©2015 Association of Certified Fraud Examiners, Inc.
WELCOME Abuse of Payment Systems in Fraud, Money
Laundering, and Other Financial Crimes
Andrew Koh, CRMA, MSRM, MSGF
Deputy Chief Manager, Risk Control
China Construction Bank Corporation
PRESENTED BY:
ANDREW KOH
2015 ACFE Asia-Pacific
FRAUD CONFERENCE
4-6 November 2015 | Singapore
LINKEDIN Power Profiles S’pore 2015: https://lists.linkedin.com/power-profiles/sg/industry/finance
Thought leader, speaker, moderator, panelist, writer, advisor
• Selected conferences: World Cards & Payments; Financial Times;
RiskMinds Asia; Bloomberg; Cards & Payments Asia; Asian Banker.
• Presented to: Central banks, regulators, government agencies, financial
institutions, varsities, private equity, and fin-tech firms.
• Published articles for award winning magazine: StrategicRisk Asia.
25 years in banking, finance, payment, and cards sectors
• Experience in Fraud, Basel, ERM, GRC, Outsourcing, RCSA, KRIs, Stress
Testing, Security Incidents, BCP, Audit frameworks & systems.
Avid Lifelong Learner
• CRMA (The Institute of Internal Auditors, U.S.)
• MS Risk Management (NYU Leonard N. Stern School of Business)
• MS Global Finance (HKUST + NYU Stern School of Business)
• MBA (University of Manchester, Manchester Business School)
JUST HOW MUCH ABUSE IS DONE ON PAYMENT SYSTEMS?
AGENDA
1. Actionable and effective controls to manage frauds, ML,
and other financial crimes
2. How to analyse transaction patterns to detect financial
crimes and e-payment frauds
3. Effective use of fraud filter rules to sift out false positives
4. How should an institution operating in several countries
protect its operations against cross border
fraudulent activities through its services?
5. Rise of new fraud threats from alternative e-payment
systems: e-wallets, crypto-currencies, mobile payments
6. Challenges in adopting advanced payment technologies
and best payment practices
1. ACTIONABLE AND EFFECTIVE CONTROLS TO MANAGE
FRAUDS, ML, AND OTHER FINANCIAL CRIMES
1. CUSTOMER DUE DILIGENCE covering on-boarding of
merchants / content providers prior to signing up
mobile/digital payment services
DO NOT BOARD applicants engaging in ILLEGAL
ACTIVITIES.
Get applicant’s name, address, and bank account
details at a minimum.
Conduct business and credit searches.
Collect multiple screen shots of online content that the
e-commerce merchants offer.
2. ANTI-MONEY LAUNDERING RULES apply on entire end-to-
end business transactions
Finding the source of money and who owns it
Filtering out potential suspects on sanction lists
Escalating issues to senior management and the board
for approval and oversight
3. RISK MONITORING ON SUSPICIOUS / UNUSUAL
TRANSACTIONS on merchants / end users / purchasers
Understanding of root causes
Effectively filtering out false positives to focus on
real / genuine cases
4. INDUSTRY COLLABORATION and INFORMATION SHARING
Volunteer participation in informal working groups to
discuss practical issues across different industries
5. COMMERCIAL CONSIDERATIONS
Commercial advantages of credit card rules favouring:
(i) Merchants--can sign up just once to transact with
global credit card holders
(ii) Consumers--can request refunds and charge-backs
6. CASE STUDY A
How one financial institution created a risk-based fraud
policy to effectively fight against digital payment abuse
CASE STUDY A (ADAPTED FROM ACFE)
FRAUD PREVENTION
FRAUD DETECTION
FRAUD RESPONSE AND REPORTING
FRAUD MONITORING
• Sound fraud risk mgmt structure
• Comprehensive fraud controls.
• Regular fraud awareness training
• Monitoring of key risk indicators
• Detect early fraud warning signs
• Who is responsible for escalating
suspected or confirmed fraud cases to
senior management, Board, or the
regulator?
• Everyone’s business to monitor
fraud
2. HOW TO ANALYSE TRANSACTION PATTERNS TO
DETECT FINANCIAL CRIMES AND E-PAYMENT FRAUDS
1. BE AWARE OF PHISHING WEBSITES
Sometimes bogus sites look better than the real ones!
2. HOLIDAY SEASON TRANSACTIONS
Potential areas to transact illicit transactions
Matching merchant transactions with business nature
3. CANCELLATIONS OF MAJOR EVENTS
Large volumes of refunds and cancellations
High potential for processing “errors”
4. CASE STUDY B
How an FI set up specialised fraud teams to detect and
address illicit financial activities & payment fraud issues
A good fraud team should have the following qualities:
• Be very familiar with product design, rules, and processes
• Be very familiar with police investigation procedures
• Ready to be called into action 24/7 anytime, anywhere
• Dedicated and experienced staff with “never-say-die”
attitude
• A few small teams are better than one big team
• Establish and record a comprehensive audit trail supported
with credible evidence
CASE STUDY B
3. EFFECTIVE USE OF FRAUD FILTER RULES TO SIFT
OUT FALSE POSITIVES
1. ESTABLISH EFFECTIVE TRANSACTION FILTER RULES to
sift out false positives.
Allocate full resources to investigating real cases
Review filter rules to match changing risk profiles
2. EFFECTIVE RISK & FRAUD GOVERNANCE.
Compliance team to inform regulator / police
Fraud team to do the ground investigation work
Risk management team to perform txn monitoring work
Internal audit to report to senior management / board
3. CASE STUDY C
How data analytics can be used to sift out false positives
In the case of duplicate e-payments, data analytics can help
remove the frequent false positives such as:
• Removing voided checks / e-payments
• Removing cancelled invoices
• Reposting of an invoice after removing it.
• Removing cancelled checks / e-payments
• Removing intercompany accounts
• Removing credit value invoices (requires reconciliation)
CASE STUDY C
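The filtering described in Case Study C, sketched as an added example that is not part of the original slides: known false-positive classes are set aside before payments are grouped as duplicate candidates. The ledger rows, field layout and status names are constructed assumptions, and the invoice-number normalisation goes slightly beyond the list on the slide.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger, not real data. Field layout and status names are
# assumptions: (id, vendor, invoice_no, amount, status, intercompany)
PAYMENTS = [
    (1, "V100", "INV-0042", "1200.00", "paid", False),
    (2, "V100", "INV0042", "1200.00", "paid", False),      # true duplicate
    (3, "V200", "7781", "560.50", "voided", False),        # voided e-payment
    (4, "V200", "7781", "560.50", "paid", False),
    (5, "V300", "A-9", "75.00", "invoice_cancelled", False),
    (6, "V300", "A-9", "75.00", "paid", False),
    (7, "V400", "R-15", "310.00", "removed", False),       # invoice removed...
    (8, "V400", "R-15", "310.00", "paid", False),          # ...then reposted
    (9, "IC-SG", "IC-1", "9000.00", "paid", True),         # intercompany
    (10, "IC-SG", "IC-1", "9000.00", "paid", True),
    (11, "V500", "C-3", "-40.00", "paid", False),          # credit value
    (12, "V500", "C-3", "-40.00", "paid", False),
]
NON_PAYMENT_STATUSES = {"voided", "cancelled", "invoice_cancelled", "removed"}

def normalise_invoice(number):
    """Compare invoice numbers without punctuation, case or leading zeros."""
    return "".join(c for c in number.upper() if c.isalnum()).lstrip("0")

def exclusion_reason(status, amount, intercompany):
    """Return why a record is a known false positive, or None to keep it."""
    if status in NON_PAYMENT_STATUSES:
        return status
    if intercompany:
        return "intercompany"
    if amount < 0:
        return "credit_value"  # set aside for reconciliation, not dropped
    return None

def duplicate_candidates(payments):
    """Return (duplicate id groups, {excluded id: reason})."""
    groups, excluded = defaultdict(list), {}
    for pid, vendor, invoice, amount, status, intercompany in payments:
        amount = Decimal(amount)
        reason = exclusion_reason(status, amount, intercompany)
        if reason:
            excluded[pid] = reason
            continue
        groups[(vendor, normalise_invoice(invoice), amount)].append(pid)
    return sorted(g for g in groups.values() if len(g) > 1), excluded
```

On the sample rows, six raw look-alike pairs reduce to one candidate for investigation; the excluded map keeps the reason for each record so credit-value invoices can go to reconciliation.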
4. HOW SHOULD AN INSTITUTION OPERATING IN SEVERAL
COUNTRIES PROTECT ITS OPERATIONS AGAINST CROSS
BORDER FRAUDULENT ACTIVITIES THROUGH ITS SERVICES?
1. Must ESTABLISH A BASELINE POLICY & PROCEDURAL
FRAMEWORK for its global operations.
2. List the “must-haves” driven by regulatory
and/or compliance requirements.
3. Enforce these across its global operations via risk
champions stationed across each country where it
operates and direct reporting to global headquarters.
4. Based on each country’s specific requirements, tailor
SPECIFIC POLICIES AND PROCEDURES.
5. CASE STUDY D: How a major bank uses a technology
platform to monitor its global transactional activities
CASE STUDY D (FALCON PLATFORM)
5. RISE OF NEW FRAUD THREATS FROM ALTERNATIVE
E-PAYMENT SYSTEMS: E-WALLETS, CRYPTO-
CURRENCIES, MOBILE PAYMENTS
1. What are the drivers behind the rise of new fraud threats?
2. INNOVATION > GOVERNANCE, RISK, COMPLIANCE
3. Lack of knowledge and understanding of how
alternative e-payment systems are designed and work
4. Stakeholders are still figuring out how to secure codes
to prevent abuse and hacking
5. CASE STUDY E
What are the new fraud threats from alternative e-payment
systems?
CASE STUDY E – VERIZON 2015 DATA BREACH REPORT
NEW FRAUD THREATS
CASE STUDY E
6. CHALLENGES IN ADOPTING ADVANCED PAYMENT
TECHNOLOGIES AND BEST PAYMENT PRACTICES
1. Need to have CLEAR CORPORATE OBJECTIVES in
using advanced technologies and adopting global payment
practices
2. Can be achieved with very HIGH SET-UP AND MONITORING
COSTS
3. Advanced technologies can either help or hinder business
operations based on user understanding and requirements
4. Global payment practices may not be effective in countries
where card rules are not enforceable as cash is still king
5. CASE STUDY F: How a financial institution failed to set up
an AML system to monitor payment transactions
CASE STUDY F
AML SYSTEM
https://www.linkedin.com/pub/andrew-koh
@KohWee
Contact Information
Q&A