Ask the experts in fraud and risk mitigation.
FAQs - Frequently Asked Questions.
What should I do to prevent Losses in my Business / Bank / Organisation / etc?
Let’s face the facts – ‘risks are always present’, ‘people will get attacked’, ‘mistakes will be made’ and ‘fraud is a popular crime’. Attacks, mistakes and risks arise from individuals, often in a position of a trust and close to you – an employee, a contractor or consultant, one of your approved suppliers or a trusted third party, one of your clients or customers.
Once you have found or been advised of incidents of suspected or confirmed risks or frauds - take action. Do not just assume that it will stop or go away. People always exploit weaknesses in an organisation.
An organisation needs a very public policy – both internally and externally of its tolerance level to errors, risky or illegal activity, rule breaking or fraud and other criminal activity.
Make it clear that doing risky things, carrying out fraud and/or dishonesty is unacceptable. Make it clear you have appropriate controls to proactively highlight such behaviour and that additional reactive controls are quick and effective; and make sure that people know that you will prosecute any crimes or dishonesty.
Look for anomalies in your businesses with scoring systems and exception reporting; and then implement them in a way that you ‘do better’ with these solutions than your competitors do.
What can I do to Stop / Detect / Prevent any kind of risk in my Organisation?
Exposures, risks, frauds, crime etc. can arise in many ways. There can appear to be small, one-off, opportunist, even ‘nothing to worry about’. Often things start with ‘small-time’ criminal activity or corner-cutting – whether a member of staff or contractor, a trusted supplier or a customer. If people think that they have ‘got away with it’ once, why not again, and why not a little more adventurous next time?
Being purely reactive and waiting for losses, fines, fraud or other types of cases - i.e. when they become obvious and are be spotted is dangerous. Good risk management uses a balance of understanding and learning from what has already taken place. But better risk management is also looking for, pre-empting and be proactive to losses and problems before they happen or as they are taking place.
Good risk managers work across the business to ensure appropriate disciplines and culture are in place and understood. They use a balance of processes and procedures to provide clarity in cases of uncertainty, suspicion and identification of risks that are being perpetrated.
How a Risk Specialist Can Help to Stop Losses in a Company / Bank / Organisation?
An independent specialist can step back from the day-to-day operations, be pragmatic, be challenging, question, listen and question again. A risk specialist will take a company-wide view, look at things top-down, bottom-up and horizontally. Specialists will assess how strategy and vision fit with policies, processes, and procedures, how successful the business is and how has this success being delivered.
This is what they do every day too.
How to Review the risk within an organisation before making an acquisition? What is Due Diligence?
Due diligence is really all about checking the details of ‘something’ before progressing towards a legal contract.
Before making a large purchase or investment, you generally need a trusted second opinion – on the products, the business, its culture and governance, systems integration, its finances, its history, its prospects.
One could argue that the banks which went into public ownership in recent years in the UK, did not do their ‘risk due diligence’ sufficiently – i.e. with Lloyds Bank not understanding fully what they were purchasing with HBoS and with RBS not understanding the ABM AMRO deal properly.
An acquisition due diligence will generally include a contractual/legal review and a financial/performance review; but commonly the risks associated with an acquisition will be less understood or explored.
The Riskskill team works with acquisition teams to highlight challenges and issues and to understand the work and costs needed to address these upon acquisition.
What is Compliance?
We are bound by an increasingly complex set of rules and regulations, that determine what we can/cannot do, what we must do, demonstrate that we are performing it, achieving necessary requirements and reporting on it accordingly. Across Financial Services and dealing with customers, there is a complex web of inter-related, and sometimes not, requirements and at various levels – industry or product-specific, national, European or international application.
Compliance management not only interprets these various requirements and the constant updates to a business, but ensures that the business is continually operating in an appropriate manner, safeguarding the business itself and the actions of any third parties, its IP, its customers and their personal information, and all those people and organisations that interact with the business.
The intention is to prevent and detect fraudulent or risky activity at the earliest possible opportunity, to be seen and to take appropriate actions. Failure to be and be seen to be acting in an appropriate and timely way can be expensive. It undermines the credibility of the business and the industry it operates in.
Not doing enough to understand your customers, preventing payments fraud or money laundering, averting a data breach, looking after someone’s personal data or promptly reporting an incident can lead to brand and reputational damage, financial losses, business operating restrictions and excessive scheme or regulatory non-compliance fines or penalties.
What is Operational Risk Review?
How well a business is managed and its success can often be gauged by the operational controls in place, and in having a clear strategy and vision. A review will start with a review of the executive leadership, and management and staff, of the culture in the organisation and of the risk-awareness in decision-making and the actions taken.
Operational Risk flows through to staff, how they are trained, whether this is sufficient and whether they are equipped with the right tools and services – and whether manual and/or automated.
Policies, processes, procedures and documentation must be in place and adhered to, to ensure understanding of who does what, when, why and how, not just within departments but their interaction with others internally and externally.
Riskskill provides the expertise to review what is in place, assess the merits of what is seen and to provide a prioritised action list of what the ‘next steps’ should be.
What is Credit Risk Review?
In business operating environments we always need to be looking forward, planning for growth, expansion, new products and services, new customers and more business from existing success.
We must also be aware of potential threats - environmental, economic, regulatory, political, etc., that may adversely impact our business performance or that of our customers.
Credit Risk Reviews allow a business to plan for future known and unknown events on the business and more importantly on its customers. Sudden changes in business performance or specific events can lead to a customer’s inability to meet its obligations, pay its bills, service its customers, etc. A sudden increase in fraud activity, customer disputes, brand/reputation damage, delayed product launch can lead to claims on a business that must be covered. This review ensures that the business understands what to look for and quantify it, then ensure that appropriate controls are agreed and in place, e.g. financial guarantees, collateral, etc.
What is Financial Risk Review?
Financial Risk Reviews are not just about ‘balancing the books’, but about understanding the money-flows in and out of a business. Strong financial management is a regulatory requirement, maximising performance, profitability and business success are down to the business itself.
Riskskill is not staffed by accountants or financial auditors, but has the industry awareness and knowledge to work with Clients to help understand various areas that impact financial performance. This includes, but is not limited to:
Interchange rates and performance optimisation
Authorisation and settlement currencies
Exception item processing – refunds and chargebacks
What is Enterprise Risk Management?
Enterprise Risk Management (ERM) has become one of those phrases that is used to ‘mystify people’ and make things appear more complicated than they really are. Backed by regulatory requirements in many markets and industries, it comes with a very ‘consultant-like’ set of processes and analytical tools – but really it is a structured way of trying to get an organisation to think, operate, prevent and plan for risks in and across the business, to take steps to avoid these risks, accept the risks or find other ways around the risks.
Above all though, it is about understanding the risks, quantifying them and monitoring them. This is all driven by various regulations that are in place to make sure that BIG companies (particularly in the financial sector) do not fail and that they have sufficient control and enough capital/ in place.
Risks will include operational risks (staffing, products customer satisfaction, supply / demand, training reputation etc.), financial risks (currency, interest rate, liquidity, depreciations, profitability and pricing), strategic (strategy, direction, planning, SWOT, capital / working capital adequacy, social trends etc.), and Environmental / Hazard risks (such as legal, political, geographical, natural catastrophe, property etc.).
Riskskill takes a practical perspective on the Enterprise Risks within a business. However, there are many regulations and formal processes that regulators and industry bodies expect to be followed that structure and prove that this has been done in a structured and documented way including some rather arbitrary Frameworks and Components for addressing the business and issues that arise.
Can Fraud / Risk be Prevented?
In many ways ‘fraud management’ is a reactive thing: i.e. we must look in the right place and know where to look, how to assess the risks, determine what needs to happen and implement solution. So much of what we do is reactive and must be done quickly – and making sure that the business does not suffer as a result.
Anti-fraud practices and risk management must also include prevention. This starts with management focusing the business upon a clear fraud strategy with sound risk measurements and controls over ‘day-to-day operations’. It also means that businesses must design and implement new products and processes that deter fraudsters and attract good customers.
Risk management should not be viewed as a business prevention procedure, i.e. “No we can’t do that”.
Effective risk management culture and application should be saying ”Yes we should be doing this, but these linked controls must be assessed or mitigated beforehand”.
Can Card Fraud be Prevented?
Card Fraud rises and falls – across countries and by type of payment and method of use of cards and in many other ways. There are many fundamentals that can help an organisation prevent and then deal with fraud and losses and include (at a very simplistic level):
As an immediate deterrent value, remind your staff, customers, clients, etc., of your approach to risk and fraud – not tolerated, prevention and detection methods in place, actions deployed to recover losses.
Ensure legal terms – contracts, Ts & Cs etc., reflect what is required, not tolerated and the actions that will be followed in the case of a breach of these conditions.
Making sure that we know who our customers are.
Making sure that we track what our customers do.
Tracking our losses.
Making sure that we have measurement and management systems in place
Making sure that our whole ethos and decision-making is both fast, pro-active and also enshrined in early action and preventative thinking.
Considering how we recover losses and if/how and why we prosecute as a prevention and deterrent to others.
Making sure that we make the position, losses and processes as transparent as possible in the business and,
Ensuring that we adopt the latest and ‘next generation’ solutions and prevention / detection tools available in the market and that we engage with the industry on these.
What is a Risk Review?
At Riskskill, we carry out risk reviews on a regular basis for our new clients – who will generally want to determine what they need to do and in a prioritised order. Such clients invariably ask for further help to address the challenges that they have and the losses that they might be experiencing.
A risk review is the first stage, where Riskskill responds to an initial need to identify where all the strong controls and gaps are, and what needs to be done. Our team will focus upon: the strategy, management and measurements of risk; who is doing what and where; prevention solutions across the sales / marketing functions and their interaction with Risk; how we detect fraud and risks, compliance issues and regulatory issues; how we investigate problems and cases where there are problems, and how we put things right for the future, how data is used. The challenges and the way to put things right are always different for every organisation and are almost always a combination of strategy, ethos and direction / measurement; through to operational impact, process and procedures.
Can Mobile Payment Fraud be Prevented?
All of the above apply, but we have to demystify the term ‘mobile payment fraud’ a little more.
Mobile Payments can be simply payments that are made on any computer and are now made on a mobile device; or they can be new applications built for the mobile device to do this, or even new money systems that are only available on the mobile device as a wallet or other solution and are also now increasingly involving new ideas and technologies including the Blockchain and digital currencies, such as Bitcoin.
Whatever the type of solution involved there will be new risks to be considered and managed. Many of these will be ‘technical’ – i.e. the encryption and/or where and how data is stored and/or transmitted; but equally many of them are more practical in nature – such as how we identify our customers and whether and how we can rely upon the technology.
Mobile is changing the face of payments. It is moving the controls away from the banks and merchants to the customer – it is their mobile device.
At Riskskill, we will help guide you through these issues and help you plan to prevent mobile payment fraud.
How can Frauds be Prevented in Insurance Companies?
Within Insurance companies, the same principles apply – indeed a) – h) in the card fraud prevention question equally apply here. Taking on new customers has to be done with a fine balance of knowing who they are and avoiding friction with new customer set-up; allowing customers to ‘use’ the services / policies, and yet understanding and tracking their behaviour along the way.
In Insurance, it is important to have a clear view on where the customer comes from, what they do, how they are applying for insurance and why and what their history with insurance is.
Many fraudsters or poor risks will be from organised fraudsters doing the same thing over and over again from the same locations and or computers with few barriers to entry – and with the problems managed only in arrears within a claims environment. There will also be many opportunists who lie about their past experiences and/or lie when things start to go wrong – which need to be addressed with data, with behavioural tools and/or checking of people and their situations. And the better companies do this at an underwriting or account-management stage rather than waiting for the claims to arise.
How can Frauds be Prevented in Telecom Companies?
Within Telecom companies the same principles apply – indeed a) – h) in the card fraud prevention question equally apply here. Taking on new customers has to be done with a fine balance of knowing who they are and avoiding friction with new customer set-up; allowing customers to ‘use’ the services / policies, and yet understanding and tracking their behaviour along the way.
In Telecoms, fraud can be controlled by simply restricting access to the network. But as consumers become able to do more with their telephone account, i.e. charge purchases to the telephone bill via their mobile, the dynamics change. Telcos have to think like traditional card issuers or work with trusted parties to do so. Fraud and bad debt, if not properly controlled will become a challenge – leading to financial losses, reputational damage etc.
Where can I Find a Good Reliable Risk & Fraud Specialist?
The Riskskill team provides trusted expertise in many aspects of electronic payments, retail banking, retail payments, insurance services and more, with respect to anti-fraud, compliance, data security and general risk management.
Riskskill not only provides real practitioners in risk management from across the payments industry, banking and retail, but also people who will look for the ‘bigger picture’ and/or creative new thinking that balances effective risk management with the commercial and strategic needs of a business.
And if we cannot help you directly, we will work to find you the right specialist for your specific needs; either through our partners or through AIRFA (the Association of Independent Risk & Fraud Advisors).
Does RiskSkill Provide its Services Globally?
Riskskill, though based in Europe, is global in the provision of its consulting and advisory services. It has clients across Europe, North America, Africa and the Middle East, and is expanding into the AsiaPacific region as clients hear about our solutions and what we have done for others.
Riskskill is proud to be an approved partner for Visa Inc. for risk-related reviews of card acquiring and pre-paid card programmes.
When Should I take Solutions provided by Riskskill or other Consultants?
With ‘luck and a fair wind’….. you will not need the services of a risk professional; as understanding and taking calculated risks is part of any successful business.
With any business that takes, makes and/or processes payments and deals with customers there will be risks and losses, collections, compliance issues and fraud challenges.
Being proactive, and understanding the business are valuable assets, which help management identify and address issues as they arise and prevent them before they become an issue.
A risk professional will:
Give impartial, trusted and experienced advice on any issues
Work on progressing strategy definition, policy and procedures development
Describe how to integrate anti-fraud tools and services into the business.
Help make sense of advice from an auditor, from one of the big general consultancy companies or other internal groups in larger businesses.
Help provide resource at times of extreme growth or losses that will help balance the wide and conflicting needs of a business, e.g. risk management vs. sales management.
Dive-in to help with regulatory issues and audits, fines and/or other losses that you may face.
What is VISA / MasterCard Compliance?
For payment businesses, MasterCard and Visa (and other schemes) are integral to every aspect of the business. Visa and MasterCard like their ‘brands’ to be associated with legal, reputable and ethical business. Over the last 60+ years, the schemes have spent a lot of effort building the payment system, its technical infrastructure and brand reputation. They have a lot to protect.
Accordingly, MasterCard and Visa rules dictate that business must be managed to avoid illegal, undesirable, misleading, or unsavoury or even inefficient activity, i.e. anything that is not tolerated within society or could bring the card scheme brand into disrepute. Much of this is based around laws such as gambling laws, data protection legislation, money laundering regulations, terrorism laws etc. - so often founded upon song foundations.
For instance, because of the legalities, child or animal pornography must not be distributed and paid for using any part of the payments systems; but more subtly there are many other legality issues that apply within distinct countries relating to payments, imports and exports or trade restrictions that must be followed: particularly when it comes to gambling (and/or gaming), prescription drugs, neutraceuticals, pharmaceuticals, tobacco, alcohol and adult content distribution.
The payment schemes enforce this compliance through the issuing and acquiring members, who in turn manage the understanding and actions of their customers, whether cardholders and/or merchants.
Organisations that MasterCard and Visa consider not to have complied with their rules or other applicable legislation, will be required to correct the position and to ‘move into compliance’ – very quickly – depending upon the severity of the issues.
There will also be concerns and compliance issues that relate to transaction data quality, excessive fraud and high levels of customer disputes/chargebacks, illegal sales, misleading sales practices and many, many more.
In the absence of swift corrective action or continued failure to comply with card scheme requirements may incur additional fees, financial penalties, operating restrictions or the removal of access rights in accepting card payments. The schemes apply this to their customer – the card issuing or acquiring member organisation. In turn, subject to contractual terms the organisation will attempt to pass any fines or losses onto its customer – whether the cardholder and/or merchant.
Riskskill specialists can review a business to assess compliance with many things and/or help work to plan business growth that is compliant and strong. Sadly, we are also often involved too late in the process once the fines and sanctions have gone so far that the position is financially crippling and where radical action is needed to put things right.
We have been instructed to perform an independent risk review by one or more the international cards schemes, what should we do?
We are sorry to hear that you have received this instruction from the card scheme(s) but you are in the right place for the solution. This means that you are either
Too close to specific performance thresholds that determine when compliance programmes will come into force.
You are managing a previous non-compliance situation and need independent assessment of the controls that have been deployed to convince card scheme management to lift operating restrictions or other financial penalties.
Riskskill works closely with the international card schemes and their member organisations. For instance, Visa Inc., appointed Riskskill as one of their trusted global risk reviewers when a Visa Inc client, an acquirer or prepaid issuer, is required to complete an independent assessment.
Riskskill will complete an onsite review on behalf of the client and document in accordance with the Visa Inc Global Acquirer Risk Standards (GARS) programme.
Is hiring a Risk / Fraud professional expensive?
Like anything in life, one gets what one pays for. There are very good specialists and very good generalists too; but also many consultants who do not know or understand or address risk and fraud issues or who understand payments intimately.
The more appropriate question maybe whether a business can afford to keep losing to fraud, debt write-offs, losing customers to bad-service and/or processes, compliance fines or regulator pressure.
The costs of not spending a smaller amount NOW, will often mean lost customers, closure of businesses or markets and regulatory sanctions and fines that can be devastating or cost €£$ millions.
Riskskill specialists find themselves sorting out the severest of problems more often than would be ideal; as big financial organisations really do ‘hold-off’ until things get too difficult to manage, and often to a point when things become public issues and/or industry challenges. We are good at working in these situations, but equally prefer to help businesses to ‘steer the right course’ away from the obstacles before they become major business issues and losses.