Register For Our Mailing List

Register to receive our free weekly newsletter including editorials.

Home / 107

The ‘low versus no’ risk appetite for internal fraud

Ask an executive in a typical financial institution about their organisation’s fraud risk appetite and there is usually, conceptually, some level of tolerance for external fraud, but there is no tolerance for internal fraud. However there is often a gap between the expressed zero tolerance view and the fraud risk framework that has been put in place.

To adequately prevent and detect internal fraud, there should be a close alignment between prevention, detection, mitigation processes and the risk appetite – the extent to which an organisation is prepared to accept the possibility that risks will materialise. The lower the appetite for fraud risk and losses, the greater the processes that should be put in place for higher risk areas. The quandary for financial institution executives boils down to ‘low versus no’. How much internal fraud is too much?

Financial and reputational damage

While customer experience and fraud loss optimisation is often a trade-off determined by a financial institution’s risk appetite, this usually applies to external fraud losses.

However, when addressing internal fraud, customer experience is not the most significant consideration, as it is often brand impact that hurts a financial institution most. Internal fraud and misconduct issues invariably attract the attention of media, and sometimes even regulators or government. While there may be some level of acceptance for financial loss, often there will be zero appetite for reputational damage.

The approach to setting an internal fraud risk appetite should therefore be designed to not only safeguard the organisation’s and client’s assets, but also ensure minimal damage to the brand.

Two examples of fraud

1.  Misdirecting inward contributions

A super fund employee managed a relationship with a large corporate client and was responsible for processing the client’s employees’ super contributions. A regular payment file was received from the corporate client and the super fund employee altered the file to redirect the contributions to an external account held in a false name operated by the employee. As the reconciliation of contributions matched against the data (contribution file) was not conducted in a timely manner, there was no independent checking performed by the super fund to confirm the receipt of contributions. The employee was able to satisfy the corporate client’s inquiries and reporting requirements through their close relationship. The fraud was ultimately detected when a corporate client employee made their own inquiry with the super fund’s call centre regarding the balance of their own account.

2.  Information theft

A retail bank suffered a number of identity takeovers of customers’ online backing accounts. The bank found that all the customers had links to a common superannuation fund. The bank contacted the super fund and provided the names of the victim customers. Forensic data analytics conducted by the super fund found that the victim customers all had either a super or insurance product, and that a single employee had accessed (viewed) all the super and insurance accounts for no apparent reason. The employee was interviewed and made admissions and their employment was terminated. The super fund believed that confidential information was ‘harvested’ by their employee, and then provided to an organised crime group to enable the group to take over and defraud the customers’ bank accounts, with sufficient information to answer the bank identity challenge questions. The super fund’s own products were not affected.

Setting the risk appetite

There are a number of metrics that can be used, beyond the dollar loss, when determining an acceptable level of fraud risk, including: the number of internal incidents; the number of fraud attempts or near misses; and the percentage of employees that have completed mandatory fraud training.

Activities should be designed to impact behaviour beyond the absolute metrics. The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud. Understanding this is as critical as analysing the absolute metrics. For example, a financial institution may mandate that all allegations of internal fraud will be subject to its disciplinary procedures.

Once the acceptable level of risk appetite has been determined, resource allocation can be broadly categorised into two areas:

1.  Fraud risk management (proactive measures to prevent and detect fraud)

The correlation between proactive measures and expressed risk appetite is generally less evident in financial institutions than the reactive measures. Too often we see a stated zero tolerance for internal fraud, yet the proactive measures are either ineffective, do not cover the entire organisation or are lacking completely.

2.  Fraud investigation (reactive measures when an incident occurs)

Often financial institutions defend their zero tolerance for internal fraud on the basis that they investigate all fraud matters. The flaw in this approach is that it ignores the application of preventative measures. A true low, or zero, appetite for fraud requires more than just a reactive framework.

Finding the sweet spot between ‘low and no’ appetite

A certain level of internal fraud will probably occur as a commercial reality of doing business. How does a financial institution manage the optics of a low appetite and still communicate the message to employees that it is not ‘open slather’? A key plank in a fraud risk framework is strong deterrence, with overt condemnation of internal fraud and ‘tone at the top’ messages and behaviours. It comes down to the way risk appetite is operationalised and embedded into the organisation’s day to day business.

Where should financial institutions start when determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?

For starters, risk appetite for fraud loss should be a standard part of the risk management planning cycle. Calculations should be based on robust information on actual experiences and predicted risks, including the risks and rewards of new products and channels. Once the level of fraud risk appetite has been agreed, it should be communicated across the institution and oversight procedures put in place.

At the other end of the cycle, reporting should occur in line with a pre-defined risk appetite, with appropriate intervention when both positive and negative variances to the plan occur. Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution.

Keeping pace with change

Fraud risk management is not a set and forget exercise. Fraud risk, like other risks, is fluid and ongoing monitoring is required to capture material changes. Many financial institutions are already in the process of de-risking their books and ending customer relationships where they present too high a risk.

Similarly, as the Australian superannuation sector continues to evolve and go through further consolidation and new parties get introduced into the delivery cycle and supply chain, enhanced due diligence processes should be put in place to ensure any new acquisitions have fraud risk profiles and a defined risk appetite that align to the core business.


Tony Prior is a Director in Ernst & Young’s financial services specialist fraud investigation and dispute services team. The views expressed in this article are the views of the author, not EY. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.


Leave a Comment:



Lessons from the Volkswagen scandal


Most viewed in recent weeks

10 reasons wealthy homeowners shouldn't receive welfare

The RBA Governor says rising house prices are due to "the design of our taxation and social security systems". The OECD says "the prolonged boom in house prices has inflated the wealth of many pensioners without impacting their pension eligibility." What's your view?

House prices surge but falls are common and coming

We tend to forget that house prices often fall. Direct lending controls are more effective than rate rises because macroprudential limits affect the volume of money for housing leaving business rates untouched.

Survey responses on pension eligibility for wealthy homeowners

The survey drew a fantastic 2,000 responses with over 1,000 comments and polar opposite views on what is good policy. Do most people believe the home should be in the age pension asset test, and what do they say?

100 Aussies: five charts on who earns, pays and owns

Any policy decision needs to recognise who is affected by a change. It pays to check the data on who pays taxes, who owns assets and who earns the income to ensure an equitable and efficient outcome.

Three good comments from the pension asset test article

With articles on the pensions assets test read about 40,000 times, 3,500 survey responses and thousands of comments, there was a lot of great reader participation. A few comments added extra insights.

The sorry saga of housing affordability and ownership

It is hard to think of any area of widespread public concern where the same policies have been pursued for so long, in the face of such incontrovertible evidence that they have failed to achieve their objectives.

Latest Updates


The 'Contrast Principle' used by super fund test failures

Rather than compare results against APRA's benchmark, large super funds which failed the YFYS performance test are using another measure such as a CPI+ target, with more favourable results to show their members.


RBA switched rate priority on house prices versus jobs

RBA Governor, Philip Lowe, says that surging house prices are not as important as full employment, but a previous Governor, Glenn Stevens, had other priorities, putting the "elevated level of house prices" first.

Investment strategies

Disruptive innovation and the Tesla valuation debate

Two prominent fund managers with strongly opposing views and techniques. Cathie Wood thinks Tesla is going to US$3,000, Rob Arnott says it's already a bubble at US$750. They debate valuing growth and disruption.


4 key materials for batteries and 9 companies that will benefit

Four key materials are required for battery production as we head towards 30X the number of electric cars. It opens exciting opportunities for Australian companies as the country aims to become a regional hub.


Why valuation multiples fail in an exponential world

Estimating the value of a company based on a multiple of earnings is a common investment analysis technique, but it is often useless. Multiples do a poor job of valuing the best growth businesses, like Microsoft.


Five value chains driving the ‘transition winners’

The ability to adapt to change makes a company more likely to sustain today’s profitability. There are five value chains plus a focus on cashflow and asset growth that the 'transition winners' are adopting.


Halving super drawdowns helps wealthy retirees most

At the start of COVID, the Government allowed early access to super, but in a strange twist, others were permitted to leave money in tax-advantaged super for another year. It helped the wealthy and should not be repeated.



© 2021 Morningstar, Inc. All rights reserved.

The data, research and opinions provided here are for information purposes; are not an offer to buy or sell a security; and are not warranted to be correct, complete or accurate. Morningstar, its affiliates, and third-party content providers are not responsible for any investment decisions, damages or losses resulting from, or related to, the data and analyses or their use. Any general advice or ‘regulated financial advice’ under New Zealand law has been prepared by Morningstar Australasia Pty Ltd (ABN: 95 090 665 544, AFSL: 240892) and/or Morningstar Research Ltd, subsidiaries of Morningstar, Inc, without reference to your objectives, financial situation or needs. For more information refer to our Financial Services Guide (AU) and Financial Advice Provider Disclosure Statement (NZ). You should consider the advice in light of these matters and if applicable, the relevant Product Disclosure Statement before making any decision to invest. Past performance does not necessarily indicate a financial product’s future performance. To obtain advice tailored to your situation, contact a professional financial adviser. Articles are current as at date of publication.
This website contains information and opinions provided by third parties. Inclusion of this information does not necessarily represent Morningstar’s positions, strategies or opinions and should not be considered an endorsement by Morningstar.

Website Development by Master Publisher.