On July 24th, 2019, the OCC issued Bulletin 2019-37 Operational Risk: Fraud Risk Management Principles. The OCC guidance can be broken down into two separate components: governance and risk management operations. The governance component includes:
Culture
Ethical standards and employee accountability.
Infrastructure
Policies, procedures, processes, controls, personnel sufficient to identify, measure, monitor, and control fraud risk.
Management
A system that allows bank management to assess fraud risk in senior management and board support and knowledge of the impact of fraud on the institution’s business.
The risk management/operational component is simultaneously simpler and more complex, but is made more effective when the institution’s governance house is in good order. We glean that the essence of OCC’s operational requirements is satisfied when the institution implements an effective system that assesses its fraud risk in formal fraud risk assessment and implements systems to:
At an operational level:
- Identify potentially fraudulent transactions
- Investigate fraud in a timely manner and react to known fraud by updating risk assessment and systems to identify/prevent future occurrences
- Interdict/prevent high-probability fraud in real time
At an institutional level:
Quantify, Categorize, Measure, Analyze, Report, React
This speaks to a comprehensive fraud risk assessment that includes data analysis demonstrating to management, institutional leadership, auditors, and regulators a comprehensive view of the institution’s fraud risk (including losses and recoveries) and how the institution mitigates that risk. Much more on this later in this series. From the OCC:
A bank’s risk management system should include policies, processes, personnel, and control systems to effectively identify, measure, monitor, and control fraud risk consistent with the bank’s size, complexity, and risk profile.
The board should receive regular reporting on the bank’s fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank’s fraud risk profile.
About the Author
Mark Stetler is CEO of RegSmart. He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988). Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur. Mark previously co-owned one of the nation’s largest firms specializing in forensic financial audits. He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.
About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.
If you would like to see a demonstration of our best-in-class automated BSA/AML risk assessment and audit applications, please contact us at 214.919.4670, or email John Ravita at jrravita@beregsmart.com or Mark Stetler at mstetler@beregsmart.com. We look forward to visiting with you.