Principle

Member Organisations should establish and maintain a Counter-Fraud Department that has responsibility for the day-to-day operation of the Counter-Fraud Programme.

Control Requirements

a. Member Organisations should establish and maintain a Counter-Fraud Department that has responsibility for the day-to-day operation of the Counter-Fraud Programme, including at a minimum:
   1. Monitoring and overseeing compliance with Counter-Fraud policies, standards, and procedures.
   2. Designing and implementing organisation-wide required counter-fraud controls covering people, process and technology dimensions.
   3. Performing an in-depth organisation-wide Fraud Risk Assessment.
   4. Analysis of Counter-Fraud data and intelligence to proactively identify fraud trends.
   5. Sharing Counter-Fraud Intelligence with SAMA and other organisations in the sector.
   6. Proactively and reactively tuning Counter-Fraud systems.
   7. Monitoring of Counter-Fraud Operations.
   8. Performing comprehensive fraud investigations, identifying root causes of fraud incidents and documenting corrective actions.
   9. Monitoring Fraud Risk Appetite measures and actively engaging a crisis management task force if the defined limit is breached with an impact on customers (see control requirement 4.1.3.d).
   10. Ensuring alignment of Counter-Fraud capabilities with Cyber Security and Financial Crime.
   11. Periodic reporting to senior management covering at minimum:
       a. Fraud Risk Assessment results.
       b. Fraud typologies identified.
       c. Fraud Risk Appetite measures and performance against thresholds and limits.
       d. Operational and customer fraud losses.
b. Member Organisations should assess the most appropriate reporting line for the Counter-Fraud Department based on organisational structure; decision-making authority; visibility to the Executive Committee/Board; and Senior Management accountability and responsibilities.
c. Member Organisations should evaluate the staffing requirements of the Counter-Fraud Department on a periodic basis and in response to material changes to the business, operational and fraud landscape or the Member Organisation Fraud Risk Assessment.

d. Evaluation of staffing requirements should consider both the capacity (number of resources) and the capability (skills and experience) required.

e. The Head of Counter-Fraud should have skills and experience at a minimum consisting of:
   1. An in-depth understanding of fraud risks in the financial sector.
   2. Strong knowledge of digital fraud threats and common typologies, along with emerging trends impacting financial sector organisations and their customers.
   3. Designing and implementing technology and controls based on use-cases to mitigate fraud risks and threats.
   4. The use of data and analytics to proactively prevent fraud and protect customers.

f. The Counter-Fraud Department should at a minimum include employees with skills and experience in:
   1. Fraud risks and typologies related to the products offered by the organisation (e.g., experience in payment fraud; scams; and social engineering).
   2. Fraud risks and typologies related to the delivery channels offered by the organisation, in particular digital channels such as online and mobile.
   3. Counter-Fraud data analytics to enable the analysis of large volumes of transactions and proactive identification of fraud threats.
   4. Counter-Fraud technology to ensure systems are operating effectively with scenarios relevant to the risks faced by the Member Organisation.
   5. The analysis of intelligence and data to identify fraud trends and the root cause of fraud incidents.
   6. Fraud investigations, from initial notification of a potential incident to closure and corrective actions.
   7. Reporting and production of Management Information to monitor organisational fraud performance.

g. Member Organisations should consider fraud qualifications for roles in the Counter-Fraud Department.

h. Member Organisations should establish a training plan and provide periodic training to develop and maintain the competency of the employees in the Counter-Fraud Department.

i. Where third-party services or resources (e.g., contractors or Managed Services) are used to fulfil responsibilities of the Counter-Fraud Department, Member Organisations should ensure the resource is appropriately vetted and monitored.