OCC – Fraud Risk Management Principles

06 August 2019

The Office of the Comptroller of the Currency (OCC) informs national banks, federal savings associations, and federal branches and agencies (collectively, banks) of sound fraud risk management principles. Fraud risk management principles can be implemented in a variety of ways and may not always be structured within a formal fraud risk management program. Regardless of the structure, fraud risk management should be commensurate with the bank’s risk profile. Banks with significant and far-reaching retail-oriented business activities should have well-documented fraud risk management programs with appropriate monitoring, measurement and reporting, and mitigation.


Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain. Fraud is typically categorized as internal or external.

  • Internal fraud occurs when a director, an employee, a former employee, or a third party engaged by the bank commits fraud, colludes to commit fraud, or otherwise enables or contributes to fraud.
  • External fraud consists of first-party fraud and victim fraud. External fraud is committed by a person or entity that is not a bank employee, a former employee, or a third party engaged by the bank.
  • First-party fraud occurs when an external party, including a bank customer, commits fraud against the bank.
  • Victim fraud occurs when a bank customer or client is the victim of an intentional fraudulent act.

Fraud schemes are often ongoing crimes that can go undetected for months or even years and can be time consuming and costly to address. It is often difficult to fully understand and quantify the extent of the fraud and the harm caused. Measuring losses associated with fraud is often an inexact process. Typically, the true cost of fraud is greater than the direct financial loss, given the time and expense to investigate, loss of productivity, potential legal and compliance costs associated with remediation, and impact on a bank’s reputation.

Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events. Operational risk management weaknesses can result in heightened exposure to fraudulent activities, which can increase a bank’s exposure to reputation and strategic risks. Failure to maintain an appropriate risk management system could expose the bank to the risk of significant fraud, defalcation (e.g., misappropriation of funds by an employee), and other operational losses.


Strong governance is of paramount importance to controlling the bank’s exposure to fraud, and a strong corporate culture against fraud is crucial regardless of a bank’s size or complexity. The tone at the top sets the foundation on which the bank operates. The board and senior management have a responsibility to lead by example and demonstrate that the bank is serious about promoting ethical behavior to deter and prevent fraud. The board-adopted code of ethics (or code of conduct) should encourage the timely communication and escalation of suspected fraud through the appropriate oversight channel.

The board is ultimately responsible for oversight but may delegate fraud risk management-related duties to specific committees (for example, the audit committee or operational risk management committee). The board also may delegate anti-fraud responsibilities to specific executives and managers, including those in charge of managing risks and controls. Roles and responsibilities should be clearly defined. The board should hold management accountable for effective fraud risk management and alignment of anti-fraud efforts with the bank’s strategy, objectives, risk appetite, and operational plans. While not all fraud can be avoided, an active board can foster an environment in which fraud is more likely to be prevented, deterred, and promptly detected. A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heightened fraud risk.

Risk Management

Sound fraud risk management principles should be integrated within the bank’s risk management system commensurate with the bank’s size, complexity, and risk profile. Bank management should periodically assess the likelihood and impact of potential fraud schemes and use the documented results of this assessment to inform the design of the bank’s risk management system and evaluate fraud control activities. Policies should clearly define, establish, and communicate the board’s and senior management’s commitment to fraud risk management. Processes should be designed to anticipate fraud and deploy a combination of preventive controls and detective controls. Detective controls are important because even with strong governance and oversight, collusion or circumvention of internal controls can allow fraud to occur. Some practices and controls may be both preventive and detective in nature. (…)

Fraud Risk Measurement and Monitoring

Senior management should understand the bank’s exposure to fraud risk and associated losses across all business lines and functions and use this information to effectively monitor and manage fraud risk. The board should receive regular reporting on the bank’s fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank’s fraud risk profile. Reporting should allow management and directors to measure performance. Practices can include benchmarking current fraud losses against loss history or industry data. (…)

Fraud Response, Reporting, and Information Sharing

A bank’s policies, processes, and control systems should prompt appropriate and timely investigations into, responses to, and reporting of suspected and confirmed fraud. Banks should have processes for internal investigations, law enforcement referrals, regulatory notifications, and reporting. A bank is required to file a suspicious activity report (SAR) for known or suspected fraud meeting regulatory thresholds. Reporting mechanisms should relay relevant, accurate, and timely fraud-related information from all lines of business to appropriate oversight channels.
Sound fraud risk management processes can include voluntary sharing of information with other financial institutions under section 314(b) of the USA PATRIOT Act. Pursuant to section 314(b), before exchanging information, the bank must register with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). Current section 314(b) participants may share information with one another regarding individuals, entities, organizations, and countries for purposes of identifying and, when appropriate, reporting activities that may involve possible specified unlawful activities. FinCEN has issued guidance clarifying that, if section 314(b) participants suspect that transactions may involve the proceeds of specified unlawful activities, such as fraud, under the money laundering statutes, information related to such transactions can be shared under the protection of the section 314(b) safe harbor.

Reviews and Audits

A bank should design and perform reviews and audits specific to the bank’s size, complexity, organizational structure, and risk profile. Reviews and audits should be designed to assess the effectiveness of the bank’s internal controls and fraud risk management. Effective internal and external audit programs are a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems. (…)

When auditing financial statements and asserting the effectiveness of internal controls over financial reporting, auditors must consider the risk of material misstatement due to fraud. If the auditor identifies that fraud may be present, the auditor must discuss these findings with the board or management in a timely fashion. The auditor must also determine whether they have a responsibility to report the suspected fraud to the OCC.

Findings and results from audits and reviews should be communicated to the relevant parties in a timely manner. Management should take timely and effective corrective action in response to deficiencies identified.

Read the full article on the website of the OCC.
