Banking and Financial Institutions Exposure to Threats, Frauds and Risks – Why Turn to RSI?
Research Solutions, Inc.
Dr. Mark D. Lurie,
CEO, Threat & Fraud Assessment
The Anti-Fraud Post-Fraud Operations (AFPFO©) Solution
RSI, Global Threat Management Solutions
• RSI is comprised of a large, seasoned staff of exceptionally well-experienced professional analysts and professionals that maintain
disciplines in designated areas that cover Banking, Financial Services
and Insurance (BFSI) requirements, threats and frauds.
• RSI has the only staffing that is dedicated to deal directly with “mitigation”
of threats, frauds and risks WHEN they happen.
• RSI’s Global Threat Management Services (GTMS) group is not only
experienced with domestic (United States) based operations, but has a
35+ year track record “internationally” with exceptional results.
• Main services:
- Systems & Process Assurance
- Governance, Risk & Compliance (GRC)
- ITE (IT Effectiveness) & Security
RSI, Global Threat Management Services (GTMS)
• An Initial List of RSI’s Main “Cursory” GTMS services:
- Threat Analysis, Methodologies - Strategies, Systems & Procedures
- Fraud Analysis, Methodologies - Strategies, Systems & Procedures
- Risk Analysis, Methodologies - Strategies, Systems & Procedures
- Complete Company/Government Agency Operations Auditing and Evaluation Procedures (National and International)
- Solutions for Prevention, Containment and Mitigation
- Anti-Fraud Post-Fraud Operations (AFPFO©) Formation and Implementation
- Anti-Threat Post-Threat Operations (ATPTO©) Formation and Implementation
RSI, Global Threat Management Services (GTMS) (continued)
• An Initial List of RSI’s Main “Cursory” GTMS services (Continued):
- Systems & Process Assurance
- Governance, Risk & Compliance (GRC)
- ITE (IT Effectiveness) & Security
- Automated/Manual AFPFO & ATPTO Solutions Evaluations/Recommendations
- Implementation, Training and Post-Operation Auditing
- Post-Fraud / Post-Threat Mitigation and Media Controls
- Continuing Education
- Training
- Unscheduled Intrusion, Attack and Threat Operation Auditing
- Complete IT Global Operations Analysis and Validations
- Weakness / Attack Point Analysis and Assessment Reporting
Dr. Mark D. Lurie, CEO Threat & Fraud Assessment
Cursory Background Summary (continued)
• Over 35+ years experience in global and local anti-threat post-threat / anti-fraud,
post-fraud think tanks, corporate strategy analysis/formation and operations/project
development nationally and internationally
Dr. Lurie’s Basic Civilian Educational/Certification Background:
• Ph.D., Business Administration, emphasis- finance, March 1978, Emphasis on
International Banking and Finance
• M.A., Business Administration, emphasis- finance, Emphasis on International
Banking and Finance
• Certified Fraud Examiner (CFE) with historical emphasis on AML, Fraud and
Threats
• Certified Threat Analyst (CTA) with historical emphasis on Asset/Personnel Threats
Dr. Mark D. Lurie, CEO Threat & Fraud Assessment
Cursory Background Summary
Basic Civilian Educational/Credentials Background (continued)
• Certified High-Risk Examiner (CHRE) with major emphasis on compliance, mitigation programs, exposure levels and internal security operations
• Certified Fraud Specialist (CFS)
• Document Forensics Expert (DFE)
• Computer Forensics Expert (CFE)
• Certified Reconstruction Analyst - Instructor (CRA)
• Data Reconstruction Specialist (DRS)
• Interrogation/Examination Specialist
• History & Cultural Expert, Middle East - Instructor
• History & Cultural Expert, S.E. Asia/Asia – Instructor
• Cursory Summary CV can be acquired on LinkedIn.Com
RSI Principals and Staffing
RSI has a long-term history of going through an extensive process of acquiring
candidates for employment with our company
The process is more than a collection of degrees and credentials, but a “verifiable”
list of experience, regardless how simple or mundane it may appear
There is an extensive process of “un-training” that is required, and then a long, hard
process of going through an internship
Out of every ten (10) candidates, we are fortunate if we end up with one or two that
will be willing to undergo an internship, and of those that DO enter the internship
program, we will be fortunate to see ten (10%) percent successfully pass our
program criteria, requirements and standards.
The rewards are strong, but the expectations we have that our employees and
management “must” achieve are “not” based upon the highest financial yields, but
that of the best, reasonable results that the client is totally satisfied with.
RSI Principals and Staffing (continued)
Our Policy is Simple:
• We tell the client what they NEED to hear, not what they WANT to hear
• We use Best, Reasonable Effort (BRE) to achieve the best results
• We do not believe that the best results are from those who think outside the box, but our methodology believes there is NO box
• We do NOT believe in the conventional definition of “Due-Diligence”, since we have historical proof that the requirements for “Due-Diligence” assures failure. We believe in “Validation”, which many believe is the same as Due-Diligence. This could not be more inaccurate. Validation incorporates the “required” components of Due Diligence; however it is performed on its own time schedule and to the acceptance of the person performing the Validation process. Time is NOT the determining factor when Validation is performed.
• We have a zero-tolerance for any form of crime, fraud, threat or deception, whether it be from our client and especially from any employee of our company
RSI Principals and Staffing (continued)
• We enjoy being known for having one of the strongest global recognitions of the licensing, credentials and security clearances of any of the top-ten analytical firms in the world
• We are also known as being one of the most culturally-aware institutions with our clients, whether they be national or international. This may not seem important to most entities, but to us, it is the foundation of each and every relationship we make with our clients. It is a matter of absolute respect
• We do NOT sub-contract out our work. We may incorporate other professionals into projects that our clients desire to have us perform, but we control ALL aspects and security of the work product and sensitive information. There is no company that has a staff that is a jack-of-all-trades; however we have the resources and historically-proven associates that we can and will trust to work with us when required
RSI Principals and Staffing (continued)
• Finally, we believe that education must be a perpetual, mandatory requirement for each and every member of our company. It is the keystone to our globally-known successful career, not only with our clients, but with numerous government agencies domestically and internationally
• We do not believe there is a level that is reached where a person, regardless of their status in the company, from entry level to C-Management that is more important than the other. In RSI, the playing field was designed and maintained to be level
• This proven methodology is exceptionally simple – Each member is dependent upon the performance and knowledge of the other, regardless of their status in the company
• Finally, we can say we have one of the most knowledgeable and experienced staff of employees and C-Management, we think, that can be maintained!
• Sampling of Historical and Current RSI Projects/Clients includes, but not limited to:
• BCCI
• Enron
• WorldCom
• Crédit Agricole S.A.
• Bank of America
• DuPont
• Credit Suisse
• BASF
• Syngenta AG (SYT)
• BNP Paribas
• Deutsche Bank AG
• DBJ Nihon Seisaku Tōshi Ginkō K.K.
• Fujimi Mokei
• Eli Lilly and Company
• Dow Chemical
• General Dynamics
• Sampling of Historical and Current RSI Projects/Clients includes, but not limited to:
• Banque Nationale de Paris
• BNP Paribas
• Credit Suisse
• Industrial & Commercial Bank of China (ICBC)
• HSBC Holdings
• Mitsubishi UFJ Financial Group
- J.P. Morgan Chase
- Banco Bradesco
- General Electric
- Rand Corporation
- Think-Tank – R&D Coordinator for pre-9/11 – Post-Homeland Security
- State Department, FBI / PSTF and Regulatory Bureaus
- Numerous International Private/Public Sector Operations
- Systems and Procedures & Instruction for Anti-Fraud/Post-Fraud Operations
[Diagram: UNITED NATIONS WORLD BANK GROUP (UNWBG), shown with its five organizations: International Finance Corporation (IFC); Multilateral Investment Guarantee Agency (MIGA); International Centre for Settlement of Investment Disputes (ICSID); International Bank for Reconstruction and Development (IBRD); International Development Association (IDA)]
[Diagram: Frauds and Threats – BCCI; Enron; Worldcom; CONFIDENTIAL; Glitnir Bank; CONFIDENTIAL; Icelandic Central Bank]
World Bank
What is the “World Bank”?
The World Bank consists of two distinct organizations:
• International Bank for Reconstruction and Development (IBRD)
• International Development Association (IDA)
UNITED NATIONS WORLD BANK GROUP (UNWBG):
What is the UNWBG?
The United Nations World Bank Group (UNWBG) is a member of the “United Nations Economic and Social Council” in conjunction with five (5) international organizations that define and enter into leveraged loans with disadvantaged / poor countries, which consist of the:
• International Bank for Reconstruction and Development (IBRD)
• International Development Association (IDA)
• International Finance Corporation (IFC)
• Multilateral Investment Guarantee Agency (MIGA)
• International Centre for Settlement of Investment Disputes (ICSID)
[Diagram: Banco Bradesco – THREAT ASSESSMENT; POST-FRAUD MITIGATION; CLIENT’S CONFIDENTIAL REQUIREMENTS; GOVERNANCE RISK POLICIES; DAMAGE CONTROL, SHAREHOLDERS]
Economic Crimes – Sample Figures
• 46.25% of companies worldwide have fallen victim to
economic crime
• In the past two years, the average financial damage to
companies from tangible frauds was $19.219 million
(USD)
• More than half (58-61%) of the perpetrators were
employed by the defrauded company
• Most fraud (43.35%) is detected by chance
• *Taken from the Global Economic Crime Survey – 2013
Examples of Financial Fraud
• BCCI ($216B+) – Shell corporations and banks; Rotation of
funds; Circumvention of internal & external regulatory
procedures; overloading (1984-1992)
• Enron ($106B+) – Parasite implants; “Mutating” internal
standards and procedures; Mirroring (i.e. Looking Glass)
operating procedures; Puffing books (2002-2006)
• WorldCom ($57B+) – Simultaneous contracting; Shell
vendors; Transparent vendors; Vapor-Payables Piggy-backing
(2002-2006)
Examples of Financial Fraud (continued)
• Arthur Andersen ($10.3M + Civil Litigation Re. Colonial
Realty) – Over-selling; Puffing of books; “Slip and Slide”
accounting and monitoring systems; Shell companies “fronts”
(1990-1993) Note: Just “one” case violation
• Colonial Realty ($350M+) – Not a well-known fraud scam
case but one of the more interesting in its mode of operation:
Shell companies; Simultaneous contracting; Rotation of funds;
Bank processing echoes; “Musical chairs” regulatory and
procedural enforcement operations (1990-1993)
Examples of Financial Fraud
(continued)
• International Bank Frauds – Averaging between 2-49
BILLION Dollars (USD) for “each” case (1998-2013)
• The “Iceland Scam” (Kaupthing, Glitnir, etc.) – Unknown
“final” losses, but a reasonable assessment is
somewhere around 47 Billion Dollars+ (USD) (2008-2011/12)
• The BITCOIN SCAMS (similar to the 1970s and 1980s
bartering scams) to avoid sales tax, primary tax and an
excellent way to “launder” monies, both nationally and
internally (2012-current)
Examples of Financial Fraud
(continued)
• Finally, the surfacing of “Virtual Financial Crimes” (VFC)
which work hand-in-hand with
• Clearing House Frauds (CHF) – Not really new at all…
• These are the two, most presently dangerous forms of
fraud in existence since they are new, exceptionally
strong and financially supported with “heavy” funding.
• It is presently “organized crime’s” dream machine, and
there is “no question” that terrorist funding methodology
is seriously looking at utilizing it, if not already
WHY ANTI-FRAUD/POST FRAUD METHODOLOGY RESEARCH AND POLICY FORMATION?
Why Anti-Fraud/Post Fraud Policy Research, Development And Implementation?
• Each year, the average company loses up to a hair over seven (7.1%)
percent* of its revenues to internal fraud, which is also commonly
known as “employee theft”, “fidelity losses”, or “occupational
fraud”.
• As a simple sample of deductive reasoning, take a $50 million
revenue company: even just a 10% reduction in annual exposure
to internal fraud is worth $300,000. As fraud prevention efforts
continue year-to-year, the annual savings will likely compound.
• Pursuing a Realistic Anti-Fraud Policy will result in a cost savings that
continues well beyond the original investment for it.
*CSI/FBI Computer Crime & Security Surveys – FCPA Global Studies
Companies and the Government Sector still “feel” that the
greatest risks are from “EXTERNAL” sources and beef up
their “outer walls” for protection. Such examples are:
• Firewalls
• Virtual Private Networks (VPN)
• Tightened Physical Security
• Cloud
• Anti-Virus / Anti-Malware
All make up the “Maginot Line” Defense Business Policy
– and a DISASTER!
In Businesses and the Government
Sector, the Number One Source of
Computer Crimes is from Authorized
and Trusted Employees
(InfraGard FBI 2006 Report; CSI/FBI 2005-6; and FCPA 2005-6 results and the SAME statement for 2007,
2008, 2009, 2010, 2011, 2012 and 2013)
Internal Computer Fraud (ICF)
• 64-81%* of the economic losses incurred
through “automated” (computer) crimes are
the result of “INSIDE” “authorized” employees
or contract personnel
• The more knowledgeable and familiar the
insider is of the system, the higher the risk
* IIA, ICA
Developing and Maintaining a Successful Anti-Fraud Post-Fraud Operation (AFPFO©)
Premise and Goals – 6 Key Points
• The total elimination of exposure (risk) is NOT possible in any
operation. There is NO “bullet-proof” operation
• Security concerns and regulatory conformity (compliance) will
always be ever-present risks
• The “key” is to reduce exposure to acceptable levels through
consistent and valid controls within a clearly-defined AFPFO
Policy
• The objective is to MITIGATE the Fraud, as best
and as quickly as possible, WHEN IT HAPPENS
Premise and Goals – 6 Key Points (Cont.)
• Systems and procedures to be defined by the “policies” for
such processes and controls “requires” zero tolerance for
frauds and policy violations
• The business that is operationally sound through such
consistently-implemented and monitored controls and
processes will have a symbiotic relationship with “both”
internal and external auditors
• Preventative Maintenance Programs (PMP) and Preventative
Maintenance Systems/Procedures (PMSP) are the
cornerstone to a successful Anti-Fraud Post-Fraud Operation
[Diagram: Anti-Fraud Post-Fraud Operations (AFPFO) – RSI; BOD & CFO; AFPO Management; Internal Auditors; Company Staffing – Level 1; Company Staffing – Level 2]
Key Components Of An AFPFO
• A Clearly-defined Policy
• Automated Systems and Procedures
• Manual Systems and Procedures Design and Implementation
• Internal Auditing
• External Auditing
• Disaster Planning and “Recovery”
• Preventative Maintenance Systems
• Training, Education and Instruction
• Policy Challenge/Proofing
Key Components Of An AFPFO
And:
• A REAL MITIGATION POLICY
• A REAL MITIGATION STRATEGY
• A REAL MITIGATION PLAN
• REAL MITIGATION SYSTEMS & PROCEDURES
8 STEPS to a Successful AFPFO
• Define (define the plan, the scope and the formal policy)
• Design (build a structured AFPFO)
• Challenge (analyze and validate the AFPFO internal structure)
• Approve (Critical management review and proofing)
• Implement (launch the AFPFO)
• Audit (monitor and validate effectiveness and efficiency)
• Append (fine-tune the AFPFO)
• Post-Maintenance Responsibilities and Follow-up
Automated Tools – A Major Complement to an AFPFO
Complements to the AFPFO – Automated Tools
Benefits of Automated Tools:
• Compliance with greater speed and efficiency
• Viewing “real-time” current exception and summary reports
• Tracking potential liabilities and questionable history
• Authentication Security Solutions
• Authorization Monitoring
• Live “real-time” audit trail
• Data Protection over the WAN (target malicious users)
• HOWEVER, “automated tools”, regardless how sophisticated
they are, cannot be truly effective without “Manual” tools,
specifically policies, strategies, systems and procedures.
Research Solutions, Inc.
Thank You!
Copyright Notice
Warning
AFPFO and ATPTO written works are copyrighted by RSI, Dr. Mark D. Lurie and specific contributions are acknowledged appropriately
AFPFO ©1978 – 2014 RSI/MDL (all rights reserved)
ATPTO ©1978 – 2014 RSI/MDL (all rights reserved)
AFPFO™ and ATPTO™ are trademarks of RSI and Dr. Mark D. Lurie (all rights reserved)
”Banking and Financial Institutions Exposure to Threats, Frauds and Risks – Why Turn to RSI?” © 2014 RSI (all rights reserved) – A PowerPoint Presentation
All other works, including, but not limited to white papers, reports, analysis articles, general articles, PowerPoint presentations, streaming videos and the like (hereinafter referred to as “Intellectual
Property”) are the sole and exclusive property of Research Solutions, Inc. (hereinafter referred to as “RSI”), or any of its subsidiaries. Such Intellectual Property is protected under Copyright (as well as other
Protective Acts Nationally and Internationally) with all rights reserved. Any unauthorized use of any of RSI’s (or any of its subsidiaries) Intellectual Property without the exclusive written permission
by RSI will be considered unauthorized and illegally reproduced and/or used.
Such unauthorized reproduction and/or use shall be prosecuted to the fullest extent of the law with all legal remedies used, whether they be national or international, including the seeking of
injunctive remedies, court costs, legal fees, expert witness fees, expenses and whatever the court(s) of law deem fit to award.
We do welcome the “proper and procedurally correct” use of our Intellectual Property; however, the following procedures are “mandatory” for consideration by RSI to approve such use of
“any” of RSI’s Intellectual Property, which is as follows: Any request for reproduction or use of any of RSI (or any of its subsidiaries) Intellectual Property must be made, in writing.
Such request(s) must include, but not be limited to:
The name of the Intellectual Property that is being requested to be used
The purpose of the use of the Intellectual Property
The manner in which the Intellectual Property is to be used
How the Intellectual Property is to be reproduced
For how long the Intellectual Property is to be used
If the requesting party is planning to charge a fee or cost (please state the amount in United States Dollars) to other individuals, companies, institutions or agencies (nationally or internationally) for
any RSI Intellectual Property of RSI, in part or whole, and if so, the amount to be charged, the frequency of such charges and over what period of time
Research Solutions, Inc. shall review the request and will respond, in writing to the terms, conditions, restrictions, provisions and charges/costs (if applicable) for the use of such proposed RSI
Intellectual Property
If the requesting party, company or agency who made the submission for use of such RSI Intellectual Property is “approved”, such approval will be contingent upon the execution of a written
Agreement, prepared by RSI, that will reflect the terms, conditions, provisions, restrictions and charges/costs (if applicable) which must be agreed upon and executed by the requesting party “prior”
to ANY use, in ANY manner of the proposed Intellectual Property
If RSI declines the request, such declination shall be made in writing and submitted to the requesting company
If there are any costs/charges that will apply to the use of said Intellectual Property, such costs/charges shall be paid, in advance to RSI, or by whatever terms and conditions stated in the
Agreement which is executed by all parties
Research Solutions, Inc.
51 Bedford Road • Roundup • Montana • 59072
1-406-320-1036 / 1-406-323-2992 • inquiries@rsi4u.org