Protecting your Customer against Fraud:

the Truth is within your Systems

Patrick Risch CFE CIA CCSA

ACFE Chapter Belgium

Board member

Past president

Outline

Introduction

Fraud Risk Management

Fraud Detection

Examples and cases

Conclusion

DISCLAIMER

The views expressed in this presentation are the views of the speaker and do not

necessarily reflect the views or policies of any organisation of which the speaker is a

member.

The purpose of this presentation is to share ideas and promote discussion. Examples are

purely for illustrational purposes, and may have been modified or simplified in order to

clarify a point.

Neither the speaker, nor the company and organisations he belongs to, accepts

responsibility for any consequence of the use of (parts of) the framework presented

today.

However, we invite you to participate in the discussion today and later on.

Patrick Risch

patrick.risch@acfe.be

About the ACFE

The ACFE is the world’s

largest anti-fraud

organization and premier

provider of anti-fraud training

and education.

Together with nearly 70,000

members in over 150

countries, the ACFE is

reducing business fraud

worldwide and inspiring

public confidence in the

integrity and objectivity within

the profession,

About the ACFE

Certified Fraud Examiners

CFEs are anti-fraud

experts who have

demonstrated knowledge

in four critical areas:

• Fraudulent Financial

Transactions

• Fraud Investigation

• Legal Elements of Fraud

• Fraud Prevention and

Deterrence

About the ACFE

Report to the Nations on Occupational Fraud and Abuse

• Association of Certified Fraud Examiners

World Headquarters • The Gregor Building

716 West Avenue • Austin, TX 78701-2727 • USA

• (800) 245-3321 (USA & Canada)

(0800) 962049 (United Kingdom)

+1 (512) 478-9000 (International)

Fax: +1 (512) 478-9297

• www.ACFE.com

Outline

Introduction

Fraud Risk Management

Fraud Detection

Examples and cases

Conclusion

Most people are honest

some of the time.

Some people are dishonest

all of the time.

Some people are honest all

of the time.

Tommie Singleton, PhD, University of Alabama

Why do people commit fraud?

Some people are honest

most of the time. HonestDishonest

Situational

Conclusion

There will always be fraud …

• Mindset of people

• Pressure

• Opportunity

So we have to manage the risk

The earlier we detect it, the better

• Reputation

• Financial

Outline

Introduction

Fraud Risk Management

Fraud Detection

Examples and cases

Conclusion

What can we detect?

Can a perfect fraud be detected?

Fraudsters

rarely have an

Invisibility Cloak

… or a Licence

to Apparate

What can we detect?

So, what can go wrong

(for the fraudster)?

• Inherent risk

• You HAVE to cross the open spot to get to the money

• Error, mistake

• You didn’t notice you left a track

• Stupidity

• You just don’t care

What is Fraud Detection?

Following the tracks of the fraudster

Can we detect everything?

Anyway …

The truth is within your systems.

• All transactions leave a trace

• Is it possible to

distinguish fraudulent transactions?

An exception …

• Parallel transactions

• And even then …

Recognising the tracks

Learn from

the past

Use your

imagination

Focus on

distinguishing

factors

Outline

Introduction

Fraud Risk Management

Fraud Detection

Examples and cases

Conclusion

Fraud Detection

The hay

• 70.000 new mortgage loans

• 450.000.000 transfers

• 3.800.000 cheques

• 600.000 physical coupon payments

• 17.000 staff members

• 1.300 branches

• …

And what about the tools ….

You need tools to

• Obtain data

• Connect to external datasources

• Import datasets, possibly from legacy applications

• Analyse data

• Statistical analysis

• Link datasets

• Report on suspect transactions

• React

Specialised solutions

And what about the tools ….

Some dedicated data mining tools

• Generic

• Audit tools

- Increased complexity- Connections with external data warehouses- Audit trail- Need for security

- High degree of complexity- Interactions with core systems- Real time

All of you have a minimum set of data mining tools on your PC’s

Fraud Detection: Block Leave

HR policy: 1 period of 2 weeks consecutive leave is mandatory

• Existing control by HR

• Based on holiday request forms

• Is this control effective?

• Does it take into account deception?

Fraud detection

• Databases

• Holiday requests

• Transactions (including userID)

• Customer database

• Did anyone execute a transaction

while he was supposed to be on leave?

• If so: is this a high risk transaction?

ID Entity Date Type App AmtEur Age Risk Sleeping Begin End NbrOfDaysAbsence ReasonAbsence

733993 branch 1 9/09/2013 transfer UH 30.350,00 79 N 20/08/2013 13/09/2013 19 holiday

733993 branch 1 9/09/2013 transfer UH 30.500,00 79 N 20/08/2013 13/09/2013 19 holiday

650742 branch 2 23/09/2013 transfer UH 4.950,00 85 Y N 16/09/2013 27/09/2013 10 holiday

695010 branch 3 4/09/2013 transfer UH 20.757,32 82 N 21/08/2013 4/09/2013 11 holiday

730340 branch 4 3/09/2013 transfer UH 375,50 90 Y N 2/09/2013 12/09/2013 9 holiday

640192 branch 5 9/09/2013 transfer UH 18,38 79 Y N 26/08/2013 9/09/2013 11 holiday

699041 branch 6 3/09/2013 deposit cheque UH 446,44 81 Y N 2/09/2013 6/09/2013 10 holiday

698082 branch 7 17/09/2013 transfer UH 363,00 97 Y N 17/09/2013 6/10/2013 14 illness

701737 branch 8 14/09/2013 transfer UH 12,71 84 Y N 11/09/2013 20/09/2013 9 holiday

752440 branch 9 6/09/2013 cash withdrawal UH 300,00 85 Y N 19/08/2013 9/09/2013 16 holiday

718194 branch 10 2/09/2013 transfer UH 13.954,00 41 N 21/08/2013 6/09/2013 13 holiday

785484 branch 11 11/09/2013 transfer UH 20.000,00 61 N 11/09/2013 24/09/2013 10 holiday

782394 branch 12 2/09/2013 transfer UH 1.000,00 86 N 2/09/2013 20/09/2013 15 holiday

765952 branch 13 3/09/2013 transfer UH 12.500,00 N 3/09/2013 18/09/2013 12 illness

826560 branch 14 10/09/2013 transfer UH 50.000,00 67 N 4/09/2013 13/09/2013 9 holiday

783118 branch 15 23/09/2013 transfer UH 12.272,70 58 N 23/09/2013 27/09/2013 10 holiday

738130 branch 17 23/09/2013 deposit cheque UH 160.000,00 N 23/09/2013 6/10/2013 11 illness

738130 branch 17 23/09/2013 transfer UH 95.680,18 66 N 23/09/2013 6/10/2013 11 illness

738130 branch 17 23/09/2013 transfer UH 3.500,00 79 N 23/09/2013 6/10/2013 11 illness

785342 branch 18 17/09/2013 transfer UH 1.229,17 86 N 17/09/2013 6/10/2013 14 illness

785342 branch 18 17/09/2013 deposit cheque UH 10.050,00 N 17/09/2013 6/10/2013 14 illness

Employee Transaction Absence

Fraud Detection: block leave

Fraud Detection: Transfer Fraud

Fraudulent payment order

• Falsified paper form

• Virus

• Social Engineering

Determining Risk Criteria

• “unusual transaction”

• Non domestic

• Other channel

• Amount

• Communication

Fraud Detection: Transfer Fraud

Home-made detection

• Ex-post screening (D+1)

It’s better than nothing

• Too little, too late

• Rule based

Fraud Detection: Transfer Fraud

Looking for an alternative

• Online or real-time

• More complex algorithms

• More easily adaptable to changing patterns

• Risk based

Fraud Detection: Transfer Fraud

Development and implementation

Some issues

• Connection to legacy systems required to make

choices

• Incomplete phase I

• Data quality and availability

• Project management

• The danger of shortcuts

• Translating business requirements

Fraud Detection: Transfer Fraud

50% detectionrate

30.000 alerts for1 true positive

LegacyTool

90% detectionrate

100 alerts for1 true positive

Next Gen

Performance comparison: back testing on identical 3-month sample

Conclusion

• The truth is within your data

• Learn to recognise the footprints of the fraudster

• A lot can be done with “simple” tools

• When complexity and need for speed

increases, you may want to go

looking for dedicated, specialised tools

• But even then ….

the truth is in YOUR data

Appendix

Fraud Detection: Expense notes

Staff asks reimbursement of professional expenses

• Are all expenses reclaimed work-related?

• Are they justified?

Fraud detection

• Database

• Expenses

• Staff members + functions

• Looking for outliers

• Expense category – function

• Amount - function

Function Branch Manager

Sum of Amount Column Labels

Row Labels 01 02 03 04 05 06 07 08 09 Grand Total

578575 514,2 497,1 285,2 242,4 202,3 437,7 73,4 549,85 830,15 3632,3

Commercial 270 270

Hotel 43,8 113,5 199,6 73,4 183,5 483,15 1096,95

Km allowance 27,9 6,8 24,4 64,5 2,7 30,1 156,4

Meal 442,5 490,3 260,8 64,4 407,6 351,75 77 2094,35

Transport 14,6 14,6

661284 80,5 387,5 334,1 225,1 547,97 335,1 497,1 571,05 452 3430,42

Commercial 154 154

Hotel 75 172 66,3 497,1 207,05 1017,45

Meal 215,5 248 218,5 367 335,1 89,5 452 1925,6

Other 22,02 22,02

People Mgt, Incentive 5,5 4,95 263,5 273,95

Transport 19,8 6,6 11 37,4

655425 326,26 434,37 223,86 466,64 163,16 24,11 685,14 369,3 237,42 2930,26

Commercial 73,23 135 208,23

Hotel 58,8 54,6 68,6 204,5 386,5

Km allowance 194,23 233,27 211,4 200,44 89,05 928,39

Meal 201,1 211,6 149,2 160 234,3 956,2

Other 314,96 314,96

People Mgt, Incentive 12,46 13,96 24,11 52,53 21,42 124,48

Transport 11,5 11,5

656150 527,12 453,81 200,47 313,96 196,22 225,76 230,71 193,92 324,18 2666,15

Km allowance 434,42 284,08 195,27 292,36 178,32 186,96 226,71 189,92 189,68 2177,72

Meal 82,4 169,73 8,1 10,2 4 134,5 408,93

Transport 10,3 5,2 21,6 9,8 28,6 4 79,5

571158 174,15 346,61 245,07 248,72 500,45 437,72 93,56 199,56 300,32 2546,16

Commercial 1,54 1,54

Hotel 13,2 22,9 36,1

Km allowance 86,4 13,34 52,88 18,66 31,79 40,43 9,35 252,85

Meal 4,25 98,7 98,8 162,4 221,5 368,75 70 175,8 213,4 1413,6

People Mgt, Incentive 60,1 166,55 39,3 204,84 17,16 53,8 541,75

Transport 10,2 45,12 54,09 67,66 42,32 27 14,21 6,6 33,12 300,32

590282 240,18 249,59 135,46 311,2 197,47 358,36 216,06 41,51 53 1802,83

Commercial 7 7

Hotel 97,8 54 151,8

Km allowance 115,38 134,79 135,46 188 137,87 143,76 23,53 878,79

Meal 124,8 48,2 58,9 200 122,5 53 607,4

Other 69,03 41,51 110,54

Transport 17 21 0,7 7,6 1 47,3

550220 264,12 154,39 213,51 183,73 204,25 183,24 156,8 197,26 153,75 1711,05

Km allowance 260,92 152,39 191,11 114,73 196,65 177,64 156,8 197,26 151,25 1598,75

Meal 67 67

Transport 3,2 2 22,4 2 7,6 5,6 2,5 45,3

574231 276,4 19,9 188,81 241,94 238,23 156,52 341,75 241,17 1704,72

Commercial 19,9 19,9

Hotel 217,5 123,17 340,67

Km allowance 114,4 143,41 216,34 60,82 109,25 644,22

Meal 162 45,4 238,23 81,7 116 643,33

Transport 25,6 14 15 2 56,6

564613 423,8 171,1 205,25 258,5 312,95 23,32 90 211,8 7,4 1704,12

Commercial 20 20

Hotel 77,5 99,5 79 256

Meal 238,5 171,1 127,75 159 186,85 90 211,8 1185

People Mgt, Incentive 165,3 47,1 23,32 235,72

Transport 7,4 7,4

643627 13,59 294,79 145,16 8,8 365,78 413,35 430,2 1671,67

Km allowance 294,79 145,16 340,08 413,35 430,2 1623,58

Meal 13,59 13,59

Transport 8,8 25,7 34,5

550450 58,15 248,2 202,03 54 260,21 276,9 173,65 198,29 137,93 1609,36

Hotel 95 95

Km allowance 78,43 250,21 156,9 98,29 130,83 714,66

Meal 50,95 248,2 114 49 172,4 16,75 100 751,3

Transport 7,2 9,6 5 10 9,5 7,1 48,4

0

5

10

15

20

25

30

35

40

Meals – Branch managers

Fraud Detection: Accounts payable

Suppliers have to be paid

• Looking for double payments, screen companies, …

Fraud detection

• Database

• Invoices

• Payments

• Payroll

• Double payments

• Amount

• Reference (Invoice #)

• Supplier

• Link staff-supplier

• Link supplier-supplier

refSAP refSAP2 VendorId VendorName Reference Account1 Account2 Date Date2 Amount

553477 556962 100383 STAR 5320 account A account A 12/08/2008 8/08/2008 25.200,00

505564 507066 100383 STAR 4802 account A account A 17/01/2008 16/05/2008 14.000,00

507065 505567 100383 STAR 4803 account A account A 29/04/2008 17/01/2008 10.500,00

568767 569446 108031 NEPTUNE Ltd 2008035 account B account B 1/10/2008 7/10/2008 9.528,75

505558 507051 100383 STAR 4841 account A account A 17/01/2008 18/03/2008 8.750,00

505569 507059 100383 STAR 4804 account A account A 17/01/2008 30/04/2008 7.000,00

560860 560863 937 AAR Ltd 71572279480308 account C account C 22/08/2008 22/08/2008 4.102,21

543414 543411 24550 E.N.G. 71572279480411 account D account D 17/06/2008 17/06/2008 2.662,20

543406 544307 23887 MES LTD 71572279480411 account E account E 17/06/2008 19/06/2008 1.543,62

Bookings in SAP with same amount, same reference, same vendor

refSAP refSAP2 VendorId VendorId2 VendorName VendorName2 Reference Account1 Account2 Date Date2 Amount529381 570367 105324 2005 BLACK COW (Use vendor

2005)

BLACKCOW BVBA 70738 account A account A 15/05/2008 13/10/2008 18.951,63

512669 543429 6193 3691 BETASCRIPT sa BLOCKED USe 11309

DOEN COMPU

907625004610 account B account F 15/02/2008 17/06/2008 15.120,16

519854 526719 103394 4452 Tetra Print SPRL TETRA 20080282 account C account G 25/03/2008 15/04/2008 8.103,37

566177 579099 77476 77286 ShowMe Benelux SA -SPSS FAI SOLUTIONS NV 2008GEO00174 account D account H 22/09/2008 1/12/2008 7.986,00

553467 559964 109089 95822 Upside IT LION TECHNOLOGIES

NV

VFUPT081752 account E account I 12/08/2008 10/09/2008 6.264,78

Bookings in SAP with same amount, same reference, different vendor

Fraud Detection: Accounts payable

Fraud Detection: Mortgage Fraud

Modus operandi

Risk factors• New customers

• Increase sales

• Renovation

• Distance between the branch and the residence

Fraud detection

• Databases

• Production data mortgage loans

• Drive time matrix

Fraud Detection