India Banking Fraud Survey

Edition II
April 2015
www.deloitte.com/in
Foreword

T. M. Bhasin
Chairman, Indian Bank's Association (IBA)
Chairman and Managing Director, Indian Bank

Over the years, IBA has emerged as the voice of the

Indian banking industry, and we have always aspired
to proactively work for the growth and betterment of
the banking and financial services industry, in a manner
consistent with public good.

We are committed to accelerate the Indian Banking

industry’s growth through innovation, transformation,
inclusion, and better governance. In the last few years,
governance and compliance has taken precedence in
fueling the economic growth of the nation as well as the
sector, in line with our strong focus on accountability
and transparency.

To support this ongoing effort, we believe that the

Deloitte India Banking Fraud Survey 2015 (“survey”) has
tried to recognize what is currently working well for the
industry and what areas need further work and scrutiny.
While the need to improve proactive fraud risk miti-
gation strategies is paramount, the survey also details
emerging fraud risks that are a reality in the banking
sector today.

It is clear that while the sector has grown by leaps and

bounds in the last few years, the growth in incidents of
fraud and cybercrime has also continued, if not acceler-
ated. I am therefore hopeful that this survey report will
not only enhance awareness but also push organizations
towards furthering their investments and efforts in the
area of fraud risk management.

2
Preface

Rohit Mahajan, KV Karthik

Senior Director & Head Senior Director and Financial services Lead
Deloitte Forensic Deloitte Forensic

The Indian banking sector is experiencing a plethora of measures adopted by banks, a significant number of
changes as it gears up to meet international standards, frauds are being detected by means other than those
while balancing its commitment to financial inclusion. under the anti-fraud control framework. For many years
The last two years have been particularly significant now, the RBI has asked banks to focus on KYC checks
from a fraud risk management perspective, with the RBI and customer data integration; however, it appears that
issuing several directives aimed at improving governance most banks are still investing in this area and are yet to
and profitability levels among banks, by mitigating the see results. We also observe that while there is sensiti-
risk of loan defaults and fraud. zation to fraud at higher levels in the organization, the
levels of awareness among operational level staff can be
The pace of change in the sector has left banks improved. Overall, the sector does not seem to be taking
grappling with multiple fraud-related challenges. While a holistic view towards fraud risk management and
financial crime appears to be a major concern for banks remains embroiled in day-to-day concerns. We believe
as the number of incidents and value of fraud rise, the challenge for banks is to develop comprehensive
there appears to be a certain lag in the implementation fraud risk management controls that will not only
of fraud risk management measures. With the current prevent frauds but detect them as soon as they occur
economic slowdown and increased use of technology, and respond to them.
incidents of fraud are also expected to increase further,
which has also been substantiated through our survey This situation signals the need for quality guidance that
results. Continued reliance on manual controls to detect banks can use to develop and implement a fraud risk
red flags and well known frauds such as diversion of management strategy. We believe that the Deloitte India
funds and fraudulent documentation (leading to loan Banking Fraud Survey report can provide not only greater
fraud) continue to impact the sector more significantly clarity but also provide focus areas to banks on acceler-
than cyber-crime and identity theft, which are domi- ating their fraud risk management efforts.
nating the global banking fraud landscape.
We hope that this report provides you with helpful
The proliferation of the use of the Internet for financial insights into how banks are responding to today’s
transactions warrants a baseline level of awareness challenges and fosters discussion that will help further
and vigilance at all banks. However, it appears that the enhance fraud risk management across the industry. We
banks’ own adoption of technology for internal controls also wish to thank all our survey participants for their
and fraud risk management appears to be still work- time and insights, without which this report would not
in-progress. Frauds are detected primarily by customer have been possible.
complaints indicating that in spite of various anti-fraud

India Banking Fraud Survey Edition II 3

Contents

Key findings 6

Section 1: Banking sector fraud on a rise 8

What is contributing to the rise in fraud? 11

Impact of fraud 13

Section 2: Reliance on traditional channels

for fraud detection 14

Unearthing fraud 15

Response to fraud 19

Section 3: Fraud risk management at Banks 20

Current status of anti-fraud programs 21

Being proactive in managing the risk of fraud 24

Defining the role of technology 25

Section 4: Emerging fraud risks 26

Conclusion 32

India Banking Fraud Survey Edition II 5

 India Banking Fraud Survey
Key Findings

State of Banking Sector Fraud

93% respondents
indicated that there has More than half of the respond-
been an increase in ents indicated that the banking
fraud incidents in the industry has seen more than a
banking industry in the
last two years 10% increase in fraud
incidents in the last two years

:
Top reasons for increase in fraud incidents: 1 in every 4 institutions has witnessed
more than 100 fraud incidents in the
• Lack of oversight by line managers/ retail banking segment
senior management on deviations
from existing processes
• Business pressures to meet unrea- The majority of retail banking segment
sonable targets respondents claim they suffered an
• Lack of tools to identify potential red average fraud loss of INR 10 lakhs. In
flags contrast, the average fraud loss in the
• Collusion between employees and non-retail segment was in the region of
external parties INR 2 crore.

Common frauds observed: How is fraud discovered?

By a customer complaint
Retail banking: ‘Fraudulent docu- 1
mentation’ and ‘Over valuation/ Internal whistleblower/ anonymous
absence of collateral’ 2 complaint

Corporate banking: ‘Diversion

3 During account reconciliation
of funds’ and ‘Siphoning of
funds’
Private banking: ‘Identity theft’ and 4 Through automated data analysis
‘Fraudulent documentation’ or transaction monitoring software

Average time taken to uncover a Majority of respondents said

fraud incident: Less than 6 they were able to recover less
months by approx. 70% of the than 25% of the reported fraud
respondents loss value

6
How did they Respond? Challenges faced in the prevention of fraud

45%
Carried out
an internal
investigation
Lack of customer and/ or staff
32% awareness

Asked the Difficult to integrate data from

Reported the
individual in various sources
incident to a
law enforce- question to
resign Inadequate fraud detection tools
ment agency
14% and technologies

Preparedness to tackle fraud

Top three fraud risk management measures that have been implemented effectively by banks:

Customer screening Fraud control strate- Employee code of

against negative list gies and policies conduct

Future trends

Technology to fuel fraud in the future

Greater investment towards the adop-
tion of anti-fraud measures
The top three fraud risks that are currently 83% of the respondents foresee an increase in
the highest concerns for banks: their investments in adopting anti-fraud
• Internet Banking and ATM fraud measures, especially in the areas of:
• E-banking (credit card, debit card etc.)
• Identity fraud • Fraud detection and
monitoring systems
• Upgradation of
technology to combat
cybercrime
• Fraud risk assessments
and investigations

India Banking Fraud Survey Edition II 7

Section 1
Banking sector fraud on
a rise
The big picture

Banking sector frauds have been in existence for Figure 1: What has been the percentage of change in fraud incidents
centuries1, with the earliest known frauds pertaining encountered by the Banking industry as compared to the last two years?
to insider trading, stock manipulation, accounting
Less than 5%
irregularity/ inflated assists etc. Over the years, frauds
Increased by 5 - 10%
in the sector have become more sophisticated and
Increased by 10 - 20%
have extended to technology based services offered
Increased by 20 - 50%
to customers. The Indian banking sector too is
7% More than 50%
experiencing the pain due to increase in fraud incidents No change
with 93 percent of our survey respondents indicating
that fraud has grown over the last two years. 9%
5%
A majority of survey respondents indicated that they
have experienced more than 50 fraud incidents in the
retail banking segment in the last two years (average
fraud loss of around INR 10 lakh per incident) and an
average of 10 fraud incidents in the non-retail segment 12%
(average loss amount close to INR 2 crore per incident). 30%
This is a significant jump compared to the survey
findings of the previous edition of the Deloitte India
Banking Fraud Survey report where only 40 percent of
respondents claimed such fraud losses.
37%
While most respondents have indicated an overall
increase in frauds incidents across all banking segments,
it comes as no surprise that retail banking has been
identified as the major contributor to fraud, followed by Figure 2: Which of the following areas in your organization have
corporate banking. As retail banking is more process as encountered fraud incidents?
well as volume-driven, increased fraud incidents in this
area should trigger a wider review of the process and
controls to identify the root cause as these incidents
8%
could be just the tip of the iceberg.
31%
14%
5%
40%
2%
Administration/ procurement Corporate banking
Priority sector lending Private banking
Retail banking Treasury department

1
Source: Book titled ‘William
Duer and America’s first
Financial scandal’, Authored by
David J Cowen

India Banking Fraud Survey Edition II 9

 Figure 3: Which of the following fraud incidents have been encountered in Corporate and
Retail Banking?

Corporate Banking Retail Banking

Diversion of funds Fraudulent documentation
Siphoning of funds Overvaluation/non-existence of collateral
Incorrect financial statements Multiple funding
Overvaluation/non-existence of collateral Identity theft
External vendor induced fraud
Fraudulent documentation Incorrect sanctioning
Asset stripping
1.91
2.45
3.42
3.83 2.31
2.75
3.00
3.54 2.57
3.12
2.77

3.25

Note: An aggregate of the responses received have been collated in this figure

Within retail banking, it is interesting to note that survey In case of corporate banking, the key challenge for
respondents highlighted ‘fraudulent documentation’ a bank is to ensure that the borrower utilizes the
and ‘overvaluation/ absence of collateral’ as areas where funds for the purpose stated in the loan sanction, and
incidents of fraud were most likely to occur. Whereas, periodically reports progress, while meeting the loan
within corporate banking, ‘diversion of funds’ has been repayment criteria. While this may not appear to be as
identified as the biggest area where fraud incidents were process driven as retail banking, the absence of standard
encountered. processes and automation makes end use monitoring in
corporate banking more challenging compared to the
Retail banking is considered relatively more fraud risks in retail banking. The RBI’s annual report of
process-oriented, requiring significant control and 2013-14 places NPAs from retail banking at 2 percent,
meticulousness over the due diligence carried out while whereas NPAs from corporate banking were at 36
on-boarding a customer. Given the limited resources percent2. Given the size of transactions in corporate
banks have to monitor these processes and adequately banking and the challenges mentioned above, it is
verify documents/ information, and the increasingly important that banks implement a robust monitoring
fragmented nature of customer information available, mechanism post sanction and disbursement of facilities
the risk of fraud becomes significantly high and banks and be vigilant to early signs of stress in the borrower
need to realize the importance of investing in preventive accounts. 2
Source: RBI Annual Report
mechanisms. 2013-14 http://rbidocs.rbi.
org.in/rdocs/Bulletin/PDFs/
RBIARE210814_FULL.pdf

10
What is contributing
to the rise in fraud?

Fraud tends to be committed primarily due to the Figure 4: What are the reasons for the increase in fraud incidents in your
presence of three major factors: financial pressure, organization?
opportunity, and rationalization. While these factors
are present in a growing economy, they can get
exacerbated during an economic downturn, when
margins are tight and profitability is a challenge. This
has been clearly brought out in our survey results,
where respondents have attributed the increase in
22% Lack of oversight by line manager
fraud to the lack of oversight by line managers or senior or senior management on deviations
management on deviations from existing process/
controls; business pressure to meet targets; and 18% from existing processes

Business pressure to meet

collusion between employees and external parties.

14%
targets

Lack of oversight by line managers/ senior

Lack of tools to identify
manager on deviations from existing process/

14%
potential red flags
controls
Poor internal controls, dilution of existing systems/
Collusion between employees
controls and non-adherence to procedures can

12%
and external parties
increase the likelihood of frauds in banks. Based on our
experience, the following are some instances where
New Technology/channels
controls tend to be overlooked.

responsible for making bank deposits, posting them

to the accounts receivable system and performing
10% Difficult business scenario
monthly bank reconciliations

such as bank draft forms, deposit receipts and

4% Changes to business strategy without

4%
changes in business processes
cheque books is handed over to counter staff
without obtaining a written acknowledgement
Introduction of new products

2%
without adequate controls in place
accounts tend to be less frequently monitored for
oversight or malpractice.
Lack of a fraud risk framework
within the organization
In addition to the instances listed above, limited
oversight is also a reason for fraud in areas such as loans
and advances. Some examples include inadequate KYC
checks on prospective borrowers by bank managers,
and the subsequent limited monitoring of the use
of funds loaned. Further in many cases, loans may
be processed based on insufficient documentation/
wrong valuation of collateral. We also observe that
banks are increasingly outsourcing these tasks – KYC,
documentation support etc. – to third parties, which can
further dilute the scope of managerial oversight.

India Banking Fraud Survey Edition II 11

Business pressure to meet targets Collusion between employees and external
One of the common reasons cited for limited oversight parties
is the heightened pressure to exceed business targets Insider fraud, whether arising from coercion, collusion,
that are often linked to compensation. Under the current or otherwise, are increasingly considered to be one
economic climate of tepid credit growth, banks may of the most serious fraud threats faced by financial
face increased pressures to meet or exceed financial institutions. An aspirational work force can resort to
targets. With increased pressure, the risk of fraudulent unethical ways of meeting business targets, thereby
activity can tend to escalate due to the sensitivities putting the bank at risk to fraud and reputational
involved in cases of missed earnings or perceived bad damage. A number of instances of employee-external
news. With employee compensation increasingly being party collusion have been seen in recent incidents of
tied to performance, it may therefore drive individuals to payment fraud and account take-over.
achieve overly optimistic results.

“Fraud and its redressal is a major concern area for the

banking sector and across all portfolios - retail, corporate,
and priority sector. The State Bank of India has put in place
frameworks that enhance the existing state of controls to
deter fraud. In addition to these measures, it is also important
to develop an organizational culture of zero tolerance towards
fraud. Such a culture can, in the long term, fortify fraud risk
management efforts at banks and help reduce incidents of
fraud."

B Sriram
Managing Director & Group Executive (National Banking)
State Bank of India

12
Impact of fraud

Some of the recent fraud incidents in India reported by Figure 5: What was the nature of the non-financial loss that your
the media relate to fixed deposits, loans disbursement or organization suffered, due to the impact/ incident of fraud?
extending credit facilities for bribes, phishing and other
internet/ ATM based frauds. These high-profile cases in
recent times have shown that frauds not only undermine
profits, operating efficiencies and reliability of services
but can also have a severe impact on an organization’s
reputation. In addition to potential fines levied by
regulatory bodies, it can have a negative impact on
employee morale and investor confidence. Survey
respondents have concurred with this. 14% 20%

23%
“…Any dent in the
confidence of the
stakeholders in the 33%
1%
banking system will result 9%
in huge reputational and
operational risks for the
banks, adversely affect
Loss of productivity
public perception and Reputational impact
No loss
undermine faith in the Negative impact on customer accounts
financial system….” Regulatory or other compliance issues
All of the above

Survey statistics also reveal that the frequency,

Sashi Jagdishan volume and the gravity of instances of fraud has
Finance Division gone up over the past few years. More than half
Corporate Office of the respondents indicated that they were able
HDFC Bank to recover less than 25 percent of the losses due to
fraud. Combined with a rise in the number of fraud
incidents and the loss incurred per incident, it is
possible that fraud may be significantly impacting
profitability and perhaps partially contributing to the
rising NPA levels.

India Banking Fraud Survey Edition II 13

Section 2
Reliance on traditional channels
for fraud detection
Unearthing fraud

Although organizations can never eliminate the risk of Figure 6: How is a fraud incident involving your organization
fraud entirely, it is important to have controls that can typically detected?
effectively detect and prevent fraud. Efficient internal
controls and data analytics can help identify frauds faster
and thereby help banks limit the losses incurred.
During account audit/
Survey respondents indicated that frauds in their reconciliation Through automated data
organizations were most commonly detected through analysis or transaction
Internal whistleblower/ monitoring software
customer complaints, followed by an internal or external
anonymous complaint 18
tip3, which is in line with global trends.

18 16
The role of internal audit teams is expanding to include
fraud risk management. An RBI circular on inspection At the point of
transaction
and audit systems in banks4 notes the failure of internal
audit teams to highlight the existence of irregularities
such as improper credit appraisal, disbursement
By a customer 21 10
complaint
without observing the terms of sanction, failure to
exercise proper post-disbursement supervision, and
suppression of information relating to unauthorized
excess withdrawals. The circular has proposed a series
Review by a law 4 7 Through a third
of changes to the Internal Audit function to improve party notification
enforcement agency
its effectiveness starting with expanding the coverage
6
of the function itself. Internal Audit teams are expected
to specifically report on the position of irregularities in
branches, analyze and make in-depth studies of the
corruption/ fraud prone areas,(such as appraisal of credit By accident
proposals, balancing of books, reconciliation of inter-
branch accounts, settlement of clearing transactions,
suspense accounts, premises and stationery accounts)
during the course of their inspection; thereby leaving
no scope for any malpractices/ irregularities remaining
undetected. These appear to have borne some fruit as
respondents have indicated that they rely heavily on
audit/ reconciliation as one of their primary modes of
fraud detection.

Despite these changes, the inherent nature of internal

audits tends to be limited, relying on scrutinizing a
small sample size for fraud and irregularity. In such
cases, fraud may continue to be perpetrated, if the
related transactions fall outside of the audit sample,
making it difficult to detect. In our experience, frauds
detected primarily through internal audit have existed
on an average for 12-18 months, prior to detection,
significantly increasing the fraud loss amounts and
making recovery difficult. 3
Source: ACFE 2014 Global
Fraud Study
Internal auditors should therefore, while planning their
4
Source: RBI Master circular on
Inspection and Audit Systems
in Primary (Urban) co-operative
banks, 2013

India Banking Fraud Survey Edition II 15

annual audit plan, consider the assessment of fraud
risks and review the management’s fraud mitigation
capabilities periodically. They should also regularly and “The fraudster is always
closely communicate with those responsible for risk ahead of the controls or
assessment(s) in the organization to ensure that action,
if required, can be taken in time. Internal auditors, other risk mitigants which will be
than spending adequate time and attention to evaluating put in place by the Banks.
the framework and internal controls related to fraud risk
management, should also have a well-defined response
However, Banks have to
plan to handle potential frauds uncovered during an be agile and think ahead
internal audit assignment.
of the fraudsters and put
Around 30 percent of our survey respondents have in place control measures
indicated that it took them 6-24 months to detect quickly. The cat and mouse
fraud. Close to 22 percent of survey respondents said
they could recover only up to 25 percent of the fraud game has been going on in
loss amount. These statistics indicate a move towards the past and will continue
reliance on multiple channels, including technology
based channels, to detect fraud, as indicated by a
to be in future, but Banks
significant percentage of respondents. have to devise ways to be
ahead.”
In this context it is interesting to note the use of
whistleblowing channels by banks to detect fraud.
According to the Association of Certified Fraud
Examiners (ACFE), organizations with whistleblower
hotlines experience frauds that are 41 percent less costly,
and are able to detect frauds 50 percent faster compared
Sanjeeva Murthy
to organizations that do not have such a channel5. Executive Vice President
However, in our experience we have observed that
Indian companies tend to approach whistleblowing with
- Compliance
a ‘tick in the box’ mentality, often resulting in ineffective Kotak Bank
and poorly managed whistleblower programs.

The success of a whistleblowing program lies in its

adoption by employees and third parties such as
customers and business partners. For Indian banks
operating across different geographies, it becomes
paramount to invest in a robust whistleblowing program
that is not confined to one language, limited operating
hours and selectively accessible to certain employees
(e.g. only mid-level employees). Further, banks must
institutionalize training programs to encourage
employees to blow the whistle when they see or hear
anything suspicious or seemingly unethical.

5
Source: ACFE 2014 Global
Fraud Study

16
Deloitte Point of View
Forensic Data Analytics - The
new frontier to detect fraud

With banks facing heightened regulatory and public Banks can reshape their fraud detection efforts using
scrutiny in many countries, using advanced analytics to advanced analytics and related tools, software and
help identify potential fraud, committed by employees, applications to obtain more efficient oversight. These
customers, and third parties may be a strategic and steps can not only help enhance fraud deterrence, but
operational imperative. Analytics has the potential to help also show regulators an enterprise-wide commitment
banks refine the way they perform monitoring that will to enforcing an effective anti-fraud strategy. The below
allow them to detect and identify potential fraud prior to chart shows some key methodologies and actions that
the launch of a formal investigation/ inquiry. banks can consider:

Methodology Action Benefits

Risk-based Define specific analytic tests based on results Management of exposed areas
from risk assessments through targeted testing
Focus analytics on high-risk products and Improved fraud mitigation planning
portfolios
Constantly Incorporate feedback from periodic reviews Reduced false positives and risk of
evolving Perform statistical analysis to create custom missed violations
thresholds and apply sensitivity analysis for Less human effort needed in the
alert tuning long-run
Predictive Use profiling and association of algorithms to Enhanced ability to predict fraud and
couple high-risk entities with nature of parties involved
fraudulent activity Improved effectiveness of pattern
Apply results from visual and text analytics to recognition
train models
Integrated Enhancing central datasets with data from Greater insights and holistic view of
additional departments operational data
Combine structured and unstructured datasets Improved risk-scoring of analytic tests
in a single platform

India Banking Fraud Survey Edition II 17

Another emerging tool that banks can use to detect Sample 1- Link analysis depicting fund movement/ transactions that reflect a
frauds is data visualization. We are seeing global money trail through multiple banks and bank accounts
adoption of these technologies in leading banks. Built on
the premise that human beings assimilate information
better in visual format, than numerical format, this
tool provides a visual representation of data patterns
and outliers to translate multidimensional data such
as frequency, time and relationships into an intuitive
picture. This can be useful in identifying hidden and/ or
indirect relationships, demonstrating complex networks
involving multiple layers and/ or several intermediaries
and tracking the movement of money especially in anti-
money laundering investigations and diversion of funds
by borrowers. Data can also be represented geo-spatially,
to show interactions between data such as financial
transactions, asset information, customer data and
contracts, references to places, names and addresses.

Today, regulators are already beginning to use proprietary

risk analytics to identify inconsistent investment returns,
fraudulent valuations, and improper use of assets. While
many banks may already be using analytics to uncover
frauds, they can most likely benefit by expanding
their capabilities to implement a fraud detection and Sample 2 - Geo spatial data representation showing select locations with
deterrence strategy with a larger scope to include certain defaults across different product categories
methodologies mentioned above.

Personal Loans Credit cards Mortgages Auto loans

18
Response to fraud

An organization’s response to fraud is crucial as it has forensic technology tools for investigation, and that these
the ability to prevent future occurrences. Any response tools were effective (elaborated in the next section).
to fraud should be swift and effective so as to percolate
the right message to employees. An RBI circular dated It is important to understand that fraud investigation
September 20096 requires banks to investigate frauds of requires specific skill sets like forensic accounting and
large values with the help of skilled manpower in order to technology to collect adequate evidence. While the
effectively take internal punitive action against the staff evidence unearthed by a fraud investigation can vary on
in question along with external legal prosecution of the a case-to-case basis, typically, it needs to be relevant and
fraudsters and their abettors, if required. comprehensive to be admissible in a court of law. Certain
additional aspects such as the source of the evidence, a
Figure 7: In your organization, what is the typical legitimate witness, electronic evidence and data etc., can
response to a fraud incident? all add credibility to the case. In the absence of these,
organizations may not have the confidence to take legal
recourse or action on the fraudster which could be one
of the reasons why banks may not be reporting all the
cases to law enforcement agencies.

46% 32%

14% 8%

An internal investigation is carried out

Incident is reported to a law enforcement agency
Individual in question is asked to resign
External investigation by an independent consultant

In line with RBI’s recommendations, the majority of the

survey respondents indicated that upon the detection
of fraud, they carried out internal investigations, while
others reported the incident to a law enforcement
agency. It is interesting to note that only 8 percent of
survey respondents indicated using an independent
consultant to carry out investigations. While the
responses received in our survey indicate that banks have
set up a dedicated fraud investigative cell (elaborated
in the next section), it appears to be hampered by the
6
Source: RBI circular dated
lack of dedicated technology tools for investigation. A
Sept 16, 2009 titled ‘Fraud
little over 40 percent of survey respondents indicated Risk Management System in
they had not started implementing dedicated forensic banks – Role of Chairmen/
Chief Executive Officers’:
technology tools for investigation, whereas, 20 percent
http://rbidocs.rbi.org.in/rdocs/
of respondents had partially implemented these tools. notification/PDFs/DRAC160909.
Only 20 percent indicated that they had implemented pdf

India Banking Fraud Survey Edition II 19

Section III
Fraud risk management
at Banks

20
The current status of
anti-fraud programs

The key to any anti-fraud program is to have a framework components can be daunting for any organization. The
in place that will not only prevent fraud but also be able key features which should necessarily be part of any
to detect fraud incidents in real time. However, the task organization’s fraud risk management program include
of developing and maintaining such a robust enterprise- the following:
wide anti-fraud program with proactive monitoring

Preventive mechanism

Detective mechanism Response mechanism

An effective fraud risk management solution can help it difficult to integrate with applications/ tools (such as
banks manage fraud risks in a manner consistent with integrating online transactions and ATM transactions, and
regulatory requirements, as well as with the entity’s integration between retail banking, corporate banking
business needs and marketplace expectations. Through and private banking transactions); however, over 80
this survey, we asked banks about the various anti-fraud percent of them find their current controls to be largely
measures that they had adopted. effective. Further, in terms of the implementation status
of various anti-fraud programs, it is heartening to note
Survey respondents have highlighted that they face that banks have progressed across several parameters
certain challenges in maintaining the efficiency of anti- compared to the last edition of our ssurvey, taking
fraud security controls at an enterprise-wide level, such cognizance of the impact of fraud on their organization.
as struggling to work across channels and/ or finding

India Banking Fraud Survey Edition II 21

Figure 8: What is the status of the following measures in your organization?

Customer screening against negative list

Employee background check

Vendor/ third party due diligence

Fraud awareness training

Whistleblower hotline

Employee code of conduct

Fraud risk assessment

Dedicated forensic technology tools for investigation

Intelligence gathering mechanism

Dedicated fraud investigative cell/ team and
associated process
Fraud control strategy and policies
Fraud control organisation structure including a
clearly defined reporting structure
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Not started Just started Implemented and effective

Planning to start in the next few months Partially implemented Implemented but not effective

Around 43 percent of the survey respondents appear helps reduce the risk of employing people with a
to have an effective intelligence gathering mechanism, checkered past or those who claim to have qualifications
compared to 28 percent from our previous survey in they do not possess. It allows organizations to have
2012. Such an intelligence gathering mechanism can greater confidence in the work ethics of their employees.
enable banks to identify weaknesses inherent to their We recommend that banks undertake the following
process, and also be used to identify new threats hitherto pre-employment checks at the minimum:
unknown.

Only half of the survey respondents indicated having an

effective risk assessment program; however, more than
two-thirds of the survey respondents indicated that they
have effective fraud control strategy and policies in place.
A fraud control plan describes an organization’s approach A quick analysis of the survey findings also indicates that
to controlling fraud. It includes actions to be taken to banks need to immediately focus and speed up their
reduce the fraud risks identified through the fraud risk efforts in the following areas:
assessment process and assigns responsibility for their
treatment. In case the fraud risks are not identified, the Conduct regular fraud risk assessments
fraud prevention controls will be rendered inadequate, Existing processes within the bank must be
posing a challenge to fraud risk strategy at banks. regularly challenged to unearth gaps in the
controls environment. Once this is done, the fraud
A significant proportion of survey respondents have risk exposure should be assessed periodically to
indicated that employee background checks, while identify specific potential schemes and events that
implemented in the organization, are not effective. In the organization needs to mitigate. A good fraud
our experience, more often than not, employees who risk assessment should necessarily answer three
engage in unethical behavior or commit fraud tend to questions.
have a history of dishonesty. Pre-employment screening - Am I aware of all the fraud scenarios in my

22
 immediate environment? Figure 9: According to you, over the next two years, will the cost of anti-
- Do I have the necessary controls in place? And fraud measures (already adopted or to be adopted) in your organization
am I aware of how a potential fraudster can increase?
override or circumvent existing systems and
controls? Yes
- How is the effectiveness of controls monitored? Can’t say

Further, a team of specialists can be instituted to collect 83% No

information on the latest fraud schemes and test existing

controls for vulnerability. Many banks may have such a
team as part of their fraud investigation units.
14%
Invest in an intelligence gathering mechanism
“Mystery Shopping” or “Market Intelligence” is an
important element of fraud vulnerability assessment.
This will enable banks to not only test the efficacy of
3%
controls to existing and new fraud scenarios but also
have the ability to identify collusion, if any, which
could result in circumvention of controls. This can
also be leveraged in providing objective and accurate
information on individuals and entities in the context Overall, a significant majority of respondents have
of due diligence, litigation support, fraud, asset indicated that they plan to invest in enhancing or
tracing and business investigations. implementing certain anti-fraud measures. While these
costs largely cover elements that fall within a fraud risk
Use dedicated forensic tools during an management framework, it indicates that banks have
investigation process realized that managing the risk of fraud is a continuous
Today’s business environment generates vast process that will need regular investment in order to
amounts of data. The key to a successful meet current challenges as well as future fraud scenarios.
investigation is to not only manage this data and
turn it into meaningful information, but also collect,
preserve and analyze large and disparate data to "In today's world, fraud is a continuous and
support or refute facts and allegations of a case.
Forensic tools can be used to navigate IT systems
rapidly evolving threat. There is no such
for evidence of malfeasance, such as information thing as perfect security, so it is critically
deletion, policy violations and unauthorized access.
A wealth of information can be recovered from
important that, we, the leaders in the field
computers, including active, deleted, hidden, lost of financial crime prevention, work together
or encrypted files or file fragments which can be to establish strong relationships and trust, to
presented in a court of law. These include tools for
forensic imaging, electronic discovery, data anomaly prevent, detect and respond to these threats
detection and records management which can effectively and efficiently.”-
help banks and their legal counsels in handling and
analyzing large and complex data issues to help
support their cases.
Dr. Sanjay Chougule
Global Head - Internal Audit
& Financial Crime Prevention
ICICI Bank Ltd.
India Banking Fraud Survey Edition II 23
Being proactive in managing the
risk of fraud
To be or not to be, therein lies
the question
Survey respondents indicated that the top three Figure 10: What are your organization’s biggest challenges to fraud
challenges faced by banks in preventing fraud were: lack prevention?
of customer/ staff awareness; integration of data from
various source systems; and inadequate fraud detection
tools.
Lack of customer awareness
Employees are often the first ones to detect fraud. 23% 20% 18%
Difficulty integrating data from
Organizations that have effective anti-fraud training various sources
programs experience less-costly losses, quicker Lack of staff awareness
resolutions of fraud cases, and an enhanced reputation Inadequate fraud detection tools
for customer protection7. Targeted fraud awareness and technologies
training for employees and managers is a critical 17% 8% 5% Difficulty investigating crimes
across borders
component of a well-rounded program for preventing
and detecting fraud. By implementing an effective fraud Insufficient resources

awareness program, management can harness the Poor coordination with

law enforcement
efforts of all staff members in its anti-fraud activities
and can significantly reduce the cost of fraud within the Organizational silos
5% 4%
organization. On a broad level, fraud awareness training
should include following key topics:

management involvement or of such allegations being

for (including behavioral signs)
ignored. Employees need to be made aware of these
detailed processes around how their complaints will be
and the process of dealing with complaints
handled, so that they can gain trust in the system.

As new regulations such as the Companies Act, 2013,

On the technology front, banks have been struggling
place greater emphasis on the presence of a vigil
with a number of legacy applications catering to various
mechanism to mitigate fraud risks, banks must ensure
aspects of their operations. These systems often result in
that their employees are aware of their organization’s
islands of information with limited data in a format that
whistleblower program. In our experience, little effort is
may be incompatible with the rest of the organizational
taken to sensitize employees on how their complaints are
data. Additionally with sophisticated anti-fraud solutions
managed as well as how the whistleblower and suspect
requiring varied types of data inputs for analysis, banks
are dealt with throughout the investigation process.
are realizing that they may not have been capturing the
A clear and well-documented process for managing
requisite information in their existing system, resulting in
complaints can give greater confidence to employees to
lack of sufficient data for meaningful analytics.
report suspicions.

For instance, the processes required to establish

allegations involving junior or middle ranking staff tend
to be fairly straightforward across most companies.
Either internal or external investigators are appointed
to review the matter and report the allegations that
are raised. Usually, an appropriate senior manager will
then deal with the matter after seeking advice from the
Legal and/ or HR teams. However, if the allegation is
against a senior manager, the situation can become a
little complicated. Companies without a robust policy
for dealing with such a scenario, mostly, run the risk of 7
Source: ACFE 2014 Global
such investigations becoming compromised by senior Fraud Study

24
Getting it right: Defining
the role of technology

In the realm of fraud detection, the ability to reveal Figure 11: Have you implemented a dedicated fraud detection/analytics
relationships, transactions, locations and patterns solution to identify red flags?
can make the difference between uncovering a fraud
scheme at an early stage as opposed to having it
Not satisfactory
grow into a major incident. From money-laundering
schemes to anti-corruption laws, from manipulating
22%
financial statements by reporting fictitious revenues to Satisfactory in
inappropriate sanctioning; forensic analytical tools can certain areas
help explore data and quickly identify errors, irregularities
and suspicious transactions embedded within your day to 53%
day business, thereby providing clarity to concerns raised
by managers and employees. 25% Satisfactory

According to the responses received, a little over half of

the survey respondents appear to have implemented a Yes No In the process of implementing
dedicated fraud detection/ analytics solution. However,
interestingly only one in every three respondents who
has implemented such a solution appears to be entirely
satisfied with it. In our experience, banks are trying to Figure 12: Which areas do you feel are the most important and are crucial to
leverage their existing transaction monitoring tools for an anomaly detection solution?
fraud monitoring. Many are of the opinion that existing
tools in the market are expensive/ ineffective with a few
indicating insufficiency of data for non-implementation.

It was interesting to note that a large number 29 27 19

of respondents sought technology to help them
either highlight red flags where controls have been
circumvented or where controls need to be enhanced. In
Ability to highlight red Ability to identify where Provide enhanced
our opinion, this could be because banks have realized flags where controls are enhanced controls are tracking of high-risk
that ‘deviation from existing controls by line managers/ being circumvented needed customers
supervisors’ is one of the major causes of fraud in
the sector. With technology available which can help
banks detect these deviations in controls, the internal
audit team can also leverage this solution to undertake
forensic based audits8, which could go a long way in
enhancing the efficiency of detecting frauds in time.
13 12

Provide case Provide audit trails

management abilities
8
A forensic based audit
approach is aimed at identifying
the health of internal controls
to prevent the risk of fraud
and to safeguard assets. A
regular internal audit is aimed
at providing assurance to the
company that the financial
statements, in all material
respects, fairly state the
company's financial position as
of a certain date.

India Banking Fraud Survey Edition II 25

Section IV
Emerging fraud risks
The advancement of technology in providing innovative Figure 13 A. Current fraud risks that are of high concern to banks/
services, combined with the explosive growth in financial institutions
internet banking, has permanently altered the business
landscape and how banks manage this risk. Internet E-Banking Identity Collusion Funds Bribery Others
banking (credit fraud between transfer and (please
While cybercrime as a trend is not to be ignored, the and card, employees fraud corruption specify)
actual losses are, at times, not significant enough to a ATM debit and
bank’s financials. The potentially greater impact from fraud card etc.) customers
cybercrime is on customer and investor confidence,
reputational risk, and regulatory impact that together
add up to substantial risks for financial services
companies. These issues ultimately have the potential to
impact the reliability of a bank and in extreme cases may 24% 18% 17% 15% 13% 7% 6%
lead to a systemic crisis.

With organizations increasingly depending on

technology, it is perhaps not surprising to find that
cybercrime continues to increase in volume, frequency Figure 13 B.: New fraud trends that banks believe will be areas of concern
and sophistication. This includes ATM skimming, in the next two years
phishing/ vishing and misuse of credit and debit cards.
Additionally, when asked to select the top three areas 23%
which were giving ‘sleepless nights to bankers’, it was
no wonder that Internet Banking/ ATM fraud, E-Banking 16%
and Identity fraud were the top culprits. Interestingly,
in addition to the above as a future fraud concern,
mortgage portfolio also appears to be increasingly
14%
vulnerable to the risk of fraud.
10%
These concerns appear to be in line with overall statistics
available in India as well as the global trend. India itself, 37%
has witnessed a massive surge in cybercrime incidents
Note:Out of the 15 options provided to the respondents, we have provided a synopsis of the
in the last ten years - from just 23 in 2004 to 72,000
top 4. Each individual option under ‘Others’ accounts for 3 to 4 percent each and has
last year. As per the government's cyber security arm hence been clubbed.
Computer Emergency Response Team-India (CERT-In)
ATM/ ABM (skimming, ram raid etc.)
62,189 cybersecurity incidents were reported in just the
Phishing/ vishing
first five months this year 9.
Mortgage
Credit/ debit card
On a global level, the likely annual cost to the economy
Others (includes options such as third party POS
from cybercrime is estimated to be more than $400 skimming, account takeover fraud, IP theft, money 9
Source: Story reported on
billion10 . Additionally, a global survey of corporate laundering etc.)
17 Oct 2014 and published
C-level executives and board members (conducted last in The Times of India - http://
year) revealed that cyber risk was now the world’s third timesofindia.indiatimes.com/
tech/tech-news/Cybercrime-
corporate-risk priority overall 11. Interestingly, the same
cases-shot-up-in-last-10-
survey from 2011 ranked cybersecurity as only the years-Telecom-minister/
twelfth highest priority; a rapid rise explained perhaps in articleshow/44846265.cms
10
part by the evolving nature of the risks themselves. Source: “Net losses :
Estimating the global cost
of cybercrime” published by
McAfee in June 2014
11
Source: “Risk Index 2013”,
Llyod’s, July 2013

India Banking Fraud Survey Edition II 27

How are banks fighting
this menace?

Business and technology innovations that the banking Figure 14: Select the top three, out of the following, that you feel will be
sector is adopting in their quest for growth are in turn the greatest impact of a cybercrime attack
presenting heightened levels of cyber risks. These
innovations have likely introduced new vulnerabilities Cost of investigation
04
and complexities into the overall ecosystem. For and damage control
22 Reputational damage
example, the continued adoption of web, mobile,
cloud, and social media technologies has increased
opportunities for attackers. Similarly, the waves of Regulatory risks 07
outsourcing, offshoring, and third-party contracting
driven by a cost reduction objective may have further
diluted institutional control over IT systems and access
points. These trends have resulted in the development
of an increasingly boundary-less ecosystem within which
banking companies operate, and thus a much broader 22 Theft or loss of
personal identifiable
“attack surface” for the threat actors to exploit .
12
information

It therefore becomes essential for organizations to

try and keep pace with these new emerging threats. 09
The root causes of cybercrime, according to the Service disruption
25
Actual financial loss
respondents, lie both internally as well as externally.
from cybercrime 11
activity IP theft, including
Cyberattacks on financial institutions are both theft of data
increasingly diverse - and therefore unpredictable - and
are also here to stay. Many of these continue to be
driven, as we know, by financial gain, however the Exhibit 2: A diverse array of cyber attack actors and impacts
impact of cybercrime is not just financial, but also on
A typical cyber risk heat map for the banking sector
the organization’s reputation and customer confidence.
With grave consequences such as these, financial IMPACTS Financial Theft of Business Destruction Reputation Threats Regulatory
institutions need to necessarily ‘beef up’ their security theft / intellectual disruption of critical damage to life /
fraud property infrastructure safety
controls which currently, as per the responses received, ACTORS on strategy
appear to be focused on more traditional channels such plans
as firewalls (and other perimeter controls), encryption Organised
including VPN, and anti-virus/ anti-malware solutions. criminals
Since the tactics used by cyber-criminals to target Hactivists
sensitive financial data are sophisticated and constantly Nation
changing. So, too, must the security controls financial - states
institutions have in place, in order to not only stop the Insiders
next cyber-threat, but also be resilient to such attacks. Third
parties
An illustrative cyber threat landscape for the banking Skilled
individual
sector (Exhibit 2) suggests the need for firms to consider
hackers
a wide range of actions and motives when designing
a cyber-risk strategy. This requires a fundamentally
Very High High Moderate Low
new approach to the cyber-risk appetite and the
corresponding risk-control environment. Source: Deloitte Center for Financial Services analysis
12
Acknowledgment:
“Transforming cybersecurity,
New approaches for an
evolving threat landscape”,
Deloitte Center for Financial
services, Published in 2014

28
It was however encouraging to note that respondents
have started actively addressing this threat on three
fronts:
1. They are not only monitoring these threats by
creating a separate in-house team of specialists,
but also organizing regular awareness trainings/
workshops and periodic fraud risk assessments.
2. Additionally, banks are securing their boundaries by
investing in firewalls, increased access management
technology and database security tools including
scanners. One of the reasons for increased spending
in technology could be attributed to this.
3. Given the fact that banks have identified both
internal and external factors as key culprits, one of
the key risk management principles to consider is
‘customer awareness’. While banks are undertaking
customer education on the ‘Do’s and Dont’s’ of
using internet banking and making transactions
through credit cards/ ATM facilities, there needs to
be a lot more awareness creation. RBI is cognizant
of this fact and has insisted on twin factor
authentication for all transactions over the internet,
which can help lower frauds in online transactions.
However, it would also have a positive impact to
have an industry body undertaking such a program
at a national level. This body can not only help in
data dissemination (at an industry level) but also
provide recommendations to banks on the issues
faced by the industry including remedial measures.
This is also important to ensure that customers feel
safe while utilizing channels which have not only
helped banks lower their overall cost on transactions
but also in penetrating into newer markets through
innovative products.

India Banking Fraud Survey Edition II 29

Deloitte Point of View –
Managing cyber risks

The relationship between a fraudster and victim can prevent, but also detect, respond to, and recover from
be likened to a cat-and-mouse game, in which each the potential damage that results from these attacks.
side perpetually learns and adapts, leveraging creativity
and knowledge of the other’s motives to develop new Banks have traditionally focused their investments
offensive tactics and defensive postures. The relatively on becoming secure. However, this approach is no
static compliance or policy-centric approaches to security longer adequate in the face of a rapidly changing
found in many financial institutions may be outdated. threat landscape. Banks should consider building cyber
Today’s industry needs to create a dynamic, intelligence- risk management programs to achieve three essential
driven approach to cyber risk management not only to capabilities: the ability to be secure, vigilant, and resilient

Resilient

Vigilant
Establish the ability to quickly
return to normal operations and
repair damage to the business

Detect violations and anomalies through

Secure better situational awareness across
the environment

Enhance risk prioritized controls to protect against known

and emerging threats, comply with industry cybersecurity
standards and regulations

Source: Deloitte Center for Financial Services analysis

Being Secure Becoming vigilant

A good understanding of the known threats and Early detection, through the enhancement of programs
controls, industry standards, and regulations can guide to detect both emerging threats and the fraudster’s
financial services firms to secure their systems by design moves, can be an essential step towards containing and
and implementation of preventative, risk-intelligent mitigating losses. Incident detection that incorporates
controls. Based on leading practices, banks can build sophisticated, adaptive, signaling, and reporting systems
a “defense-in-depth” approach to address known and can automate the correlation and analysis of large
emerging threats. This involves a number of mutually amounts of IT and business data, as well as various
reinforcing security layers both to provide redundancy threat indicators, on an enterprise-wide basis. Banks’
and potentially slow down the progression of attacks in monitoring systems should work 24/7, with adequate
progress, if not prevent them. support for efficient incident handling and remediation
processes.

30
Building resilience
Resilience may be more critical as destructive attack
capabilities gain steam. Banks have traditionally planned
for resilience against physical attacks and natural
disasters; cyber resilience can be treated in the same
way. Banks should consider their overall cyber resilience
capabilities across several dimensions. First, systems
and processes can be designed and tested to withstand
stresses for extended periods. This can include assessing
critical online applications for their level of dependencies
on the cyber ecosystem to determine vulnerabilities.
Second, banks can implement good playbooks/ guides
to help triage attacks and rapidly restore operations
with minimal service disruption. Finally, robust crisis
management processes can be built with participation
from various functions including business, IT,
communications, public affairs, and other areas within
the organization.

Though financial institutions may acknowledge the

magnitude of the problem that cyber risks pose, not just
to them but also to the systemic stability of the market,
this imperative is not always adequately recognized or
accounted for across the enterprise. A deeper analysis
of the successes and failures of cyber threat programs
may suggest some of the following potential actions
that leaders can take to develop a more comprehensive
organizational approach to cyber risk management:
1. Address the organizational challenges with decisive
actions that recognize cybersecurity as a strategic
business problem, not just an “IT issue”
2. Cyber risk strategy to be driven at the executive level
as an integral part of the core company strategy
3. A dedicated cyber threat management team to
be established for a dynamic, intelligence-driven
approach to security
4. A focused effort to be placed on automation
and analytics to create internal and external risk
transparency
5. People and culture - The “people” link in the
defense chain can be strengthened as part of a
cyber-risk aware culture.

India Banking Fraud Survey Edition II 31

Conclusion

While fraud is not a subject that any organization wants Financial institutions that have the ability to respond
to deal with, the reality is that most organizations flexibly to the continuing series of regulatory changes,
experience fraud to some degree. The important thing coupled with effective risk governance, strong analytical
to note is that dealing with fraud can be constructive, capabilities, and clear and consistent risk data, may
and forward-thinking, and can position an organization be better placed to steer a steady course though the
in a leadership role within its industry or business ever-shifting risk management landscape. A proactive
segment. Strong, effective, and well-run organizations approach to managing the risk of fraud is one of the
exist because the management tends to take proactive best steps organizations can take to mitigate their
steps to anticipate issues before they occur and to take exposure to fraudulent activities. Although complete
action to prevent undesired results. elimination of all fraud risks is most likely unachievable
or uneconomical, organizations can take positive
It should be recognized that the dynamics of any and constructive steps to reduce their exposure. The
organization requires an ongoing reassessment of combination of an effective fraud risk governance, a
fraud exposures and responses in light of the changing thorough fraud risk assessment, strong fraud prevention
environment an organization encounters. Especially and detection strategies (including specific anti-fraud
given the unrelenting pace of regulatory change within control processes), as well as coordinated and timely
the banking sector, these stricter regulatory requirements investigations and corrective actions, can significantly
are demanding more attention from management, mitigate fraud risks. The important element to
affecting the profitability of different lines of business, remember therefore is that with evolving fraud threats,
and increasing costs of compliance. Financial institutions banking institutions’ defensive strategies also need to
therefore, should consider how their business models necessarily keep up. Firms that are able to institutionalize
will be affected by current and potential future new compliance in an effective and efficient manner could
requirements, and whether their risk management create competitive advantages, allowing them to best
programs have the ability to respond flexibly to the pursue their growth agenda.
ongoing process of regulatory change.

32
Section V
About the survey

India Banking Fraud Survey Edition II 33

This report presents the key findings from the second
edition of Deloitte’s ongoing assessment of fraud included private, public and multi-national banks in
and risk management practices survey in the financial India
services industry in India. The survey was conducted over
two months from August 2014 to September 2014, to than INR 2 Lakh crore and represented a range of
gather the views of key people/ senior management asset sizes. The majority of the respondents were
responsible for compliance and fraud risk management primarily with an asset base of more than INR 5,000
from varied financial institutions based in India. crore.

responsible for compliance or managing the risk of

fraud in their organization

Public sector banks Private sector banks Foreign banks

500 – 1000 crore

> 5000 crore

3000 – 5000 crore

<500 crore

Domestic operations Domestic base with operations Multinational operating

in foreign jurisdictions in India

36% 13% 11% 11%

Risk/ Fraud risk management department

Business function
Compliance department
9% 2% 18%
Audit
Operations
Legal department
Others

The previous edition of this survey was released in 2012;

where relevant, this report compares the current results
with those from the 2012 survey.

34
Contacts

Rohit Mahajan KV Karthik

Senior Director and Head Senior Director and FS Lead
Deloitte Forensic Deloitte Forensic
Tel: +91 22 6185 5180 Tel: +91 22 6185 5212
Email: rmahajan@deloitte.com Email: kvkarthik@deloitte.com

India Banking Fraud Survey Edition II 35

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of
member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred
to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and
its member firms.

This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide
general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). This material contains information
sourced from third party sites (external sites). DTTIPL is not responsible for any loss whatsoever caused due to reliance placed on information
sourced from such external sites. None of DTTIPL, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the
“Deloitte Network”) is, by means of this material, rendering professional advice or services. The information is not intended to be relied upon
as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect
your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this material.

©2015 Deloitte Touche Tohmatsu India Private Limited. Member of Deloitte Touche Tohmatsu Limited