Global Banking Fraud Survey

Global Banking
Fraud Survey
The multi-faceted threat of fraud:
Are banks up to the challenge?
May 2019
kpmg.com
© 2019 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated
with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any
1
other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
2
Content
Foreword
04
Key findings
05
Themes of the survey
06
The fraud operating model
15
Conclusion
19
3
Foreword
KPMG is delighted to share the findings of our inaugural Global Banking Fraud Survey (Survey). The Survey was conducted to obtain a global
perspective of how banks are tackling internal and external fraud threats.
The Survey questioned banking fraud risk, investigations and group security professionals on trends in fraud typologies, challenges banks
are facing in mitigating internal and external threats in the period 2016 to 2018, security in a digital age and how banks are structuring their
teams and deploying resources to optimize their fraud risk management efforts.
KPMG’s Global Banking Survey was conducted between November 2018 and February 2019 across 43 retail banks, 13 of which are in
the Asia-Pacific, 5 in the Americas and 25 in Europe, the Middle East and Africa (EMA) region. Eighteen have annual revenues in excess of
US$10 billion and 31 employ more than 10,000 people across the globe.
We would like to thank the respondents who took the time to participate in the survey. We are delighted to share the results, accompanied
by our own global and regional insights from KPMG member firm professionals.
5 25 13
Americas Europe, Asia-Pacific
The Middle East,
Africa
Source: Global Banking Fraud Survey, KPMG International 2019
“ “
Our survey has identified that fraud costs
are increasing at a faster rate than fraud
risk management spend. A radical rethink
is urgently required.
David Hicks
Global Forensic Leader
KPMG International
Throughout this document, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated
with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has
any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to
obligate or bind any member firm.
4
© 2019 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the
independent member firms of the KPMG network are affiliated.
Key findings
—— Over half of survey respondents globally experienced increases however, customers consider it banks’ responsibility to prevent
in both external fraud total value and volume. Increasing fraud social engineering fraud on their account. Examples of such
typologies globally from 2015 to 2018 include identity theft social engineering methods are set out in Appendix 1.
& account takeover, cyber attack, card not present fraud and
—— The survey found banks globally are seeing an increasing trend
authorized push payments scams. In this report we refer to
in scams. Examples of scam types are set out in Appendix 2.
such customer authorized payments as scams.
Fraudsters are manipulating and coercing customers into
—— The largest portion of respondents globally said that the total making payments to them, bypassing bank controls. The UK
cost, average cost and volume of internal employee fraud has introduced a Contingent Reimbursement Model Code for
detected stayed the same or decreased. This may not, however, Authorised Push Payment Scams to reimburse customers in
present a true picture of the cost of internal fraud. Many certain circumstances; and for regulators and government to
external frauds originate with someone working inside the bank. deliver a sustainable solution for scam victims.
—— Over half of respondents recover less than 25 percent of —— Customers are key in the prevention and detection of fraudulent
fraud losses; demonstrating that fraud prevention is key. activity on their accounts, particularly to reduce scam losses.
Banks are investing in new technologies, including machine More should be done to educate customers about fraud and
learning real time fraud alerts, voice, facial & fingerprint scams.
recognition (biometrics) and profiling how customers interact
—— Open Banking is considered a significant challenge in fraud
with their device and internet banking (behavioral biometrics)
risk by banks, with banks across the globe getting ready to
towards fraud prevention.
open their doors to third parties to access their customer data.
—— In every region, banks surveyed considered the most significant Questions are being raised on the reliance that can be placed on
challenge in fraud risk to be cyber attacks. Fraudsters are third party controls. Open Banking also presents an opportunity
obtaining customer data through hacking, in social engineering to gain a richer customer dataset, which can be used to prevent
attempts, on the dark web and through criminal networks and detect fraudulent activity and recover
following data breaches, outside of banks controls. Ultimately, fraud losses.
< 25% > 50% > 60%

Over half of Over half of Over 60 percent of
respondents recover respondents globally respondents globally
less than an quarter experienced an experienced an increase
of fraud losses. increase in fraud value in fraud volume
“
Typologies
In the context of a changing

Card not present Social Scams Cyber/ online global banking landscape,
(“CNP”) engineering fraud
where the demand for face
Security in a Digital World to face banking is decreasing,
volumes of digital payments
are increasing and payments
Increasing products Rules, machine learning, artificial High volume of
are being processed in
delivered via digital channels intelligence & robotics false positives
seconds, fraudsters are
Investment versus Costs creatively finding new ways
to steal from banks and their
customers. Banks need to
Complex operating
models
Fraud Operating Model

Non-agile
processes
Customer
Education
‘Here and now’ as
opposed to predicting
emerging trends
be agile to respond to new
threats and embrace new
approaches and technologies
“
to predict and prevent fraud.
Lack of a documented Failures to detect Optimizing Financial crime Natalie Faulkner,

Fraud Operating impact management technology versus operations in Global Fraud Lead,
Model and enterprise information and headcount silos
wide Fraud Risk investment decisions KPMG International
Assessment
5
Themes of the survey
Fraud trends
External fraud Internal (employee) fraud
The survey found that in 2018, 61 percent of respondents indicated In contrast, the largest proportion of respondents said that
that the total volume of external fraud had increased and 59 globally the total cost, average cost and volume of internal fraud
percent said the value had increased. stayed the same or decreased in 2017 and 2018. This however,
In most cases, respondents felt the average value of each fraud may not present a complete picture of the internal threat to a
had stayed the same (21%) or decreased (38%). This is likely financial institution, as in our experience many external fraud
due to high volume, low value card fraud. Increasing external incidents originate with experienced criminal operatives working
fraud typologies globally from 2015 to 2018 include identity theft with internal sources who have a detailed working knowledge of
& account takeover/impersonation fraud, cyber attack, card not bank systems, processes and controls (and any control gaps or
present fraud and scams. weaknesses.
The potential harm of insider fraud can be as great, if not greater,
than external fraud, given the ability of employees to exploit
weaknesses in controls to target the most valuable assets of
a bank. Banks should continue to take a proactive approach to
detecting insider fraud.
These statistics are based on fraud detected. In our experience, fraud detection is becoming more sophisticated however there will
be an element of fraud that has slipped through the gaps, yet to be detected.
61% 31% 59% 27% 41% 24%
Volume increasing Value increasing Average value increasing

External Fraud Internal Fraud
Survey fraud typology trends by region 2017-2018 based on the most common response
Fraud loss recoveries Fraud Typology Americas EMA Asia-Pacific
Scams Increased Increased Increased

Over half of survey
Card not present Increased Increased Increased
respondents stated fraud
recoveries were less than Cyber/online fraud Increased Increased Increased
25 percent of fraud losses. Identity theft/impersonation
This low rate demonstrates fraud Increased Increased Increased
the importance of prediction Internal fraud Increased Increased Stayed the same
and prevention efforts. Data theft Increased Stayed the same Increased
Mortgage application fraud Stayed the same Increased Increased
Merchant fraud Stayed the same Stayed the same Stayed the same
Financial statement fraud Stayed the same Stayed the same Stayed the same
Rogue trading Stayed the same Stayed the same Stayed the same
6
Challenges facing banks today
The survey posed the question of what are the most significant challenges faced today by financial institutions in fraud risk. From a list of
seven options1; the top 5 responses by region are represented in the following chart.
Americas EMA Asia-Pacific

1. Cyber and data breaches 1. Cyber and data breaches 1. Cyber and data breaches
2. Faster payments 2. Faster payments 2. Social engineering
3. Open Banking (equal third) 3. Evolving digital channels 3. Faster payments
4. Evolving digital channels (equal third) 4. Payment Services Directive 2 (PSD2)/ 4. Evolving digital channels
5. Virtual currencies (equal third) Open Banking 5. Open Banking
5. Social engineering
We look at these challenges in more detail below.
1. Cyber and data 2. Social 3. Evolving digital 4. Open

breaches engineering channels & Banking
Faster
payments
7
“ Cyber related fraud risk is the most significant challenge
faced by financial institutions in all three regions.
In fact, the top 5 fraud risks across all three regions are in
connection with the digital transformation that the world
is going through. Financial institutions need a paradigm
shift in their approach to mitigate fraud risks going forward.
Fundamentally, financial institutions need to understand the
digital transformation that is happening rapidly all around us,
appreciate the evolving fraud risks arising from this rapid
change and design a fraud risk management framework
that is able to mitigate these fraud risks in a sustainable,
effective and efficient manner. I don’t think the existing
“boxes” or solutions within financial institutions, while
costly to maintain, are capable of dealing with the evolving
fraud risks as they are too fragmented and simplistic. The
new generation of fraud risk management should be able
to deal with the ever evolving digital transformation, identify
the unknown-unknown fraud risks, harness the benefits of
“
technology and reduce the cost of compliance.
Lem Chin Kok

Forensic Lead, Asia Pacific,
KPMG in Singapore
8
1. Cyber and data breaches
Respondents across the globe consider cyber and data breaches As an example, in 2018 a major airline carrier experienced a data
as the most significant challenge they face. The past few years has breach in which hackers obtained over 244,000 credit card details.
seen numerous high profile data breaches reported in the press, The hackers charged between US$9 and US$50 for each card’s
a sample of which are set out in the depiction below. information on the Dark Web, resulting in estimated takings of
US$12.2 million2.
In an interconnected world, whilst a data breach may relate to one
company, in one country, the data held often relates to individuals “Names, email addresses, passwords, social security numbers,
across the globe. Through these data breaches, cyber criminals are dates of birth, credit card numbers, banking data, passport
able to get hold of vast quantities of information, which can be used numbers, phone numbers, home addresses, driver’s license
to facilitate identity theft, social engineering fraud and authorized numbers, medical records - they all get swept up by shadowy,
push payments scams where personal data is used to gain a amorphous hackers for fraud, identity theft”3
customer’s trust, or facilitate the takeover of customer accounts.
Customer data/records now in the public domain4
Target 110 million ebay 145 million Equifax Facebook

people in 2013 users in 2014 148 million people 50 million accounts in
in September 2017 September 2018
Yahoo 3 billion & Adult Friend Finder Chinese Huazhu Hotels Marriott International
500 million accounts Networks 412 million Group 500 million 500 million records in
in 2013 and 2014 respectively accounts in 2016 records in August 2018 December 2018
“ As this report demonstrates, the ongoing digitization of the banking sector

is certainly creating new fraud risks. But it is also spawning some amazing
new solutions and opportunities for those charged with protecting the
bank’s customers and assets. Given the relationship between technology
and fraud risk, banks may want to prioritize fraud prevention and financial
“
crime management within their digital strategies.
Judd Caplain
Global Head of Banking and Capital Markets,
KPMG International
9
2. Social engineering:
A spotlight on scams
Social engineering was cited as a top 5 challenge by EMA and
Asia Pacific banks surveyed.
Social engineering can result in:
Unauthorized access to Authorized payments where

customer bank accounts, a customer is coerced into
where customers obtain transferring their money to
customers’ personal an account controlled by
information that is used to the fraudster, on the pretext
gain access to their bank of them being a legitimate
accounts (account takeover). payee (also known as scams,
Examples of some of wire fraud, authorized push
the methods fraudsters payments). In this report
employ to obtain customer we refer to such authorized
information are set out in payments as scams.
Appendix 1.
Survey respondents reported an increase in scams in each global

region in 2018. From the ‘Nigerian Prince’ scams of old, new tricks
of impersonation are being employed by fraudsters including
romance, government agency/tax office, investment, lottery,
business email compromise, technology support/remote access7
and grandparents scams, to name a few. These scams all have the
same objective to obtain access to a victim’s data that is then used
to misappropriate the victim’s funds, or persuade them to make
a payment to an account controlled by the fraudster. Examples of
such scams are set out in Appendix 2.
Losses to scams are exponentially growing.
In 2018, the US Federal Bureau of Investigation (FBI)

reported that business email compromise scams resulted in
global losses of over US$12billion between 2013 and 20185.
In Australia, the Australian Competition and Consumer

Commission (ACCC) reported that almost half a billion
Australian dollars was lost to scammers in 20186.
10
This is likely just the tip of the iceberg with not all consumers Where the bank is bearing the liability, average losses from scams
knowing, or reporting that they have been scammed. are significantly higher than card fraud.
Scam victims vary. Whilst the elderly are a considerable The UK has introduced a Contingent Reimbursement Model Code
demographic at risk, scams also impact: for Authorised Push Payment Scams (the Code), to reimburse
the victims of scams in any case where the bank or payment
—— Customers who are socially isolated and lonely, such as
service provider is considered at fault and the customer has met
romance scams
the standards expected of them under the Code7. The Code is
—— Financially vulnerable such as advance fee loan scams to obtain voluntary, and was developed in an effort to protect customers,
unsecured finance, debt collection scams and investment ‘too and for regulators and government to deliver a sustainable solution.
good to be true’ scams The banks who have signed up to the Code have not yet been
announced, though one major retail bank has announced that it will
—— Businesses, where a member of the finance team receives an
reimburse their customers for all scams, including push payment
email purporting to be the Chief Executive or Finance Officer
fraud8. It will be interesting to see if more countries introduce
(CEO/ CFO) requiring funds transfer, timed when they are on
similar frameworks for banks.
leave
The following chart displays scam volumes reported by victims and
—— Youths, such as employment, vacation and lottery scams.
potential victims in the US and Canada from 1 July 2015 to 22 April
Banks are often blamed for failing to prevent and detect scams. 2019.
From a bank’s perspective, the difficulty with detecting scams
is that the customer is accessing their own account, so access
controls will not detect scams. Many banks now have a dedicated 152,595 Scams Found
scams team operating in parallel with fraud teams to address this
escalating risk.
Where scams are detected by banks prior to payment processing,
banks are finding customers are so convinced of a scam’s
legitimacy, they can still be adamant they want the payment
processed despite the bank informing them that a payee is
fraudulent.
In most countries, there is no clear liability framework dictating who
bears the cost of scams, with some banks deeming the loss as the
customer’s, whereas other banks assess scams on a case by case
basis before determining if the bank will compensate the customer
for their loss.
Even where the bank is not bearing the liability for scams, we are
seeing this form of fraud take up significant employee time in an
emotionally charged situation when customers realize they have
lost significant sums.
Source9 accessed on 22 April 2019
11
3. Evolving digital channels and faster payment processing: The move to digital banking
with less customer “face time”
Evolving digital channels was cited as a top 3 challenge by our What proportion of your products/services are delivered via
survey respondents in the Americas and EMA. digital channels?
The proportion of products and services delivered by banks through
digital channels is increasing. The World Payments Report 2018
forecasts that non-cash transactions will grow compound by
42%
12.7 percent to 202110.
Seventy eight percent of survey respondents said more than a
quarter of their products and services are delivered via digital 19%
channels. In many markets, we are seeing the emergence of neo 15% 17%
or challenger digital banks delivering their products solely via digital
7%
channels.
With less customers holding and withdrawing cash, due to the
<10% 10%-25% 26%-50% 51%-75% Over 75%
ease of digital banking and cashless payments, customer demand
for face to face banking services is diminishing. This is leading to a 78%
global trend of banks closing branches.
The UK has closed two-thirds of bank branches in the

past 30 years11, nearly 6,000 branches have closed in
Europe12 and in the US nearly 9,000 branches have
been closed this decade13.
Less branches reduces the face to face interaction
between banks and their customers, which is being
exploited by organized criminals and fraudsters to commit
Fewer bank branches, and the increasing use of digital banking by
fraud across borders, hacking & phishing for customer
customers requires an enhanced automated approach by banks to
identity information to facilitate customer account
mitigate evolving digital fraud threats.
takeovers.
Further, faster payments processing can pose a challenge with less
More digital transactions provides a rich data set of
time available for banks to scrutinize transactions for fraud. Faster
customer digital behavior, making it easier to spot
payments also poses the risk of reduced fraud loss recovery rates
potentially fraudulent payments.
due to the velocity of payments if funds are transferred through
“
multiple accounts in seconds and offshore.
With banks ever sensitive to the balance between fraud risk
mitigation and customer experience, as seen in the survey, banks
Currently there is too much dispersion and
are responding via real time fraud prevention and detection tools,
and imposing limits and step up authentication for higher risk fragmentation in fraud prevention systems
transactions in an effort to mitigate the risk of increased fraud in a within a single entity. Financial entities
real time payments environment.
Authentication of alias’s is also key, particularly for pull payments
where fraudsters may pose as a utility or telecommunications
company, for example, to request payment. The UK has responded
“
must evolve towards more centralized and
transversal fraud management models, with
the aim of identifying synergies and improving
to this risk with confirmation of payee checks when customers efficiency.
request fund transfers.
Enric Olcina
Forensic Lead, Europe, Middle East and Africa,
KPMG in Spain
Banks are investing in technology to better detect fraud - so why are fraud losses increasing? We consider the challenges faced by
banks in mitigating fraud, and how banks are structuring their fraud functions to respond to this changing threat as follows.
12
4. Open Banking
Open Banking was cited as one of the top 5 challenges facing —— On the flip side, for banks this greater transparency of their
banks in all regions. Open Banking presents a radical change to customers’ accounts across banks will likely enable more robust
how financial institutions will operate across the globe going identity verification, the earlier identification of mule/fraudulent
forward, transferring the ownership of account information from accounts and more efficient fraudulent funds tracing.
banks and financial institutions to their customers.
How should banks prepare?
Customers will be able to share their details and transaction data
Data security – Banking records include sensitive, confidential
with third parties (such as other banks, budgeting applications
customer information and requires the most rigorous data security
(apps), fintechs, telephone companies and investment platforms),
standards. Banks must ensure that APIs include robust data
through Application Programming Interfaces (APIs).
security controls and that third party developers are vetted before
Regulators are increasingly encouraging, and in some countries being granted access, as well as before being accredited as a
mandating, that the banking industry give customers access to service provider.
open banking through the development of APIs.
Digital identity – Open Banking relies heavily on an integrated
Open Banking is likely to impact fraud risk management in digital identity at its foundation. Consolidation of the holistic online
a number of ways for financial institutions: profile for a person, organization or electronic device will enable a
—— As with all reforms that result in faster and more convenient secure and seamless authentication experience.
banking for consumers, it is likely that a higher proportion of Access management – Banks will need the capability to securely
payments will be made through digital channels, resulting in and confidentially link a customer to their data. This will require
higher transaction volumes for banks reviewing account activity a framework governing access (and revocation) rights, usage
for fraud. limitations and security. Much like using a social media account to
—— Through open banking, banks will rely on the security of third login to a banking account, customers require either a standardized
parties to protect customer banking information accessed or customizable set of access management protocols defined for
through APIs. Should third parties fail to provide adequate the sharing and use of data with third party service providers.
protection against fraud, customers are likely to consider the
bank, rather than the apps being at fault.
—— Open access to banking information across financial institutions
will provide fraudsters who gain access with the ability to
gather more sensitive customer data, presenting a more holistic
picture of a customer’s accounts to target higher positive
balance accounts across banks.
A summary Open Banking timeline across the globe
European second Payment Open Banking APIs made Consultation paper Australian Government
Services Directive (PSD2) available. released. deadline for the big 4 banks
introduced. to enact open banking.
Europe Europe Canada Australia
Jan Nov Jan Jul Jan Feb Jul Nov

2016 2016 2018 2018 2019 2019 2019 2019
Singapore USA New Zealand Hong Kong
Open Banking API Playbook Treasury recommends US Gov’t Open Banking APIs Local banks to deploy
introduced by Monetary affirms that Dodd-Frank act applies template and standards Open APIs by November
Authority, encouraging adoption to Open Banking API users. Open produced by Reserve Bank. 2019.
of Open Banking. Banking remains discretionary.
13
In this challenging environment, more can be done to educate customers
Customers play a key role in fraud prevention and detection, particularly in regards to scams where customers are facilitating the payment.
In the survey, the majority of respondents reported customers as being a source of detection for identified fraudulent activity in 2018.
Given this finding, coupled with the low fraud recovery rate identified in the survey with over half of respondents stating recoveries are less
than 25 percent of fraud losses, more can be done by banks to educate their customers to prevent and detect fraud.
How do banks identify fraudulent activity?
Customer
89%
82% Automated
Systems
Manual systems
71%
Third party
55% 58% Internal/External audit
68% Whistleblower
Fraudsters are becoming more sophisticated. To arm customers with the skills needed to avoid falling victim to fraud,
banks should educate customers to:
—— Conduct timely reviews of their account activity;
—— Reverse google search images used in Romance scams;
—— Learn to spot phishing emails, text messages/SMS and phone calls;
—— Frequently change passwords;
—— Ignore pop-ups;
—— Recognize SPAM emails through spelling errors, lack of secure website information, dubious links to click and email addresses
which differ from the organization purporting to be the author of the email;
—— If unsure, ask a friend or family member;
—— Remember that a genuine organization will never ask for passwords, or be concerned if you ask to end a call and phone back
on a number from your records;
—— Be aware of caller ID spoofing where fraudsters mimic the phone number of the institution they are pretending to be. Caller ID
spoofing has been used, for example, to appear to be a victim’s friends or family phone number where the fraudster pretends
that they are at the scene of an accident and their family member/friend will be left to die if they do not transfer money
immediately to the caller14.
—— Remember that if the offer is too good to be true, it often is;
Further, customer education should leverage digital and non-digital channels to cater to elderly and vulnerable customers who are
often less tech savvy.
14
The fraud operating model
How much is fraud risk management costing you and how
effective is it?
The survey asked questions to understand how banks structure
their fraud risk management operations to optimize resource
allocation and to inform investment decision-making across their
governance, people, processes and technology.
Despite being a cost center, the total cost of fraud risk
management to banks is not monitored by 52 percent of banks
surveyed. This makes it an outlier within bank operations and
reduces visibility to the Board and Risk Committees who make key
budget, resourcing and investment decisions.
In terms of accountability for the effectiveness of fraud functions,
“
there was a diversity of responses with respect to holding the
fraud risk owner accountable for effectively preventing, detecting
and responding to suspected fraud; and recovering fraud losses.
As fraudsters and fraud risks
Responses varied from no formal assessment to scorecards/key
performance indicators, maintaining forecast losses to plan/risk have become more sophisticated
appetite, business/customer satisfaction, mystery shopping and emanating from the shift to
second line assurance stated.
digital channels and tools,
There was a diversity in responses to how financial institutions Regulators increasingly expect
globally structure their fraud risk management operating models.
financial institutions to achieve
greater consistency and
Who owns fraud risk?

integration of the First and
Second lines of defense in their
approach to preventing, detecting
“
and responding to fraud risks.
First line
69%
Thomas Stanton
Fraud Lead, Americas,
KPMG in the US
The first line of
defense, or business
units/customer-facing
employees
Second line
31%
The second line of
defense, with group
security providing risk and
compliance oversight to
the business units
15
KPMG’s Fraud navigator
A well-structured fraud risk management operating model and an enterprise-wide risk assessment are important to ensure banks’ defences
are robust to consistently mitigate the risk of internal and external fraud to within the bank’s fraud risk appetite.
01 02
Governance Risk
Strategy &
Risk Appetite Framework
Fraud
Predict
typologies
09
Analytics, MI
Strategy &
03
& Insights Core
Governance decisions
& processes
Customer 08 Data,
Fraud Prevent &
Data navigator Process &
Lifecycle Management technology &
Detect
Controls
Analytics
04
07 Controls &
Rule design
Core Technology People &
systems Organisation
Products & 06 05 Respond &

Channels People & Organisation & Remediate
Performance Infrastructure
Source: KPMG Fraud navigator 2019
The survey found not all respondents have a documented fraud Governance, People, Process….
risk management operating model, conduct an enterprise wide The survey found differences in how financial institutions structure
fraud risk assessment and have a fraud committee as follows: their fraud risk management operations, with the designated fraud
risk owner found:
71%
Documented fraud —— 69% in the first line of defence, managed by the business units/
60% customer facing employees (First line);
risk management
operating model 75% —— 31% in the second line of defence, in the group security
function providing risk and compliance oversight to the business
69%
units (Second line).
57% Reporting lines for the fraud risk owner varied, with reporting being
Enterprise wide to the Fraud committee, Chief Risk Officer, Head of Compliance,
60% General Counsel and Internal Audit.
fraud risk
assessment 46% Interestingly, there appears there is no one “right” model
77% followed by banks globally to consistently structure their fraud risk
management operations.
69%
Fraud 60% The survey found differences in who sets the bank’s fraud risk
committee 79% appetite, with
* 52% Board/Risk Committee
54%
* 29% First line
* 5% Second line
Global Americas EMA ASPAC
16
…and Technology
Financial institutions face a significant challenge to outpace Respondents reported investments in behavioral biometrics,
fraudsters’ changing techniques. Banks are increasingly looking adverse media review technology, network analysis and Google
to enhance systems through enhanced transaction monitoring authentication.
enabled by machine learning/artificial intelligence and biometric
Despite the advances and investment in technology, 51 percent
access management. A majority of survey respondents have
of banks’ surveyed reported a significant number of false positives
invested in the following methods to predict, prevent and detect
resulting from their technology solutions, hampering efficiencies in
fraud attempts:
fraud detection.
—— Two or multi-factor authentication to verify a customer’s
Ineffective systems impact fraud management information - are
identity (requiring users to provide something they know
banks’ risks hidden in plain sight? Deficient reporting can also
(e.g. a password) with other factors they have (for example
negatively impact the Board and Risk Committee’s ability to make
a text message/SMS verification code or fingerprint);
appropriate resource allocation and investment decisions, with
—— 70 percent of banks’ surveyed have technology solutions able fraud investment seen to fall short of financial crime in the survey.
to risk score and make decisions in real time;
Furthermore, due to the size and complexity of bank operations and
—— 67 percent use physical biometrics (voice, fingerprint and facial processes, it can take time to effect change. In contrast, fraudsters
recognition). We note that there is now a cyber crime market can be agile in their fraud attempts. As fraud typologies such as
place for digital finger prints and cases of fraudsters recording
scams and identity theft/social engineering to facilitate account
and replicating customer voices using technology;15 and
take over become more prevalent, and organized criminals share
—— 63 percent use a combination of rules and machine learning knowledge within their network across jurisdictions to overcome
embedded within their technology to facilitate fraud detection. bank fraud detection methods, banks recognize the need to
continuously hone their fraud risk management efforts to managing
these risks.
Proportion of respondents who have invested in the following technology
70% Transaction monitoring that risk scores in real time
67% Physical biometrics (voice, fingerprint or facial recognition)
63% Transaction monitoring using rules and machine learning
33% Behavioural biometrics
To continue to enhance fraud detection, survey respondents In conclusion, there are still improvement opportunities for banks
identified the need to invest in new technologies over the next to optimize their fraud operating model across governance, people,
three years, including: process and technology, particularly around:
—— Transaction monitoring technology with machine learning/ —— The balance between headcount and enhancements to
artificial intelligence (AI)/robotics technology;
—— Innovations in Fintech/RegTech software automating the —— Optimizing resource allocation through resource planning,
delivery of financial services, including automation of Know Your despite the uncertainty in time to investigate;
Customer (KYC); and —— Enhancing fraud detection systems, particularly to reduce
—— Biometrics and a greater use of open source and social false positives in systems through a feedback loop to enhance
media data. algorithms and rule sets.
Banks must plan beyond the technology to achieve results and

optimum performance in their fraud operating model across
governance, people, processes and technology.
17
What about merging fraud and financial crime compliance functions?
The significant fines being levied globally for failure to report Our survey results found that 43 percent of respondents had
suspected money laundering activity or associated financial crime integrated reporting, 40 percent had integrated governance
control deficiencies are impacting investment decisions of banks to structures, 38 percent had integrated systems and 35 percent had
uplift financial crime ahead of fraud. integrated staffing between fraud and financial crime compliance.
Survey results reveal over 50 percent of survey respondents For 43 percent of respondents there was no integration between
globally plan to invest more in financial crime compliance fraud and financial crime compliance.
(Anti- Money Laundering and Counter Terrorism Financing
(AML CTF), Anti-Bribery and Corruption (ABC) and Sanctions
screening) than in fraud risk management.
The table below sets out considerations for a siloed verses an integrated model for fraud and financial crime.
Perceived reasons to combine Fraud Perceived reasons to silo/not

with Financial Crime combine Fraud with Financial Crime
Integrated Fraud & Financial Crime teams – People & Siloed Fraud & Financial Crime teams
Process perspective
—— Likely the main driver of siloed teams are the different
—— Activities associated with Financial Crime - such as Know regulatory reporting requirements, and specifically the
Your Customer (KYC) and suspicious matter reporting significant penalties for non-reporting of financial crime
are also relevant to the risk of fraud. As one team with suspicious matters to regulators and bribery/corruption fines
one strategy there is likely more integration to leverage and jail time in some countries (particularly by the
intelligence regarding the same attack/incident. For example, US Securities and Exchange Commission (SEC) and the
the proceeds of crime (fraud) being passed through money US Department of Justice (DoJ) globally). Such penalties
mule accounts that require reporting to the Financial Crime are not levied for non-reporting of fraud.
regulator.
—— Legacy/organizational culture - “we’ve always done it
—— Staff diversity of role and thinking has been stated as a this way”.
benefit in integrated teams.
Siloed Fraud & Financial Crime systems
—— Avoid duplication of effort or missed communications for
incidents impacting both fraud and financial crime. —— Ability to pick a “best in breed” fraud system and financial
crime system, potentially with a third system to identify
—— Leverage the benefits of the significant investment going cross purpose intelligence.
into financial crime to also benefit fraud and corruption risk
management. —— Potentially a lack of awareness of appropriate solutions
which can manage both risks.
Integrated Fraud & Financial Crime teams –
Technology perspective
—— Leverage red flag/alert intelligence and dynamic customer
profiling between fraud and financial crime.
—— Cost efficiencies in using the same technology platform,
with different modules and user interfaces.
18
Conclusion
In the context of a changing global banking landscape, where branch
networks are shrinking, volumes of digital payments are increasing and
payments are being processed in seconds, fraudsters are creatively finding
new ways to steal from banks and their customers.
So how should banks respond?
Our survey results show that fraudsters are shifting focus from
account takeovers to scams where customers are exploited as a
weak link. More needs to be done by banks to educate and protect
their customers.
Our survey reinforces that the potential harm of insider fraud can
be as great, if not greater, than external fraud, given the ability of
employees to exploit weaknesses in controls to target the most
valuable assets of a bank. Banks should continue to take a proactive
approach to detecting insider fraud.
In the context of more countries implementing Open Banking,

banks must enhance their ability to analyze big data within an open
banking environment and navigate through Application Program
Interfaces (API’s).
The methods used by both internal and external fraudsters

continues to evolve. There is a growing need for banks to ensure
the operational efficiency and effectiveness of digital fraud controls,
leveraging advanced data analytics, and human expertise to
predict, prevent and detect fraud. Ineffective systems impact fraud
management information - are banks’ risks hidden in plain sight?
Deficient reporting can also negatively impact the Board and Risk
Committee’s ability to make appropriate resource allocation and
investment decisions, with fraud investment seen to fall short of
financial crime in the survey.
Technology alone is not enough, with over half our global

respondents reporting false positives hampering efficiencies in fraud
detection. Banks must plan beyond the technology to achieve results
and optimum performance in their fraud operating model across
governance, people, processes and technology..
Fraudsters are becoming more sophisticated and can quickly change and
adapt their approaches. Banks need to be agile to respond to new threats
and embrace new approaches & technologies to predict and prevent fraud.
19
Appendix 1
Examples of social engineering methods
Phishing/ Spoofing: A phishing attack is where a scammer

sends an e-mail pretending to be someone or something they
are not in order to obtain personal information from their victim.
Phishing commonly involves a user clicking a link and entering their
password, after which the scammer will have sufficient information
to obtain access to the victim’s account or mailbox. On average, 4%
of the targets of any given phishing campaign will click on the link.
Spear Phishing: Spear phishing refers to phishing attempts where
the scammer uses open source information to craft e-mails that are
highly customised to further encourage the victim to click on a link
in their e-mail. For instance, a scammer may identify through social
media that a victim is expecting a parcel, and will craft a phishing
e-mail appearing to be from the delivery service, with a message
regarding that parcel with a fake link to track the delivery.
Pretexting: Pretexting is a form of social engineering in which
the attacker fabricates a scenario, a convincing pretext, for why
they require information from the victim. Typically, scammers will
impersonate people in a position of authority, such as the tax
authorities, or a bank, and request information from their target in
order to confirm their identity.
Baiting: Baiting is a social engineering attack designed to
manipulate the victim through their curiosity. The scammer will
offer the victim a good of some kind (such as a software update, a
prize or leaving a USB in a public place for a victim to plug into their
computer), which once opened by the victim will compromise the
victim’s computer to install malicious software.
Quid Pro Quo: This is a variant of baiting where the scammer will
promise a service or benefit following the execution of a specific
action. For instance, a hacker may impersonate an IT security
specialist, offering a software upgrade, providing the victim disable
their antivirus software first, thereby installing malicious software
unimpeded onto the computer.
20
Appendix 2
Scam Typologies
Nigerian Prince scam: The ‘Nigerian Prince’ scam, one of the

Average amount lost per scam
longest running scams, in which the victim is contacted by
someone claiming to be from overseas who claims to be very
Investment $8,648 Fake invoice $441 wealthy and/or royalty requesting assistance to move money out of
their country for the opportunity to share in the millions of dollars,
Romance $6,003 Credit repair/debt
$388 are still remarkable prevalent and effective. Requests are made for
relief
the victim to pay taxes, bribes to government officials and legal fees
Moving $3,993 with a promise all expenses will be reimbursed when the funds
Online purchase $365
are out of the country. Once in possession of the payment, or bank
Cryptocurrency* $3,147 Fake check/money details, the ‘Prince’ will disappear, often with the contents of the
$341
order victim’s bank account.
Home
$2,895
improvement Tech support $255 Business E-mail Compromise (BEC): A common form of e-mail
Nigerian/Foreign fraud, BEC targets individuals with access to company banking
$2,133
money exchange facilities and uses social engineering to trick them into making
Credit card $231
Business email payments to fraudsters. Frequently, the fraudster will pretend to
$1,717
compromise be the CEO of the company, requesting an urgent payment that
Government grant $218
Family/friend bypasses usual controls. The FBI’s Internet Crime Complaints
$1,219
emergency Health care/ Centre (IC3) published in June 2018 BEC as a US$12 billion scam.
$170
medical/medicare Family/ friend emergency: Often targeted to the elderly and
Counterfeit product $1,210
playing on poor hearing, the fraudster will pretend to be the victim’s
Scholarship $155
Travel/vacation $887
grandchild. The ‘grandchild’ will claim to be in trouble needing
money (for instance pretending to be in jail, in legal trouble or
Utility $106 in debt). Victims are often told that they are the only person the
Advance fee loan $716
grandchild trusts and not to tell anyone else. Scammers will use
Debt collection $98 details from social media to make their story sound more believable
Charity $708
and obscure their voices by feigning crying.
Yellow pages/
$91 Lottery scams: Lottery scammers contact victims informing them
Identity theft $683 directory
that they have won the lottery or a prize draw that they had never
Rental $662 Phishing $44 actually entered. Victims will be asked to pay an up front fee to
release or deliver their gift or monies. They may also be asked to call
Employment $598 Tax collection $31 a high rate telephone number to claim the prize. Often fraudsters
will use the names of real competitions so that if the victim
Sweepstakes/ researches the scam it appears legitimate.
$547 Other $746
lottery/prize
Tech Support/Remote Access Scams: Tech support/ Remote
* Denotes a category first tracked in 2018
access scams convince the victim that there is a computer or
Source: BBB Scam Tracker, 2015 to December 2018 internet problem and that new software is required to fix the
The average losses in the Americas, by scam typology. problem. The victim will receive a call, e-mail or a computer pop-up
informing them that there are issues with their internet connection
Investment scams: Investment scams present the victim with an or computer and direct the victim to contact the fraudster to get
unbeatable opportunity, often to make guaranteed high returns, it fixed. Scammers may cite common problems such as internet
should they invest their money. Victims are often contacted by speed as evidence of the problem. They will then request the victim
phone or e-mail by fraudsters claiming to offer genuine investment provide them with remote access to ‘find out what the problem
advice. is’. Once the fraudster has access to the victim’s computer they
Romance scams: Dating and romance scams take advantage of harvest their data, access their Bank accounts and often make
people looking for love, creating fake profiles on dating websites payments to themselves.
or social media sites pretending to be a potential romantic partner. Government agency scams: In a government agency scams,
Following an often protracted online courtship, the fraudster will ask fraudsters contact victims by phone, text or e-mail pretending to
for money, gifts or personal information. Scams often play on the be from a judiciary body or the tax office. In some instances the
victims emotional triggers, for instance asking for money to pay for fraudster will ask for an urgent payment to settle a debt such as an
‘family medical bills’ or for flights so that they can visit the victim. overdue parking fine or tax payment. The fraudster may threaten
Fraudsters may also ask for intimate photos which they will then that non-payment will result in the payment increasing or jail time.
use to blackmail the victim.
21
Appendix 3
Sources
2013 Target: 110 million. Based on figure quoted in report by The The Daily Mail, “Russian hackers made £9.4m from British Airways
Huffington Post, “Target Hacked: Retailer Confirms ‘Unauthorised data breach with customers’ credit card details put on sale for as
Access’ Of Credit Card Data” (19 December 2013). Available at little as £6.94, experts say” (Sami Quadri, 14 November 2018).
https://www.huffpost.com/entry/target-hacked-customer-credit-card- Credit card details available for sale were from customers through
data-accessed_n_4471672 Europe and from Mexico, Brazil and China including others.
2013 Yahoo: 3 billion. Based on figure quoted in report by The New Available at: https://www.dailymail.co.uk/news/article-6387001/
York Times, “All 3 Billion Yahoo Accounts Were Affected by 2013 Russian-hackers-9-4m-British-Airways-data-breach.html
Attach” (Nicole Perlroth, 3 October 2017). Available at: https://www. Wired, “The Wired Guide to Data Breaches” (Lily Hay Newman, 12
nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html July 2018). Available at: https://www.wired.com/story/wired-guide-
2014 Yahoo: 500 million. Based on figure quoted in report by to-data-breaches/
The Washington Post, “Yahoo confirms data breach affecting at FBI Public Service Announcement, “Business E-Mail Compromise:
least 500 million accounts” (Hayley Tsukayama, Craig Timberg The 12 Billion Dollar Scam” (12 July 2018). Report states that
& Brian Fung, 22 September 2016). Available at: https://www. 78,617 incidents of business e-mail compromise scams occurred
washingtonpost.com/news/the-switch/wp/2016/09/22/report-yahoo- between October 2013 and May 2018 resulting in global losses
to-confirm-data-breach-affecting-hundreds-of-millions-of-accounts/ of US$12,536,948,299. Business e-mail compromise scams are
2014 Ebay: 145 Million. Based on figure quoted in report by defined as “when a subject compromises legitimate business
The Washington Post, “eBay asks 145 million users to change e-mail accounts through social engineering or computer intrusion
passwords after data breach” (Andrea Peterson, 21 May 2014). techniques to conduct unauthorised transfers of funds”. Available at:
Available at: https://www.washingtonpost.com/news/the-switch/ https://www.ic3.gov/media/2018/180712.aspx
wp/2014/05/21/ebay-asks-145-million-users-to-change-passwords- Australian Competition and Consumer Commission, Targeting
after-data-breach/ Scams Report (May 2019). $489 billion in losses reported to the
2016 Adult Friend Finder: 412 million. Based on figure quoted ACCC from over 378,000 scam reports. Available at https://www.
in report by The Verge, “Over 300 million AdultFriendFinder accc.gov.au/publications/targeting-scams-report-on-scam-activity/
accounts have been exposed in massive breach” (Andrew targeting-scams-report-of-the-accc-on-scam-activity-2018
Liptak, 13 November 2016). Available at: https://www.theverge. Authorised Push Payment Scams Steering Group 28 February 2019
com/2016/11/13/13615750/412-million-adultfriendfinder-accounts- Press release, and attached copy of the Code. The Code states
exposed-breach that the customer may not be refunded if the customer “ignored
September 2017 Equifax: 148 million American Consumers. Based effective warnings”, “did not take appropriate actions” or where the
on figure produced by U.S. House of Representatives Committee behaved in a way that was “grossly negligent”. The Code comes into
on Oversight and Government Reform, The Equifax Data Breach force on 28 May 2019, signatories have not yet been announced.
Report (December 2018) p2. Available at: https://oversight.house. Available at: https://appcrmsteeringgroup.uk/app-scams-steering-g
gov/wp-content/uploads/2018/12/Equifax-Report.pdf 1
Faster payments, Cyber and data breaches, Payment Services
Directive 2/ Open banking, Virtual currencies,
August 2018 Chinese Huazhu Hotels Group: 500 million records.
Evolving digital channels, Social engineering, Criminal use of
Based on figures quoted in report by China Daily, “Huazhu Hotels
artificial intelligence.
Group investigates alleged info leak” (29 August Adata (including
name and mobile numbers), 130 million check-in records (including 2
The Daily Mail, “Russian hackers made £9.4m from British
name and address) and 240 million hotel stay records (including Airways data breach with customers’ credit card details put on
credit card numbers and check in and out dates). sale for as little as £6.94, experts say” (Sami Quadri, 14 November
2018). Credit card details available for sale were from customers
September 2018 Facebook: 50 million accounts. Based on figures
through Europe and from Mexico, Brazil and China including others.
quoted in report by The Guardian, “Facebook says nearly 50m
Available at: https://www.dailymail.co.uk/news/article-6387001/
users compromised in huge security breach” (Julia Carrie Wong,
Russian-hackers-9-4m-British-Airways-data-breach.html
29 September 2018). Available at: https://www.theguardian.com/
technology/2018/sep/28/facebook-50-million-user-accounts-security- 3
Wired, “The Wired Guide to Data Breaches” (Lily Hay Newman, 12
berach July 2018). Available at: https://www.wired.com/story/wired-guide-
to-data-breaches/
2018 Marriott International: 500 million records. Based on figures
quoted in report by The New York Times, “Marriott Data Breach Is 4
2013 Target: 110 million. Based on figure quoted in report by The
Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing” Huffington Post, “Target Hacked: Retailer Confirms ‘Unauthorised
(David E. Sanger et al, 11 December 2018). Available at: https:// Access’ Of Credit Card Data” (19 December 2013). Available at
www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html https://www.huffpost.com/entry/target-hacked-customer-credit-card-
data-accessed_n_4471672
22
2013 Yahoo: 3 billion. Based on figure quoted in report by The New between October 2013 and May 2018 resulting in global losses
York Times, “All 3 Billion Yahoo Accounts Were Affected by 2013 of US$12,536,948,299. Business e-mail compromise scams are
Attach” (Nicole Perlroth, 3 October 2017). Available at: https://www. defined as “when a subject compromises legitimate business
nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html e-mail accounts through social engineering or computer intrusion
2014 Yahoo: 500 million. Based on figure quoted in report by techniques to conduct unauthorised transfers of funds”. Available at:
The Washington Post, “Yahoo confirms data breach affecting at https://www.ic3.gov/media/2018/180712.aspx
least 500 million accounts” (Hayley Tsukayama, Craig Timberg 6
Australian Competition and Consumer Commission, Targeting
& Brian Fung, 22 September 2016). Available at: https://www. Scams Report (May 2019). $489 billion in losses reported to the
washingtonpost.com/news/the-switch/wp/2016/09/22/report-yahoo- ACCC from over 378,000 scam reports. Available at https://www.
to-confirm-data-breach-affecting-hundreds-of-millions-of-accounts/ accc.gov.au/publications/targeting-scams-report-on-scam-activity/
targeting-scams-report-of-the-accc-on-scam-activity-2018
2014 Ebay: 145 Million. Based on figure quoted in report by
The Washington Post, “eBay asks 145 million users to change 7
Authorised Push Payment Scams Steering Group 28 February
passwords after data breach” (Andrea Peterson, 21 May 2014). 2019 Press release, and attached copy of the Code. The Code states
Available at: https://www.washingtonpost.com/news/the-switch/ that the customer may not be refunded if the customer “ignored
wp/2014/05/21/ebay-asks-145-million-users-to-change-passwords- effective warnings”, “did not take appropriate actions” or where the
after-data-breach/ behaved in a way that was “grossly negligent”. The Code comes into
force on 28 May 2019, signatories have not yet been announced.
2016 Adult Friend Finder: 412 million. Based on figure quoted
Available at: https://appcrmsteeringgroup.uk/app-scams-steering-
in report by The Verge, “Over 300 million AdultFriendFinder
group-agrees-voluntary-code/.
accounts have been exposed in massive breach” (Andrew
Liptak, 13 November 2016). Available at: https://www.theverge. 8
The Independent, “TSB becomes first bank to offer ‘refund
com/2016/11/13/13615750/412-million-adultfriendfinder-accounts- guarantee’ to all fraud victims” (Ben Chapman, 16 April 2019).
exposed-breach Available at: https://www.independent.co.uk/news/business/news/
tsb-bank-fraud-guarantee-refund-scams-a8870781.html
September 2017 Equifax: 148 million American Consumers. Based
on figure produced by U.S. House of Representatives Committee 9
BBB Scam Tracker, reporting US and Canadian victim and potential
on Oversight and Government Reform, The Equifax Data Breach victim accounts from 1 July 2015 to 22 April 2019. Available at:
Report (December 2018) p2. Available at: https://oversight.house. https://www.bbb.org/scamtracker/us/
gov/wp-content/uploads/2018/12/Equifax-Report.pdf World Payments Report 2018, p6. Available at https://
10
August 2018 Chinese Huazhu Hotels Group: 500 million records. worldpaymentsreport.com/wp-content/uploads/sites/5/2018/10/
Based on figures quoted in report by China Daily, “Huazhu World-Payments-Report-2018.pdf
Hotels Group investigates alleged info leak” (29 August 2018). 11
The Financial Times, “UK has lost two-thirds of bank branches
Available at: http://www.chinadaily.com.cn/a/201808/29/ in 30 years” (Emma Agyemang, 16 November 2018). Available at:
WS5b86473da310add14f38871b.html. Unauthorized access https://www.msn.com/en-gb/money/news/uk-has-lost-two-thirds-of-
to Huazhu Hotels Group 123 million pieces of registration data bank-branches-in-30-years/ar-BBPL1Z7
(including name and mobile numbers), 130 million check-in records
(including name and address) and 240 million hotel stay records
12
The European Banking Federation, 2018 Facts & Figures (11
(including credit card numbers and check in and out dates). September 2018). Available at: https://www.ebf.eu/ebf-media-
centre/banking-in-europe-ebf-publishes-2018-facts-figures/ )
September 2018 Facebook: 50 million accounts. Based on figures
quoted in report by The Guardian, “Facebook says nearly 50m
13
The Wall Street Journal, “Thousands of Bank Branches are
users compromised in huge security breach” (Julia Carrie Wong, Closing, Just Not at These Banks” (Allison Prang, 15 June 2018).
29 September 2018). Available at: https://www.theguardian.com/ Available at: https://www.wsj.com/articles/the-bank-branch-is-
technology/2018/sep/28/facebook-50-million-user-accounts-security- dyingjust-not-at-these-banks-1529055000
berach 14
CNBC.com, “You think it’s your friend calling, but it’s actually this
2018 Marriott International: 500 million records. Based on figures growing phone scam” (Annie Nova, 12 June 2018). Available at:
quoted in report by The New York Times, “Marriott Data Breach Is https://www.cnbc.com/2018/06/12/you-think-its-your-friend-calling-
Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing” but-its-actually-this-growing-phone-scam.html
(David E. Sanger et al, 11 December 2018). Available at: https:// 15
https://www.zdnet.com/article/cybercrime-market-selling-full-
www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html digital-fingerprints-of-over-60000-users/
5
FBI Public Service Announcement, “Business E-Mail Compromise:
The 12 Billion Dollar Scam” (12 July 2018). Report states that
78,617 incidents of business e-mail compromise scams occurred
23
Contacts
David Hicks
Global Forensic Leader
KPMG International
T: +44 20 76942915
E: David.Hicks@KPMG.co.uk
Judd Caplain
Global Head of Banking and Capital Markets
KPMG International
T: +1 212 872 6802
E: jcaplain@kpmg.com
Natalie Faulkner
Global Fraud Lead
KPMG International
T: +61 2 9335 7716
E: nfaulkner1@kpmg.com.au
Enric Olcina
Fraud Lead, Europe, Middle East and Africa
KPMG in Spain
T: +34 93 2532 985
E: eolcina@kpmg.es
Thomas Stanton
Forensic Lead, Americas
KPMG in the US
T: +1 212 872 7758
E: tstanton@kpmg.com
Lem Chin Kok

Forensic Lead, Asia Pacific
KPMG in Singapore
T: +65 6213 2495
E: clem@kpmg.com.sg
kpmg.com/socialmedia
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to
provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in
the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2019 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG
International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis
third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Throughout this document, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG
International or to one or more of these firms or to KPMG International.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Designed by: KGS
Publication date: May 2019
24

Global Banking Fraud Survey

Uploaded by

Copyright:

Available Formats

Global Banking Fraud Survey

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Global Banking Fraud Survey

Uploaded by

Copyright:

Available Formats

Global Banking

< 25% > 50% > 60%

In the context of a changing

Fraud Operating Model

Lack of a documented Failures to detect Optimizing Financial crime Natalie Faulkner,

61% 31% 59% 27% 41% 24%

Volume increasing Value increasing Average value increasing

Fraud loss recoveries Fraud Typology Americas EMA Asia-Pacific

Scams Increased Increased Increased

Americas EMA Asia-Pacific

Source: Global Banking Fraud Survey, KPMG International 2019

We look at these challenges in more detail below.

1. Cyber and data 2. Social 3. Evolving digital 4. Open

Lem Chin Kok

Customer data/records now in the public domain4

Target 110 million ebay 145 million Equifax Facebook

“ As this report demonstrates, the ongoing digitization of the banking sector

Unauthorized access to Authorized payments where

Survey respondents reported an increase in scams in each global

In 2018, the US Federal Bureau of Investigation (FBI)

In Australia, the Australian Competition and Consumer

The UK has closed two-thirds of bank branches in the

A summary Open Banking timeline across the globe

Europe Europe Canada Australia

Jan Nov Jan Jul Jan Feb Jul Nov

Singapore USA New Zealand Hong Kong

How do banks identify fraudulent activity?

Source: Global Banking Fraud Survey, KPMG International 2019

Who owns fraud risk?

Source: Global Banking Fraud Survey, KPMG International 2019

Products & 06 05 Respond &

Source: KPMG Fraud navigator 2019

Proportion of respondents who have invested in the following technology

70% Transaction monitoring that risk scores in real time

67% Physical biometrics (voice, fingerprint or facial recognition)

63% Transaction monitoring using rules and machine learning

33% Behavioural biometrics

Source: Global Banking Fraud Survey, KPMG International 2019

Banks must plan beyond the technology to achieve results and

Perceived reasons to combine Fraud Perceived reasons to silo/not

In the context of more countries implementing Open Banking,

The methods used by both internal and external fraudsters

Technology alone is not enough, with over half our global

Phishing/ Spoofing: A phishing attack is where a scammer

Nigerian Prince scam: The ‘Nigerian Prince’ scam, one of the

Lem Chin Kok

You might also like