The Gulf Cooperation Council (GCC) countries’ economic recovery since the peak of the pandemic in 2020 has been remarkable; it has been so convincing that their economies were projected to have grown at their fastest pace in more than a decade in 2022.1 The flurry of economic activity also resulted in increased financial fraud (FF), specifically in the financial services sector.
FF has surged dramatically in the region in the post-pandemic era. In Q2 of 2022, reported FF cases more than doubled in the region compared to the previous quarter.2 A recent survey reported that 62% of KSA residents have experienced attempted FF, while 14% have been impacted by some form of fraud.3
Regional authorities have taken notice of this surge in fraud-related incidents and have introduced measures to enhance the controls to counter fraud, with key measures such as the below:
In tandem with the authorities, banks have a vital role to play in the fight against FF. Governance, technology, and people are the three key pillars that banks should be focusing on within their counter-fraud (CF) program.7
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a leading issuer of fraud risk8 management guidance, describes fraud risk governance as an integral component of corporate governance and the internal control environment; it designates the board and executive leadership to be ultimately responsible for the CF program. The governance of fraud risk varies from bank to bank. This is evident when looking at where fraud risk lies at leading global banks. At HSBC, the group risk and compliance function is responsible for fraud risk; at Standard Chartered Bank, the financial crime compliance (FCC) function is responsible for it.9 In the GCC, governance of fraud risk is usually the responsibility of either the compliance function or the risk management function.
Regardless of where ownership of fraud risk lies within the bank, it is important for the owner of the risk to have sufficient understanding of the current threats/trends and the mitigating controls’ effectiveness to ensure that residual risk is in line with the bank’s agreed risk appetite.
Increased digitalization and remote payment for products and services in recent years have also resulted in innovative ways for fraudsters to bypass the banks’ controls. For example, fraudster(s) developed fake websites that greatly resembled the domain name and appearance of a leading recruitment company’s website in order to steal customers’ online/mobile banking credentials. The stolen credentials were then used to transfer moderate amounts (SAR20,000–70,000) to “money mules” (i.e., associates who receive stolen funds for further money laundering or immediate cash out via ATM). The worrisome matter is that this fraud was conducted in such a way that it out-maneuvered traditional CF controls such as one-time passwords (OTPs) and legacy fraud detection systems.10
In another example of FF sophistication, a fraudster was able to successfully transfer out AED9.5 million from a customer’s bank account. After obtaining the mobile/online banking log-in details (via a phishing/vishing scheme), the fraudster submitted a cancellation and replacement issuance request for the SIM registered with the bank. Following receipt of the replacement SIM, the fraudster conducted forty-six transactions over a month to empty out the bank account.11
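As an added illustration (not from the original article or any bank's system), the sketch below shows monitoring logic that would have held the transfers in the SIM-replacement case above for review: it treats a SIM change as invalidating trust in SMS-delivered OTPs until the customer is re-verified, and adds a simple transfer-velocity rule. The event names, thresholds and sample data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

VELOCITY_WINDOW = timedelta(days=30)  # assumed policy value
VELOCITY_LIMIT = 10                   # assumed: transfers per window before review

def review_queue(events):
    """Return {transfer_id: [reasons]} for transfers to hold for review.

    events: time-ordered dicts with keys kind, customer, ts (and id for transfers).
    kind is 'sim_change' (telecom feed), 'reverified' (customer re-verified
    through a channel that does not depend on the SIM) or 'transfer'.
    """
    untrusted_sim = set()   # customers whose SMS OTP should not be trusted yet
    history = {}            # customer -> timestamps of earlier transfers
    held = {}
    for e in events:
        c = e["customer"]
        if e["kind"] == "sim_change":
            untrusted_sim.add(c)
        elif e["kind"] == "reverified":
            untrusted_sim.discard(c)
        elif e["kind"] == "transfer":
            reasons = []
            if c in untrusted_sim:
                reasons.append("sim_changed_not_reverified")
            recent = [t for t in history.get(c, []) if e["ts"] - t <= VELOCITY_WINDOW]
            if len(recent) >= VELOCITY_LIMIT:
                reasons.append("transfer_velocity")
            history.setdefault(c, []).append(e["ts"])
            if reasons:
                held[e["id"]] = reasons
    return held

def sample_events():
    """Constructed data: C1 mirrors the pattern described above, C2 is benign."""
    t0 = datetime(2022, 6, 1)
    ev = [{"kind": "sim_change", "customer": "C1", "ts": t0},
          {"kind": "sim_change", "customer": "C2", "ts": t0},
          {"kind": "reverified", "customer": "C2", "ts": t0 + timedelta(hours=2)},
          {"kind": "transfer", "customer": "C2", "ts": t0 + timedelta(days=1), "id": "C2-1"}]
    ev += [{"kind": "transfer", "customer": "C1", "id": f"C1-{i}",
            "ts": t0 + timedelta(days=1, hours=15 * i)} for i in range(46)]
    return sorted(ev, key=lambda e: e["ts"])

if __name__ == "__main__":
    for tid, reasons in review_queue(sample_events()).items():
        print(tid, reasons)
```

The SIM-change signal comes from outside the bank's own transaction data, so the first rule only works when the telecom feed is joined to the payment stream.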
The ever-evolving modus operandi of fraudsters is increasingly propelling regional banks to look at more proactive technological solutions. Technology, such as the below, is enabling interesting use cases to prevent FF.
Banks need to urgently revisit their CF program and invest in updated technology for real-time fraud monitoring so that proper safeguards are in place against fraudsters. The value of a fraud detection system is highly dependent on the quality and quantity of the data it has access to. By using collective intelligence from multiple sources, banks can therefore increase the effectiveness of their dedicated CF solutions. Organizations that have made investments in CF technology (in the post-pandemic era) have experienced a 60% decrease in their fraud cases.12
No matter how robust the control framework is, the human element continues to be the most important control against FF. A recent study has identified that over 137,000 Arabs visit fraudulent websites through which they are subjected to various fraud schemes every day.13
It is the banks’ responsibility to adequately train their internal stakeholders (i.e., employees, executive leadership, board members) and spread awareness amongst internal and external stakeholders (i.e., third-parties, customers). Although most organizations do provide CF-related training and awareness, a recent survey indicated that almost half of the organizations find their CF training and awareness to be inefficient.13 Banks need to consider how they can optimize the efficiency of their existing CF training and awareness frameworks for each respective audience group.
As technology advances, fraudsters will continue to come up with innovative techniques to exploit the population’s limited awareness of FF and take advantage of CF program deficiencies. While banks in the region have made great strides in fighting FF, fraudsters remain a step ahead of the curve; this clearly puts the onus on the bank to protect its customers and itself from FF.14 It is time for banks to invest in their CF programs, especially with advanced CF technologies, to ensure fraud is prevented, rather than investigated.
By Saad Qureshi, Director, Financial Crime and Analytics and Humaid Hussain, Senior Associate, Financial Crime and Analytics, Deloitte Middle East