Chapter 11: Fraud Management
Introduction:
Fraud is a major challenge that the Licensed Person faces in its day to day operations. Fraud is an intentional deception for unfair or unlawful personal gain. Fraud is not always limited to obtaining cash and tangible benefits. This chapter outlines the minimum requirements of an Anti-Fraud Framework that every Licensed Person must introduce to prevent, detect, investigate and respond to fraud incidents.
11.1 Forms of Fraud
- 11.1.1 Frauds are broadly classified into Internal and External Frauds which are defined below:
  - a) Fraud carried out by individual(s) employed by the Licensed Person is called Internal Fraud; and
  - b) Fraud committed by an external party against the business of the Licensed Person is referred to as External Fraud.
- 11.1.2 Fraud normally includes the following acts, although the list is not exhaustive:
  - a) Misappropriation;
  - b) Misrepresentation:
    - Misrepresentation of Financial Statements; and
    - Misrepresentation of Non-Financial Statements.
  - c) Corruption:
    - Bribery; and
    - Illegal gratuities.
  - d) Misconduct:
    - Breach of internal policies and procedures; and
    - Breach of applicable Laws, Rules, Regulations, Notices and the Standards.
  - e) Any other deliberate deception for unlawful personal gain.
- 11.1.3 Throughout this chapter, the terminology “Fraud” includes all types of frauds mentioned under Paragraphs 11.1.1 and 11.1.2 of this Chapter.
11.2 Anti-Fraud Framework
- 11.2.1 The Licensed Person must implement an appropriate Anti-Fraud Framework in order to prevent, detect, investigate and respond to fraud incidents; and
- 11.2.2 The following are the four basic elements that must be included in the Anti-Fraud Framework at a minimum, depending on the nature, size and complexity of the Licensed Person:

Elements of an Anti-Fraud Framework

  - a) Preventive measures for reducing the risk of Fraud from occurring:
    - Tone at the top by the Board of Directors (or by the Owner/Partners where there is no Board of Directors) on zero tolerance of fraud;
    - Introduce Policies and Procedures including a Code of Conduct and a Fraud Prevention Policy;
    - Conduct Fraud Risk Assessment;
    - Appropriate access controls in sensitive areas, both physical and in IT systems;
    - Segregation of duties (e.g. introducing maker/checker controls);
    - Background screening before hiring employees;
    - Annual declaration completed by all employees to:
      - Disclose conflict of interest, if any; and
      - Confirm their understanding of the Code of Conduct.
    - Provide training to assist employees to prevent fraud and to maintain public confidence.
  - b) Detection measures for discovering fraud when it occurs:
    - Accurate and timely account reconciliations;
    - Independent Audits/AUPs (e.g. by External Auditors);
    - Scrutinizing required documents prior to completing transactions;
    - System controls;
    - Systematic fraud detection tools (to be implemented only if the Licensed Person has more than 25 branches); and
    - Whistleblowing Policy (to be implemented only if the Licensed Person has more than 25 branches).
  - c) Investigation Process that includes the following:
    - Laid down Procedures for investigating fraud incidents through research, follow-up, interviews or a formal procedure of discovery.
  - d) Response
    - Immediate reporting of fraud incidents to the police authorities, FID and the Banking Supervision Department;
    - Recovery through legal action, insurance claim, criminal referrals, disciplinary action, etc.; and
    - Monitoring:
      - Ongoing corrective actions to ensure that internal controls continue to operate effectively; and
      - Ongoing updates to respective policies and procedures to reflect developments in the Licensed Person and its operational environment.
11.3 Roles and Responsibilities
- 11.3.1 The Manager in Charge and the Board of Directors (or the Owner/Partners where there is no Board of Directors) of the Licensed Person have the overall responsibility to create a culture of zero tolerance to fraud and to oversee the implementation of the Anti-Fraud Framework;
- 11.3.2 The Licensed Person must appoint or designate a Fraud Prevention Officer who must be responsible to design, implement and manage an appropriate Anti-Fraud Framework;
- 11.3.3 Depending on the nature, size and complexity of the business, the Licensed Person may appoint a dedicated Fraud Prevention Officer or combine this role with another suitable function subject to the conditions under Paragraphs 7.2.4 (a) of Chapter 7, 16.4.7 (a) and 16.5.1 (g) of Chapter 16;
- 11.3.4 The Licensed Person’s recruitment process must fulfil the requirements of Paragraph 8.2 of Chapter 8 at a minimum;
- 11.3.5 Fraud investigations must be undertaken by a team that includes the Fraud Prevention Officer, Internal Auditor and the concerned functional head at a minimum. The Licensed Person must ensure that a person who is suspected in relation to a fraud incident is not involved in the investigation. The investigation report must be submitted to the Board of Directors (or to the Owner/Partners where there is no Board of Directors);
- 11.3.6 The Licensed Person must consult the legal advisors (internal or external) before, during or after the investigation for guidance on civil and criminal proceedings and recovery of losses;
- 11.3.7 The Human Resources Department of the Licensed Person must take disciplinary action against employees who are involved in perpetrating internal fraud;
- 11.3.8 The Internal Auditor is responsible for:
  - a) conducting Fraud Risk Assessments jointly with the Fraud Prevention Officer on an annual basis and submitting the report to the Board of Directors (or to the Owner/Partners where there is no Board of Directors);
  - b) reviewing the adequacy of related policies and procedures;
  - c) confirming the availability of insurance cover to protect the interest of the Licensed Person;
  - d) confirming the recruitment process is in line with Paragraph 8.2 of Chapter 8;
  - e) confirming that appropriate anti-fraud trainings are given to employees; and
  - f) confirming that fraud incidents are appropriately reported in accordance with Paragraph 11.4 of this Chapter.
11.4 Fraud Reporting
- 11.4.1 All fraud incidents must immediately be reported to:
- 11.4.2 Fraud incidents must be reported to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) immediately when the amount of loss is equal to or above AED 50,000. A summary of other fraud incidents must be sent to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) on a monthly basis, at a minimum.
11.5 Anti-Fraud Training
- 11.5.1 The Licensed Person must ensure that:
  - a) appropriate and documented anti-fraud training is provided to all employees;
  - b) two such trainings are provided to employees during the first year of their employment and annual training is given thereafter;
  - c) training is provided to prevent fraud incidents from taking place at the Licensed Person’s business;
  - d) training covers fraud typologies, fraud detection, fraud prevention, the Licensed Person’s policies/procedures and reporting procedures at a minimum; and
  - e) employees are assessed annually to test their understanding of fraud prevention measures.
- 11.5.2 Anti-fraud training may be in-house, external/outsourced, web based or a combination of all these.
11.6 Fraud Incidents Register
- 11.6.1 The Licensed Person must maintain an appropriate register to record the following information about fraud incidents, and this register must be available for verification by the Central Bank Examiners during an examination:
  - a) Date of fraud incident;
  - b) Brief description of the fraud incident;
  - c) Parties involved;
  - d) Amount of loss;
  - e) Was the loss covered by insurance or not?
  - f) Date of reporting to the police, FID and the Banking Supervision Department;
  - g) Other actions taken; and
  - h) Disciplinary actions taken, if applicable.
- 11.6.2 A review of the Fraud Incident Register must be carried out at the end of every financial year to identify the anti-fraud training needs of employees for the following year.