
The ‘low versus no’ risk appetite for internal fraud

Ask an executive in a typical financial institution about their organisation’s fraud risk appetite and there is usually, conceptually, some level of tolerance for external fraud, but no tolerance for internal fraud. However, there is often a gap between the expressed zero-tolerance view and the fraud risk framework that has actually been put in place.

To adequately prevent and detect internal fraud, there should be a close alignment between prevention, detection, mitigation processes and the risk appetite – the extent to which an organisation is prepared to accept the possibility that risks will materialise. The lower the appetite for fraud risk and losses, the greater the processes that should be put in place for higher risk areas. The quandary for financial institution executives boils down to ‘low versus no’. How much internal fraud is too much?

Financial and reputational damage

While customer experience and fraud loss optimisation is often a trade-off determined by a financial institution’s risk appetite, this usually applies to external fraud losses.

However, when addressing internal fraud, customer experience is not the most significant consideration, as it is often brand impact that hurts a financial institution most. Internal fraud and misconduct issues invariably attract the attention of media, and sometimes even regulators or government. While there may be some level of acceptance for financial loss, often there will be zero appetite for reputational damage.

The approach to setting an internal fraud risk appetite should therefore be designed to not only safeguard the organisation’s and client’s assets, but also ensure minimal damage to the brand.

Two examples of fraud

1.  Misdirecting inward contributions

A super fund employee managed a relationship with a large corporate client and was responsible for processing the client’s employees’ super contributions. A regular payment file was received from the corporate client, and the super fund employee altered the file to redirect the contributions to an external account held in a false name operated by the employee. As the reconciliation of contributions received against the contribution file was not conducted in a timely manner, the super fund performed no independent check to confirm that the contributions had actually been received. The employee was able to satisfy the corporate client’s inquiries and reporting requirements through their close relationship. The fraud was ultimately detected when an employee of the corporate client made their own inquiry with the super fund’s call centre regarding the balance of their own account.
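The control that was missing in this case is an independent, timely reconciliation of the employer’s file as received against what the fund actually credited. The following is an added illustration, not code from the article or from the author’s firm, of what that check looks like: the received file is retained read-only at ingest, each member’s credited amount and destination account is compared against it and against the member register, and a control total is checked independently of the per-row matching. The file layouts, member ids, account numbers and amounts are all constructed for the example.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: the employer's contribution file exactly as received,
# retained read-only at ingest so it can serve as the independent reference.
RECEIVED_FILE = """\
member_id,amount
M1001,1500.00
M1002,980.50
M1003,2200.00
"""

# Constructed sample: the fund's own member register (member -> member's account).
MEMBER_ACCOUNTS = {
    "M1001": "FUND-M1001",
    "M1002": "FUND-M1002",
    "M1003": "FUND-M1003",
}

# Constructed sample: what the processing system actually credited. M1002's
# contribution went to an external account and M1003 was short-credited.
PROCESSED_LEDGER = """\
member_id,amount,destination
M1001,1500.00,FUND-M1001
M1002,980.50,EXT-0007781
M1003,2000.00,FUND-M1003
"""


def parse_csv(text):
    """Return rows keyed by member_id, with amounts as Decimal (never float for money)."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        rows[row["member_id"]] = row
    return rows


def reconcile(received_text, processed_text, member_accounts):
    """Compare the received file with the processed ledger and return findings.

    Each finding is (member_id, issue, expected, actual). An empty list means
    every expected contribution was credited in full to the member's own
    account and nothing unexpected was processed.
    """
    received = parse_csv(received_text)
    processed = parse_csv(processed_text)
    findings = []

    for mid, exp in received.items():
        act = processed.get(mid)
        if act is None:
            findings.append((mid, "not_processed", str(exp["amount"]), None))
            continue
        if act["amount"] != exp["amount"]:
            findings.append((mid, "amount_mismatch", str(exp["amount"]), str(act["amount"])))
        expected_dest = member_accounts.get(mid)
        if act["destination"] != expected_dest:
            findings.append((mid, "destination_mismatch", expected_dest, act["destination"]))

    # Anything credited that the employer never sent is just as suspicious.
    for mid in sorted(processed.keys() - received.keys()):
        findings.append((mid, "not_in_received_file", None, str(processed[mid]["amount"])))

    # Control-total check, independent of per-row matching, so a bulk edit
    # that keeps rows aligned but changes the money still shows up.
    total_received = sum(r["amount"] for r in received.values())
    total_processed = sum(r["amount"] for r in processed.values())
    if total_received != total_processed:
        findings.append(("*", "control_total_mismatch", str(total_received), str(total_processed)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(RECEIVED_FILE, PROCESSED_LEDGER, MEMBER_ACCOUNTS):
        print(finding)
```

The point of keeping the received file immutable is that the comparison is against something the processing operator could not alter; the reconciliation only has value if it runs on a schedule short enough that a redirected payment is noticed before the next payroll cycle, rather than when a member happens to query their balance.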

2.  Information theft

A retail bank suffered a number of identity takeovers of customers’ online banking accounts. The bank found that all the customers had links to a common superannuation fund. The bank contacted the super fund and provided the names of the victim customers. Forensic data analytics conducted by the super fund found that the victim customers all had either a super or an insurance product, and that a single employee had accessed (viewed) all the super and insurance accounts for no apparent reason. The employee was interviewed and made admissions, and their employment was terminated. The super fund believed that confidential information was ‘harvested’ by their employee and then provided to an organised crime group, giving the group sufficient information to answer the bank’s identity challenge questions and take over and defraud the customers’ bank accounts. The super fund’s own products were not affected.
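The analytics that exposed this case come down to correlating an externally supplied victim list against the fund’s account-view audit log. The following is an added example, not the fund’s or the author’s code, of that correlation: for each employee it measures what share of the victim accounts they viewed and what share of their lookups had no service request to justify them, then flags employees above a coverage threshold. The log format, employee ids, member ids and ticket references are constructed for the example; a real audit log would need mapping into this shape.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: affected customers supplied by the bank, already mapped
# to the fund's member ids.
VICTIM_MEMBERS = {"M2001", "M2002", "M2003", "M2004"}

# Constructed sample: the fund's account-view audit log. 'ticket' is the
# service request that justified the lookup; empty means there was none.
ACCESS_LOG = """\
timestamp,employee,member_id,action,ticket
2021-03-01T09:02:11,E17,M2001,view,SR-4410
2021-03-01T09:15:40,E42,M2001,view,
2021-03-01T09:16:05,E42,M2002,view,
2021-03-01T09:16:50,E42,M2003,view,
2021-03-01T09:17:31,E42,M2004,view,
2021-03-01T09:18:02,E42,M2005,view,
2021-03-02T10:30:00,E17,M2002,view,SR-4422
2021-03-02T11:00:00,E08,M2003,update,SR-4430
2021-03-03T14:45:12,E42,M2009,view,SR-4500
"""


def load_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def employee_exposure(log_rows, victims, min_coverage=0.75):
    """Score every employee by how many victim accounts they touched.

    Returns a list of dicts sorted by victim coverage (highest first). An
    employee is flagged when they viewed at least min_coverage of the victim
    accounts; the unjustified ratio is reported alongside so an employee whose
    role legitimately touches many accounts can be told apart from one with
    no service requests behind the lookups.
    """
    per_emp = defaultdict(lambda: {"victims": set(), "total": 0, "unjustified": 0})
    for row in log_rows:
        stats = per_emp[row["employee"]]
        stats["total"] += 1
        if not row["ticket"]:
            stats["unjustified"] += 1
        if row["member_id"] in victims:
            stats["victims"].add(row["member_id"])

    results = []
    for emp, s in per_emp.items():
        coverage = len(s["victims"]) / len(victims)
        results.append({
            "employee": emp,
            "victim_coverage": coverage,
            "victims_viewed": sorted(s["victims"]),
            "unjustified_ratio": s["unjustified"] / s["total"],
            "flag": coverage >= min_coverage,
        })
    results.sort(key=lambda r: (-r["victim_coverage"], r["employee"]))
    return results


def flagged_employees(log_text, victims, min_coverage=0.75):
    """Convenience wrapper: employee ids that exceed the coverage threshold."""
    return [r["employee"] for r in employee_exposure(load_log(log_text), victims, min_coverage) if r["flag"]]


if __name__ == "__main__":
    for r in employee_exposure(load_log(ACCESS_LOG), VICTIM_MEMBERS):
        print(r)
```

Coverage alone produces false positives for staff whose job is to service every account, which is why the justification ratio is carried with it; the case in the article was distinctive precisely because the views had no apparent business reason. The same correlation can be run on a rolling basis against the fund’s own complaint or dispute data, without waiting for another institution to supply a victim list.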

Setting the risk appetite

There are a number of metrics that can be used, beyond the dollar loss, when determining an acceptable level of fraud risk, including: the number of internal incidents; the number of fraud attempts or near misses; and the percentage of employees that have completed mandatory fraud training.

Activities should be designed to impact behaviour beyond the absolute metrics. The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud. Understanding this is as critical as analysing the absolute metrics. For example, a financial institution may mandate that all allegations of internal fraud will be subject to its disciplinary procedures.

Once the acceptable level of risk appetite has been determined, resource allocation can be broadly categorised into two areas:

1.  Fraud risk management (proactive measures to prevent and detect fraud)

In financial institutions the link between proactive measures and the expressed risk appetite is generally much weaker than the link between reactive measures and that appetite. Too often we see a stated zero tolerance for internal fraud, yet the proactive measures are either ineffective, do not cover the entire organisation, or are lacking completely.

2.  Fraud investigation (reactive measures when an incident occurs)

Often financial institutions defend their zero tolerance for internal fraud on the basis that they investigate all fraud matters. The flaw in this approach is that it ignores the application of preventative measures. A true low, or zero, appetite for fraud requires more than just a reactive framework.

Finding the sweet spot between ‘low and no’ appetite

A certain level of internal fraud will probably occur as a commercial reality of doing business. How does a financial institution manage the optics of a low appetite and still communicate to employees that it is not ‘open slather’? A key plank in a fraud risk framework is strong deterrence, with overt condemnation of internal fraud and ‘tone at the top’ messages and behaviours. It comes down to the way risk appetite is operationalised and embedded into the organisation’s day-to-day business.

Where should financial institutions start when determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?

For starters, risk appetite for fraud loss should be a standard part of the risk management planning cycle. Calculations should be based on robust information on actual experiences and predicted risks, including the risks and rewards of new products and channels. Once the level of fraud risk appetite has been agreed, it should be communicated across the institution and oversight procedures put in place.

At the other end of the cycle, reporting should occur in line with a pre-defined risk appetite, with appropriate intervention when both positive and negative variances to the plan occur. Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution.

Keeping pace with change

Fraud risk management is not a set-and-forget exercise. Fraud risk, like other risks, is fluid, and ongoing monitoring is required to capture material changes. Many financial institutions are already in the process of de-risking their books and ending customer relationships where they present too high a risk.

Similarly, as the Australian superannuation sector continues to evolve, goes through further consolidation, and introduces new parties into the delivery cycle and supply chain, enhanced due diligence processes should be put in place to ensure that any new acquisition has a fraud risk profile and a defined risk appetite that align with the core business.


Tony Prior is a Director in Ernst & Young’s financial services specialist fraud investigation and dispute services team. The views expressed in this article are the views of the author, not EY. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.


© 2022 Morningstar, Inc. All rights reserved.