Before Santa Fe Group Senior Advisor Bob Jones shares his insights on 2020 fraud trends, he points out that 2019 is the Year of the Pig. “It’s also the year of ransomware,” adds Jones, who expects ransomware attacks, phishing attacks and other forms of fraudulent activities to continue to hog headlines during the next 12 months.
Jones points to another 2019 development — the Federal Deposit Insurance Corporation’s (FDIC’s) June update to its Consumer Compliance Examination Manual — that has implications for third party risk management (TPRM) professionals’ fraud prevention activities in the financial services sector. Those revisions to the manual most notably include the addition of 21 pages of new guidance on third party risk management considerations and activities in the manual’s Deceptive Practices section.
“The board of directors and management of an insured depository institution are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution” the FDIC lays out in an introduction to the manual’s new TPRM guidance. “The use of third-party relationships does not relinquish responsibility of the board of directors and management. The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors. The more significant the third party program, the more important it is that the institution conduct regular periodic reviews of the adequacy of its oversight and controls over third-party relationships.”
The manual identifies four major components of an effective TPRM process: risk assessment, due diligence, contract structuring and review, and oversight (“monitoring” in Shared Assessments phrasing). “At least three of those components — risk assessment, due diligence and monitoring — and perhaps even the contract structuring piece are areas that the fraud prevention group within a company can offer significant value in helping to manage from a third party risk standpoint,” Jones notes.
The awareness and skeptical mindset that seasoned fraud prevention professionals bring to the table can add value throughout the TPRM lifecycle, as Jones and BlackRock VP Third Party Risk Emily Irving, who also serves as Shared Assessments Steering Committee Vice Chair, wrote earlier this year in their article, The Realities of Raising Fraud Awareness.
Looking ahead, Jones identifies several fraud-related topics that he thinks merit monitoring in 2020:
Jones also sees cause for optimism when it comes to anti-fraud professionals’ involvement in third party risk management programs. While speaking on fraud prevention at a recent meeting of Shared Assessments’ Financial Institutions Vertical Strategy Group (FI-VSG), Jones asked his audience of TPRM professionals how many of them involved anti-fraud experts in their vendor risk management activities. “More than a few hands shot up,” Jones reports, “which I found gratifying.”
These two sets of experts will certainly need to work hand-in-hand if they are to fortify their organization’s fraud-prevention capabilities as new risks unfold in the upcoming Year of the Rat.