5.1. Fraud Detection Standards

No: 000044021528 Date(g): 11/10/2022 | Date(h): 16/3/1444 Status: In-Force

Effective from Oct 11 2022 - Oct 10 2022

Principle

Member Organisations should have defined, approved, implemented and maintained fraud detection standards which should be aligned to the fraud risks impacting the organisation and its customers.

Control Requirements

a. Member Organisations should define, approve, implement and maintain fraud detection standards addressing both internal fraud and external fraud risks impacting the organisation.

b. Member Organisations should review and update fraud detection standards on a periodic basis and in response to material changes to the fraud landscape or the Member Organisation Fraud Risk Assessment.

c. The compliance with fraud detection standards should be monitored.

d. The effectiveness of fraud detection standards and related controls should be measured and periodically evaluated.

e. The output of the Fraud Risk Assessment should be used to determine where detection activity is focused, and controls should be proportionate to the risk appetite of the organisation.

f. Where the inherent risk of fraud is assessed as higher, the fraud detection standards should require additional detection controls (e.g., real-time monitoring, additional data sources or Machine Learning models) or more stringent detection threshold criteria (e.g., lower monetary limits before an alert is raised).

g. Fraud detection standards should include at a minimum:

 1. Data sources used to inform detection of suspicious activity and fraud (e.g., core customer records, transactional/payment systems, identity and access management, external databases).

 2. The controls implemented to detect suspected fraudulent activity (e.g., escalation of high-risk events and transactions, secondary checking, reconciliations, exception reporting, internal training).

 3. The controls implemented to detect suspected fraudulent activity relating to Wholesale Payment Endpoint Security (e.g., monitoring of payments behaviour and out-of-band reports, the creation of a counterparty white-list, anomalous payment tracking, blocking of payments in real-time).

 4. Systems and technology implemented to detect potential fraud (e.g., fraud detection software, alerts on high-value events or transactions, access monitoring, link analysis).

 5. Roles and responsibilities for fraud detection (e.g., system calibration, reviewing manual fraud referrals, alert triaging and management, escalation point for potentially significant incidents, supervision and oversight).

 6. Rationale outlining why the detection systems and controls are appropriate to the risks faced by the organisation.
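As an added illustration (not part of the standard itself) of how requirements f and g.3 can be expressed as detection logic: alert limits that tighten as the inherent-risk rating from the Fraud Risk Assessment rises, plus a counterparty allow-list, anomalous-payment tracking and real-time blocking for wholesale payments. The risk ratings, limits, accounts, counterparties and payment history are all constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Alert limit per inherent-risk rating (constructed values): where the Fraud
# Risk Assessment rates risk higher, a lower amount is enough to raise an alert.
ALERT_LIMIT = {"low": 50_000.0, "medium": 20_000.0, "high": 5_000.0}

# Counterparty allow-list for wholesale payments, keyed by originating account
# (constructed sample data).
ALLOWED_COUNTERPARTIES = {"ACC-001": {"CP-ALPHA", "CP-BETA"}}


@dataclass
class Payment:
    account: str
    counterparty: str
    amount: float
    channel: str   # "retail" or "wholesale"
    risk: str      # inherent-risk rating of the account's segment


def is_anomalous(amount, history, z=3.0):
    """Flag amounts more than z standard deviations above the account's history."""
    if len(history) < 5:
        return False  # too little history to judge; rely on monetary limits only
    sd = pstdev(history)
    return sd > 0 and (amount - mean(history)) / sd > z


def assess(p, history):
    """Return (decision, reasons): decision is 'allow', 'alert' or 'block'."""
    reasons = []
    if p.channel == "wholesale":
        if p.counterparty not in ALLOWED_COUNTERPARTIES.get(p.account, set()):
            reasons.append("counterparty not on allow-list")
            return "block", reasons  # block in real time before settlement
        if is_anomalous(p.amount, history):
            reasons.append("amount anomalous vs account history")
    if p.amount >= ALERT_LIMIT[p.risk]:
        reasons.append(f"amount >= {p.risk}-risk limit {ALERT_LIMIT[p.risk]:.0f}")
    return ("alert" if reasons else "allow"), reasons


if __name__ == "__main__":
    hist = [1_000.0, 1_200.0, 900.0, 1_100.0, 1_050.0, 980.0]  # constructed
    for p in [Payment("ACC-001", "CP-ALPHA", 1_100.0, "wholesale", "low"),
              Payment("ACC-001", "CP-ZULU", 500.0, "wholesale", "low"),
              Payment("ACC-002", "CP-GAMMA", 6_000.0, "retail", "high")]:
        print(p.account, p.counterparty, assess(p, hist))
```

The same 6,000 payment that passes unremarked for a low-risk segment raises an alert for a high-risk one, which is the proportionality item f asks for.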
 
h. Member Organisations should consider the following areas of activity when documenting the people, process, and technology requirements for fraud detection:

 1. Employee activity data (e.g., system access, invoices and payments, approvals).

 2. Customer account activity (e.g., transactions, payments, settlement).

 3. Customer account access and management (e.g., log-in geolocation, device usage, changes to static data).

 4. Third party activity data (e.g., access to and use of Member Organisation systems or data, instructions on behalf of customers, referrals from agents).

i. Where a Member Organisation determines a manual control is required (e.g., due to the scale of the Member Organisation, lack of systems or analytics, or coverage of products and channels), the nature of the fraud risk should be reviewed to assess the number of employees and skills required to provide adequate manual coverage.

j. Member Organisations should have adequate resources in place to manage the outputs from manual and automated fraud detection (e.g., sufficient employees to work alerts, appropriate skills and training for employees to complete investigations, workflow system to allocate alerts).