Register For Our Mailing List

Register to receive our free weekly newsletter including editorials.

Home / 107

The ‘low versus no’ risk appetite for internal fraud

Ask an executive in a typical financial institution about their organisation’s fraud risk appetite and there is usually, conceptually, some level of tolerance for external fraud, but there is no tolerance for internal fraud. However there is often a gap between the expressed zero tolerance view and the fraud risk framework that has been put in place.

To adequately prevent and detect internal fraud, there should be a close alignment between prevention, detection, mitigation processes and the risk appetite – the extent to which an organisation is prepared to accept the possibility that risks will materialise. The lower the appetite for fraud risk and losses, the greater the processes that should be put in place for higher risk areas. The quandary for financial institution executives boils down to ‘low versus no’. How much internal fraud is too much?

Financial and reputational damage

While customer experience and fraud loss optimisation is often a trade-off determined by a financial institution’s risk appetite, this usually applies to external fraud losses.

However, when addressing internal fraud, customer experience is not the most significant consideration, as it is often brand impact that hurts a financial institution most. Internal fraud and misconduct issues invariably attract the attention of media, and sometimes even regulators or government. While there may be some level of acceptance for financial loss, often there will be zero appetite for reputational damage.

The approach to setting an internal fraud risk appetite should therefore be designed to not only safeguard the organisation’s and client’s assets, but also ensure minimal damage to the brand.

Two examples of fraud

1.  Misdirecting inward contributions

A super fund employee managed a relationship with a large corporate client and was responsible for processing the client’s employees’ super contributions. A regular payment file was received from the corporate client and the super fund employee altered the file to redirect the contributions to an external account held in a false name operated by the employee. As the reconciliation of contributions matched against the data (contribution file) was not conducted in a timely manner, there was no independent checking performed by the super fund to confirm the receipt of contributions. The employee was able to satisfy the corporate client’s inquiries and reporting requirements through their close relationship. The fraud was ultimately detected when a corporate client employee made their own inquiry with the super fund’s call centre regarding the balance of their own account.

2.  Information theft

A retail bank suffered a number of identity takeovers of customers’ online backing accounts. The bank found that all the customers had links to a common superannuation fund. The bank contacted the super fund and provided the names of the victim customers. Forensic data analytics conducted by the super fund found that the victim customers all had either a super or insurance product, and that a single employee had accessed (viewed) all the super and insurance accounts for no apparent reason. The employee was interviewed and made admissions and their employment was terminated. The super fund believed that confidential information was ‘harvested’ by their employee, and then provided to an organised crime group to enable the group to take over and defraud the customers’ bank accounts, with sufficient information to answer the bank identity challenge questions. The super fund’s own products were not affected.

Setting the risk appetite

There are a number of metrics that can be used, beyond the dollar loss, when determining an acceptable level of fraud risk, including: the number of internal incidents; the number of fraud attempts or near misses; and the percentage of employees that have completed mandatory fraud training.

Activities should be designed to impact behaviour beyond the absolute metrics. The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud. Understanding this is as critical as analysing the absolute metrics. For example, a financial institution may mandate that all allegations of internal fraud will be subject to its disciplinary procedures.

Once the acceptable level of risk appetite has been determined, resource allocation can be broadly categorised into two areas:

1.  Fraud risk management (proactive measures to prevent and detect fraud)

The correlation between proactive measures and expressed risk appetite is generally less evident in financial institutions than the reactive measures. Too often we see a stated zero tolerance for internal fraud, yet the proactive measures are either ineffective, do not cover the entire organisation or are lacking completely.

2.  Fraud investigation (reactive measures when an incident occurs)

Often financial institutions defend their zero tolerance for internal fraud on the basis that they investigate all fraud matters. The flaw in this approach is that it ignores the application of preventative measures. A true low, or zero, appetite for fraud requires more than just a reactive framework.

Finding the sweet spot between ‘low and no’ appetite

A certain level of internal fraud will probably occur as a commercial reality of doing business. How does a financial institution manage the optics of a low appetite and still communicate the message to employees that it is not ‘open slather’? A key plank in a fraud risk framework is strong deterrence, with overt condemnation of internal fraud and ‘tone at the top’ messages and behaviours. It comes down to the way risk appetite is operationalised and embedded into the organisation’s day to day business.

Where should financial institutions start when determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?

For starters, risk appetite for fraud loss should be a standard part of the risk management planning cycle. Calculations should be based on robust information on actual experiences and predicted risks, including the risks and rewards of new products and channels. Once the level of fraud risk appetite has been agreed, it should be communicated across the institution and oversight procedures put in place.

At the other end of the cycle, reporting should occur in line with a pre-defined risk appetite, with appropriate intervention when both positive and negative variances to the plan occur. Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution.

Keeping pace with change

Fraud risk management is not a set and forget exercise. Fraud risk, like other risks, is fluid and ongoing monitoring is required to capture material changes. Many financial institutions are already in the process of de-risking their books and ending customer relationships where they present too high a risk.

Similarly, as the Australian superannuation sector continues to evolve and go through further consolidation and new parties get introduced into the delivery cycle and supply chain, enhanced due diligence processes should be put in place to ensure any new acquisitions have fraud risk profiles and a defined risk appetite that align to the core business.


Tony Prior is a Director in Ernst & Young’s financial services specialist fraud investigation and dispute services team. The views expressed in this article are the views of the author, not EY. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.


Leave a Comment:



Lessons from the Volkswagen scandal


Most viewed in recent weeks

How to enjoy your retirement

Amid thousands of comments, tips include developing interests to keep occupied, planning in advance to have enough money, staying connected with friends and communities ... should you defer retirement or just do it?

Results from our retirement experiences survey

Retirement is a good experience if you plan for it and manage your time, but freedom from money worries is key. Many retirees enjoy managing their money but SMSFs are not for everyone. Each retirement is different.

A tonic for turbulent times: my nine tips for investing

Investing is often portrayed as unapproachably complex. Can it be distilled into nine tips? An economist with 35 years of experience through numerous market cycles and events has given it a shot.

Rival standard for savings and incomes in retirement

A new standard argues the majority of Australians will never achieve the ASFA 'comfortable' level of retirement savings and it amounts to 'fearmongering' by vested interests. If comfortable is aspirational, so be it.

Dalio v Marks is common sense v uncommon sense

Billionaire fund manager standoff: Ray Dalio thinks investing is common sense and markets are simple, while Howard Marks says complex and convoluted 'second-level' thinking is needed for superior returns.

Fear is good if you are not part of the herd

If you feel fear when the market loses its head, you become part of the herd. Develop habits to embrace the fear. Identify the cause, decide if you need to take action and own the result without looking back. 

Latest Updates


The paradox of investment cycles

Now we're captivated by inflation and higher rates but only a year ago, investors were certain of the supremacy of US companies, the benign nature of inflation and the remoteness of tighter monetary policy.


Reporting Season will show cost control and pricing power

Companies have been slow to update guidance and we have yet to see the impact of inflation expectations in earnings and outlooks. Companies need to insulate costs from inflation while enjoying an uptick in revenue.


The early signals for August company earnings

Weaker share prices may have already discounted some bad news, but cost inflation is creating wide divergences inside and across sectors. Early results show some companies are strong enough to resist sector falls.


The compelling 20-year flight of SYD into private hands

In 2002, the share price of the company that became Sydney Airport (SYD) hit 80 cents from the $2 IPO price. After 20 years of astute investment driving revenue increases, it sold to private hands for $8.75 in 2022.

Investment strategies

Ethical investing responding to some short-term challenges

There are significant differences in the sector weightings of an ethical fund versus an index, and while this has caused some short-term headwinds recently, the tailwinds are expected to blow over the long term.

Investment strategies

If you are new to investing, avoid these 10 common mistakes

Many new investors make common mistakes while learning about markets. Losses are inevitable. Newbies should read more and develop a long-term focus while avoiding big mistakes and not aiming to be brilliant.

Investment strategies

RMBS today: rising rate-linked income with capital preservation

Lenders use Residential Mortgage-Backed Securities to finance mortgages and RMBS are available to retail investors through fund structures. They come with many layers of protection beyond movements in house prices. 



© 2022 Morningstar, Inc. All rights reserved.

The data, research and opinions provided here are for information purposes; are not an offer to buy or sell a security; and are not warranted to be correct, complete or accurate. Morningstar, its affiliates, and third-party content providers are not responsible for any investment decisions, damages or losses resulting from, or related to, the data and analyses or their use. Any general advice or ‘regulated financial advice’ under New Zealand law has been prepared by Morningstar Australasia Pty Ltd (ABN: 95 090 665 544, AFSL: 240892) and/or Morningstar Research Ltd, subsidiaries of Morningstar, Inc, without reference to your objectives, financial situation or needs. For more information refer to our Financial Services Guide (AU) and Financial Advice Provider Disclosure Statement (NZ). You should consider the advice in light of these matters and if applicable, the relevant Product Disclosure Statement before making any decision to invest. Past performance does not necessarily indicate a financial product’s future performance. To obtain advice tailored to your situation, contact a professional financial adviser. Articles are current as at date of publication.
This website contains information and opinions provided by third parties. Inclusion of this information does not necessarily represent Morningstar’s positions, strategies or opinions and should not be considered an endorsement by Morningstar.