Preventing Insider Fraud
 
Definition

Norwich Union estimates fraud cost the UK £16bn in 2004. KPMG’s annual Fraud Barometer shows that the two biggest classes of perpetrators of fraud were managers and organized crime, which together accounted for almost 90% of UK fraud cases, namely £14.4bn in losses. A significant proportion of bank-related fraud is committed by, or with, the collusion of internal employees. There are even cases of fraudsters being inadvertently re-employed in the industry. Fraudulent activity may be initiated by staff. Some estimates suggest that over 80 per cent of computer-based frauds involve employees.

The FSA reports that there have been a number of cases in which individuals working for financial services firms were coerced into providing information to outsiders, who have then used that information to commit fraud.

Two levels of insider fraud:
a. Paper-based data or information stolen
b. Electronic access to customer data stored on a computer system, e.g. database hacking or theft

Early warning signs of suspicious “insider” behaviour (from CIFAS):

a. Staff showing stress and personality changes without having an especially high workload
b. Staff who always work late and are reluctant to take leave
c. Evidence of staff living beyond their apparent means or having wealth not in keeping with their salary level; or staff undergoing a sudden change of lifestyle
d. New staff resigning quickly
e. Staff with keen external business interests

Other early signs in the System:
a. Customer complaints of missing statements, unrecognised transactions
b. Suppliers / contractors who insist on dealing with just one individual or staff who have “cosy” relationships with suppliers/contractors
c. Rising costs with no explanation
d. Key employees acting without accountability or supervision and not being subject to audit checks

Security Tips and Best Practices

Recruitment Best Practices

a. Recruitment checks should be at least as stringent as the checks required to open a bank account, including:
b. Confirmation of previous employment details, sometimes going back 10 years or more
c. Confirmation of all qualifications
d. Confirmation of identity (name and address)
e. Credit reference agency checks
f. Fraud prevention checks (shared information)
g. Taking up references
h. Checks against own internal fraud databases
i. Police/criminal background checks on all prospective employees
j. Intensify background checks for temporary staff


Corporate Governance
a. Whistleblowing system
b. Reviewing risk and security audit procedures
c. Business process review for account management processes/lifecycle and re-allocation of responsibilities to ensure total accountability throughout the business

Information and data security policy

a. Industry cryptographic standards for all customer and transaction data
b. Company-wide information and cyber security policy
c. Define levels of access on “need to know” basis only
d. Managing Outsourcing of Operations
e. Where the storage, or indeed the destruction, of data is outsourced, the owner of the customer relationship retains responsibility. The delegating firm retains ultimate responsibility for duties undertaken in its name.


Information sharing & collaboration
a. Maintaining records of internal fraud cases is good practice
b. Sharing fraud records across the financial services industry through industry fraud “blacklist” of known fraudsters

Security Access
a. Strict visitor access system
b. Ban mobile phones in sensitive locations
c. Systems access part of security and information policy

  Send suggestions for additional best practices to Mike Lee at mike@atmia.com