Principle

Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident, determine any lessons learnt and take corrective actions to prevent a recurrence.

Control Requirements

a. Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident at the conclusion of an investigation. At a minimum the process should include:

   1. Understanding the point of compromise (e.g., the channel which was used to perpetrate the fraud or take control of an account).
   2. Determining whether other parties could have been involved in the fraud (e.g., additional employees through collusion, or persons known to the customer).
   3. Reviewing whether a preventive control has failed or been bypassed by an employee.
   4. Evaluating whether the fraud was identified proactively by a detective control or relied on reactive customer notification.

b. Following determination of the root cause, Member Organisations should define, approve and implement a process to determine lessons learnt and inform corrective actions to prevent a recurrence. At a minimum the process should include:

   1. Collating data which may support the analysis of patterns in fraud cases, including but not limited to the IP addresses used, the beneficiary accounts and the device IDs involved.
   2. Assessing whether there is a gap in the current control framework.
   3. Determining whether other departments of the Member Organisation have the same vulnerability.
   4. Evaluating whether the issue could impact other Member Organisations and sharing relevant information that may prevent a recurrence (e.g., fake websites impersonating government entities or social media accounts).
   5. Documenting corrective actions to address the root cause and prevent a recurrence.

c. Member Organisations should take corrective actions to remediate the root cause and/or the impact of a fraud incident, which may include but are not limited to:

   1. Implementing a new control or enhancing an existing control.
   2. Providing training or communicating new awareness materials to improve employee, customer or third party awareness.
   3. Putting a fraud victim back into the position they were in prior to the incident (e.g., reimbursing stolen funds, chargebacks, refunding a scam payment, repaying a third party).
   4. Providing support to a victim of fraud (e.g., informing them of next steps, providing a new card, providing education).
   5. Attempting to recover funds or assets.
   6. Exiting a customer or third party relationship if they are found to be the perpetrator of a fraud.
   7. Internal disciplinary action where internal fraud is identified.
   8. Liaising with law enforcement.

d. The acceptance and implementation of corrective actions should be tracked by the Counter-Fraud Department, with escalation to the CFGC where actions are rejected by the business or remedial action is delayed.