
Implement a fraud detection system.


CONTROL ID
13081
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

This Control has the following implementation support Control(s):
  • Update or adjust fraud detection systems, as necessary., CC ID: 13684


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Moreover, AIs should perform adequate identity checks when any customer requests a change to the customer's Internet banking account information (including resetting or reissuing of Internet banking password) or contact details (e.g. e-mail address, correspondence address or contact phone number) th… (§ 4.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should have a robust and effective automated fraud monitoring mechanism in place to detect, in a timely manner, suspicious Internet banking transactions and unusual activities ideally after taking into account their customers' Internet banking usage and behavioural patterns. For e-banking servic… (§ 8.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should assign sufficient designated staff with relevant expertise to promptly handle the alerts generated by their fraud monitoring mechanism if significant suspicious e-banking transactions or unusual activities are detected during or after office hours. AIs should also ensure that proper proce… (§ 8.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should perform adequate identity checks when any customer requests a change to the customer's account information (including resetting or reissuing of account password) or contact information (e.g. e-mail address, contact phone number, correspondence address) that are used by the customer to rec… (§ 4.1.7, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should have a robust and effective automated fraud monitoring mechanism in place to detect, in a timely manner, suspicious Internet banking transactions and unusual activities ideally after taking into account their customers' Internet banking usage and behavioural patterns. For e-banking servi… (§ 8.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should assign sufficient designated staff with relevant expertise to promptly handle and respond to the alerts generated by their fraud monitoring mechanism if significant suspicious e-banking transactions or unusual activities are detected during or after office hours. AIs should also ensure th… (§ 8.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • In addition to withdrawal, transfer, and other transactions, also the inquiry transaction, personal identification number input error, insertion of counterfeit or stolen card, and other incidents should be properly recorded and managed. (P10.7. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • If the functions as described above are not available, it is recommended that systems be set up for detecting falsification, double spending by unauthorized copying or other illicit actions. (P137.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Fraud analysis (Critical components of information security 22) iii. Bullet 9, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Risk based transaction monitoring or surveillance process needs to be considered as an adjunct. (Critical components of information security g) ¶ 2 12., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should implement robust fraud detection systems with behavioural scoring or equivalent; and correlation capabilities to identify and curb fraudulent activities. The FI should set out risk management parameters according to risks posed by cardholders, the nature of transactions or other risk f… (§ 13.1.8, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should implement real-time fraud monitoring systems to identify and block suspicious or fraudulent online transactions. (§ 14.3.1, Technology Risk Management Guidelines, January 2021)
  • documented and communicated procedures for incident monitoring and management of fraud, data leakage and identity theft; and (Attachment F 1(d)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • When incidents of fraud or suspected fraud are identified during the examination, the service auditor is expected to respond appropriately. For example, unless prohibited by law, regulation, or ethics standards, appropriate responses may include the following: (¶ 3.222, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determine whether instant issue cards are utilized and card company security procedures are implemented to limit potential fraud. (App A Objective 8:8c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The financial institution's use of a front-end fraud detection application either in-house design or purchased. (App A Tier 1 Objectives and Procedures Objective 6:9 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Commercially reasonable fraudulent transaction detection systems and routing number verification, (App A Tier 2 Objectives and Procedures K.4 Bullet 2 Sub-Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Procedures to identify, measure, and monitor fraud risk. (App A Tier 2 Objectives and Procedures M.3 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe how financial institution management monitors for fraud associated with RDC. (App A Tier 2 Objectives and Procedures N.14 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe how the financial institution attempts to mitigate fraud risks (e.g., duplicate check detection, establishing deposit limits, safeguarding checks). (App A Tier 2 Objectives and Procedures N.14 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Fraud tools and techniques. (AppE.7 Objective 3:4 g., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response (Layered Security Programs ¶ 2 Bullet 1, Supplement to Authentication in an Internet Banking Environment)
  • policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud; (Layered Security Programs ¶ 2 Bullet 7, Supplement to Authentication in an Internet Banking Environment)
  • Management should consider the potential for fraud when identifying, analyzing, and responding to risks. (8.01, Standards for Internal Control in the Federal Government)
  • The CSP SHOULD obtain additional confidence in identity proofing using fraud mitigation measures (e.g., inspecting geolocation, examining the device characteristics of the applicant, evaluating behavioral characteristics, checking vital statistic repositories such as the Death Master File [DMF], so … (4.2 ¶ 1.10, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • In the back-channel model, the subscriber is given an assertion reference to present to the RP, generally through the front channel. The assertion reference itself contains no information about the subscriber and SHALL be resistant to tampering and fabrication by an attacker. The RP presents the ass… (7.1 ¶ 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property. (T0479, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property. (T0479, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • collecting and analyzing data from reporting mechanisms on detected fraud to monitor fraud trends and using that data and information to continuously improve fraud prevention controls; and (Section III (B2) OMB Circular No. A-123 Fraud Risk Profile Requirements. ¶ 2 Bullet 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Management has overall responsibility for establishing internal controls to manage the risk of fraud. This includes reporting to the Agency's governance structure what actions have been taken to manage fraud risks and on the status of the Agency's Risk Profile. The Agency's Risk Profile as required … (Section III (B2) OMB Circular No. A-123 Fraud Risk Profile Requirements. ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • using the results of monitoring, evaluation, and investigations to improve fraud prevention, detection, and response. (Section III (B2) OMB Circular No. A-123 Fraud Risk Profile Requirements. ¶ 2 Bullet 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Within each Federal Agency, there is a shared interest for management and oversight of Federal grant dollars from both a financial management and grants management perspective. Leveraging the risk-based perspective, the internal controls framework should serve as a mechanism to ensure effective and … (Section VII (C) ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • One required Green Book principle that is absent from the current acquisition framework is management's consideration for potential fraud when identifying, analyzing and responding to risks. Agencies must consider fraud risks in their strategic plans, and ensure agency professionals involved in plan… (Section VII (B) ¶ 4, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 6-1-1304 (3)(a)(X), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 10 (a)(9), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity. (§ 12D-110.(a)(9), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity. (§ 501.716(1)(f), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity. (§ 715D.7.1.g., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 507-H:10 I.(i), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems; (Section 2 (3)(e), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action; (§ 47-18-3208.(a)(7), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; (§ 541.201 (a)(6), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or (13-61-304 (1)(h)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)