The COVID-19 pandemic is forcing much of the world to shut down, but businesses like telecommunications providers, financial service providers and retailers must continue operations, albeit with limited resources. With their large customer bases and their online presence, there will likely be gaps in monitoring of controls put in place to manage their fraud risks, creating opportunities for criminals to steal from these businesses or their customers.
A unique set of questions are posed by the pandemic, which limits the mobility of people and resources as a result of self-isolation measures to slow the spread of the virus. The suddenness of the lock down has challenged business leaders and their business continuity plans (BCP). Even more challenging is the uncertainty of the duration of the shutdown. Global businesses with redundancies spread across various countries have had to tinker with their BCP due to the global effect of the pandemic. Indeed, we are in uncharted waters.
Essential services worldwide are on overdrive. Not frequently mentioned, but important to the global COVID-19 fight, are telecommunications and financial services. Health information and updates must be disseminated via telcos. For example, in some countries operators have been mandated to send public health instructions to all phone users via SMS. The availability of good internet services has made it possible to issue ‘stay at home’ directives that might otherwise be unworkable. Customers still transact business through their banking applications which underscores the importance of the financial service industry. However, due to safety reasons, telco and bank employees will work from home like everyone else. This sudden change in the normal way of working might allow fraud to fester undetected.
Over the years, companies in these sectors have implemented fraud management systems that perform automated fraud controls; however, people are still needed to review the alerts, discern between false positives and actual fraud cases and liaise with other functions to close the identified leakages. Fraud management desks in big telcos and banks now run like factory floors, with agents and analysts rummaging through alerts from fraud management tools and escalating exceptions. The restricted mobility will impact work patterns in these ways:
- Access to fraud management tool: Most fraud desks have desktop computers in their workstations and are accessed by agents/analysts on a shift basis. This is cheap to set up, as it allows multiple users to access one workstation at various times. It ensures data security, as only authorised systems can access the company’s sensitive databases in a secure network environment. This is even more important considering the fact that the fraud analyst role is a junior level role with low discretion and high attrition rate. The lockdown means companies might have limited personnel accessing fraud management tools.
- Reduced workforce: Where the companies manage to get employees into the office to work on alerts, this can only be on a skeletal basis as social distancing rules will mean just a few people can be in a confined environment at a time. Having fewer analysts working on the fraud alerts exposes the business to risk that were hitherto mitigated.
These concerns mean companies will have some of their fraud management employees work from home during this period.
Constraints of working from home
- Distractions: Working in the office has its own distractions, but working from home, particularly during this period, may be more distracting. Interruptions from children, work, family may be very disruptive. Also, being at home you may suddenly start feeling obliged to clean the home, cook, or socialise. These are things that the work environment immunises you from.
- Technology failure: Bandwidth utilisation has gone up due to simultaneous access to internet TV and games by children, who are now out of school, and the video conferencing by parents working from home.
- Communication difficulty: The workplace provides the ease of walking up to a colleague and getting a problem solved and issues are resolved speedily. Working from home removes the face to face contacts that sometimes aid quick and quality resolutions.
- Security of corporate information: Home internet is typically less secure than that in the workplace. Hackers and fraudsters may find it easier to illegally access corporate data. This increases corporate espionage risk and theft of customer information.
- Effectiveness of supervision: To work well from home, employees are required to have the discipline and temperament to act independently with reduced oversight. Supervision is a big challenge with remote staff. Working in the same location affords supervisors the opportunity to provide support to employees that may be having challenges. When employees work from home, supervisors lack those visual cues and may not realise there is a problem until it has escalated.
What do we do?
With the obvious limitations of working from home, it is imperative for businesses to take a risk-based approach to managing fraud during this period of increased uncertainty. Companies will have to assess their vulnerability to pre-existing risk and work with limited resources to manage them.
- Create a governance process for fraud risk management: Include fraud management in the business continuity plan of the company with a C-level manager assuming responsibility for fraud management outcomes during the period.
- Risk identification: Each business must be able to assess its risks, and the level of vulnerability to those risks, using a risk matrix that clearly identifies the likelihood of occurrence and the impact when the risk does crystallise. Some of these risks must have been previously identified and redundancies created to mitigate the occurrence. For instance, for a multi-national telco or bank the risk of a business shutdown within a country would be mitigated by having controls transferred to another country with access to database and ability to perform such controls. A simultaneous shutdown of primary control location and redundancy might not have been evaluated in the current BCP. Therefore, there is a need to reassess the fraud risks and create new mitigation plans.
- Prioritise resources: This goes together with the earlier point. Priorities must be restated, and resources redistributed based on the reassessed risk. For instance, the threshold for reporting high data usage by a broadband customer might have to change as the average daily usage has increased now that children and parents are at home. This will reduce the number of alerts and hence the resources thrown at investigating these alerts. Another example is roaming; NRTRDE and HUR files will be fewer due to the significant decline in international travel and consequently in roaming. In financial services, multiple use of a customer’s debit card across widely dispersed locations will be viewed as a greater risk than it was prior to the movement restrictions.
- Suspend non-urgent high-risk changes: Businesses might be tempted to seize this opportunity to get ahead of competition by creating new products, opening new distribution channels, acquiring new wholesale customers and business partners or might just want to continue business as usual by implementing infrastructure changes like network upgrades and changes to IT systems. While these actions might give the business some advantages, these changes are fraught with risks and might not be ideal in the middle of a change management crisis such as this. Creating additional risks should be avoided.
- Escalation and incidence reporting: As part of the BCP, an unambiguous escalation path, which may be different from the escalation path in the normal course of business, must be established. This must be clearly communicated to employees.
More than ever before, the fraud manager is required to be more vigilant during this period. He or she must bring knowledge of resource management, fraud and risk management to bear at this time.
This article is for general information and a broad discourse on this issue. It is not offered as a specific solution to this problem. If you have a question about the article, please contact the author, firstname.lastname@example.org.