I was lucky to chair the recent ViB conference on Fraud Management and RA held in Dubai, where there were a number of high quality presentations. Hayley Daniels of Neural Technologies gave a very informative talk on fraud. Her thoughts on internal fraud got me thinking. She provided the following checklist for opportunistic internal fraud:
- Knowledge of process;
- In a position of trust;
- Close alliance with suppliers;
- Collusion;
- Lack of adequate controls;
- Lack of policies and procedures;
- Turnover of crucial employees;
- Constantly operating under crisis conditions; and
- Impersonal relationships and low morale.
Take a look at that list once more. Then think about the typical revenue assurance department. Do they have knowledge of processes? Yup. Are they in a position of trust, with access to sensitive data and the right to direct alterations to it? Yup. Whilst they give out controls to others, might they lack adequate controls, especially over the non-standard activities and irregular projects they conduct? Yup. Lack of policies and procedures, especially when taking on new challenges? Yup. Turnover of crucial employees? Yup. Constantly operating under crisis conditions? All too often, yup. And low morale? Sadly, the answer to that is often yes as well.
Then I thought some more. Staff in Revenue Assurance departments have some particular advantages if they were inclined to engage in fraud. They may be free to direct and give approval to changes to network and billing data, especially during data cleanses and system migrations, but who supervises and reviews whether those changes are correct and justified? Revenue Assurance may have liberty to set up and remove services and accounts. They may have access to SS7 probe data and be able to specifically track the calls made and received on specific lines, and even review the content of SMS messages. They will often be responsible for test accounts that are an exception to normal billing activities and hence may not be as well controlled. Many of the staff will have superior skills for manipulating data or a keen understanding of how changes to data may exploit controls weaknesses to the benefit of a customer. Because of recruitment pressures, and because the numbers of staff are relatively low, checks on staff may not be as stringent as in other areas more commonly perceived to be high risk. In addition, vendor, contract and consultant staff may be given unusual levels of freedom to inspect and even alter sensitive data. And finally, the line management responsibility for fraud management and revenue assurance may be unified. A failure to segregate duties magnifies the risk of opportunistic internal fraud executed under the guise of revenue assurance.
Of course, I am not saying that all revenue assurance staff are fraudsters. But they have an unusual freedom and latitude to access systems and data, and direct changes, and with that comes the danger of fraud. So the question is really, what are Fraud departments doing to mitigate the particular and unique risks relevant to the Revenue Assurance department? If they are just trusting that revenue assurance people care about the bottom line, and cannot be corrupted, surely they are missing the point of why fraud takes place? And when Fraud and Revenue Assurance reports to the same manager, who is expert enough to ensure that there is no collusion between the two? These are all tricky questions, but staff who work in fraud prevention or revenue assurance should aim to provide good answers.
