Internal fraud, fraud committed by employees, is a difficult issue to tackle since no-one wants to admit that a problem exists. While levels might differ from business to business, it is a real problem for everyone.
Take the insurance sector as an example. In 2006 the Insurance Fraud Bureau was formed to enable insurers to share data to protect against fraud. This was a milestone for insurance to unite as a sector against the rising threat of fraud. From this data, the market obtained huge amounts of insight. Between 2006 and 2015 insurance started to be purchased online. Shortly after this the ghost broker arrived, selling false insurance policies – capitalising on the virtual transaction born out of internet purchases.
As is the case in many other sectors, the emergence of so many disparate channels with their own fraud controls creates more opportunity for fraud to take place.
Most fraud investment (both time and money) is spent on external fraud, so the risks caused by internal fraud aren’t addressed as they should be: the work is constrained by limited investment.
There is no direct ratio between the size of a customer base and fraud. In many businesses, the size of the customer universe is significant and, if you looked at the ratio of fraud against this volume, you could assume the problem is quite small. But this is not the case, as seen in our Annual Fraud Indicator report, which highlights the value of internal fraud and the size of the problem.
What can you do about it?
If technology is used to detect external fraud, why are we not using it in the internal space? The role of a fraud team is to assess risk and limit it. Data, technology and behavioural analytics can help you to calculate the level of risk, but simple checks can also identify patterns that are indicative of fraud. With a large proportion of the internal fraud challenge for insurers being around the payment of a claim – a simple check of the bank account the claim is being paid to, against the claimant, can identify mismatched details and give you a strong indicator as to whether the claim is being paid legitimately or not.
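The payee check described above, sketched as an added example that is not part of the original article. It assumes each payment record carries the claimant's name and the account holder's name for the destination account (for instance from a bank account verification service); the field names, the 0.85 threshold and the sample records are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "miss", "dr", "mx"}

def name_tokens(name):
    """Lower-case, drop punctuation and honorifics, return the remaining words.
    ASCII-only normalisation: a simplification for this example."""
    words = re.sub(r"[^a-z\s]", "", name.lower()).split()
    return [w for w in words if w not in TITLES]

def similar(a, b, threshold=0.85):
    """True when two words are near-identical by SequenceMatcher ratio."""
    return SequenceMatcher(None, a, b).ratio() >= threshold

def names_match(claimant, account_holder):
    """Compare surname first, then forename; an initial matches a full forename."""
    a, b = name_tokens(claimant), name_tokens(account_holder)
    if not a or not b or not similar(a[-1], b[-1]):
        return False
    if len(a[0]) == 1 or len(b[0]) == 1:
        return a[0][0] == b[0][0]
    return similar(a[0], b[0])

def flag_mismatched_payments(payments):
    """Return the payments whose destination account holder is not the claimant."""
    return [p for p in payments
            if not names_match(p["claimant"], p["account_holder"])]

# Constructed sample records (hypothetical field names, not real data).
PAYMENTS = [
    {"claim_id": "CLM-1001", "handler": "H07",
     "claimant": "John Smith", "account_holder": "Mr J. Smith"},
    {"claim_id": "CLM-1002", "handler": "H07",
     "claimant": "Catherine Hughes", "account_holder": "KATHERINE HUGHES"},
    {"claim_id": "CLM-1003", "handler": "H12",
     "claimant": "Alan Jones", "account_holder": "K Murray"},
    {"claim_id": "CLM-1004", "handler": "H12",
     "claimant": "David Brown", "account_holder": "Emma Brown"},
]

if __name__ == "__main__":
    for p in flag_mismatched_payments(PAYMENTS):
        print(f"{p['claim_id']}: pays {p['account_holder']!r}, claimant is "
              f"{p['claimant']!r} (handler {p['handler']}) -> refer for review")
```

A flag is a prompt for review rather than proof of fraud: payments to joint accounts or to an authorised representative will also appear.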
In a lot of roles − banking, the police etc. − a question often asked of employees during recruitment or later during their employment is whether they have any personal debt. The point of this is to see if that individual is ‘corruptible’. If they did have significant debt levels, that person could be a target for an organised crime group – not because of the debt, but because the debt may make them vulnerable. This form of checking is essential and not only at the point of onboarding, but throughout employment.
(It is important to note that, while I’m talking quite overtly about internal fraud as a problem for losses, the consequences can often be the result of a person, the member of staff, being vulnerable. By understanding this tipping point you can better help them, as their employer, with recovery and support – which will hopefully not only prevent the fraud happening, but also stop the distress occurring at such scale if it were to happen.)
Today we see more people re-vetting employees with periodic background checks, rather than relying on the initial disclosure. This is understandable because the people who serve the company represent the company, and it is vital that the brand is not brought into disrepute. Equally, these employees know a lot about the systems and processes of a company – and this knowledge can be extremely powerful in the event of them committing fraud.
Beyond this, the customer, the data and the assets need to be protected. Internal fraud that takes data out of the business is in itself a data breach. The data doesn’t have to be hacked; it can be taken out by an individual. It’s still the same thing – it’s still data that is going out of your business and is then breached. The impact on your customers, in this scenario, can far surpass financial distress and in fact can be hugely damaging to your brand, as people trust you to protect their data – and regulation requires you to do this. (Read more on the specifics of the GDPR).
The good news is that with continual vetting of staff and employees, you can help retain control. You can better understand any risks – and calculate these in the broader risk assessment combining internal and external factors into the mix. You may not see any concerning points from this, but you may uncover some which, until this point, weren’t obviously a threat.
An example scenario of this is where a company carried out a further vetting process after a long period without any checks and highlighted driving offences across their driving fleet. The offences hadn’t been committed at the point of those individuals joining the company, but the fact that they had been committed and discovered later in the employment presented a real issue to the company given the nature of their business. Checking staff throughout their employment is important, and ongoing checks are imperative to continually measure, and minimise, the risk.