Banking and Financial Institutions Exposure to Threats, Frauds and Risks
Research Solutions, Inc.
Dr. Mark D. Lurie, CEO, Threat & Fraud Assessment
The Anti-Fraud Post-Fraud Operations (AFPFO©) Solution

Page 2
RSI, Global Threat Management Solutions
• RSI is comprised of a large, seasoned staff of exceptionally well-experienced professional analysts and professionals that maintain disciplines in designated areas that cover BFSI requirements, threats and frauds.
• RSI has the only staffing that is dedicated to dealing directly with “mitigation” of threats, frauds and risks WHEN they happen.
• RSI’s GTMS group is not only experienced with domestic (United States) based operations, but has a 35+ year track record “internationally” with exceptional results.
• Main services:
  - Systems & Process Assurance
  - Governance, Risk & Compliance (GRC)
  - ITE (IT Effectiveness) & Security

Page 3
RSI, Global Threat Management Solutions (GTMS)
• Main GTMS services:
  - Threat Analysis, Methodologies & Strategies
  - Fraud Analysis, Methodologies & Strategies
  - Risk Analysis, Methodologies & Strategies
  - Complete company/agency operations auditing and evaluation procedures
  - Solutions for Prevention, Containment and Mitigation
  - AFPFO Formation and Implementation
  - Systems & Process Assurance
  - Governance, Risk & Compliance (GRC)
  - ITE (IT Effectiveness) & Security
  - Automated/Manual AFPFO & ATPTO Solutions evaluations/Recommendations
  - Implementation, Training and Post-Operation Auditing

Page 4
Dr. Mark D. Lurie – Background Summary
• 35+ years of experience in global and local anti-fraud, post-fraud think tank, corporate strategy analysis/formation and operations/project development
• Ph.D., Business Administration, emphasis: finance, March 1978, Emphasis on International Banking and Finance
• M.A., Business Administration, emphasis: finance, Emphasis on International Banking and Finance
• Certified Fraud Examiner (CFE) with historical emphasis on AML, Fraud and Threats
• Certified Threat Analyst (CTA) with historical emphasis on Asset/Personnel Threats
• Certified High-Risk Examiner (CHRE) with major emphasis on compliance, mitigation programs, exposure levels and internal security operations

Page 5
Sampling of Historical and Current Projects/Clients includes, but is not limited to:
• BCCI
• Enron
• WorldCom
• Crédit Agricole S.A.
• Bank of America
• DuPont
• Credit Suisse
• BASF
• Syngenta AG (SYT)
• Banco Bradesco
• BNP Paribas
• Deutsche Bank AG
• DBJ Nihon Seisaku Tōshi Ginkō K.K.
• Fujimi Mokei
• Eli Lilly and Company
• Dow Chemical
• General Dynamics
• J.P. Morgan Chase

Page 6
Sampling of Historical and Current Projects/Clients includes, but is not limited to (continued):
- General Electric
- Rand Corporation
- Think-Tank – R&D Coordinator for pre-9/11 – Post-Homeland Security
- State Department, FBI/PSTF and Regulatory Bureaus
- Numerous International Private/Public Sector Operations
- Systems and Procedures & Instruction for Anti-Fraud/Post Fraud Operations

UNITED NATIONS WORLD BANK GROUP (UNWBG)
• International Bank for Reconstruction and Development (IBRD)
• International Development Association (IDA)
• International Finance Corporation (IFC)
• Multilateral Investment Guarantee Agency (MIGA)
• International Centre for Settlement of Investment Disputes (ICSID)

Page 8
Bank and Financial Institution Frauds and Major Losses
• BCCI
• Enron
• WorldCom
• PwC
• Glitnir Bank
• Arthur Andersen
• Icelandic Central Bank

Page 9
World Bank
What is the “World Bank”?
The World Bank consists of two distinct organizations:
• International Bank for Reconstruction and Development (IBRD)
• International Development Association (IDA)

Page 10
UNITED NATIONS WORLD BANK GROUP (UNWBG): What is the UNWBG?
The United Nations World Bank Group (UNWBG)
Member of the “United Nations Economic and Social Council” in conjunction with five (5) international organizations that define and enter into leveraged loans with disadvantaged / poor countries, which consist of the:
• International Bank for Reconstruction and Development (IBRD)
• International Development Association (IDA)
• International Finance Corporation (IFC)
• Multilateral Investment Guarantee Agency (MIGA)
• International Centre for Settlement of Investment Disputes (ICSID)

Page 11
Economic Crimes – Sample Figures
• 45% of companies worldwide have fallen victim to economic crime
• In the past two years, the average financial damage to companies from tangible frauds was $1.7 million
• More than half of the perpetrators were employed by the defrauded company
• Most fraud (34%) is detected by chance
*Taken from the Global Economic Crime Survey – 2005, conducted by PwC

Page 12
Examples of Financial Fraud
• BCCI ($216B+) – Shell corporations and banks; Rotation of funds; Circumvention of internal & external regulatory procedures; overloading (1984-1992)
• Enron ($106B+) – Parasite implants; “Mutating” internal standards and procedures; Mirroring (i.e. Looking Glass) operating procedures; Puffing books (2002-2006)
• WorldCom ($57B+) – Simultaneous contracting; Shell vendors; Transparent vendors; Vapor-Payables Piggy-backing (2002-2006)

Page 13
Examples of Financial Fraud (cont.)
• Arthur Andersen ($10.3M + Civil Litigation Re. Colonial Realty) – Over-selling; Puffing of books; “Slip and Slide” accounting and monitoring systems; Shell companies “fronts” (1990-1993)
  Note: Just “one” case violation
• Colonial Realty ($350M+) – Shell companies; Simultaneous contracting; Rotation of funds; Bank processing echoes; “Musical chairs” regulatory and procedural enforcement operations (1990-1993)

Page 14
WHY ANTI-FRAUD/POST FRAUD METHODOLOGY RESEARCH AND POLICY FORMATION?
Why Anti-Fraud/Post Fraud Policy Research, Development And Implementation?
• Each year, the average company loses up to six percent* (6%) of its revenues to internal fraud, which is also commonly known as “employee theft”, “fidelity losses”, or “occupational fraud”.
• At a $50 million revenue company, even a 10% reduction in annual exposure to internal fraud is worth $300,000. As fraud prevention efforts continue year-to-year, the annual savings will likely compound.
Pursuing a Realistic Anti-Fraud Policy will result in a cost savings that continues well beyond the original investment for it.
*CSI/FBI Computer Crime & Security Surveys – FCPA Global Studies

Page 15
Companies and the Government Sector still “feel” that the greatest risks are from “EXTERNAL” sources and beef up their “outer walls” for protection.
Such examples are:
• Firewalls
• Virtual Private Networks (VPN)
• Tightened Physical Security
The “Maginot Line” Defense Policy

Page 16
In Businesses and the Government Sector, the Number One Source of Computer Crimes is from Authorized and Trusted Employees
(InfraGard FBI 2006 Report; CSI/FBI 2005-6; and FCPA 2005-6 results)

Page 17
Internal Computer Fraud (ICF)
62-77%* of the economic losses incurred through “automated” (computer) crimes are the result of “INSIDE” “authorized” employees or contract personnel
The more knowledgeable about and familiar with the system the insider is, the higher the risk
* IIA, ICA

Page 18
Developing and Maintaining a Successful Anti-Fraud Post-Fraud Operation (AFPFO)

Page 19
Premise and Goals – 6 Key Points
• The total elimination of exposure (risk) is NOT possible in any operation. There is NO “bullet-proof” operation
• Security concerns and regulatory conformity (compliance) will always be ever-present risks
• The “key” is to reduce exposure to acceptable levels through consistent and valid controls within a clearly-defined AFPFO Policy

Page 20
Premise and Goals – 6 Key Points (Cont.)
• Systems and procedures to be defined by the “policies” for such processes and controls “require” zero tolerance
• The business that is operationally sound through such consistently-implemented and monitored controls and processes will have a symbiotic relationship with “both” internal and external auditors
• Preventative Maintenance Programs (PMP) and Preventative Maintenance Systems/Procedures (PMSP) are the cornerstone to a successful Anti-Fraud Post-Fraud Operation

Page 21
Anti-Fraud Post-Fraud Operations (AFPFO)
RSI

Page 22
Key Components Of An AFPFO
• A Clearly-defined Policy
• Automated Systems and Procedures
• Manual Systems and Procedures Design and Implementation
• Internal Auditing
• External Auditing
• Disaster Planning and “Recovery”
• Preventative Maintenance Systems
• Training, Education and Instruction
• Policy Challenge/Proofing

Page 23
8 STEPS to a Successful AFPFO
• Define (define the plan, the scope and the formal policy)
• Design (build a structured AFPFO)
• Challenge (analyze and validate the AFPFO internal structure)
• Approve (Critical management review and proofing)
• Implement (launch the AFPFO)
• Audit (monitor and validate effectiveness and efficiency)
• Append (fine-tune the AFPFO)
• Post-Maintenance Responsibilities and Follow-up

Page 24
Automated Tools – A Major Complement
Complements to the AFPFO – Automated Tools to an AFPFO
Benefits of Automated Tools:
• Compliance with greater speed and efficiency
• Viewing “real-time” current exception and summary reports
• Tracking potential liabilities and questionable history
• Authentication Security Solutions
• Authorization Monitoring
• Live “real-time” audit trail
• Data Protection over the WAN (target malicious users)

Page 25
Established Companies Offering Automated Tools, such as:
• Data Cleansing
• Data Integration
• Data Monitoring
• Data Auditing
HOWEVER….

Page 26
An “Automated System” is NOT enough!
“HOWEVER, NO AUTOMATED SYSTEM WILL GUARANTEE AGAINST A SUCCESSFUL FRAUD INTRUSION.”

Thinking that an “automated solution” is all that is needed is a “REACTIVE METHODOLOGY” which is both dangerous and a “guarantee” that there will be a MAJOR disaster “WHEN” the fraud takes place.

An automated system must work with an equally-balanced MANUAL system with “PROACTIVE” strategies in place so WHEN the fraud takes place, it can be MITIGATED quickly, efficiently and with the lowest loss possible.

Page 27
Copyright Notice Warning

AFPFO and ATPTO written works are copyrighted by RSI, Dr. Mark D. Lurie and specific contributions are acknowledged appropriately

AFPFO ©1978 – 2015 RSI/MDL (all rights reserved)
ATPTO ©1978 – 2015 RSI/MDL (all rights reserved)
AFPFO™ and ATPTO™ are trademarks of RSI and Dr. Mark D. Lurie (all rights reserved)
“Fraud, Computer Fraud and Abuse Part-1” © 2015 RSI (all rights reserved) – A PowerPoint Presentation

All other works, including, but not limited to white papers, reports, analysis articles, general articles, PowerPoint presentations, streaming videos and the like (hereinafter referred to as “Intellectual Property”) are the sole and exclusive property of Research Solutions, Inc. (hereinafter referred to as “RSI”), or any of its subsidiaries. Such Intellectual Property is protected under Copyright (as well as other Protective Acts Nationally and Internationally) with all rights reserved.

Any unauthorized use of any of RSI’s (or any of its subsidiaries’) Intellectual Property without the exclusive written permission by RSI will be considered unauthorized and illegally reproduced and/or used. Such unauthorized reproduction and/or use shall be prosecuted to the fullest extent of the law with all legal remedies used, whether they be national or international, including the seeking of injunctive remedies, court costs, legal fees, expert witness fees, expenses and whatever the court(s) of law deem fit to award.
We do welcome the “proper and procedurally correct” use of our Intellectual Property; however, the following procedures are “mandatory” for consideration by RSI to approve such use of “any” of RSI’s Intellectual Property:

Any request for reproduction or use of any of RSI’s (or any of its subsidiaries’) Intellectual Property must be made in writing. Such request(s) must include, but not be limited to:
• The name of the Intellectual Property that is being requested to be used
• The purpose of the use of the Intellectual Property
• The manner in which the Intellectual Property is to be used
• How the Intellectual Property is to be reproduced
• For how long the Intellectual Property is to be used
• If the requesting party is planning to charge a fee or cost (please state the amount in United States Dollars) to other individuals, companies, institutions or agencies (nationally or internationally) for any RSI Intellectual Property, in part or whole, and if so, the amount to be charged, the frequency of such charges and over what period of time

Research Solutions, Inc. shall review the request and will respond, in writing, to the terms, conditions, restrictions, provisions and charges/costs (if applicable) for the use of such proposed RSI Intellectual Property.

If the requesting party, company or agency who made the submission for use of such RSI Intellectual Property is “approved”, such approval will be contingent upon the execution of a written Agreement, prepared by RSI, that will reflect the terms, conditions, provisions, restrictions and charges/costs (if applicable) which must be agreed upon and executed by the requesting party “prior” to ANY use, in ANY manner, of the proposed Intellectual Property.

If RSI declines the request, such declination shall be made in writing and submitted to the requesting company.

If there are any costs/charges that will apply to the use of said Intellectual Property, such costs/charges shall be paid, in advance, to RSI, or by whatever terms and conditions are stated in the Agreement which is executed by all parties.

Research Solutions, Inc.
51 Bedford Road
Roundup, Montana 59072
1-406-320-1036 / 1-406-323-2992
inquiries@rsi4u.org