6. Respond
A timely and effective response to incidents of actual or suspected fraud is key to minimising losses and maximising the opportunity for recovery. Where fraud is suspected or detected, a robust Fraud Response Plan including clear procedures is required to manage the response, enabling effective investigation; a prompt, fair resolution; and corrective action where required. Following resolution, it is key to evaluate the root cause of an incident and assess effectiveness of control frameworks to avoid recurrence.
Figure 7 - Respond Domain
6.1. Fraud Response Plan
Principle
Member Organisations should define, approve, implement and maintain a Fraud Response Plan to outline the organisational response to an actual or suspected fraud incident.
Control Requirements
a. The Fraud Response Plan should be defined, approved, implemented, maintained and where appropriate aligned with the enterprise incident management process.
b. Compliance with the Fraud Response Plan should be monitored.
c. The effectiveness of the Fraud Response Plan and related controls should be measured and periodically evaluated.
d. The Fraud Response Plan should require prompt and competent assessment, investigation, and resolution of all suspected or identified fraud.
e. The Fraud Response Plan should include at a minimum:
1. The methods through which the Member Organisation is alerted to suspected or identified fraud, including reporting channels available to customers, employees and third parties.
2. Roles and responsibilities for individuals and teams required to respond to a potential fraud.
3. Decision making authority and referral procedures for escalations within and outside the Member Organisation (e.g., referral to specialists for complex cases, Senior Management for potentially material frauds, external counsel if there are legal concerns).
4. Service Level Agreements (SLAs) for response to initial fraud reports.
5. Procedures to respond quickly to potential fraud cases identified by the Member Organisation, reported by the customer or notified by other organisations. This should include precautionary measures to freeze funds received until the integrity of the source is verified, where it is suspected that inbound transactions are the result of fraud.
6. The actions the Member Organisation will take when fraud is suspected or has been identified, including but not limited to:
a. Coordinating appropriate resources to manage alert and case volumes.
b. Recording and performing an initial assessment of all alerts or formally submitted reports of fraud.
c. Where an alert or referral is assessed as not requiring further investigation, recording a rationale explaining the decision.
d. Investigating all instances where it is suspected fraud may have been committed or has been identified.
e. Keeping a comprehensive record of all evidence and investigations of potential and actual fraud for a period defined in the record retention schedule of the Member Organisation and in compliance with Article 12 of the Anti-Money Laundering Law.
7. The process to be followed in the event a potential fraud incident is detected outside of the normal working hours of the Member Organisation.
8. The requirement to initiate an immediate response when a potential Wholesale Payment Endpoint Security fraud is identified.
9. Where an actual or potential fraud relates to services offered to a customer or a payment to/from a Member Organisation or a customer, the Fraud Response Plan should require Member Organisations to:
a. Identify if a potentially fraudulent transaction has been completed or is in the process of being completed.
b. If a transaction has not been completed: Take immediate action to block or hold the transaction and proactively coordinate with any corresponding Member Organisations to take the required actions, taking into consideration the role of the Sharing Room - Operational Centre.
c. Proactively respond to requests relating to suspected fraudulent transactions when receiving a notification from another Member Organisation based on agreed protocols for the Sharing Room - Operational Centre.
d. Block or freeze the product (or any associated services, such as compromised credit or debit cards) to prevent further transactions until the investigation is complete and, where necessary, security credentials are reset or a new card is issued.
e. Block any further transactions to or from any IBANs outside the Member Organisation which were used to perpetrate the fraud and share the IBAN with the external organisation to freeze the account.
f. Cooperate with other organisations if a request for freezing a product is received and there are justifications for suspicion.
g. If a transaction has been completed and an investigation confirms a transaction is fraudulent: Reverse the transaction or seek return of funds where possible.
h. Contact the customer or third party to communicate actions taken and next steps.
i. Verify the identity of the customer before re-activating services after an account has been frozen due to exposure to fraud.
6.2. Alert and Case Management
Principle
Member Organisations should implement and maintain a Case Management System to manage the response to fraud. This should facilitate the recording, monitoring and storage of data on the assessment, investigation, and resolution of suspected and identified fraud.
Control Requirements
a. Member Organisations should implement and maintain a Case Management System to manage the response to fraud and act as a database for fraud case data.
b. The Case Management System should be used to record and monitor suspected fraud alerts, internal and external reports, and case investigations from initial assessment to resolution.
c. The Case Management System should have the capability to:
1. Restrict user access to authorised individuals and roles.
2. Create a workflow aligned to the operating model of the Member Organisation.
3. Be configurable to adapt to changes in the Member Organisation operating model or Fraud Response Plan.
4. Allocate cases to owners.
5. Categorise suspicions of fraud to inform reporting and trend analysis.
6. Track a case from initial alert or report to resolution.
7. Record investigative steps followed.
8. Act as a repository for all information required to investigate and resolve the fraud case (e.g., related party information, case notes, documentary evidence, customer communication, rationale for decision).
9. Capture an outcome at resolution of the case, including any losses and corrective actions.
10. Maintain records in line with the Member Organisation’s record retention schedule.
d. The Case Management System should require the capture, and allow the extraction, of Management Information for reporting on fraud cases, including but not limited to:
1. Alert unique identifier (where applicable).
2. Fraud transaction unique identifier.
3. Date of alert or initial notification.
4. Date and time of fraudulent transactions.
5. Customer name and account number.
6. Case status.
7. Origin of the incident (e.g., website, social media account or phone number used by the fraudster).
8. Channel used for fraudulent transactions.
9. Related parties.
10. Information on the fraudster (e.g., IP address, Device ID, Geolocation).
11. Outcome of the investigation.
12. Corrective actions.
13. Value of the fraud.
14. Losses (business and non-business).
15. The methods used to conduct the fraud/fraud typology (e.g., how the fraud was committed, where the funds were transferred if lost).
6.3. Fraud Investigation
Principle
Member Organisations should define, approve, implement and maintain a fraud investigation standard to direct a consistent approach to fraud investigation.
Control Requirements
a. Member Organisations should define, approve, implement and maintain a fraud investigation standard.
b. Compliance with the fraud investigation standard should be monitored.
c. The effectiveness of the fraud investigation standard and related controls should be measured and periodically evaluated.
d. The fraud investigation standard should direct a consistent approach to fraud investigation, including but not limited to:
1. Allocation of the case to an individual or team with the required skills and experience.
2. Assessing the time sensitivity of the fraud or potential fraud (e.g., will losses increase if the case is not resolved, has a customer been left without access to funds).
3. Assessing the materiality of the fraud or potential fraud (e.g., number of customers impacted, potential losses, systemic threat).
4. Gathering and analysing information to review the suspicion of fraud (e.g., transaction information, IP addresses used, phone recordings, CCTV footage).
5. Collaborating with relevant internal subject matter experts and stakeholders (e.g., Legal, Cyber, HR, Financial Crime) and where relevant forming a multi-disciplinary investigation team.
6. Assessing the skills required to conduct the investigation in more complex cases (e.g., forensic accounting, data analysis).
7. Contacting the customer or third parties to obtain further information.
8. Liaising with other Member Organisations to share information.
9. Documenting the investigative steps taken.
10. Managing and retaining information gathered.
11. Evaluating whether fraud has occurred and resolving or closing the investigation.
12. Recording an outcome of the investigation.
13. Producing a case report and internally reporting the outcome of the investigation where required.
14. Taking corrective action at the conclusion of the investigation.
15. Determining external notifications required (e.g., liaising with law enforcement, notifying credit reference agencies, reporting to SAMA, reporting to the General Directorate of Financial Intelligence (FIU) if the Member Organisation has any suspicion that rises to the level stated in Article 15 of the AML Law and Article 17 of the CTF Law).
16. Identifying the root cause of fraud incidents and near misses.
17. Extracting lessons learnt and providing feedback to:
a. The Counter-Fraud Department.
b. Team responsible for developing and maintaining Counter-Fraud systems.
c. Business owners of standards, processes, and controls where a vulnerability is identified.
d. Intelligence Monitoring.
e. The fraud investigation standard should require corrective action to be taken where relevant at the resolution of a fraud investigation.
6.4. Fraud Remediation
Principle
Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident, determine any lessons learnt and take corrective actions to prevent a recurrence.
Control Requirements
a. Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident at the conclusion of an investigation. At a minimum the process should include:
1. Understanding the point of compromise (e.g., the channel which was used to perpetrate the fraud or take control of an account).
2. Determining whether other parties could have been involved in the fraud (e.g., additional employees through collusion or persons known to the customer).
3. Reviewing whether a preventive control has failed or been bypassed by an employee.
4. Evaluating whether the fraud was identified proactively by a detective control or relied on reactive customer notification.
b. Following determination of the root cause, Member Organisations should define, approve and implement a process to determine lessons learnt and inform corrective actions to prevent a recurrence. At a minimum the process should include:
1. Collating data which may support the analysis of patterns across fraud cases, including but not limited to the IP addresses used, beneficiary accounts and device IDs involved.
2. Assessing whether there is a gap in the current control framework.
3. Determining whether other departments of the Member Organisation have the same vulnerability.
4. Evaluating whether the issue could impact other Member Organisations and sharing relevant information that may prevent a recurrence (e.g., fake websites impersonating government entities or social media accounts).
5. Documenting corrective actions to address the root cause and prevent a recurrence.
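As an added illustration (not part of the framework text) of the pattern analysis called for in 6.4.b.1, applied to case records that carry the Management Information fields of 6.2.d: constructed cases are indexed by the IP addresses, device IDs and beneficiary IBANs they share, and cases connected through any common indicator are linked into one cluster so an investigator can see which incidents belong to the same campaign. Every case id, address, device ID and IBAN below is a made-up placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Case record limited to the 6.2.d fields used for pattern analysis.
@dataclass
class FraudCase:
    case_id: str
    channel: str                 # channel used for the fraudulent transactions
    typology: str                # fraud typology / method used
    ip_addresses: set = field(default_factory=set)
    device_ids: set = field(default_factory=set)
    beneficiary_ibans: set = field(default_factory=set)

# Constructed sample cases (placeholder values, not real data).
CASES = [
    FraudCase("C-001", "mobile", "account takeover", {"198.51.100.7"}, {"dev-a1"}, {"SA00BENEF0001"}),
    FraudCase("C-002", "web", "scam payment", {"203.0.113.9"}, {"dev-b2"}, {"SA00BENEF0001"}),
    FraudCase("C-003", "mobile", "account takeover", {"198.51.100.7"}, {"dev-c3"}, {"SA00BENEF0002"}),
    FraudCase("C-004", "branch", "cheque fraud", set(), set(), {"SA00BENEF0009"}),
]

def shared_indicators(cases):
    """Map each (indicator type, value) to the case ids using it; keep only
    indicators seen in more than one case, i.e. the links worth reviewing."""
    index = defaultdict(set)
    for c in cases:
        for kind, values in (("ip", c.ip_addresses), ("device", c.device_ids),
                             ("iban", c.beneficiary_ibans)):
            for value in values:
                index[(kind, value)].add(c.case_id)
    return {k: ids for k, ids in index.items() if len(ids) > 1}

def link_cases(cases):
    """Cluster cases connected by any shared indicator (union-find), largest first."""
    parent = {c.case_id: c.case_id for c in cases}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for ids in shared_indicators(cases).values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for cid in parent:
        clusters[find(cid)].add(cid)
    return sorted((sorted(m) for m in clusters.values()), key=lambda m: (-len(m), m))

if __name__ == "__main__":
    for key, ids in shared_indicators(CASES).items():
        print(f"{key[0]} {key[1]} shared by {sorted(ids)}")
    print("clusters:", link_cases(CASES))
```

C-001 is linked to C-003 by a common IP address and to C-002 by a common beneficiary IBAN, so the three form one cluster even though C-002 and C-003 share nothing directly; C-004 stands alone.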
c. Member Organisations should take corrective actions to remediate the root cause and/or the impact of a fraud incident, which may include but are not limited to:
1. Implementing a new control or enhancing an existing control.
2. Providing training or communicating new awareness materials to improve employee, customer or third party awareness.
3. Putting a fraud victim back into the position they were in prior to the incident (e.g., reimbursing stolen funds, chargebacks, refunding a scam payment, repaying a third party).
4. Providing support to a victim of fraud (e.g., informing of next steps, providing a new card, providing education).
5. Attempting to recover funds or assets.
6. Exiting a customer or third party relationship if they are found to be the perpetrator of a fraud.
7. Internal disciplinary action where internal fraud is identified.
8. Liaising with law enforcement.
d. The acceptance and implementation of corrective actions should be tracked by the Counter-Fraud Department with escalation to the CFGC where actions are rejected by the business or remedial action is delayed.