
5.2. Fraud Detection Systems

No: 000044021528 Date(g): 11/10/2022 | Date(h): 16/3/1444 Status: In-Force
Principle

Member Organisations should implement and maintain fraud detection systems to identify anomalies in transactional and non-transactional data, and in customer or employee behaviour, that may be indicators of fraud.

Control Requirements

a. Member Organisations should implement and maintain fraud detection systems to monitor customer products and services, and internal systems, for transactions or behaviours that may be indicative of fraud.

b. Fraud detection systems should operate 24/7, with appropriate resources in place to manage their outputs on a timely basis.
 
 
c. Member Organisations should develop holistic and current sources of data to be used to inform the detection of suspicious activity and fraud, including at a minimum:

 1. Customer products and services held across all lines of business.

 2. All contact channels (e.g., online, mobile, phone).

 3. External information (e.g., credit reference data, blacklists, vendor-provided data sets).

 4. The insights gathered from Intelligence Monitoring (see sub-section 4.1.1).

 5. Transactional or settlement data (e.g., payment values into or out of accounts, payment recipients added, authority for payment instructions, transfers from the custodian of funds).

 6. Non-transactional data (e.g., employee behaviour, online access, device usage, geo-location, changes to static data).
 
d. Member Organisations should implement controls (e.g., data governance, de-duplication, data quality alerts, regular audit, integration testing, regression testing for change management) to ensure that the underlying data is:

 1. Timely - supplied to the detection system at an appropriate frequency based on the rate of change and urgency of the information (e.g., payment data should be real-time to allow intervention before funds are transferred, while new products sold may be updated daily, and external information refreshed when lists change).

 2. Complete - includes all required data from all relevant systems identified in the Counter-Fraud detection standards (e.g., data mapping from source systems to the detection system should be validated).

 3. Accurate - of sufficient quality to enable effective monitoring (e.g., up to date, and tested to ensure data quality).
 
e. Member Organisations should ensure fraud detection system capability includes at a minimum:

 1. Analysis of structured data (data in a standardised, well-structured format).

 2. Monitoring of customer and internal accounts.

 3. Baselining of user behaviour patterns into profiles which allow deviations from normal activity to be identified (e.g., expected frequency or value of transactions).

 4. Definition of a library of rules based on known fraud typologies to identify activity which could be indicative of fraud (e.g., employee access patterns, unknown or remote customer location, increased frequency of transactions, new transaction type, high-value amounts, recurring transactions whether to one beneficiary or multiple beneficiaries, a single source of transfer to many accounts).

 5. Segmentation of customer groups to enable tailoring of rules (e.g., modifying rules and thresholds based on the different expected behaviours of a high-net-worth Private Banking customer vs. a standard Retail customer, or a new account opened online vs. an established relationship-managed customer).

 6. Applying a weighting to rules based on the assessed level of fraud risk, and assigning risk scores to identify activity that may be indicative of fraud.

 7. Aggregation of risk scores to assess patterns of transactional and non-transactional activity across multiple channels that, when combined, may be indicators of fraud.

 8. Linking outputs (e.g., alerts and cases for further investigation) to a Case Management System.
 
f. Member Organisations should use the output of Intelligence Monitoring and information from across the organisation in data analytics to analyse the current fraud position in depth, predict future fraud threats and take proactive action to prevent fraud. Analytics should draw on multiple data sources, including but not limited to historical and current trends, customer data, transactions and non-transactional activity.
 
 
g. Where a higher risk of fraud is identified in the Fraud Risk Assessment, or higher incidences of fraud occur, Member Organisations should additionally implement system capability for:

 1. Big data mining to facilitate advanced analytics over large quantities of structured and unstructured data, with associated orchestration to create a centralised data repository (e.g., using data refinement and comparison algorithms to perform queries on very large volumes of data, and storage in a data lake).

 2. Analytical tools and capabilities to enhance rules-based monitoring (e.g., trend analysis, keyword analysis, predictive analytics, and anomaly detection).

 3. Overlaying Artificial Intelligence and Machine Learning algorithms (e.g., decision trees, random forests, neural networks) to:

  a. Enhance system decision-making capability.

  b. Predict the likelihood of fraud.

  c. Learn from historical patterns of fraudulent and legitimate behaviour.

 4. Network Visualisation/Link analytics or Entity Resolution to reveal hidden or previously unknown connections and identify networks across different data sources (e.g., identify connections from devices or IP addresses known to have been used for fraudulent purposes and link them with other data points to create a threat score associated with a network, by looking at location, payment cards used, beneficiaries, etc.).

 5. Analysis of additional unstructured external data (e.g., scanned customer documents) to widen data sources.
 
h. Where a deviation from the baselined user behaviour patterns is identified, Member Organisations should either:

 1. Require further authentication of the user or of their instructions.

 2. Generate an alert for further investigation to determine whether fraud has occurred.
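The following is an added example, not part of the Framework or of any Member Organisation's system. It shows how the capabilities in control e (per-customer baselines, a weighted rule library with segment-specific thresholds, score aggregation across channels, and hand-off to a case queue) and the two responses in control h fit together in a minimal rules-based scoring engine. Every rule name, weight, threshold, customer profile and event in it is constructed for illustration; the step-up and alert scores are the example's own choice, not values the Framework prescribes.

```python
"""Added example: minimal rules-based fraud scoring engine (controls e.3-e.8, h).
All names, weights, thresholds, profiles and events are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Set


@dataclass
class Event:
    customer: str
    channel: str          # contact channel: "mobile", "online", "phone"
    kind: str             # "login", "payment", "beneficiary_added", "static_change"
    amount: float = 0.0
    beneficiary: str = ""
    country: str = "SA"
    device: str = ""


@dataclass
class Profile:
    """Baseline of a customer's normal activity (control e.3)."""
    segment: str                 # "retail" or "private" (control e.5)
    amounts: List[float]         # historical payment values
    countries: Set[str]
    devices: Set[str]
    beneficiaries: Set[str]

    def amount_z(self, amount: float) -> float:
        """Standard deviations a payment sits above this customer's usual values."""
        if len(self.amounts) < 2:
            return 0.0
        sd = pstdev(self.amounts) or 1.0
        return (amount - mean(self.amounts)) / sd


@dataclass
class Rule:
    name: str
    weight: float                                           # control e.6
    check: Callable[[Event, Profile, Dict[str, float]], bool]


# Segment-specific thresholds (control e.5); constructed values.
SEGMENT_THRESHOLDS = {
    "retail":  {"high_value": 20_000.0,  "amount_z": 3.0},
    "private": {"high_value": 500_000.0, "amount_z": 4.0},
}

# Rule library from the typologies in control e.4; constructed weights.
RULES = [
    Rule("high_value", 30, lambda e, p, t: e.kind == "payment" and e.amount > t["high_value"]),
    Rule("amount_deviation", 25, lambda e, p, t: e.kind == "payment" and p.amount_z(e.amount) > t["amount_z"]),
    Rule("unknown_location", 20, lambda e, p, t: e.country not in p.countries),
    Rule("new_device", 15, lambda e, p, t: e.kind == "login" and e.device not in p.devices),
    Rule("new_beneficiary", 15, lambda e, p, t: e.kind in ("payment", "beneficiary_added")
         and e.beneficiary not in p.beneficiaries),
    Rule("static_change", 10, lambda e, p, t: e.kind == "static_change"),
]


class FraudDetector:
    STEP_UP = 30.0   # aggregated score requiring further authentication (h.1)
    ALERT = 55.0     # aggregated score raising a case for investigation (h.2)

    def __init__(self, profiles: Dict[str, Profile], rules: List[Rule]):
        self.profiles = profiles
        self.rules = rules
        self.session_score: Dict[str, float] = {}   # per customer, across all channels (e.7)
        self.cases: List[dict] = []                 # hand-off to a Case Management System (e.8)

    def score_event(self, e: Event) -> dict:
        p = self.profiles[e.customer]
        hits = [r for r in self.rules if r.check(e, p, SEGMENT_THRESHOLDS[p.segment])]
        event_score = sum(r.weight for r in hits)
        total = self.session_score.get(e.customer, 0.0) + event_score
        self.session_score[e.customer] = total
        if total >= self.ALERT:
            action = "alert"
            self.cases.append({"customer": e.customer, "channel": e.channel,
                               "score": total, "rules": [r.name for r in hits]})
        elif total >= self.STEP_UP:
            action = "step_up"
        else:
            action = "allow"
        return {"hits": [r.name for r in hits], "event_score": event_score,
                "session_score": total, "action": action}


def build_profiles() -> Dict[str, Profile]:
    """Constructed baselines: one retail and one private-banking customer."""
    return {
        "C1": Profile("retail", [500, 800, 650, 700, 900], {"SA"}, {"dev-A"}, {"B1", "B2"}),
        "C2": Profile("private", [100_000, 120_000, 90_000, 110_000, 80_000],
                      {"SA", "AE"}, {"dev-P"}, {"B1"}),
    }


# Constructed session: a takeover-style sequence for C1 spread over three channels,
# each step individually low-scoring, followed by a large but in-pattern payment by C2.
SAMPLE_EVENTS = [
    Event("C1", "mobile", "login", device="dev-Z"),
    Event("C1", "online", "static_change", device="dev-Z"),
    Event("C1", "phone", "beneficiary_added", beneficiary="B9"),
    Event("C1", "online", "payment", amount=15_000, beneficiary="B9", device="dev-Z"),
    Event("C2", "online", "payment", amount=30_000, beneficiary="B1", device="dev-P"),
]


def run_demo() -> List[dict]:
    detector = FraudDetector(build_profiles(), RULES)
    return [detector.score_event(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, r in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{e.customer} {e.channel:6} {e.kind:17} hits={r['hits']} "
              f"session={r['session_score']:.0f} -> {r['action']}")
```

The point of the constructed session is e.7: none of C1's first three events would cross a threshold on its own, but the aggregated score across mobile, online and phone reaches step-up at the new beneficiary and alert at the payment, while the same payment size from the private-banking customer scores nothing because the thresholds are segmented.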
 
i. To ensure the effectiveness and optimisation of fraud detection systems, Member Organisations should:

 1. Calibrate and test detection scenarios to validate that they are working as designed and enable monitoring in accordance with the organisation's risk appetite (e.g., rule logic review, threshold testing, precision and recall testing).

 2. Implement feedback loops to monitor and enhance the performance of systems and the effectiveness of scenarios and parameters, by reviewing false positives, false negatives and alerts which identified fraud.

 3. Periodically review scenarios and parameters to ensure they remain appropriate in view of the insights gathered in Intelligence Monitoring and/or the outcome of the Fraud Risk Assessment.

 4. Periodically test the effectiveness of systems through ongoing tuning and calibration measures such as data mapping and input validation, model validation, scenario effectiveness testing and reporting.

 5. Update user behaviour patterns and rules to account for the latest threats and fraud typologies.

 6. Retain a documented record of changes made to configuration or rules, and the rationale for each decision.

 7. Monitor for unauthorised changes to the system (e.g., rule tampering or disabling of monitoring).
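As an added example (not the Framework's own material), the following shows what the precision and recall testing of i.1 and the feedback loop of i.2 look like in practice: closed alerts labelled with their investigation outcome are replayed against candidate alert thresholds, the threshold that best meets a recall floor is chosen, and the false positive rate of j.2 and the change rationale of i.6 are produced alongside it. The labelled outcomes and the recall floor are constructed; the floor stands in for the organisation's risk appetite.

```python
"""Added example: threshold calibration with precision and recall (controls i.1,
i.2, i.6, j.2).  Labelled outcomes are constructed; in practice they come from
the feedback loop of investigated alerts."""
from typing import List, Tuple

# Constructed feedback data: (risk score of an alert, whether investigation confirmed fraud).
SAMPLE_OUTCOMES: List[Tuple[float, bool]] = [
    (10, False), (15, False), (20, False), (35, False), (40, False),
    (45, True), (55, False), (60, True), (65, False), (72, True),
    (85, True), (95, True),
]


def confusion(outcomes, threshold) -> Tuple[int, int, int, int]:
    """(tp, fp, fn, tn) if every score >= threshold had been alerted."""
    tp = sum(1 for s, fraud in outcomes if s >= threshold and fraud)
    fp = sum(1 for s, fraud in outcomes if s >= threshold and not fraud)
    fn = sum(1 for s, fraud in outcomes if s < threshold and fraud)
    tn = sum(1 for s, fraud in outcomes if s < threshold and not fraud)
    return tp, fp, fn, tn


def metrics(outcomes, threshold) -> dict:
    """Precision, recall and false positive rate at one threshold (the j.2 metrics)."""
    tp, fp, fn, tn = confusion(outcomes, threshold)
    return {
        "threshold": threshold,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "alerts": tp + fp,
    }


def calibrate(outcomes, min_recall: float) -> dict:
    """Choose the alert threshold that maximises precision (fewest wasted
    investigations) while still catching at least `min_recall` of confirmed
    fraud.  Ties go to the higher threshold, i.e. fewer alerts.  The returned
    rationale is what the i.6 change record should capture."""
    candidates = [metrics(outcomes, t) for t in sorted({s for s, _ in outcomes})]
    acceptable = [m for m in candidates if m["recall"] >= min_recall]
    if not acceptable:
        # No threshold on the current scores meets the recall floor: the rules
        # themselves need revisiting (i.5), not just the threshold.
        raise ValueError("no threshold meets the recall floor; review rules, not thresholds")
    best = max(acceptable, key=lambda m: (m["precision"], m["threshold"]))
    best["rationale"] = (f"recall floor {min_recall:.0%}; chose threshold {best['threshold']} "
                         f"with precision {best['precision']:.0%}, "
                         f"FPR {best['false_positive_rate']:.0%}")
    return best


if __name__ == "__main__":
    for floor in (1.0, 0.8):
        print(calibrate(SAMPLE_OUTCOMES, floor)["rationale"])
```

On the constructed data a recall floor of 100% forces the threshold down to 45 and a precision of 5/7, whereas accepting 80% recall allows a threshold of 60 with precision 0.8 and one false positive in seven legitimate cases; that trade-off between missed fraud and investigator load is exactly what the risk appetite in i.1 has to decide.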
 
j. The fraud detection systems should be capable of monitoring and reporting metrics and Management Information in respect of:

 1. Data integrity.

 2. Rule and scenario effectiveness (e.g., false positive rate).

 3. Operational performance.