The author’s work experiences have primarily been with financial institutions, insurance companies and outsourced billing companies (U.S. healthcare) operating in the Indian subcontinent. – ed.
Possibly the toughest task for any fraud examiner is preventing and deterring fraud. Some believe that fraud control and prevention is at its best when the process of detection remains a secret. However, it’s very interesting to see how people react when the mode of detection is open, and he or she knows they risk being caught.
RULE NO. 1: NEVER UNDERESTIMATE
A fraudster uses the same techniques we use for fraud prevention to find new ways to penetrate a system or process.
Regardless of your system’s complexity, it’s just a matter of time until a fraudster overcomes its protections. Periodically updating and revising your fraud identification techniques are essential.
We had this interesting training-room incident at a bank, at which we’d taught select members from a team to identify patterns in bank passbooks that could indicate fraud as they reviewed huge volumes of loan cases. We split the team into two groups: Group A (trained with special skills) and Group B (trained with basic skills).
We let Group B process the cases first, and then let Group A review the processed cases. Out of 100 proposals reviewed by Group A, 12 cases matched the patterns that we had taught them. We didn’t tell the two groups, but we then added three perfect, pre-screened, fraud-free cases. We announced to Group B that 15 cases had been turned down for loans. We allowed Group B members to review any of the cases once again.
Within an hour, a shrewd member of Group B walked up with the three cases we added, asking, “Would you please re-process these cases? I think there has been a mistake in the assessment.” We asked him why he felt so. He said, “I’ve been observing these guys [members of Group A] from across the room and felt whatever they were looking for wasn’t here." He quickly explained the pattern that we had taught Group A.
Many of us sitting inside glass walls feel secure about the processes that are our safety valves. However, it's just a matter of time before fraudsters can penetrate processes and know the triggers. Rarely, neither remains a secret. The objective is to continuously explore and never be under the impression that fraudsters won’t uncover your triggers or identification mechanisms.
RULE NO. 2: NEVER REPLACE DILIGENCE WITH AUTOMATION
Nothing can substitute for common sense and diligence. We need technological fraud prevention mechanisms, but we can’t forget that the answers we seek depend on how logically and accurately we design the questions. And if someone tampers with your logic or queries, you could be barking up the wrong tree.
The Indian people work hard to retain their culture. Many across the country have the same first names. Street, city and locality names are also very similar or exactly the same. Therefore, when investigators find a match in a credit bureau verification report of a customer, they verify all details to establish that the customer and person in the report are one and the same. Customer credentialing for granting financing or loans is one of the toughest.
I recall a verification case in which we tried to review three years of income tax return (ITR) forms. However, the preliminary verification report stated that two of the forms didn’t exist. Based on these automated reports, we were about to decline the proposal. However, we wanted to make sure that we weren’t losing a good customer because the other documents apart from the ITR didn’t show any negative patterns. It’s prudent in business not to reject good customers simply because they made mistakes in the process or documentation. In this case, we decided to investigate the matter.
The evolving story was an eyeopener.
All income tax returns have to be filed by July 31 every year. The ITR was segmented into different wards based on the location of the tax assessors. The conversion from paper records to computerized records in some of these wards hadn’t yet been completed because the base records were still being updated. To handle the massive number of returns, some of these wards had adopted manual registers. Some other wards had been split, with different ward numbers. In this case, our investigation confirmed that the customer's ITR forms were genuine. We had earlier suspected fraud, but there was none.
The important lesson: Treat data as red flags and not conclusive evidence. Actively question the data.
RULE NO. 3: LOCAL FLAVOR IS IMPORTANT
When constructing fraud deterrence mechanisms, we devise a “local profile mix,” which includes demographics, market practices, cultural influences, state economies and policies, politics and organizational practices. What’s applicable in Pune, State of Maharashtra, won’t necessarily be effective in Coimbatore, State of Tamilnadu. Any preventive measure should be based on market practice, competition and local culture.
During my early days, we collected a lot of information about customer profiles, demographics and types of loan sanctions that the bank had granted and disbursed. Our team members continually pruned the data.
We found that the average employee attrition rate for the same company across locations was different, so we couldn’t offer the same hybrid product to those employees across locations like Mumbai and Bangalore. Bangalore was known to be the IT capital of the country and Mumbai the financial capital.
The unknown factor was also that the average employee attrition was anything between six months and two years because employees quickly moved from one employer to another. Since a number of companies existed in the same location, getting job offers wasn’t hard. [Many Business Process Outsourcing (BPO) companies from the U.S., U.K. and Australia would offshore their mundane routine processes to India to save on cost and leverage time zone advantages. Once jobseekers came over to a location like Bangalore, these companies surrounded them and demand was greater than supply, meaning they wouldn't have a problem in finding positions.]
This high attrition rate became a problem. For example, I’d be under the impression that I was funding a personal loan for a manager in Infosys Tech Private Limited, who was earning Rs.70000/- per month (US$1,250). However, the next month he would quit his mundane job, join another company and become untraceable. His earlier employer wouldn’t know where he or his references were.
We created the new demographic of “floating population,” which was prevalent in certain types of IT companies, BPO companies and in Bangalore.
For company “X,” which has branches in Mumbai and Bangalore, average employee attrition would be 4:2 (four years in Mumbai and two years in Bangalore) and specifically to BPO, it would be 3:0.6 (three years in Mumbai and six months in Bangalore).
From a business perspective, the company believed it was safe to offer short-tenure products for Bangalore.
Our risk flow design indicated three weak points based on year-on-year delinquency history and key risk data. From the fraud prevention perspective:
- For Bangalore, control mechanisms had to be very tight.
- Verification processes had to be sacrosanct with no deviations.
- Physical meetings with customers were very important.
This study indicated to us that our fraud prevention and deterrence techniques needed to be far more geographically specific.
RULE NO. 4: LOCAL NEWS IS A KNOWLEDGE SOURCE
One of the best ways to keep track of the latest fraud is to follow local events and news and to teach employees how to look for fraud schemes by following local news. We wrote a series of articles for our staff on inculcating the habit of looking for evidence of schemes in media reports.
When John Gill, J.D., CFE, vice president – education for the ACFE, and Bruce Dorris, J.D., CFE, CPA, CVA, vice president and program director for the ACFE, spoke about Ponzi schemes in the ACFE’s CFE Exam Review Course in Singapore, we Indian delegates found it difficult to comprehend and differentiate between Ponzi, pyramid and chit funds. However, after we analyzed a local scam that we found through a newspaper account, we understood the difference. A company said it would raise emu chicks if investors covered the expenses. Once the company "sold" the supposed adult birds, investors would receive a return on their investment. It turned out to be a classic Ponzi scheme. We circulated the newspaper article about it within our organization, which helped colleagues identify such schemes.
RULE NO. 5: THE POWER OF KINETICS
Many times, intuition plays a pivotal role in identifying fraud patterns. Experience will suggest that there’s something wrong, while the document in front of you would speak otherwise. In these cases, we use interview methodology on customers, their neighbors, people in the vicinity and the village administrative officers who are responsible for revenue collection (government representative) in the respective villages.
These interview sessions are best conducted at the interviewee's place of business or residence. This is important to keep the interviewee at ease and therefore more forthcoming without the perception of threat. The interviewees by design would be related in some manner to the interviewee and would need to be interviewed in quick succession. This also would be best facilitated, if we’re out in the field, at the interviewee's preferred location.
For example, consider a loan application. During customer credentialing, to confirm the details that the customer provided, we speak to the interviewee’s clients, his neighbors, his associates and people in his village who have a social standing. We keep this list of interviewees confidential so the applicant won’t be able to influence them. Interviewing them in quick successional so prevents him from influencing them.
Of course, only the correctly framed question gets the right answer. A formal interview may work in urban locations, while more informal interviews work in rural locations. An informal conversation gets the interviewee talking, and expressions and body movements can tell you’ve asked the correct questions and heard the correct answers.
We need to keenly watch for points in conversations when subjects “deviate from facts” (a euphemism for lying). Giveaways include articulations, gestures, narrative styles, accents and expressions. Do your homework prior to interviewing in a local culture.
In May, part 2 will cover the remaining golden tenets of fraud: Rule 6: practice the art of observation and listening, Rule 7: beware of decoys, Rule 8: common sense approaches are best, Rule 9: root cause analysis theory and Rule 10: curtail process lapses.
The author wishes to thank Bruce Dorris, J.D., CFE, for inspiring him to put this information to paper.
Vivek Krishnan, CFE, LIII is a zonal credit manager for India's largest private-sector bank. The opinions expressed or implied in this article are solely his own and don’t reflect those of his employer who isn’t liable for these views.