Principle

Member Organisations should have defined, approved, implemented and maintained standards for the prevention of fraud which should be aligned to the fraud risks impacting the organisation and its customers.

Control Requirements

a. Member Organisations should define, approve, implement and maintain standards to aid the prevention of fraud, addressing both internal fraud and external fraud risks impacting the organisation.
b. Member Organisations should review and update fraud prevention standards on a periodic basis and in response to material changes to the fraud landscape or the Member Organisation Fraud Risk Assessment.
c. Compliance with the fraud prevention standards should be monitored.
d. The effectiveness of the fraud prevention standards and related controls should be measured and periodically evaluated.
e. The output of the Fraud Risk Assessment should be used to determine where prevention activity is focused, and controls should be proportionate to the risk appetite of the organisation.
f. Fraud prevention standards may be manual or automated, and should include at a minimum:
   1. The controls implemented to prevent fraud (e.g., segregation of duties, approval and escalations, employee training, access restrictions, due diligence and integrity checks, notification of account changes, transaction limits, underwriting checks).
   2. Systems and technology implemented to prevent fraud (e.g., identity and access management, authentication, issuance of one-time passwords, biometrics).
   3. Roles and responsibilities for fraud prevention (e.g., customer application review at onboarding, training design, due diligence, system testing).
   4. Rationale outlining why the prevention controls are appropriate to the risks faced by the organisation.
g. Member Organisations should define the approach to setting limits and thresholds for preventive controls (where applicable) in fraud prevention standards, considering:
   1. The outcome of the Fraud Risk Assessment.
   2. Fraud incidents and losses experienced.
   3. Fraud Risk Appetite.