Fraud management and privacy regulations are integral to ensuring consumer trust and safeguarding the integrity of financial and online systems in the digital age. Both regulations and ethics play a role in any discussion of internal controls and fraud management.
The Association of Certified Fraud Examiners began a project in 2022 to map its fraud risk management best practices to the 2013 Internal Control—Integrated Framework from the Committee of Sponsoring Institutions of the Treadway Commission (COSO), of which the Institute of Management Accountants is a founding member.
COSO was formed in response to the corporate fraud and financial scandals of the 1970s and 1980s, and its first major project was the development of the Internal Control—Integrated Framework, released in 1992.
It provided a common definition of internal controls and established a comprehensive framework for evaluating internal control systems.
While they vary somewhat in approach, recent privacy regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Privacy Rights Act include directions on how institutions must manage personally identifiable information (PII).
For example, the California act may require institutions to provide a link on their homepage allowing consumers to opt out of sharing their PII with third parties. GDPR provisions mandate that data subjects may opt out of the processing of their data for marketing purposes.
Institutions that choose to ignore these requirements do so at their peril. Regulators appear to be taking increasingly aggressive enforcement actions, and violations of consumer privacy laws can result in fines totaling hundreds of millions of dollars.
But there are also important exceptions to these laws when it comes to essential business activities, such as fraud management. Fraudsters have no qualms about opting out of tracking if it makes it easier for them to steal from their victims. The GDPR recognizes this reality, noting that processing personal data to prevent fraud constitutes a legitimate interest.
Furthermore, the GDPR notes that decision-making based on profiling is expressly authorized for fraud prevention.
Fraud Management and Privacy Regulations
Automated systems and tools are improving every year at detecting fraud and fraud attempts. At the same time, these systems must be sophisticated enough to comply with the requirements of applicable regulations and rules. Fraud management systems need to be more effective at identifying and containing fraudsters, who constantly try to blend in just long enough to evade detection before moving on to the next institution to target.
Only by looking at past and current behavior can fraud management systems hope to spot fraudsters with the speed and accuracy needed to prevent and mitigate losses. These systems and technologies provide the context to identify and verify users' credentials, reducing both false positives and the onboarding of fraudsters.
Behavioral profiles that use biometric technology can detect the most subtle changes that signal fraudulent activity, such as fake identities, account opening by criminals, remote account takeover, and push payment fraud. Fraud management teams also gain additional data insights and visibility into the details of complex or multiple transactions, helping them confirm which transactions are suspicious.
When these signals are examined holistically and combined with entity resolution and network analytics, fraud specialists can automate user or customer screening to identify fake identities in real time.
Institutions must also be careful to adhere to ethical best practices by adopting clear and transparent policies that govern the use of technology and data tools. It is worth noting that not all biometric fraud detection systems and tools make use of PII, since its use may put institutions out of compliance with privacy laws.
Final Thoughts
The intricate dance between regulations, ethics, and fraud management showcases the need for balanced, forward-thinking measures. Rooted in the aftermath of financial scandals, organizations like COSO have long established frameworks to uphold internal controls, guiding bodies like the Association of Certified Fraud Examiners. Modern developments, such as the introduction of the GDPR and the California Privacy Rights Act, emphasize the protection of personal data, with hefty consequences for non-compliance.
However, they also acknowledge the essential role of data processing in fraud prevention. As fraud detection technologies become increasingly sophisticated, relying on behavioral profiles and biometrics, the challenge remains in ensuring these tools not only catch malefactors but also respect privacy regulations. It is a testament to the ever-evolving nature of the financial world that institutions must remain agile, always aligning with both ethical best practices and the latest in fraud prevention methodologies.