It turns out that bases aren't the only thing stolen at Shea Stadium, New York's famous baseball arena. After staggering through a losing season, the New York Mets suffered yet another indignity last October when it was revealed that four former Mets employees had allegedly bilked the ball club out of $US2 million over a period of six years. According to Queens prosecutors, the suspects pulled off a variety of cons with the assistance of two accomplices who worked for team vendors. By overbilling the team for office supplies such as copy paper, setting up bogus companies and cooking up kickback schemes, the sextet netted hundreds of thousands of dollars a year for supplies that were never delivered. The Mets and Sterling Doubleday Enterprises, the Mets' parent company at the time, proved to be easy marks. They were completely unaware of the scams, which dated back to 1994, until an internal audit in 2000 brought them to light.
As a company whose only product is baseball, the Mets organisation provides relatively few opportunities for procurement fraud, certainly far fewer than do larger corporations. But even on a small scale, fraud can be incredibly damaging, and the Mets are a good example of both the ease with which fraud can be perpetrated and the difficulty of tracking it down. The "2002 Report to the Nation" from the Association of Certified Fraud Examiners found that the average fraud scheme lasts 18 months before it's detected, and that internal controls seldom catch the crooks. In fact, according to the survey (based on 663 reported occupational fraud cases that caused more than $US7 billion in losses), the top two cited means of detecting a fraud were a "tip from an employee" (26 per cent) and "by accident" (19 per cent) — hardly methods on which most companies are willing to stake their reputation or financial security.
As CSOs' responsibilities expand, fraud is a problem that increasingly falls into their lap. Whether they lead their company's fraud unit or govern just a piece of that apparatus, the CSOs' expertise with layered security architectures and forensic tools, and their understanding of the importance of enforced processes and procedures make them invaluable players in the battle against corporate fraud. When it comes to fraud, "the CSO is responsible for detection, protection, prevention and recovery of all the organisation's assets," summarises Vincent DeLuca, vice president of fraud control, security and risk management for MasterCard International. But DeLuca stresses that success in preventing and detecting fraud requires that CSOs build strong working relationships with the other key executives who also play a part in fraud response. "The CSO must first align himself with the CEO and senior management," he says. "They set the tone within the organisation and [affirm] its commitment to protecting corporate assets."
In fact, CSOs — as relatively new corporate players — are often in the position of joining an effort already in progress. Their challenge is to figure out the best way to enhance the process using their experience.
John Frazzini, a former special agent with the US Secret Service financial crimes division, believes that even though fraud-prevention teams, investigative departments, IT security staff and legal counsel are already entrenched in dealing with fraud, there remains a crucial role that the CSO is well positioned to fill. "Tearing down the walls between those departments and getting them to work together is the most cost-effective way to get ahead of the risk," says Frazzini. "CSOs should take the 50,000-foot view and make sure that, as the company moves forward with a fraud program, it does so with one voice."
This story will look at the technical and organisational challenges of fraud detection for CSOs, the relationships they need to build in order to be effective and the best practices that some CSOs have unearthed for tackling corporate fraud head-on.
Culprits and Schemes
The first thing to understand about fraud is its incredible breadth. Fraud encompasses everything from expense account and procurement scams to financial reporting irregularities, bid-rigging, intellectual property theft and more. Furthermore, specific financial-service sector industries such as insurance and banking have their own unique strains of fraud to worry about as well.
To a degree, fraud is still a pretty old-fashioned type of crime. Some of the techniques used in detection may have gone high-tech, but the same culprits and schemes that were popular a hundred years ago are still going strong. The vast majority of corporate fraud is perpetrated by insiders — employees and other trusted individuals who exploit their authorised access to do unauthorised things. Whether these people are embittered, financially strapped or just criminally opportunistic, they trade on their insider status by submitting doctored purchasing slips, thickly padding their expenses, setting up ghost employees or vendors, or simply selling the company's customer list or other valuable information to an interested outside party. Unlike the "pump-and-dump" stock fraud schemes that were popular during the 1990s market boom and the accounting scandals that have dominated the news in the past year, individual expense and procurement frauds, embezzlement and misappropriation don't wax and wane with the fortunes of the economy. They are easy to commit, produce high returns, are very hard to detect and are likely to fly under the corporate radar. Worse, in many cases they are tolerated as a cost of doing business. But when they rise above a certain financial threshold, these low-grade frauds become a legitimate business concern.
External frauds may be less common than internal ones, but the perpetrators are far more adept at using technology. Frazzini notes that one of the largest threats businesses now face is from organised crime syndicates out of Eastern Europe that specialise in identity and credit card theft for the purposes of extortion or financial fraud. "[Between] 15,000 and 20,000 customer account records can be stolen at a time," he says. "Technology has given these criminals the ability to conduct mass victimisations because all the information is often stored in a single depository."
Not surprisingly, financial services companies are the biggest targets. Techniques like "salami slicing" (stealing small, hard-to-notice amounts from many thousands of accounts on a given day) are profitable scams in the aggregate. Credit card numbers are often sold in chat rooms for $US2.50 each; a few dollars more can get you enough information on a person to perpetrate identity theft. "Many of the countries [where this is done] don't even have cybercrime laws," says Tom Kellerman, a data risk-management specialist for the financial strategy and policy sector of the World Bank. "From their perspective, we are the wealthy elite, we created the game of capitalism, and now we're seeing the dark side of it."
Not only do CSOs have to stay up on the various flavours of fraud, old and new, but they are also under increasing pressure — especially in financial services — to comply with such government regulations as the USA Patriot Act. This omnibus antiterrorism law mandates that financial institutions verify the identity of anyone seeking to open an account, maintain records of their identification and check all such people against the "denied persons" list of suspected terrorists. That has added another layer of complexity to corporate antifraud measures in these industries.
How CSOs Plan to Fight Fraud
CSOs' reporting relationships may define their degree of responsibility for fraud detection and prevention. A CSO who reports to IT is likely to govern the technical side of a fraud investigation, whereas a CSO who reports to the legal, risk-management or CEO's office may handle the investigation from both the business and IT angles. Rick Mercuri, vice president and corporate security director for Citizens Financial Group (the parent company of Citizens Bank), has worked in fraud investigations for 19 years. At Citizens, he and his group of 25 investigators are responsible for investigating all fraud incidents and the tracking, statistical reporting and trend analysis of fraud across the company. That is in addition to his role in managing the company's physical security. Mercuri stakes a large part of his unit's success on its independence from business functions that may hamper fraud investigations. He reports to the auditing group and then ultimately to the group executive of risk management. Both of those entities are historically autonomous. "In my career, I've seen cases where the investigation group reported to HR or another business unit that had too much of a vested interest," he says. "I've seen investigations that were hindered, where there was too much oversight or involvement. With straight-line reporting to auditing and risk management, we have free rein over investigations."
In order to fulfil their security responsibilities (which, like fraud, touch almost all aspects of the business), most CSOs have already started building strong relationships with the so-called "other Os" — the top executives of the various business functions that are generally represented in the fraud unit. These established relationships place the CSO in the unique position of being the only executive with the necessary technical and business perspectives to knit together this diverse group of corporate characters.
At MassMutual Financial Group, a special investigative unit (SIU) is responsible for policing both internal and external fraud. CISO Bruce Bonsall is a member of the 2-year-old SIU team. He coordinates the security function's active collaboration with the other members of the SIU, who are from internal audit and the legal department. The group meets quarterly to discuss new fraud trends and the investigative process.
"Don't try to go it alone," Bonsall advises security executives. "Good relationships with audit departments and legal people are critical because at some point something bad will happen, and [by then] it's too late to start thinking about how you'll handle those events as a group."
The CSO must draw on different players for different objectives. HR and legal representatives will help determine how background checks and employee monitoring should be conducted, facilitate fraud-related terminations, and develop policy and legal parameters for employee conduct and investigation procedures. The public relations and general counsel offices will help strategise over what recourse the company will pursue when fraud is discovered, whether to bring in law enforcement, and when and how instances of fraud are announced to customers and the public. The IT, security and audit team members will be the corporate detectives who undertake the technical and physical sleuthing necessary to detect, contain and build a body of evidence to prosecute fraud. Virtually all accounting and financial control systems — the candy stores of the fraud set — are computerised. CSOs already have the necessary understanding of the overall security architecture and the controls it has in place; they can take the leadership role in determining where those controls may have broken down and allowed fraud to occur. Their experience with incident-response planning around security breaches suits them well to drive the development of similar plans for incidents of fraud. A fraud-response effort will have to formulate how incidents should be handled, the mechanism for communicating those decisions through the executive branches and procedures for documenting the plan so that when an incident occurs there can be a rapid, decisive response. The plan should identify the "go to" people who are tasked with responding to each aspect of an incident. It should also define the appropriate procedures for conducting a fraud investigation so that evidence that is pulled off corporate networks isn't tainted in the process.
How Technology Can Help
Technology is an important part of a company's fraud prevention and detection program, but the good guys aren't the only ones exploiting its capabilities. Crooks are often among the earliest adopters of new technology (remember the fondness of drug dealers for pagers back in the 1980s?). Frazzini notes that the drug cartels alone have invested $US1 billion in technology. "Sleep with one eye open if you're relying on technology," he cautions. "[Criminals] will invest money, time and energy to beat you at the technology game." CSOs need to view technology as just part of their defence rather than a panacea.
Companies can either buy customisable software or write their own rules-based programs that analyse network activity for specific indicators of fraud. For example, if corporate policy decrees that all purchases above $US20,000 require approval, then a program that flags purchase orders for amounts between $US19,000 and $US20,000 could be useful in fraud monitoring. Similarly, a program could compare vendor addresses with employee addresses to detect "ghost" vendors.
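The two rules just described, written out as runnable detection logic. This is an added example, not code from the article or from any vendor it names: the purchase orders, vendors and employees are constructed sample data, the $US19,000 to $US20,000 band is taken from the article's example, and the third check (sub-threshold orders from one requester to one vendor that add up past the approval line) is a generalisation of the threshold rule that the article does not spell out.

```python
"""Rules-based procurement checks of the kind the article describes.

Added example, not the article's or any product's code. Sample data and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

APPROVAL_THRESHOLD = 20_000.00    # policy: purchases above this need sign-off
NEAR_THRESHOLD_FLOOR = 19_000.00  # orders in [floor, threshold) get flagged


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    requester: str  # employee id of the person who raised the order
    amount: float


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    address: str


def normalise_address(addr: str) -> str:
    """Cheap canonicalisation so '12 Main St., Flushing' == '12 main st flushing'."""
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())


def flag_near_threshold(orders):
    """Orders priced just under the approval line (threshold avoidance)."""
    return [po.po_id for po in orders
            if NEAR_THRESHOLD_FLOOR <= po.amount < APPROVAL_THRESHOLD]


def flag_ghost_vendors(vendors, employees):
    """(vendor_id, employee_id) pairs whose addresses match after normalisation."""
    employees_by_addr = defaultdict(list)
    for emp in employees:
        employees_by_addr[normalise_address(emp.address)].append(emp.employee_id)
    hits = []
    for v in vendors:
        for emp_id in employees_by_addr.get(normalise_address(v.address), []):
            hits.append((v.vendor_id, emp_id))
    return hits


def flag_split_orders(orders):
    """(requester, vendor) pairs whose individually sub-threshold orders
    sum to the approval threshold or more (generalisation of the rule)."""
    totals = defaultdict(float)
    for po in orders:
        if po.amount < APPROVAL_THRESHOLD:
            totals[(po.requester, po.vendor_id)] += po.amount
    return sorted(key for key, total in totals.items() if total >= APPROVAL_THRESHOLD)


# Constructed sample data (not from the article).
SAMPLE_EMPLOYEES = [
    Employee("E1", "Dana Lee", "12 Main St., Flushing, NY"),
    Employee("E2", "Sam Ortiz", "40 Elm Ave, Queens, NY"),
]
SAMPLE_VENDORS = [
    Vendor("V1", "Acme Paper", "800 Industrial Rd, Newark, NJ"),
    Vendor("V2", "Metro Office Supply", "12 main st flushing ny"),  # same as E1
]
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1", "V1", "E2", 19_500.00),  # just under the line
    PurchaseOrder("PO-2", "V1", "E1", 4_500.00),
    PurchaseOrder("PO-3", "V2", "E1", 9_800.00),   # E1 -> V2 split ...
    PurchaseOrder("PO-4", "V2", "E1", 10_500.00),  # ... totals 20,300
    PurchaseOrder("PO-5", "V1", "E2", 25_000.00),  # over threshold: went for approval
]


def run_checks(orders=SAMPLE_ORDERS, vendors=SAMPLE_VENDORS, employees=SAMPLE_EMPLOYEES):
    return {
        "near_threshold": flag_near_threshold(orders),
        "ghost_vendors": flag_ghost_vendors(vendors, employees),
        "split_orders": flag_split_orders(orders),
    }


if __name__ == "__main__":
    for rule, hits in run_checks().items():
        print(f"{rule}: {hits}")
```

Each rule produces leads for an investigator rather than verdicts: a near-threshold order may simply be priced that way, and an address match can be a legitimate home-based supplier, so the output belongs in the fraud unit's review queue, not in an automated block.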
The insurance industry is a frequent target of fraudsters. According to the Insurance Information Institute, property and casualty insurers alone pay about $US30 billion annually in fraudulent claims (which includes the administrative and investigative costs of fraud). This leads, as we're often reminded, to higher premiums for consumers.
To drive down the cost of fraud in its auto and home division, MetLife has teamed with Computer Sciences to develop an early fraud-detection system. The program, called @First, combines rules-based technology with predictive modelling to identify possible fraudulent activity. Previously, MetLife Auto and Home relied exclusively on the company's claims representatives to spot possible fraud. But picking up on many of the common red flags (for example, an individual who files a claim within the first 30 days after obtaining a policy) required that claims reps note every policy's inception date — which didn't always happen. A claim that came through on a Friday before a holiday weekend, or at some other time when reps were unusually distracted, could slip through unnoticed.
John Sargent, manager of the corporate SIU for MetLife Auto and Home, wanted to provide a safety net. The @First system scours claims for signs of possible fraud: vehicle ID numbers and addresses similar to those of other claimants, drop boxes that could indicate a fictitious address, or the names of doctors and auto body shops that have been previously sanctioned. Using predictive modelling, the program looks at historical patterns of fraud and scores each claim for characteristics that in the past have indicated fraud. MetLife is currently using a test version of the technology and expects to have the software fully rolled out by the end of this month. To date, Sargent estimates as much as a 10 per cent increase in the flagging of suspicious claims. But he cautions that even the best technology won't replace the skills of a seasoned claims rep. "No system captures a reluctant voice on the phone or somebody who can never be contacted by phone but is able to call the claim rep," he says. "We rely on their gut instincts."
Many fraud-detection tools use link analysis or neural networks to reveal the hidden connections between pieces of information that, in combination, may indicate fraud. Credit card companies rely on these kinds of tools to help spot suspicious transactions. One of the most famous such products is the Falcon Fraud Manager from HNC Software (a subsidiary of Fair, Isaac & Co.). Falcon is a neural network system used by 85 per cent of US credit card issuers. It pools large volumes of historical purchasing data about cardholders and analyses it to establish transaction and spending patterns so that exceptions to those patterns can be discerned. The software looks at how each customer spends against how risky that spending is. Using a mathematical algorithm, it computes the likelihood that a transaction is fraudulent on a scale from 1 to 999. For example, if a consumer historically uses her card once a week to purchase gas and groceries in a New Jersey ZIP code, a transaction posted for a gas purchase in Ohio would trigger a slightly elevated fraud score. Conversely, a big-ticket Ohio purchase of an easily liquidated item like jewellery would produce a much higher score. Each card issuer determines the threshold at which it will initiate a fraud response — for example, requesting the sales clerk to check the cardholder's ID or referring the case to a fraud analyst.
Technology has made a huge difference in fraud detection for companies like MasterCard, according to DeLuca. "Before, cards would run seven, 10 or even 30 days before a customer got their statement and realised they didn't make a transaction," he says. "Globally, fraud as a percentage of our transactions is down in 2002 compared with 2001."
Getting the Drop on Fraud
The challenges of fraud are unending. Fraudsters are constantly alert for new and ingenious techniques. "As we get up every morning to go to our jobs," says Sargent, "they're getting up to go to theirs. And their job is to steal money from us." Given the broad spectrum of ways to conceal fraudulent acts across an enterprise, CSOs need to take high-level steps to strengthen corporate defences.
The first is to be proactive rather than reactive. Frazzini recommends that CSOs get involved in industry groups and fraud-buster organisations to pick up best practices that they can bring back and share within their company. One such group is the Financial Services Roundtable, a Washington, DC, trade association for the banking, insurance and securities industries that has a technology unit known as Bits. Within Bits is a fraud working group where member companies can share experiences and glean advice. In addition, the Association of Certified Fraud Examiners runs seminars and offers continuing education for fraud examiners.
Technology can also help make you more proactive. Systems that provide better real-time visibility of fraud and fraud losses can allow the business to get the jump on fraud before problems escalate. At Citizens Financial Group, Mercuri depends on his fraud-management system for an actionable view of the fraud landscape. With big-picture information, he says, "you can do the trend analysis, see the root causes and act on them."
Having clearly communicated processes and procedures is an essential accompaniment to technology. CSOs should spearhead a fully developed fraud plan that gets input and buy-in from all the business units and top executives. "You would be shocked to find out how many companies don't have protocols for reporting illegal or improper activity," says Ed Rial, a former federal prosecutor who led the Brooklyn US Attorney's fraud unit and is now a principal with the Forensic & Investigative Services Group at Deloitte & Touche in New York. "You've got to get the information to the right people as quickly as possible. I've been on investigations where we've been given the name of a fraud point-person and they'll say, 'Oh, I don't do that!'"
CSOs may want to strategise with the general counsel and other executives over what the company's electronic records retention policy should be, paying particular attention to the system log files that track all network activity. The resulting policy should be worked into the fraud plan. Additionally, whatever plans the company develops must be tested. "You need to war-game and test against the system," says World Bank's Kellerman. "You can't presume that you are invulnerable."
Assembling the right staff for a fraud investigation unit is critical; neither a keen understanding of finance nor the forensic skills to track down a security breach is enough on its own. "All the technology in the world is only as good as the people who use it," says MassMutual's Bonsall. "Most of the work is done by people thinking outside the box, following hunches and carefully following procedures." Mark Rasch, former head of the US Justice Department's computer crimes unit and currently senior vice president and chief security counsel with managed security service provider Solutionary, recommends that CSOs look for people who have experience conducting internal investigations, are knowledgeable about the various guises that fraud can assume and are discreet — ideally with some law enforcement experience. Individuals with that background are good at interviewing people and making assessments based on body language and other subtle cues. Just because somebody specialises in pulling information off a computer network doesn't mean that they are qualified to pull that same evidence and information out of a suspect.
Investigative units need clout as well. They'll be ineffective if they're made up of low-level managers who lack decision-making authority. Mercuri has seen companies where fraud working groups or committees sit around and discuss ideas and possible solutions, but then must run to their managers before anything can be approved. At Citizens, the fraud committee consists of senior executives who can implement their decisions. Giving the group further credibility is the fact that it is chaired by the company's vice chairman. Mercuri credits the seniority of the group with the company's success in reducing fraud. "If there's a difference of opinion, we hash it out right there in that room," says Mercuri. "And once we come up with a recommendation, we can act on it quickly."
Beyond the fraud investigation unit, the CSO can make a positive difference by evangelising to employees about the threats fraud poses. At companies like MassMutual, where most employees don't encounter fraud on a daily basis, Bonsall often acts as the harbinger of caution and awareness. Even when fraud occurs at another company, he talks to MassMutual employees about it, making sure they understand the vulnerability that was exploited and the preventive measure that should be taken in response. "We need them to stop thinking like good, honest people and to start [thinking like] the bad guys," he says.
The other challenge that Bonsall often encounters is that employees who suspect fraud is being committed are reluctant to bring their suspicions to the fraud-investigation unit. To counter this reticence, he markets the fairness and discretion of his unit to the company at large, hoping to ensure that people will come forward. "People like to try and take care of their dirty laundry on their own," he says. Often, employees will attempt to prove an instance of fraud themselves before bringing it to Bonsall's group — a habit that he is trying to stamp out. "I would rather that people bother us and have it turn out to be nothing than have it be something and then not have the evidence maintained to prove it."