Principle
| |
Member Organisations should define, approve, communicate, and implement a Counter-Fraud Policy to set the commitment and objectives for Counter-Fraud and provide requirements to relevant stakeholders; and associated procedures to outline the step-by-step tasks and activities that should be performed by employees.
| |
Control Requirements
| |
| a. | Counter-Fraud Policy and procedures should be defined, approved, communicated and implemented.
| |
| b. | Counter-Fraud Policy and procedures should take into consideration the risks identified in the Fraud Risk Assessment, the evolving fraud landscape and the Member Organisation’s business model and operations, and should be periodically reviewed to ensure the identified risks are managed effectively.
| |
| c. | Counter-Fraud Policy should be readily accessible to all employees, contractors and relevant third parties, including all branches and majority-owned subsidiaries.
| |
| d. | Counter-Fraud Policy should require Member Organisations to follow all applicable Counter-Fraud laws and regulations, and payment operator requirements.
| |
| e. | Counter-Fraud Policy should include at a minimum, the following:
| |
| | 1. | A defined owner of appropriate seniority and role (e.g., Head of Counter-Fraud).
|
| | 2. | The Member Organisation’s overall fraud objectives and scope.
|
| | 3. | A statement of the Board’s intent, supporting the fraud objectives.
|
| | 4. | Core requirements to provide a consistent, proportionate, and effective approach to the management of fraud risk.
|
| | 5. | Responsibilities for key stakeholders and relevant third parties who play a role in fraud governance, prevention, detection, or response across the three lines of defence (e.g., Senior Management, Compliance, Internal Audit).
|
| | 6. | Escalation and reporting requirements in the event of a policy breach.
|
| f. | Counter-Fraud procedures should outline the step-by-step tasks and activities that should be performed by employees in the operating environment for Counter-Fraud process and control operation (e.g., product risk assessment, alert handling, investigations).
| |
| g. | For Member Organisations with a headquarters in the KSA, the Counter-Fraud Policy should apply across all international branches and subsidiaries. If the law of another jurisdiction prohibits compliance, an exemption should be documented and approved.
| |
