
India banking fraud survey - 2012 Navigating the challenging environment

February 2012


Contents
1. Foreword
2. Executive summary
3. About the survey
4. Size of the issue
4.1 What is the industry view
4.2 What is the bank's individual experience
4.3 Why did it happen
4.4 How much did they lose
5. The issue
5.1 Where did it happen
5.2 How did it happen
5.3 Retail Banking
5.4 Corporate Banking
5.5 Priority sector Banking
5.6 Others
5.7 Who committed the fraud
5.8 How was it discovered
5.9 How long did it take to uncover fraud
5.10 What was the response to fraud
6. How are banks geared to fight this menace
6.1 Who is responsible for fraud risk management
6.2 What is the current status of anti fraud programs
6.3 Proactive or reactive - What is the role of technology
7. What does the future foretell
7.1 What are the future trends
7.2 What will be the cost of fighting fraud
Conclusion

1. Foreword
The Indian banking and financial services sector has witnessed exponential growth in the last decade. This growth has not been without its pitfalls as incidents of fraud in the industry have also been on the rise. Deloitte's fraud survey shows that banks have witnessed a rise in the number of fraud incidents in the last one year, and the trend is likely to continue in the near future. The survey points to an increasingly difficult scenario for banks with increased fraud incidents and low recoveries, thereby directly affecting their bottom line.

With increased regulatory scrutiny, banks are under increased pressure to implement best practices and a fraud risk management framework. However, as indicated from the survey, this still appears to be work in progress in many of the organizations.

Risks are inherent in the banking business. In today's economic climate, the adage "prevention is better than cure" has never been more accurate. No organization can be completely immune to fraudulent activity, but steps can be taken to reduce the exposure to financial loss and reputational damage, which are common consequences of fraud.

Deloitte's fraud survey for the banking industry was aimed at gaining an insight into the fraud scenario in the industry, the areas that incur the maximum number of fraud incidents, and the measures organizations are taking to fight the menace. The survey questionnaire was sent out in November 2011 to leading banks in India. The respondents included Chief Risk Officers, Chief Compliance Officers, Heads of internal audit and other senior management personnel.

We would like to take this opportunity to thank the people and organizations who have taken time to share their views about the impact of fraud in their respective organisations. Our gratitude to the executives and their respective banks as the survey would not have been possible without their support. We hope you will find the report insightful and informative.

Avinash Gupta Leader Financial Advisory


2. Executive summary
Over the last few years, India has been one of the world's fastest growing economies with banking and financial services companies experiencing significant growth both in size and profitability. In the last decade, the Indian banking sector grew at an average of 18 percent compared to over 7 percent GDP growth. Frauds in the financial services industry therefore pose a significant risk to institutions, as well as to the integrity of capital markets. Their effect can be widespread, causing long term financial and reputational damage.

Deloitte's fraud survey focuses on the key challenges facing the banking industry in fighting fraud. The objective of the survey is to gain an insight into the current scenario on frauds in the industry, the areas that are prone to fraud, and the way organizations are fighting this menace and preparing for the future.

This survey has been developed based on the survey questionnaire responses received from banks in India including public sector banks, private sector banks, co-operative banks and multi-national (MNC) banks. We have consciously attempted to include a variety of banks with different sizes and type of operations to obtain a comprehensive picture of the fraud environment in the country. The profile of the respondents is given in Section 3.

The survey covers the following key topics:

1. What is happening
   - Current perception of fraud in the country/industry
   - Fraud incidents encountered by the banks
   - Average loss and ability to recover

2. What is the issue
   - Fraud prone areas
   - Root cause analysis
   - Detection mechanism

3. How are banks geared to fight the menace
   - Anti-fraud framework
   - Role of technology

4. What will happen
   - Areas perceived to be vulnerable in the years to come
   - Cost of various anti-fraud measures


Size of the issue

93% of respondents say banking industry has seen an increase of fraud incidents in the last year

An overwhelming 93% of the respondents indicated that there has been an increase in fraud incidents in the banking industry during the last year. Seventy-five percent of these respondents indicated that the banking industry has seen an increase in fraud incidents by at least 5% as compared to the last one year. An analysis of the survey findings for respondents who have disclosed the number of fraud incidents encountered by them indicated that nearly one in every two institutions had encountered more than 50 incidents of fraud within the organization in the last one year. Similarly, one in every four institutions has witnessed at least 100+ fraud incidents in the last one year. Banks with higher asset size appear to have encountered more fraud incidents. The average loss per incident for nearly half of the respondents is more than Rs 10 lac. The average value of recovery for more than half of the respondents is less than 25% of the reported fraud losses.

The banks are able to recover less than 25% of the losses in more than half of the fraud cases


Retail banking has incurred the maximum number of fraud incidents

The Issue What happened?


Banks have encountered the maximum number of fraud incidents in retail banking followed by corporate banking. A majority of the respondents who are actively involved in priority sector have also encountered a significant number of fraud incidents in this area. Fraudulent documentation and overvaluation/non-existence of collateral are the types of fraud incidents which appear to rank high to very high for all the areas of banking operations, i.e. retail, corporate and priority sector. Frauds in private banking are attributed primarily to identity theft and misuse of power of attorney/account takeover. However, interestingly, incidents involving mis-selling have not been identified by banks as a major contributor of frauds in private banking. Treasury and administration/procurement operations appear to have encountered the least number of fraud incidents according to the respondents.

Why did it happen?


About 73% of the respondents cited lack of oversight by line managers or senior managers on deviations from existing process/controls as one of the major reasons, followed by current business pressure to meet targets and difficult business scenario as the other two major reasons for increasing fraud incidents. About 37% of the respondents indicated that there was collusion between the employees and external parties.

How was it discovered?


It appears that a majority of the incidents are still detected through a formal and informal complaint mechanism. A significant 43% of the respondents detected frauds through anonymous complaints by external third party and another 37% through a whistle-blower mechanism. More than half the respondents indicated that they have detected fraud through internal audit reviews. However the worrying sign is that 20% of the respondents indicated that they still detect fraud by accident.

... lack of oversight by line managers or senior managers on deviations from existing process/controls has been identified as one of the major reasons for increased fraud incidents

Technology appears to be gaining prominence in fraud detection. Forty percent of the respondents indicated that they detected fraud using a fraud detection/analytics tool. According to more than half of the respondents, the average time taken to discover a fraud incident is more than six months and 23% of them indicated it to be greater than a year.

How did they respond?


Almost 77% of the respondents indicated that the fraud incidents were investigated internally. However, only 63% of the respondents reported it to the law enforcement agencies.

How are banks geared to fight the menace?


Fraud risk management is being discussed at the board level at least every quarter as indicated by more than 93% of the respondents. Eighty percent of the respondents have indicated that they have a fraud risk management framework in place. The primary responsibility for fraud risk management according to 37% of the respondents is the "Chief Vigilance officer". Only 13% of the respondents indicated that they have a chief fraud risk officer for managing fraud risk.


More than half the respondents discovered fraud after more than six months

Fifty percent of the respondents indicated that they have already implemented a fraud analytics solution, and an overwhelming 73% of these respondents appear to be completely satisfied with the solution. The primary issue for those who have not implemented a fraud analytics solution is "issues in data integration from existing internal system" or data insufficiency.


Future Trends

Fraud risk management is a board level issue

What is in store?
With the current economic scenario, an overwhelming 83% of the respondents have indicated that the fraud incidents will increase, with 64% of them indicating that the increase will be between 6-25%. Of the respondents who indicated that frauds will rise in the coming years, an overwhelming 96% indicated that retail banking will continue to be the most vulnerable to fraud. The surprising revelation is that respondents feel that in the coming years priority sector will contribute to increased fraud incidents with a small decrease in the corporate banking as compared to the current scenario. Surprisingly, a few respondents indicated administration/procurement as the new areas vulnerable to fraud, which is not reflected in the current environment.

Fraud will increase in the years to come

Cost of compliance
An overwhelming 83% of the respondents indicated that the cost of anti-fraud measures will increase over the next two years with "implementing a fraud detection/analytics solution", "periodic fraud assessment", "providing fraud awareness training" and "setting up a dedicated fraud investigative cell" appearing to be the top contributors for this increase in cost.

Frauds in priority sector are expected to increase and the new areas of focus appear to be administration/procurement


Conclusion
Banks are facing a tidal wave of regulatory requirements and are increasingly under regulatory scrutiny. In a bid to tackle the rising incidents of frauds, the Reserve Bank of India has issued various circulars and guidelines for banks to implement robust anti-fraud systems and controls to counter fraud risks. With the expected economic slowdown, the incidences of frauds are expected to increase further, which is confirmed by the survey results. An interesting finding of the survey is that greater the asset size, higher is the number of fraud incidents encountered. This could be due to the fact that as banks continue to increase their asset size by entering into new geographies or by introducing new products and systems, these developments if not managed well could contribute to increased fraud. However, it is important first to note the causes of increase in fraud incidents. According to the survey respondents, it appears that lack of oversight by the line managers or senior managers to the deviations from existing process/controls is cited as one of the major reasons for fraud followed by the current difficult business scenario and business pressure to meet targets. However only 37% of the respondents indicated that there was collusion between the employees and other third parties in perpetrating fraud. So does this indicate business pressure to meet targets is resulting in circumvention of controls? This brings us to a moot question: What does the future foretell? An overwhelming majority of respondents indicated that fraud incidents will increase, with over 64% of them stating that the increase will be at least 6%. In the current fraud situation coupled with the economic scenario it becomes all the more imperative for banks to ensure that they adopt realistic business strategies and ensure adequate internal controls and vigilance so as not to accentuate the existing problem. 
It comes as no surprise that the usual suspect - Retail banking - has been identified as the major contributor of fraud and will continue to do so in the foreseeable future. This fact has been highlighted by the Reserve Bank of India as well through their circular in 2009. As retail banking is more process as well as volume driven and decentralized, increased fraud incidents in this area could possibly be the tip of the iceberg - an indicator of deeper issues waiting to surface that can adversely impact the entire portfolio of the bank. Another area where banks are focusing is on the priority sector not only to meet their priority sector target, but also due to increased expectation of financial inclusion. With a significant number of respondents identifying it to be the area where fraud incidents are expected to increase, banks need to consider the risks involved in priority sector lending and develop appropriate risk mitigation strategies to ensure profitable growth. In the current economic climate, there is increased pressure on organizations to reconsider the way in which they incur and monitor expenses; the focus is shifting to frauds in the procurement/administration functions. One of the reasons that organizations have not been actively focusing on this area is perhaps because of the low ticket size and the difficulty in detecting them. However banks need to scrutinize this area as it not only directly affects their bottom line, but could also lead to potential violation of various anticorruption laws. The Reserve Bank of India has been coming out with various circulars and guidelines prodding banks to adopt measures to fight the menace of fraud. The challenge for banks is to develop comprehensive fraud risk management controls that will not only prevent frauds, but detect them as soon as they occur and respond to them. It is encouraging to note that an overwhelming 80% of the respondents indicated that they had a formal fraud risk framework in place. 
The survey responses when considered separately indicate near uniform adoption of various anti-fraud measures; however, when responses were analyzed there appeared to be some conflicting messages. With 77% of the respondents investigating frauds internally, it appears surprising that only 20% of them had implemented dedicated forensic technology tools for investigation and 28% had implemented an intelligence gathering mechanism, bringing into question the effectiveness of the fraud risk management framework. This could possibly be because fraud risk management techniques are still in the development phase and many of the framework measures may be work in progress. According to the survey, it appears that the majority of the fraud incidents are still detected through a formal and informal complaint mechanism. More than half the respondents indicated that they detected fraud through internal audit reviews. However, the disturbing part is that 20% of the cases were still detected by accident and another 43% were by anonymous complaints by third parties, indicating that in spite of various anti-fraud measures adopted by banks, a significant number of frauds are detected by means other than the organization's fraud control framework. Hence it did not come as a surprise that the average time taken to uncover fraud is more than six months for more than 53% of cases. However, the silver lining is that banks are increasingly looking at leveraging technology solutions to detect fraud in addition to traditional methods like internal audit reviews and whistle-blower mechanisms. Usage of technology solutions can provide banks with a proactive way of identifying Red Flag transactions and weaknesses in their internal controls. With the increase in fraud incidents and recovery being less than 25% for 60% of the respondents, fraud directly affects the bottom line of banks. An overwhelming 83% of the respondents indicated that the cost of fraud risk management will increase over the years, which is attributed to implementing technology solutions, periodic risk assessments, and various due diligence measures. Organizations are slowly realizing that lack of crackdown in controlling frauds could create a culture of acceptability for this behaviour within the organization, leading to increased incidents or more sophisticated frauds in future. By implementing appropriate controls and monitoring mechanisms, management will not only be able to limit frauds, but also set the tone for ethical behaviour within the organization. So this could be money well spent.


3. About the survey


This report presents the key findings from Deloitte's Fraud survey for banks. The survey was conducted over three months from November 2011 to January 2012, to gather the views of key people responsible for fraud risk management in banks. Institutions who participated in the survey included private, public, multi-national and co-operative banks in India. The asset base of the participants varied from less than Rs 500 crore to greater than Rs 5000 crore. The majority of respondents were primarily with asset base of more than Rs 5000 crore. The customer base of the institutions who participated in the survey included those who had less than 10 lacs to a sizeable proportion with more than 50 lacs number of customers. Responses were received from head of fraud risk management for banks or key people responsible for managing fraud risk in the organization.

Fig 1: Respondent banks (categories: Co-operative bank, Foreign bank, Private sector bank, Public sector)

Fig 2: Respondent customer base (categories: < 10 lacs, 10-25 lacs, 25-50 lacs, > 50 lacs)

Fig 3: Respondent department-wise (categories: Audit, Business, Compliance, Operations, Risk)

Fig 4: Respondent asset base (categories: <500 CR, 500-1000 CR, 1000-3000 CR, 3000-5000 CR)


4. Size of the issue


Today financial institutions operate in an increasingly competitive environment with complex products, a slowing economy and a tidal wave of new regulations coupled with new technology, leading to avenues for fraudsters to exploit loopholes. We asked the respondents about the general scenario in the banking industry and their individual organization's experience on frauds.

4.1 What is the industry view?


Ninety-three percent of the respondents indicated that fraud has been on the rise in the industry in the last one year. A breakdown of their responses indicated that 75% of the respondents who perceived an increase in the fraud in the industry believed that the fraud incidents had risen by more than 5%, with nearly one in every two of them believing that it had risen by 5 to 10% and one in every four indicating it to be more than 10%.

Fig 5: Industry perception (Yes: 93%; Don't know: 7%; extent-of-increase categories: < 5%, 5-10%, 10-20%, 20-50%, No change)

4.2 What is the bank's individual experience?


A significant 76% of all institutions surveyed have encountered more than two incidents of fraud within the organization in the last one year, with 40% of them indicating that they have encountered more than 51 cases of fraud within the last one year.

Fig 6: Experience of respondent bank (categories: 2-20, 21-50, 51-100, >100, No incident, Not Disclosed)

Fig 7: Experience of banks vis-a-vis asset base (incident categories: 2-20, 21-50, 51-100, >100; asset base bands: 1000-3000 CR, 3000-5000 CR, > 5000 CR)

Larger organizations are more likely to experience increased fraud incidents. This is true for banks as well. A comparison of the fraud incidents experienced by the organization indicates that banks with larger asset size have been encountering more fraud cases with public, private and MNC banks equally affected by it.


4.3 Why did it happen?


According to the respondents, lack of oversight by line managers or senior management on deviations from existing process/controls, along with difficult business scenarios and business pressure to meet targets, appear to be some of the significant factors contributing to the fraud incidents. It is interesting to note that 37% of respondents have also identified lack of tools to identify Red Flags as one of the factors, which appears to contrast with the responses in Section 6.3 where half the respondents have indicated that they have implemented a fraud analytics solution and an overwhelming 73% of them are completely satisfied with it. Analysis of the responses for those who responded that they were satisfied with their data analytics solution indicated that only 50% of these respondents detected frauds using technology solutions. This variance could be because banks may possibly be using their existing transaction monitoring system or have implemented a limited fraud detection solution for certain areas of their banking operations only. This brings into question the adequacy of these solutions for fraud detection across the banking operations.

Fig 8: Factors contributing to fraud (multiple choice; categories: Not Disclosed, Collusion between employees and external parties, Lack of Fraud Risk Framework within the organization, Business pressure to meet targets, Lack of oversight by line managers or senior management on deviations from existing process/controls, Change to business strategy without changes in business processes, Lack of tools to identify potential Red Flags, Difficult business scenario)


4.4 How much did they lose?


We asked the respondents for the average loss per fraud incident. Forty-seven percent of the respondents indicated that the average loss per incident is more than Rs 10 lac. Another 40% of the respondents indicated that they have incurred an average loss of Rs 10 lac per case. Overall these amounts may appear to be not very significant, but it is important to note that average loss per fraud case will be less for retail or priority sector banking as compared to corporate banking due to smaller ticket sizes. However, it is interesting to note that the average recovery for 60% of the respondents is less than 25%. With only 30% of the respondents indicating recovery of more than 25% of the loss suffered, it appears that banks are not in a position to recover the money lost and will have to write it off, affecting their profitability in addition to reputational damage.

Fig 9: Average loss per fraud incident (categories: 10 Lacs, 10-20 Lacs, 20-50 Lacs, >100 Lacs, Not Disclosed)

Fig 10: Average recovery of fraud loss (categories: < 1%, 1-5%, 5-10%, 10-25%, >25%, Not Disclosed)


Deloitte point of view


Frauds are on the rise and no bank, whether private, public or MNC, is immune to the risk of fraud. As economic conditions continue to soften, it could lead to increased fraud risks. A slowing economy may increase pressure on organisations to meet and often exceed short-term performance goals (sometimes to the detriment of the organization in the long term). In some instances, organizations may expect results that can be achieved only in a thriving economy. It is this mindset in slower economic times that can contribute to increased fraudulent activity, which has been confirmed by respondents who have identified difficult business scenarios and business pressure to meet targets as significant factors contributing to the fraud incidents. Even though the average loss per fraud case appears low, i.e., Rs 10 lac, it should be taken in light of the fact that respondents have indicated that retail banking has contributed the most to fraud in banks. Since the ticket size of retail banking products is small, the average loss per fraud case appears to be less. However, the disconcerting part is that the recovery has been less than 25% according to more than half the respondents, indicating that banks are not able to recover losses in case of frauds. This trend in the context of corporate banking environment is significant given the fact that the value of fraud losses will be higher. With banks struggling to recover the losses, the survey points to a progressively difficult scenario for banks where frauds are increasingly affecting their bottom line.


5. The issue
Since the developments in the 1990s, the entire banking products structure has undergone a major change. With de-regulation, increased competition and IT revolution making it possible to provide ease and flexibility in operations to customers, banks are also evolving and trying to become one-stop financial supermarkets. However, the entire range of banking operations can be segmented into four broad heads - retail, wholesale or corporate banking businesses, treasury operations and other banking activities including advisory services termed as private banking to "high relationship value" clients. Fraud follows opportunity and attacks weakness in the system. It is important to know the areas which are vulnerable to fraud before organizations can start working towards controlling them. With banks operating in various areas, we specifically asked the respondents on the areas where they have encountered fraud and the root cause analysis of the incidents.

5.1 Where did it happen?


An overwhelming 77% of the respondents indicated that they have suffered from frauds in retail banking. The other major area appears to be corporate banking as indicated by 57% of the respondents. Even though only 33% of the respondents have indicated that they have experienced frauds in priority sector lending, a deeper analysis of the results indicated that a significant number of banks active in this area have faced frauds which are not truly reflected in the overall percentages above. Treasury and administration/procurement appear to be the areas least prone to frauds as per the respondents of the survey.

Fig 11: Areas prone to fraud (multiple choice; categories: Retail Banking, Corporate Banking, Private Banking, Treasury, Private sector lending, Administration/Procurement, No Response)

5.2 How did it happen?


With banking operations spanning across multiple areas from retail to corporate, treasury and private banking, the types of fraud will vary considerably depending on the areas and processes applicable. Fraudulent documentation appears to rank as the most common fraud scheme across all the areas of banking operations except treasury operations where it may not be applicable. This brings into question the processes followed by banks in verifying documents/information before entering into a relationship with their customers.


5.3 Retail Banking


With retail banking appearing to be the most vulnerable to fraud, it is interesting to see that the respondents have indicated high to very high incidents of frauds encountered by them involving multiple funding and overvaluation/non-existence of collateral, besides fraudulent documentation. Frauds due to incorrect sanctioning processes and external vendor fraud are also some of the fraud prone areas. An intriguing revelation of this survey is that even though many of the banks outsource the verification and valuation process to third party vendors, the percentage of respondents identifying external vendor induced fraud appears to be relatively low.

Fig 12: Fraud incidents in retail banking (rating scale: Very Low, Low, Medium, High, Very High; categories: Incorrect sanctioning, External vendor induced fraud, Identity theft, Multiple funding, Fraudulent documentation, Overvaluation/non-existence of collateral)

5.4 Corporate Banking


According to the respondents, overvaluation/non-existence of collateral and siphoning of funds are some of the areas where banks have encountered high to very high incidents of fraud. Incorrect financial statements along with asset stripping and incorrect sanctioning, besides fraudulent documentation, are some of the other types of frauds increasingly encountered by the respondents in the corporate banking area. Since banks are encountering frauds which encompass the whole spectrum of the corporate banking process from incorrect sanctioning to siphoning of funds, it is important that banks not only review their sanctioning, but also enhance disbursement and their post disbursement monitoring process. A good practice could be to undertake a closer monitoring of accounts where early signals of stress are seen. The RBI circular of 15 January 2011 provides illustrative steps for banks which may be followed to ensure effective monitoring of end use by the corporates for the credit facilities granted to them.

Fig 13: Fraud incidents in corporate banking (rating scale: Very Low, Low, Medium, High, Very High; categories: Incorrect sanctioning, Asset stripping, Incorrect financial statements, Siphoning/Diversion of funds, Fraudulent documentation, Overvaluation/non-existence of collateral)


5.5 Priority sector Banking


The government of India identified certain sectors as priority sectors and banks were directed to set aside a definite portion of their credit facilities to these sectors. RBI fixes the target for priority sector credit by commercial banks. As per RBI rules, if there is any shortfall in priority sector lending from the above targets and sub targets, the concerned bank should deposit an amount equivalent to the shortfall in certain schemes. We wanted to understand from the banks their experience of priority sector lending, as it has been identified as one which has encountered increased fraud incidents by those who are actively involved in this area. Siphoning of funds and overvaluation/non-existence of collateral are some of the frauds where the most incidents have happened, apart from fraudulent documentation. High to very high incidents of frauds involving identity theft are also identified by 26% of respondents. Since many of the priority sector customers may face challenges in providing the requisite KYC documents, this loophole may be exploited by fraudsters to steal the identity of gullible people and defraud banks. This brings us to the question of the customer due diligence process adopted by the banks for this segment. Since standard identity documents like PAN cards, etc., may not be available with these customers, this problem may continue to persist for some time to come. Hopefully, the Aadhaar program should provide some relief to banks in the future to contain this risk.

Fig 14: Fraud incidents in Priority sector (rating scale: Very Low, Low, Medium, High, Very High; categories: Others - Interface with Government Systems, Siphoning of funds/collateral, Incorrect sanctioning, External vendor induced fraud, Identity theft, Multiple funding, Fraudulent documentation, Overvaluation/non-existence of collateral)

5.6 Others
Ten percent of respondents have indicated that they have encountered fraud in private banking and 3% in treasury operations and administration/procurement functions. Amongst various areas, in private banking, respondents identified fraudulent documentation followed by identity theft as being the highest number of fraud incidents. It is very surprising to note that mis-selling is considered as a low risk, especially in view of the recent incidents highlighted in the media.

Fig 15 : Fraud incidents in Private Banking (chart rating each category from Very Low to Very High: Account takeover/misuse of power of attorney; Misselling; Identity Theft; Fraudulent documentation)

Fig 16 : Frauds incidents in Treasury (chart rating each category from Very Low to Very High: Others - Business Target Pressure; Overriding of controls; Collusion with external parties; Deviations from existing process; Unaccounted trades in error accounts)

5.7 Who committed the fraud?


Fraud occurs because there is a motivation and opportunity to commit fraud. Almost 37% of the respondents indicated involvement of employees, with 64% of these cases involving only one employee in addition to external parties. Although banks have not encountered high levels of collusion, it raises the question: why is there an increase in fraud incidents then? Is it because fraudsters are aware of the lacuna in the banks' internal control systems? Is it because of negligence on the part of employees? While banks can implement the best fraud controls, these cannot be a substitute for diligence, as any loss resulting out of negligence has to be borne by the bank.

As the bank employees are at the forefront of fighting fraud, it is important for the organization to make them aware of their obligations through training. Employees should be provided periodic training for their specific areas of operations, which also includes various applicable fraud scenarios, so that they can pre-empt fraud incidents.

Another important fraud risk management principle is to provide a clear and consistent message through a credible disciplinary system. A well designed disciplinary process providing guidelines on sanctions based on the nature of the offence, and its uniform and consistent application, will go a long way in sending the right signal to both internal and external parties and help prevent/reduce negligent acts.

Fig 17 : Collusion between employees and third party (chart categories: Yes; No; Not Answered; with the Yes responses split into Only 1 employee and More than 1 employee)

5.8 How was it discovered?


A well designed fraud control mechanism should enable organizations to identify frauds proactively. According to 53% of the respondents, frauds were detected through internal audit reviews, and a significant majority of the incidents were still detected through a formal or informal complaint mechanism. The complaint mechanism consisted of 43% respondents detecting frauds through anonymous complaints by external third party and another 37% through a whistle-blower mechanism.

Fig 18 : Fraud Detection mechanism (multiple choice) (chart categories: Anonymous complaint by external party; Internal audit/legal/compliance; Whistleblower mechanism; By accident; Fraud detection/analytics solution; Others; Not disclosed)

With the advent of technology, banks are at the forefront of leveraging technology to fight frauds. Forty percent of respondents were identifying frauds using a fraud analytics solution. This is an encouraging sign, as a proactive fraud detection solution will not only enable banks to identify frauds before they occur, but can also be leveraged to improve their internal control mechanism.

Even though 37% of the respondents indicated that they detected frauds through a whistle-blower mechanism, the number of frauds discovered by anonymous complaints is higher at 43%. This could possibly be because either the whistle-blower mechanism is not implemented fully or the complainants are not comfortable using the whistleblowing hotline. However, the disturbing part is that 20% of the cases were detected by accident and another 43% were by anonymous complaints by third parties, indicating that despite various anti-fraud measures adopted by banks, a significant number of frauds were detected by means other than the organization's fraud control framework. It leads to the question: do many frauds stay undetected?

5.9 How long did it take to uncover fraud?


With a significant 63% of the respondents indicating that they identified frauds through anonymous complaints or by accident, and another 53% detecting them through internal audit reviews, it did not come as a surprise that the average time taken to uncover fraud is more than six months in more than 53% of cases.

Fig 19 : Average detection time for fraud incidents (chart categories: < 6 months; 6-12 months; 12-24 months; > 24 months; Not disclosed)

A timely detection of fraud incidents will go a long way in containing the losses and improving the chances of recovery. It is now time for banks to ensure that their current fraud risk management strategies are revised to ensure that they are in line with the current fraud trends and adequate to take care of future growth besides increasing ways of detecting frauds proactively. Hopefully, with the increase in usage of technology to detect frauds, as mentioned in the previous section, the average time to uncover frauds should reduce in future.

5.10 What was the response to fraud?


According to the survey, 77% of the respondents indicated that they responded to fraud by conducting an internal investigation and 63% reported it to the law enforcement agencies. The respondents also indicated that they allowed the individuals to resign in 10% of the cases, and in 20% of the cases they entered into a negotiated settlement.

An important fraud risk management principle is the tone from the top. A tone that indicates zero tolerance for fraud goes a long way in propagating a disciplinary culture within banks. Any response to fraud should be swift and effective. The RBI circular of September 2009 required banks to investigate large value frauds with the help of skilled manpower for internal punitive action against the staff and external legal prosecution of the fraudsters and their abettors.

Fraud investigation requires specific skill sets like forensic accounting and technology to collect evidence, which may not be available internally. However, with only 3% of the respondents going in for an external investigation and lack of forensic technology tools as indicated in Section 6.2, there could be a possibility of evidence getting lost during this period.

Fig 20 : Response to fraud incident (multiple choice) (chart categories: Internal investigation; Reported to law enforcement agencies; Negotiated settlement; Permitted individual to resign; Termination of contact; External investigation by an independent consultant; Termination of facility and initiate legal action; Not disclosed)

Deloitte point of view


An analysis of the fraud incidents provided by the respondents, as part of the survey, indicates possible control failures throughout the process as shown below.

The risk profile of different segments in banks, like retail or corporate banking, is different, and therefore the processes required to control the risk of fraud in each segment need to be customised for each bank and for its processes applicable to that particular segment. Since retail and priority sector banking needs to be process driven due to the huge volume of transactions, it is suitable for banks to employ a fraud analytics solution to detect anomalies or red flags indicating deviations, an approach which may not be suitable in a corporate banking environment. For corporate banking, adequate due diligence and close post-disbursement monitoring are some measures which can help prevent or detect frauds. Depending on the process, each bank must decide on the control that is appropriate to mitigate the risks.

By adopting a leading-practice approach to designing and implementing anti-fraud programs and controls, banks can reduce the risk of fraudulent activity. Assessing your fraud risks is the first step that can help create greater awareness of where your organization should improve its financial systems and processes. An effective fraud risk management framework will enable banks to have controls that first prevent/reduce the fraud from occurring, detect as soon as a fraud happens and respond effectively to fraud incidents when they occur.

6. How are banks geared to fight this menace


In the wake of increasing incidents of frauds in the financial service sector, the Reserve Bank of India introduced guidelines for a comprehensive Fraud Risk Management (FRM) system for banks, concerning fraud prevention and the role of the management function in an organization to prevent fraud. Stated explicitly within these guidelines is the need for controls related to the prevention, detection and deterrence of fraud, and the roles and responsibilities of the senior management in the fraud prevention and management function. With increased scrutiny by the regulators, top management face enhanced responsibility in identifying and mitigating fraud, error, corruption, non-compliance, and unethical behavior. An effective fraud risk management solution will provide banks with tools and techniques to manage risk in a manner consistent with regulatory requirements, as well as with the entity's business needs and marketplace expectations. Towards this, we asked banks in this survey about the various anti-fraud measures that they have adopted.

6.1 Who is responsible for fraud risk management?


Fraud can have a devastating impact on organizations in other ways as well. In addition to potential revenue leakage, fraud can have a negative impact on a company's reputation, employee morale, and investor confidence. The key objectives of an effective, business-driven fraud risk management approach should encompass controls that help prevent occurrence of fraud, detect fraud as and when it occurs, and provide for an effective response mechanism to limit the consequences of fraud. The challenge for banks is to develop a comprehensive FRM framework which includes identifying, assessing and categorizing risks faced by the organization proactively and developing appropriate mechanisms for preventing, detecting and responding to fraud.

Fig 21 : Implementation status of Fraud risk management framework
Yes: 80%
Partly: 13%
No: 7%

A significant 80% of the respondents indicated that they have already implemented a formal risk management framework at the bank. Fraud risk management has become a board level issue, with an overwhelming 93% of the respondents indicating that these issues are discussed at the board level with senior management at least every quarter. A significant 23% of these respondents said that these issues were discussed at the board level every month.

Fig 22 : Responsibility for fraud risk management
Others: 13%
Internal audit: 3%
Chief vigilance officer: 37%
Chief risk officer (also responsible for financial risk management including credit and market risk): 17%
Chief fraud risk officer (only for fraud risk): 13%
Chief compliance officer: 17%

A small 7% of the respondents have still not implemented a FRM framework, which is surprising considering the increased incidents of fraud and the scrutiny by the regulators. As per RBI's September 2009 circular, the fraud risk management and fraud investigation function must be owned by the bank's CEO, its Audit Committee of the Board and the Special Committee of the Board; and they should set up a dedicated outfit to manage this function. To help ensure that fraud controls remain effective, responsibility for the organization's fraud risk management should be delegated to a person at the senior level who can interact with various departments of the bank like internal audit, vigilance and risk management. The responsibility of fraud risk management is with the chief vigilance officer according to 37% of the respondents. However, only 13% of the respondents indicated that there is a separate chief fraud risk officer who is responsible for only fraud risk management, with another 17% of the respondents indicating that the responsibility for this activity rests with the chief compliance officer or chief risk officer (who is also responsible for financial risk management).

6.2 What is the current status of anti-fraud programs?


A significant number of respondents had indicated that they have implemented a formal fraud risk management framework as mentioned in the earlier section. However, when we asked about the implementation status of various components of the framework, it revealed a startling picture. A small 20% of the respondents have dedicated forensic technology tools for investigation. Similarly, only 28% appear to have implemented an intelligence gathering mechanism. Only 60% of the respondents have a fraud control organization structure with a clearly defined reporting structure and 67% have a fraud control strategy in place.

Fig 23 : Implementation status of fraud risk management elements (chart showing, for each element, the share of respondents answering Implemented, Partially Implemented, Planning to start in the next 12 months, Just Started or Not Started. Elements: Customer screening against negative list; Employee background check; Vendor/third party due diligence; Fraud awareness training; Whistleblower hotline; Employee code of conduct; Fraud risk assessment; Dedicated forensic technology tools for investigation; Intelligence gathering mechanism; Dedicated fraud investigative cell/team and associated process; Fraud control strategy and policies; Fraud control organization structure including clearly defined reporting)

Despite more than half the respondents having implemented a fraud control organization structure, the number of frauds is rising, which brings into question the effectiveness of the fraud risk management framework at the banks. The reason for the lack of complete implementation of all these framework controls could possibly be that many banks are in the early stages of implementation of the framework and these are work in progress.

With the advent of new products and technologies, fraudsters will keep finding new ways to exploit the system. To have a robust and effective fraud control mechanism in place, it is imperative for the banks to keep reviewing their operations and gather market intelligence on the new fraud scenarios to understand their operations' vulnerability to fraud. However, it should be noted that market intelligence plays a key role in understanding new fraud schemes in the market, and banks may need to employ mystery shopping exercises to understand the weaknesses in their systems. So for a meaningful fraud risk assessment, banks should look at increasing their market intelligence capabilities or seek external help.

A quick analysis of the results indicates that banks need to immediately focus and speed up their efforts in the following areas to foster better fraud risk management: intelligence gathering mechanism; dedicated forensic tools for investigation; fraud risk assessment; due diligence of vendor/third party.

6.3 Proactive or reactive - What is the role of technology?


Technology has created new avenues for banks to prevent or detect fraud as many of the indicators of fraud are hidden within the bank's operational data. A clever data analytics tool can mine through this data and identify hidden relationships and red flags. This will enable banks to proactively identify potential fraudulent transactions before they manifest themselves months or years down the line. Half the respondents indicated that they are using fraud analytics solutions to identify potential fraudulent transactions and another 23% are planning to implement it. It is interesting to note that 73% of the respondents who have implemented a solution appear to be completely satisfied with it.

Fig 24 : Role of technology (two charts. Use of a fraud analytics solution: Yes; Planned; No. Satisfaction with the solution: Satisfactory; Satisfactory in certain areas; Partly satisfactory)

Fig 25 : Reason for non-implementation of fraud analytic solution (multiple choice) (chart categories: Issues in data integration from existing internal systems; Do not have sufficient data to implement; Available solutions are expensive; As per our understanding, these solutions have not been effective; There are no systems available that will cater to my needs)

Of the 27% who have not implemented a technology solution, the prominent reasons appear to be data related issues like data integration or data sufficiency issues. The other reasons are: solution being expensive (13%); ineffective solution (25%).

Banks have traditionally been early adopters of technology, resulting in a number of legacy applications catering to various aspects of their operations. These systems often result in islands or pockets of information with limited data. With modern data analytics solutions requiring varied types of data, banks are realizing that they may not have been capturing the requisite information in their existing systems, resulting in a lack of sufficient data for analytics. Also, integrating these varied data sources, which may exist on different platforms with varied formats, is often cumbersome.

Deloitte point of view


One of the important reasons why fraud occurs is that the organizational system/controls provide the fraudster with an opportunity to commit fraud. This condition is principally managed by designing and implementing a control environment that prevents, detects, and deters most fraudulent behavior, whether conducted by employees, vendors, consultants, or in collusion with senior management. As part of such a control environment, there are five key anti-fraud controls that banks can implement, and it begins with the tone at the top.

1. Prevent: Tone at the Top

In organizations with multiple stakeholders, there is a growing need for the board of directors or other governing body to ensure that its governance practices set the tone for fraud risk management. Top management should implement policies that encourage ethical behaviour and demonstrate an enhanced ethical culture (tone at the top). The roles and responsibilities for personnel at all levels of the organization involved in fraud risk management should be defined clearly. The board of directors may appoint a senior person who would be responsible for the anti-fraud efforts and report to the board of directors. Since one of the strongest anti-fraud deterrents is the awareness that fraud prevention and controls are in place, it is essential for the top management to communicate to employees across levels/functions. Additionally, communication of the action taken report to employees will go a long way in reinforcing the message.

2. Prevent: Conduct detailed fraud risk assessments

One of the objectives of a fraud risk assessment is to help focus management's attention on the significant fraud risks to be addressed. A fraud risk assessment can be recurring and systematic, and it can involve various levels of management across all functions of the business. An effective fraud risk assessment may include specific fraud schemes that could be perpetrated against the organization, including the people or departments within the organization that could commit them. The specific fraud schemes identified can be linked to existing internal controls within the organization that can mitigate the fraud risk and a remediation plan for significant fraud risks that could not be linked to existing internal controls.

3. Deter and detect: Promote the tools for effective reporting of suspicious or inappropriate activities

A whistle-blower hotline is one of the easiest and least expensive procedures that can be used for reporting fraud and misconduct. However, the existence of a hotline may not be enough. Management should also consider conducting periodic evaluations to determine whether the whistle-blower hotline is effective, including benchmarking analysis against competitors. The organization should consider the use of an experienced outside agency managing the whistle-blower hotline to enhance the perception of confidentiality.

4. Prevent and deter: Anti-fraud policy and appropriate training

Fraud risks can never be completely eliminated, as some degree of residual risk always exists in the operating environment. Hence actions to minimize such a risk include the fostering and development of a strong ethical culture as a part of the anti-fraud program. It is not uncommon for employees to be confused as to what activities constitute fraud or misconduct against the organization. The tolerance of frauds or misconduct within an organization could also send the wrong message about management's lenience towards employee misconduct and fraudulent behavior. This misunderstanding can be addressed by drafting and publishing an anti-fraud policy that clearly defines fraud and misconduct. This definition of fraud can also include specific, relevant examples of behavior that is not acceptable within the organization. Once the anti-fraud policy is published, periodic training can be held throughout the organization to provide employees with a forum to discuss the importance of ethical behavior. In addition to defining fraud, this policy can also address how the company intends to respond to fraud and misconduct allegations.

5. Deter and detect: Response to fraud allegations

Regardless of the size of the fraud allegation or the individual involved, the organization should consider having a documented policy of how fraud allegations will be investigated and resolved. The policy would typically include procedures for preserving documentation and gathering evidence. The policy can address which individuals or departments should be responsible, accountable, consulted, and informed depending on the nature of the allegation. Similar to fraud risk assessments, there are many companies that may have certified fraud examiners, attorneys, and certified public accountants on the payroll who may be able to conduct an effective internal investigation. However, if the amounts involved are potentially material to the financial statements or might involve members of senior management, leading practices would suggest that in many cases the investigation be conducted by independent attorneys and other third-party specialists.

7. What does the future foretell


Given the current economic scenario and the increased awareness of the risks posed by frauds in the banking sector, we wanted to understand from the survey participants the future trends in this area and, most importantly, the cost of mitigation. Towards this, we asked them to identify the fraud trends and specific areas which they perceive to be the most vulnerable to fraud, and the cost they expect to incur over the next two years on various anti-fraud measures.

7.1 What are the future trends?


Over 83% of respondents felt that fraud incidents will continue to rise in the next two years. Of the respondents who mentioned that frauds will rise and have provided inputs, more than 64% indicated that frauds will rise more than 6%. Thus, the increase in incidents of fraud could be worrisome.

Fig 26 : Future trend in frauds (multiple choice) (chart categories: Fraud incidents will rise; Fraud incidents will remain same; with the expected rise split into <1%; 1-5%; 6-10%; 11-25%; Undisclosed)

An overwhelming 96% of the respondents have indicated that retail banking will be most prone to fraud, followed by the priority sector by 52% respondents and corporate banking at 48%. According to the respondents, the priority sector appears to be more vulnerable in the current situation. Due to the current economic conditions, banks may be planning to grow their retail asset portfolio along with priority sector due to the financial inclusion agenda; it appears that banks do not expect a sizeable increase in frauds in the corporate banking environment. With retail and priority sector appearing to be vulnerable to fraud, banks should focus their efforts on enhancing their fraud risk management efforts in this area if they are to contain their non-performing asset (NPA) levels and also limit losses from fraud.

A recent survey report on occupational fraud and abuse by Association of Fraud Examiners (ACFE) indicates that globally organizations lose approximately 5% of their revenues or more than $2.9 trillion to fraud. Fraud in administration and procurement functions is also expected to contribute to about 14% of fraud incidents. Banks therefore want to focus internally on their operational and administration expenses to contain fraud in this area.

Fig 27 : Areas prone to fraud in future (multiple choice) (chart categories: Retail Banking; Corporate Banking; Private Banking; Treasury; Administration/Procurement; Priority Sector; Not disclosed)

7.2 What will be the cost of fighting fraud?


An overwhelming 83% of the respondents said that the cost of anti-fraud measures will rise over the next two years. The anti-fraud measures contributing to the increase in spending will be in the following order of priority: implementing a fraud detection solution; setting up a dedicated fraud investigative cell; providing fraud awareness training; conducting periodic fraud assessment; conducting vendor due diligence and customer screening against negative list; developing fraud control strategies and policies.

Fig 28 : Cost of Anti fraud measures (chart rating the expected cost of each measure from Very Low to Very High: Customer screening against negative list; Increased vendor/third party due diligence; Providing fraud awareness training; Implementing a whistleblower hotline; Implementing a fraud detection/analytics solution; Periodic fraud risk assessment; Setting up dedicated fraud investigative cell; Developing fraud control strategy and policies)

The results are a bit surprising considering the fact that nearly half of the organizations have indicated that they already have an analytical solution in place and a majority of them are satisfied with its results. However, the fact that anti-fraud spending will increase indicates that some institutions may be using their existing transaction monitoring and other technology solutions to undertake some fraud analytics and would like to go in for a dedicated fraud risk management solution going forward. The other reason could be that these solutions may be catering to specific areas only, and the banks are now looking at enhancing their capability to cover other areas. With retail and priority sector being the focus areas for banks, the increased use of technology is inevitable when dealing with large volumes of data, and banks will not have an option but to seek technology for detecting red flags proactively.

With banks aspiring to go global, they should be cognisant of the fact that prosecutors and regulators across the globe are becoming increasingly active in enforcing anti-corruption legislation. With the advent of the new UK Bribery Act (UKBA) and continued regulatory developments, anti-bribery and corruption compliance would now be a high priority for financial institutions. The highlight of the UKBA is the introduction of a new offence of failing to prevent bribery (including bribery by an associated person of the company), resulting in vendors coming under increased scrutiny. Expectedly, banks will be looking at increased vendor due diligence to not only contain fraud risk, but also to comply with the anti-bribery and corruption laws to which they must adhere.

Conclusion
Risks are inherent in the banking business, but fraud risk is something that no bank would like to deal with. But the fact is that frauds are on the rise and organizations need to put their business affairs in order by having effective control mechanisms in place to curb the menace. Internal controls can weaken over time due to technological advances or human intervention (management override or collusion) or because of the rise in new fraud schemes. Implementing anti-fraud controls is not a fool-proof measure against frauds. Nonetheless, having anti-fraud measures in an organization's control environment can go a long way in deterring individuals from perpetrating fraud because the message going down the line is that the senior management is cognizant of this crime and is committed to preventing it within the organization.

Contacts
Neeta Potnis Senior Director and National Leader Forensic & Dispute Services Mail: neetapotnis@deloitte.com Tel: +91 (22) 61855170

Tedd Avey Senior Director, Forensic & Dispute Services Mail: teddavey@deloitte.com Tel: +91 (22) 61855180

Sumit Makhija Senior Director, Forensic & Dispute Services Mail: sumitmakhija@deloitte.com Tel: +91 124 679 2016

K.V. Karthik Director Lead Financial Services Forensic & Dispute Services Mail: kvkarthik@deloitte.com Tel: +91 (22) 61855212


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). None of DTTIPL, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network) is, by means of this material, rendering professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material. 2012 Deloitte Touche Tohmatsu India Private Limited. Member of Deloitte Touche Tohmatsu Limited
