In 1993, the accounting firm KPMG conducted a fraud survey of six countries-the United States, Canada, Australia, the Netherlands, Ireland, and Bermuda. This study found that, on average, approximately 80% of all frauds committed were perpetrated by employees, 60% by non-managerial personnel and 20% by managers. In all of the countries surveyed, misappropriation of cash was the most common form of employee fraud. This would appear to fit the situation currently being encountered by Saudi banks, since most employee fraud losses have come from the theft of cash and or travelers checks from. branches and ATMs. Consistent with international trends Fraud currently represents the single largest area of operational loss within the Kingdom's banking system. During the past five years, approximately 85% of all operational losses sustained by banks in the Kingdom involved employee dishonesty.

Recovery of funds lost due to fraud (particularly cash) is, at best, difficult and in many cases simply impossible. This highlights the fact that programs designed to prevent fraud are significantly more effective and less expensive than are attempts to recover the funds once stolen.

During the period 1988-1993, in the Kingdom, forgery (including check fraud) was the second largest area of operational loss, accounting for approximately 12% of total reported losses. This is entirely consistent with the results of the KPMG study in which losses in this area averaged between 10% and 18% for the six countries surveyed. Within the Kingdom the majority of crimes in this area appear to represent either simple check forgery or the forgery of negotiable instruments such as letters of credit and generally involved the failure of bank employees to adequately verify the authenticity of the documents before negotiation.

From a cash-based system, the Kingdom is rapidly moving into electronic-banking thus minimizing the intermediate state represented by the paper check. These actions have the long term potential of reducing the incidence of the relatively simple forgeries currently being encountered. However, document technology such as optical scanners, color laser printers, and powerful desktop publishing software now allows the creation of forgeries which are virtually undetectable except by highly sophisticated technical means. Therefore, while the number of simple document forgeries will probably decrease in the future, the level of technical sophistication and monetary value of forgeries may be expected to increase significantly.

With the increasing use of electronic imaging used in verification of signatures in many banking transactions, transfers etc. banks' risk management policies and procedures should include preventation of forgery through electronic means. This will become even more important with further advances in payment cards and payment systems technologies.

Counterfeit currency does not currently appear to be a major area of potential loss to Saudi banks. However, two current trends should be noted:

• 1- Technology - As with forgers, the counterfeiters of both currency and negotiable securities are also the beneficiary of new document processing technology. A recent incident involving the counterfeiting of a major international currency using color laser printers was of such a magnitude as to cause the Central Bank to redesign the currency to incorporate various anticounterfeiting measures into the new currency. However, it is expected that despite advances in design and manufacture of currencies, counterfeiting activities will continue to increase. Consequently banks must remain vigilant to these trends.

• 2-  State Supported Counterfeiting - State supported counterfeiting is assuming importance specifically for the US Dollars. US Government estimates the amount of this currency-$20, $50, and $100 notes at approximately US$ 1 billion. This bogus currency is of extremely high quality, virtually undetectable by even experienced personnel, and is primarily circulated outside the United States.

Although a highly "cash rich" society, robbery and burglary do not currently represent a significant source of operational risk in Saudi Arabia. This can be attributed to the deterrent effect of physical security measures taken by banks and law enforcement agencies, the severity of judicial punishment, and cultural factors within Saudi society, and the lack of significant illegal drug problem within the Kingdom. Studies in other countries have shown that the majority of robberies and burglaries directed against bank branches and ATMs are drug related. Therefore, barring significant social or political changes within the Kingdom, it seems unlikely that robbery or burglary will present a major operational exposure to Saudi banks within the foreseeable future. In recognition of these trends the Agency has issued detailed rules in 1995 entitled "Minimum Physical Security Standards".

Although no different except for mode of execution than any other form of criminal activity, electronic crime represents the fastest growing form of criminal activity currently facing both the international and Saudi banks. This presents itself in four major areas as given below

ATMs - While major shifts are taking place, Saudi Arabia is still a highly cash oriented society. This, in turn, drives the exposure to operational loss presented by ATMs. High daily cash withdrawal limits or no limits at all mean that ATMs routinely are stocked with far more cash than that normally found in other developed countries. This presents both a lucrative and tempting target for either employee fraud or third-party burglary. In addition, these high cash withdrawal limits also expose banks to potentially higher losses from customer fraud. As banks add additional functionality’s to ATMs (foreign currency, travellers checks, airline tickets, etc.) and connect their ATMs internationally through shared network such as CIRRUS, new opportunities for fraud against Saudi banks both from within and outside the Kingdom increase significantly.

Credit Cards - Based on experience both within the Kingdom and outside, credit cards represent a major and a rapidly growing' operational risk. This risk may be divided into two areas:

Internal Fraud - As with most other types of fraud, credit card fraud involving employees (either working along or in collusion with outsiders) is the most common and most costly. All credit card issuers are subject to internal fraud risks associated with application generation /approval, account setup / activation, card embossing, and statement preparation / distribution.

External Fraud - Although far less common than internal fraud, external credit card fraud is growing rapidly as a result of large scale international trafficking in stolen cards and obtaining valid cards through fraudulent applications.

Point of Sale (POS) - As the use and acceptance of POS grows within the Kingdom, so too will merchant fraud in number, level of sophistication, and monetary value. This type of criminal activity may range from an employee of the merchant generating fraudulent transactions (generally in collusion with a third party) to large scale and highly organized activities by the merchant himself. Therefore, prevention and detection of this type of criminal activity by banks will become increasingly more complex and costly.

Commercial Services - The extension of electronic payment and trade services to commercial customers represents a major source of fee for service income. This is income which represents virtually no credit risk. However, these systems and products may represent a major exposure to costly and embarrassing losses to corporate customers. Two areas present especially high potential exposures to third party fraud.

Cash Management Services - While providing both a greatly enhanced financial management tool to corporate customers and a significant source of both cost savings and fee for service income to the banks, electronic cash management services also represent a major source of operational risk from both third party penetration and customer fraud. By their very nature these services allow the conduct of transactions with the bank in which the only security present is that provided by technical means such as encryption, message authentication, and logical access checking of passwords and user ID's. While powerful, these technical controls are not infallible. Therefore, given the high monetary value represented by corporate cash management transactions, the potential for a "long tailed risk" (i.e. low probability of occurrence with extremely high monetary value) presents the potential for both a catastrophic financial loss as well as severe damage to reputation and credibility of the bank.

Electronic Data Interchange (EDI) - As both banks and corporate customers move toward the use of electronic communications to replace paper based trade documents (i.e. invoices, receiving reports, bills of lading, warehouse receipts, etc.), traditional forms of controlling these transactions will no longer apply. EDI systems have generally been designed with less stringent levels of both access control and authentication of transactions. This has been based on the assumption that since these transactions were "non-monetary" in nature they present less exposure. While this may be technically correct, the non-monetary aspect of an EDI transaction - a receiving report. bill of lading, or warehouse receipt - ultimately generates a payment (electronic or manual) to settle the transaction. Therefore, these systems also present the potential for. "long-tailed" risks from both third parties and employees of either the customer or the vendor of good and services.

As with a bank's commercial customer base, electronic banking is also penetrating the retail market. Services such as telephone bill payments, PC based home banking, and the use of "smart" telephones combining the features of both a conventional telephone and a microcomputers present significant opportunities for enhancing both the level of customer service and revenue in the highly competitive retail sector. However, at the same time, these new electronic products open new avenues of exposure to both third party and employee fraud as well as potential areas of professional liability exposure. In future this will become an increasingly important risk exposure area for the banks. The increased use of telephone services that permit computer access to banks' systems also provide an increasing opportunity to "hackers” and other criminals. These require improvements in security measures and additional risk management techniques to minimize losses.