2.4.1.2.3 Employee conduct risk
Employee conduct risk can be defined as the risk of harm to the organisation caused by employees falling prey to conflicts of interest or violating the code of conduct. The European Union defines a conflict of interest as a situation
“where the ‘impartial and objective exercise of the functions of a financial actor or other person’ involved in budget implementation ‘is compromised for reasons involving family, emotional life, political or national affinity, economic interest or any other direct or indirect personal interest.’” [57]
According to the US Securities and Exchange Commission (SEC), organisations need to integrate conflict of interest risk into their three lines of defence structure and should consider conflicts of interest throughout their key business processes, including strategic planning, capital allocation, performance monitoring as well as evaluation of business units and individual business leaders. [58]
For further details on conduct risk, we refer to chapter 13.
2.4.1.3 Regulatory compliance risk
The FDIC defines compliance risk in its guidance for managing third-party risk as “the risk arising from violations of laws, rules, or regulations, or from non-compliance with internal policies or procedures or with the institution’s business standards.” [59]
In a slightly more general version, we define regulatory compliance risk as the risk that a financial institution fails to comply with all applicable laws, rules and regulations, across all jurisdictions and business operations in which the institution is active.
A risk event of regulatory non-compliance can lead to significant penalties imposed by regulators. This implies that financial institutions need to be aware at all times of currently relevant regulations, and they need to permanently screen for changes, updates or new regulations both for existing business operations and for new products and service offerings.
2.4.1.4 Fraud risk
Fraud, by definition, entails intentional misconduct designed to evade detection. Fraud risk denotes the vulnerability that an organisation faces from internal or external individuals capable of committing fraud. That fraud risk is considered a sub-risk of operational risk is also visible from the BCBS loss event categorisation within operational risk, as both internal and external fraud are loss event types for the collection of operational risk loss data. [60]
In 2016, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a fraud risk management guide that contains both a definition of fraud and guidance for establishing an overall fraud risk management programme based on principles and points of focus. Its definition of fraud is as follows: “Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.” [61] The guide, however, acknowledges that other definitions exist, including those developed by the Auditing Standards Board of the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, and the Government Accountability Office.
In 2019, the OCC published fraud risk management principles under the heading of operational risks. The definition of fraud provided by the OCC is the following:
“Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain. Fraud is typically categorized as internal or external:
Internal fraud occurs when a director, an employee, a former employee, or a third party engaged by the bank commits fraud, colludes to commit fraud, or otherwise enables or contributes to fraud. […]
External fraud consists of first-party fraud and victim fraud. External fraud is committed by a person or entity that is not a bank employee, a former employee, or a third party engaged by the bank. […]
Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.” [62]
The APRA defines fraud risk, similar to the OCC, as
“the risk of loss from internal fraud or external fraud. These can be defined as: a) internal fraud – losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy (excluding diversity/discrimination events) which involves at least one internal party; and b) external fraud – losses due to acts of a third party that are of a type intended to defraud, misappropriate property or circumvent the law.” [63]
There are a number of sub-types for fraud risk, mainly based on the products or services for which fraud can happen.
2.4.1.4.1 Account-opening fraud risk
According to the Association of Certified Fraud Examiners (ACFE), “new account fraud is generally defined as fraud that occurs on an account within the first 90 days that it is open. It occurs when it is found that the account was opened with the intent to commit fraud.” [64] Based on this, we define account-opening fraud risk for a financial institution as the risk of an account being opened under a false identity and subsequently misused for fraudulent activities.
2.4.1.4.2 Debit/credit card fraud risk
According to Cornell Law School, “Credit card fraud is a form of identity theft that involves an unauthorized taking of another’s credit card information for the purpose of charging purchases to the account or removing funds from it.” [65] The resulting risk is the risk of illegal use of a stolen or counterfeit debit/credit card by a third party and the corresponding losses faced by the bank.
2.4.1.4.3 Fraudulent paper-based payment transactions risk
We define this risk as the risk of losses due to the illegal use of means of payment by falsifying the payment media, such as cheques or bank transfer forms.
2.4.1.4.4 Online banking fraud risk
This risk refers to the illegal use of online banking based on illegitimately obtained user account credentials. These credentials are usually obtained via cyberattacks such as phishing or whaling.
2.4.1.4.5 Credit fraud risk
Credit fraud can be described as the use of someone else’s credentials and credit standing to borrow money without the intention of repayment. The corresponding risk from the perspective of a bank is then the risk of losses due to credit fraud.
2.4.1.4.6 Theft risk
This risk refers to the removal or illicit confiscation of property belonging to another person or entity with the intent to illegally assume ownership of it or to pass it to a third party. In the context of financial institutions, this is the risk of information being stolen and handed to third parties outside the bank. As such, theft risk events may lead to data privacy violations.
2.4.1.4.7 Embezzlement/breach of trust risk
Investopedia describes embezzlement as “a form of white-collar crime in which a person or entity misappropriates the assets entrusted to them. In this type of fraud, the embezzler attains the assets lawfully and has the right to possess them, but the assets are then used for unintended purposes.” [66] The corresponding risk can then be defined as the risk of losses resulting from embezzlement or breach of trust.
2.4.1.4.8 Antitrust violation risk