Register For Our Mailing List

Register to receive our free weekly newsletter including editorials.

Home / 107

The ‘low versus no’ risk appetite for internal fraud

Ask an executive in a typical financial institution about their organisation’s fraud risk appetite and there is usually, conceptually, some level of tolerance for external fraud, but there is no tolerance for internal fraud. However there is often a gap between the expressed zero tolerance view and the fraud risk framework that has been put in place.

To adequately prevent and detect internal fraud, there should be a close alignment between prevention, detection, mitigation processes and the risk appetite – the extent to which an organisation is prepared to accept the possibility that risks will materialise. The lower the appetite for fraud risk and losses, the greater the processes that should be put in place for higher risk areas. The quandary for financial institution executives boils down to ‘low versus no’. How much internal fraud is too much?

Financial and reputational damage

While customer experience and fraud loss optimisation is often a trade-off determined by a financial institution’s risk appetite, this usually applies to external fraud losses.

However, when addressing internal fraud, customer experience is not the most significant consideration, as it is often brand impact that hurts a financial institution most. Internal fraud and misconduct issues invariably attract the attention of media, and sometimes even regulators or government. While there may be some level of acceptance for financial loss, often there will be zero appetite for reputational damage.

The approach to setting an internal fraud risk appetite should therefore be designed to not only safeguard the organisation’s and client’s assets, but also ensure minimal damage to the brand.

Two examples of fraud

1.  Misdirecting inward contributions

A super fund employee managed a relationship with a large corporate client and was responsible for processing the client’s employees’ super contributions. A regular payment file was received from the corporate client and the super fund employee altered the file to redirect the contributions to an external account held in a false name operated by the employee. As the reconciliation of contributions matched against the data (contribution file) was not conducted in a timely manner, there was no independent checking performed by the super fund to confirm the receipt of contributions. The employee was able to satisfy the corporate client’s inquiries and reporting requirements through their close relationship. The fraud was ultimately detected when a corporate client employee made their own inquiry with the super fund’s call centre regarding the balance of their own account.

2.  Information theft

A retail bank suffered a number of identity takeovers of customers’ online backing accounts. The bank found that all the customers had links to a common superannuation fund. The bank contacted the super fund and provided the names of the victim customers. Forensic data analytics conducted by the super fund found that the victim customers all had either a super or insurance product, and that a single employee had accessed (viewed) all the super and insurance accounts for no apparent reason. The employee was interviewed and made admissions and their employment was terminated. The super fund believed that confidential information was ‘harvested’ by their employee, and then provided to an organised crime group to enable the group to take over and defraud the customers’ bank accounts, with sufficient information to answer the bank identity challenge questions. The super fund’s own products were not affected.

Setting the risk appetite

There are a number of metrics that can be used, beyond the dollar loss, when determining an acceptable level of fraud risk, including: the number of internal incidents; the number of fraud attempts or near misses; and the percentage of employees that have completed mandatory fraud training.

Activities should be designed to impact behaviour beyond the absolute metrics. The culture of the financial institution may drive certain behaviours and therefore the perception of acceptability of the level of internal fraud. Understanding this is as critical as analysing the absolute metrics. For example, a financial institution may mandate that all allegations of internal fraud will be subject to its disciplinary procedures.

Once the acceptable level of risk appetite has been determined, resource allocation can be broadly categorised into two areas:

1.  Fraud risk management (proactive measures to prevent and detect fraud)

The correlation between proactive measures and expressed risk appetite is generally less evident in financial institutions than the reactive measures. Too often we see a stated zero tolerance for internal fraud, yet the proactive measures are either ineffective, do not cover the entire organisation or are lacking completely.

2.  Fraud investigation (reactive measures when an incident occurs)

Often financial institutions defend their zero tolerance for internal fraud on the basis that they investigate all fraud matters. The flaw in this approach is that it ignores the application of preventative measures. A true low, or zero, appetite for fraud requires more than just a reactive framework.

Finding the sweet spot between ‘low and no’ appetite

A certain level of internal fraud will probably occur as a commercial reality of doing business. How does a financial institution manage the optics of a low appetite and still communicate the message to employees that it is not ‘open slather’? A key plank in a fraud risk framework is strong deterrence, with overt condemnation of internal fraud and ‘tone at the top’ messages and behaviours. It comes down to the way risk appetite is operationalised and embedded into the organisation’s day to day business.

Where should financial institutions start when determining an appropriate level of internal fraud risk and putting in a mitigating framework to align to that level?

For starters, risk appetite for fraud loss should be a standard part of the risk management planning cycle. Calculations should be based on robust information on actual experiences and predicted risks, including the risks and rewards of new products and channels. Once the level of fraud risk appetite has been agreed, it should be communicated across the institution and oversight procedures put in place.

At the other end of the cycle, reporting should occur in line with a pre-defined risk appetite, with appropriate intervention when both positive and negative variances to the plan occur. Socialisation of notable results should be supported with strong messages, reinforced from the top of the institution.

Keeping pace with change

Fraud risk management is not a set and forget exercise. Fraud risk, like other risks, is fluid and ongoing monitoring is required to capture material changes. Many financial institutions are already in the process of de-risking their books and ending customer relationships where they present too high a risk.

Similarly, as the Australian superannuation sector continues to evolve and go through further consolidation and new parties get introduced into the delivery cycle and supply chain, enhanced due diligence processes should be put in place to ensure any new acquisitions have fraud risk profiles and a defined risk appetite that align to the core business.


Tony Prior is a Director in Ernst & Young’s financial services specialist fraud investigation and dispute services team. The views expressed in this article are the views of the author, not EY. The article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.


Leave a Comment:



Lessons from the Volkswagen scandal


Most viewed in recent weeks

24 hot stocks and funds for 2021

Many investors use the new year to review their portfolios, and in this free ebook, two dozen fund managers and product providers give their best ideas for 2021 - some stocks, some funds, some sectors.

Great new ways the Government helps retirees

Last year's retiree checklist of services available was one of our most popular articles. There are some additions for 2021, and while it can take effort to set them up, they can pay off over the long term.

The hazards of asset allocation in a late-stage major bubble

The Grantham article everyone is quoting, in full. "The long, long bull market since 2009 has finally matured into a fully-fledged epic bubble ... this could very well be the most important event of your investing lives."

Four simple strategies deliver long-term investing comfort

A long-time advocate of the merits of generating income by investing in industrial companies rather than bonds or deposits checks his 'mothership' chart for the latest results, and continues to feel vindicated.

Cut it out ... millionaires are not wealthy

The widespread use of 'millionaire' must stop. Inflation means that the basket of goods and services that cost $1 million in 1960 now requires $15 million. Today, millionaires are not wealthy.

Retirement changes everything: a post-retirement investing framework

Categorising post-retirement needs – living, lifestyle, legacy and contingency – creates a framework for retirees. Advisers can translate these needs into investment goals and portfolios.

Latest Updates

Investment strategies

Unfortunately, all fund manager presentations are good

Part of the fund manager's job is to raise money from investors, and with years of practice, a few good stock stories and an educated guess on the future, it's not hard to present well. That's a problem for investors.

Latest from Morningstar

Win some, lose some: Buffett's 2020 scorecard

Warren Buffett's investment portfolio gains attention because of his legendary status, but parts of his empire in insurance, railways, metalworking and aircraft suppliers have been damaged by the pandemic.


Prefer or defer? Sector and investment themes for 2021

It's time for equity prices to more closely tie to a company’s underlying near-term earnings trajectory and financial strength. Despite the market trading at record levels, some stocks have been left behind.


Is cancelling the SG increase a retiree version of ‘Buy now, pay later’?

No doubt, any reduction or deferral in the SG increase would be received favourably by many. However, early access and lower contributions undermine the foundation of our super system.

Three ways to match housing affordability with good returns

This increased focus on affordable housing is welcome but the challenge is that investors typically require ‘market’ rate financial returns. By definition, social housing tenants cannot pay market rent.

Investment strategies

Investors face their own Breaking Bad moment

Savers are making small decision after small decision that leads them away from investing and closer to outright speculating. Time will tell if this ends in a bloody climax or we all live happily ever after.


Australian banks prove resilient but risks remain

Australian major banks reported a decline in financial performance in 2020 but as the impact of the pandemic evolves, the banks maintained a strong focus on customers. Is the renewed market optimism justified?

  • KPMG
  • 1 January 2020



© 2021 Morningstar, Inc. All rights reserved.

The data, research and opinions provided here are for information purposes; are not an offer to buy or sell a security; and are not warranted to be correct, complete or accurate. Morningstar, its affiliates, and third party content providers are not responsible for any investment decisions, damages or losses resulting from, or related to, the data and analyses or their use.
Any general advice or class service prepared by Morningstar Australasia Pty Ltd (ABN: 95 090 665 544, AFSL: 240892) and/or Morningstar Research Ltd, subsidiaries of Morningstar, Inc, has been prepared by without reference to your objectives, financial situation or needs. Refer to our Financial Services Guide (FSG) for more information. You should consider the advice in light of these matters and if applicable, the relevant Product Disclosure Statement before making any decision to invest. Past performance does not necessarily indicate a financial product’s future performance. To obtain advice tailored to your situation, contact a professional financial adviser. Articles are current as at date of publication.
This website contains information and opinions provided by third parties. Inclusion of this information does not necessarily represent Morningstar’s positions, strategies or opinions and should not be considered an endorsement by Morningstar.

Website Development by Master Publisher.