Principle
|
Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident, determine any lessons learnt and take corrective actions to prevent a recurrence.
|
Control Requirements
|
| a. | Member Organisations should define, approve, implement and maintain a process to identify the root cause of a fraud incident at the conclusion of an investigation. At a minimum the process should include:
|
| | 1. | Understanding the point of compromise (e.g., the channel which was used to perpetrate the fraud or take control of an account).
|
| | 2. | Determining whether other parties could have been involved in the fraud (e.g., additional employees through collusion or persons known to the customer).
|
| | 3. | Reviewing whether a preventive control has failed or been bypassed by an employee.
|
| | 4. | Evaluating whether the fraud was identified proactively by a detective control or relied on reactive customer notification.
|
| b. | Following determination of the root cause, Member Organisations should define, approve and implement a process to determine lessons learnt and inform corrective actions to prevent a recurrence. At a minimum the process should include:
|
| | 1. | Collating data which may support the analysis of patterns in fraud cases, including but not limited to IP addresses used, beneficiary accounts, device IDs involved.
|
| | 2. | Assessing whether there is a gap in the current control framework.
|
| | 3. | Determining whether other departments of the Member Organisation have the same vulnerability.
|
| | 4. | Evaluating whether the issue could impact other Member Organisations and sharing relevant information that may prevent a recurrence (e.g., fake websites impersonating government entities or social media accounts).
|
| | 5. | Documenting corrective actions to address the root cause and prevent a recurrence.
|
| c. | Member Organisations should take corrective actions to remediate the root cause and/or the impact of a fraud incident, which may include but are not limited to:
|
| | 1. | Implementing a new control or enhancing an existing control.
|
| | 2. | Providing training or communicating new awareness materials to improve employee, customer or third party awareness.
|
| | 3. | Putting a fraud victim back into the position they were in prior to the incident (e.g., reimbursing stolen funds, chargebacks, refunding a scam payment, repaying a third party).
|
| | 4. | Providing support to a victim of fraud (e.g., informing of next steps, providing a new card, providing education).
|
| | 5. | Attempting to recover funds or assets.
|
| | 6. | Exiting a customer or third party relationship if they are found to be the perpetrator of a fraud.
|
| | 7. | Internal disciplinary action where internal fraud is identified.
|
| | 8. | Liaising with law enforcement.
|
| d. | The acceptance and implementation of corrective actions should be tracked by the Counter-Fraud Department with escalation to the CFGC where actions are rejected by the business or remedial action is delayed.
|
