Principle
| |
Member Organisation fraud prevention standards should include controls designed to prevent internal fraud.
| |
Control Requirements
| |
| a. | A Member Organisation should include in its fraud prevention standards, controls to mitigate the risk of internal fraud occurring, including but not limited to:
| |
| | 1. | Requiring employees to adhere to a Code of Conduct.
|
| | 2. | Requiring all employees to take block leave of a minimum continuous period of 10 working days each year.
|
| | 3. | Segregation of duties in payment and fulfilment processes supported by documented authorisation matrices.
|
| | 4. | Dual controls or secondary checking of control operation, with an additional review or approval process for transactions above thresholds defined by the Member Organisation (e.g., value of transaction or payments to a new supplier) or higher risk transactions (e.g., access to dormant accounts).
|
| | 5. | Restricting access to secret customer details for all employees (e.g., online credentials, OTP messages).
|
| | 6. | Restricting access to confidential customer account data (e.g., account balance, loan amount) where visibility is not required in the job role (e.g., IT employees). Where access is required, activity should be logged and securely stored (see control requirement 5.3.b).
|
| | 7. | Requirements for appropriate handling of confidential data.
|
| | 8. | Controls over access to cheques and cash.
|
| | 9. | Controls to safeguard the physical security of assets (e.g., requiring staff identification at all times, securing and tracking equipment and restricting access to sensitive assets).
|
| b. | Member Organisations should take note of the Identity and Access Management Control Requirements relating to user access management and privileged access management outlined in The Cyber Security Framework.
| |
| c. | Member Organisations should ensure that individuals responsible for operating internal fraud controls are sufficiently independent from the individuals they are monitoring.
| |
| d. | Member Organisations should put in place appropriate processes and controls to deter and avoid conflicts of interest and related party transactions for their directors, managers, employees, external businesses, and contractors, including but not limited to:
| |
| | 1. | Creating a policy that clearly outlines prohibited behaviour.
|
| | 2. | Limiting the flow of information between internal departments and employees through information barriers.
|
| | 3. | Providing guidance, instructions and examples on avoiding conflicts of interest.
|
| | 4. | Requiring immediate disclosure of any conflicts or potential conflicts.
|
