Insider fraud poses a growing threat to financial firms in the UK. But despite strengthening their fraud management capabilities, firms have been told they need go further to protect themselves and their customers from fraudsters.
The Fraud Governance report from government regulator the Financial Services Agency (FSA) looked at how senior management is tackling fraud risk in 16 mainly larger financial services groups.
It found that CEOs or other senior figures generally recognise that the increasing threat of fraud needs to be managed in a more effective and integrated way.
But it adds that there areas where firms need to work harder.
In particular, the report urges firms to be more proactive in collecting more detailed and accurate data and investing in systems and controls to detect mounting fraud threats at an early stage.
Without this, it warns, some firms are currently not in a position to adequately assess where and why they are at risk from fraud.
"A robust fraud strategy is one that is sponsored at the highest level within a firm and embedded within the culture," said Philip Robinson, financial crime sector leader at the FSA.
"While the larger firms have been forced to wake up to fraud, those that have so far remained outside the fraudsters' radar are not as developed.
"Fraud threats are dynamic and fraudsters constantly devise new techniques to exploit the easiest target. Firms need to continue to invest in systems and controls and manage their responses to fraud in order to avoid being targeted as the weakest link."
The report found firms that underinvested in anti-fraud measures tended to suffer relatively high levels of losses.
Insider fraud - whether arising from collusion, coercion, infiltration or existing employee action - was cited by firms as one of the most serious threats.
The most common example offered by firms was incidents of staff being approached outside work and offered money to sell confidential information.
To counter this rising threat firms have tightened their employee vetting procedures. The intensity of vetting varied between firms but did not always apply to both temporary and permanent staff.
One firm applied seven levels of screening with the degree of due diligence tailored towards the seniority of the role. Another firm stated that 8 per cent of potential hires were rejected after vetting
Investment in systems and a focus on robust anti-fraud operational processes, which are embedded in business units, are key to improvements in fighting fraud, the FSA said.
Where firms are getting better at identifying, assessing, mitigating and reporting fraud risk, this is a recent improvement and needs to be sustained.
Only a handful of firms were found to be developing formal risk assessment processes and, as a result, firms tended to respond to fraud in an incident-driven manner.
In particular, the report warns smaller firms to analyse their vulnerability to attack and consider the threats to their business in a structured way because the impact of an attack or series of fraud events could be particularly damaging.
The report noted some unclear or inappropriate allocation of anti-fraud responsibilities within firms. For example, accountability in individual roles was not always clearly defined and responsibility may be de-prioritised in favour of other business needs.
There is increased co-operation within the industry, and firms see this as critical to the success of anti-fraud measures. There was particular support for the lead taken by some trade associations and initiatives such as information sharing between firms.
The report also found evidence of competing priorities between fraud mitigation and customer experience.
Firms were found to be wary of putting customers off by implementing protective measures that risk causing inconvenience to them over and above what their competitors do. Firms recognise that customer education and awareness is vital to reduce fraud, the report said, but they should ensure that sufficient resources are applied to these areas.