party transactions involving their directors, managers, employees, external businesses and contractors, including but not limited to:

   1. Creating a policy that clearly outlines prohibited behaviour.
   2. Limiting the flow of information between internal departments and employees through information barriers.
   3. Providing guidance, instructions and examples on avoiding conflicts of interest.
   4. Requiring immediate disclosure of any conflicts or potential conflicts.
4.6.2 External Fraud

Principle

Member Organisation fraud prevention standards should include controls designed to prevent external fraud.

Control Requirements

a. A Member Organisation should include in its fraud prevention standards controls to mitigate the risk of external fraud occurring, including but not limited to:

   1. A hotline available 24 hours a day to report suspected fraud and take immediate action to respond to the fraud (e.g., blocking account access or cards).
   2. The provision of an emergency-stop self-service capability for customers to immediately freeze their account and block further transactions if they suspect their account has been compromised.
   3. Customer identity and access management controls for online/mobile accounts and digital products.
   4. Use of blacklists to screen and block transactions, card provisioning or access from identified high-risk:
      a. Accounts.
      b. IP addresses.
      c. Email addresses.
      d. Compromised devices, or devices that have previously been used for fraud (e.g., a mobile phone app registered to an account which has been used to conduct fraud).
   5. The capability to swiftly block transactions from customer accounts/cards, with defined safeguards in place to release the block.
   6. Requiring users of online and mobile services to consent to the activation of GPS during an active session to allow the organisation to monitor location.
   7. The capability for mobile apps to detect use on devices which have been subject to jailbreaking or rooting, and subsequently to block the use of the app or restrict access to sensitive data or features.
   8. Prohibiting the use of VPN services when accessing online or mobile services.
   9. Device registration which allows users to register trusted devices for access management.
   10. A restriction on concurrent log-ins to the mobile app, or a limitation on the number of devices on which a mobile app can be installed and accessed.
   11. The identification of mule accounts (e.g., accounts set up to receive fraudulently obtained funds and launder the proceeds of crime).
   12. User behaviour profiles which allow rules to be implemented to prevent access to customer accounts if unusual behaviour is identified.
   13. Monitoring of product inactivity and dormancy, particularly where products are reactivated.
   14. Notification sent to the customer, at both the previous and the new details, when changes are made to static data.
   15. Online, mobile and phone payments:
      a. Sending an OTP to verify all payments instructed (to new and existing beneficiaries), including transactions through remittance accounts.
      b. Notification to the customer of new payees added (e.g., SMS, call-back).
      c. Setting a default limit for single and daily transactions, which should be periodically reviewed and updated where required (e.g., following review of customer profiles and behaviours, and of actual fraud cases/customer losses).
      d. Notifying the customer if the default transaction limit is increased (e.g., if the customer account type is upgraded).
      e. The option for customers to reduce the default limit for a single transaction.
      f. The option for customers to reduce the default limit for daily transactions.
      g. An immediate block on further transactions if a transaction limit is reached, whether through individual or recurring payments and whether to one or multiple beneficiaries.
      h. Additional verification checks to authenticate:
         i. Unusual transactions (e.g., transactions after a period of account dormancy, changes to customer behaviours).
         ii. Unusual patterns of transactions (e.g., multiple payments to the same beneficiary in a short period).
         iii. Transactions exceeding a defined value threshold.
         iv. Requests to increase the single or daily transaction limit.
         v. Initial transactions after registration for online banking or mobile services, or after registration of a new device.
      i. Additional verification checks should include, but not be limited to, one or more of the following:
         i. Automated call-backs.
         ii. Manual call-backs.
         iii. SMS to the registered mobile number.
         iv. Authentication via biometrics on the registered mobile device.
   16. Credit and debit cards:
      a. Adherence to all card scheme rules (e.g., mada business rules, Visa CVV2 code, Mastercard CVC2 code).
      b. Use of one-time passwords (OTPs) to approve online transactions.
      c. For high-risk transactions, the use of extra authentication measures in addition to OTPs or mobile app approval (e.g., automated call-back to the phone number on the account).
      d. Address/postal code verification for online card payments.
      e. New cards issued to require activation before use.
   17. Validation controls to ensure the authenticity of cheques and similar instruments.
   18. Periodic inspection of ATMs for evidence of suspicious activity or of devices that could compromise card security.
   19. Removal of clickable links from all emails and SMS sent to customers.
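
As an added illustration that is not part of the framework text, the following Python sketch shows how the payment controls in a.15 (default single and daily limits that the customer may only lower, an immediate block when a limit is reached, and the step-up verification triggers in a.15.h) and the new-payee hold in b.6 can be expressed as one rules check run before a payment is instructed. The class names, the threshold and window values and the sample beneficiaries are constructed assumptions, not values set by the framework.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DORMANCY = timedelta(days=180)          # a.15.h.i: inactivity after which a payment is unusual (constructed value)
REPEAT_WINDOW = timedelta(minutes=10)   # a.15.h.ii: window for repeated payments to one beneficiary
STEP_UP_THRESHOLD = 5000.0              # a.15.h.iii: value above which extra verification applies
NEW_DEVICE_WINDOW = timedelta(days=1)   # a.15.h.v: first transactions after a new device registration

@dataclass
class Account:
    single_limit: float                  # default single-transaction limit (a.15.c)
    daily_limit: float                   # default daily limit (a.15.c)
    spent_today: float = 0.0
    last_activity: Optional[datetime] = None
    device_registered_at: Optional[datetime] = None
    blocked: bool = False

    def customer_set_limits(self, single: float, daily: float) -> None:
        """Self-service may only lower limits (a.15.e/f); increases need verification (a.15.h.iv)."""
        if single > self.single_limit or daily > self.daily_limit:
            raise PermissionError("limit increase requires additional verification")
        self.single_limit, self.daily_limit = single, daily

@dataclass
class Payment:
    amount: float
    beneficiary: str
    at: datetime
    new_payee: bool = False

def evaluate(acct: Account, pmt: Payment, recent: List[Payment]) -> Tuple[str, List[str]]:
    """BLOCK rejects and freezes the account (released only via a.5 safeguards); STEP_UP needs extra checks (a.15.i)."""
    if acct.blocked or pmt.amount > acct.single_limit or acct.spent_today + pmt.amount > acct.daily_limit:
        acct.blocked = True                # a.15.g: immediate block on further transactions
        return "BLOCK", ["transaction limit reached or account blocked (a.15.g, a.5)"]
    checks = [
        (acct.last_activity and pmt.at - acct.last_activity > DORMANCY, "payment after dormancy (a.15.h.i)"),
        (sum(p.beneficiary == pmt.beneficiary and pmt.at - p.at <= REPEAT_WINDOW for p in recent) >= 2,
         "repeated payments to one beneficiary (a.15.h.ii)"),
        (pmt.amount > STEP_UP_THRESHOLD, "above value threshold (a.15.h.iii)"),
        (acct.device_registered_at and pmt.at - acct.device_registered_at <= NEW_DEVICE_WINDOW,
         "first transactions on a new device (a.15.h.v)"),
        (pmt.new_payee, "new payee, hold until verified (b.6)"),
    ]
    reasons = [why for hit, why in checks if hit]
    if not reasons:
        acct.spent_today += pmt.amount     # only an allowed payment counts against the daily limit
        acct.last_activity = pmt.at
    return ("STEP_UP" if reasons else "ALLOW"), reasons
```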
       
       
b. Member Organisations should additionally implement the following preventive controls on a risk-based approach:

   1. A delay to activation when a customer requests an increase in online/mobile transaction limits.
   2. Bot prevention mechanisms prior to the instruction of a payment, to mitigate the risk of automated bot activity.
   3. Functionality for customers to request instant notification of all account and card transactions to their registered mobile device.
   4. Geofencing when transactions occur in a location outside the customer's home area (e.g., using mobile device geolocation data to require verification if a user attempts to access products and services while in a foreign country, where this is not in line with the user's behaviour profile).
   5. Procedures for holding suspicious transfers to countries classed as high-risk in the organisation's jurisdiction risk model.
   6. A delay to payments requested for new payees added via online/mobile services until further verification is completed.
   7. Introducing a delay before a new soft token can be activated on a mobile device.
   8. Notifying the customer of the registration of a new device, and identifying critical services (e.g., card provisioning, addition of new payees) which should be disabled for a period following the new device registration.

c. Member Organisations providing lending and credit products should include in their fraud prevention standards controls to mitigate the risk of external fraud occurring, including but not limited to:

   1. Review of applications/proposals to check for potential application fraud (e.g., manipulation of details or misrepresentation of the applicant's financial position).
   2. Checks for fraudulent or counterfeit documents provided for identification or as security on lending.
   3. Panel management controls for agents, intermediaries, valuers and other third parties.