3 key aspects: data mining as a fraud prevention tool … · · 2011-01-18data mining as a fraud...

© IDM 2006

ASIS Spring Seminar2006

Data Mining as aFraud Prevention Tool

Richard Kusnierz

16th March 2006© IDM 2006

Data Mining

3 key aspects:Prevention

Detection

Investigation

© IDM 2006

Data Mining

Before we start, let usconsider why we work in theSecurity industry.

Who or what are we tryingto prevent and detect?

© IDM 2006

First, know your enemy

Who is this?

© IDM 2006


Joti De-Laurey35 year old motherStole £4.5 million

© IDM 2006


Who is this?

© IDM 2006


Kenneth LayEnronEnron’s debts of£23 billion

© IDM 2006


Who is this?

© IDM 2006


Simon BrophyLighting DirectorMillennium Dome£4 million fraudBogus CV

© IDM 2006

Company relationships

© IDM 2006


Who is this?

© IDM 2006


John RusnakAllied Irish BankRogue traderTrading losses of £540million

© IDM 2006


Who is this?

© IDM 2006


James Munroe£3 million FraudChief AccountantMc-Graw Hill

© IDM 2006


Who is this?

© IDM 2006


Nick LeesonRogue traderBarings Bank£800 million

© IDM 2006

Data Mining

Why do weneed datamining to

detect fraud?© IDM 2006

2005 Fraud barometer

72% of cases involve menOver half of internal fraudinvolves 2 – 5 employees40% of frauds involve the financedepartment

© IDM 2006

2005 Fraud barometer

Only one in four cases werediscovered by internal controls 31% of frauds were discoveredfollowing a whistle blowerWeaknesses in controls wereexploited by the fraudsters

© IDM 2006

Fraud

the problemwith fraud isthat there areno reliablestatisticsOnly a smallpercentage isreported

£14 Billion

£72 Billion

© IDM 2006

How is Fraud Identified?

Source : ACFE, Report to the Nation, 2004© IDM 2006

ANALYSIS OF THE MAIN PERPETRATORS OF CORPORATE

FRAUD

38%

11%11%10%

30%

single insider

multiple insiders

single external fraudstermultiple external fraudsters

collusion between internal and external

49%Insiders79%Includeselement ofcollusion

Why Use Data Miningto Detect Fraud?

© IDM 2006

JMLSG

UK Money Laundering Regulationsdate from 1993“it is also a separate offence under theML regulations not to have systems andprocedures in place to combat moneylaundering (regardless of whether or notmoney laundering is actually takingplace).”

© IDM 2006

Combating the financing ofterrorism

© IDM 2006

Think outside the box

Trusted employees know thesystemsTrusted employees commitfraud or steal informationEffective fraud detectionsystems need to be unexpectedand innovative

© IDM 2006

Know Your Customer

It is not only vital to KYC, butWho are your employees?

© IDM 2006

Know your employee

Implementing a balanced,considered mechanism to ensurethat an organisation minimisesemployee fraud contains manyelements, data mining can bepart of that

© IDM 2006

Data Mining Employeeinformation

Conflicts of interestauditsExternal referencedataExpenses, corporatecredit card spend

© IDM 2006

Perceived barriers

Review legislation, dataprotection and privacy inusing data

PersonalData

Pers

onne

l File

© IDM 2006

Walking a tightropePlan to use data miningRegister the purposeDP Adverse Impact AssessmentRun fraud workshops and gainemployee understandingInclude a new clause inemployment contractsUse staff handbooks

© IDM 2006

DPA RegistrationCan often be done onlineIs not a barrier to data mining,but

Needs legal advice as eachEU member state hasinterpreted the DataProtection Directive in itsown way

© IDM 2006

Perceived barriers

HR may object to theuse of personnel databecause:

Employment contractsare inadequate

They don’t understandHumanResources

© IDM 2006

Perceived barriersData mining seen as anerosion of theirresponsibilities

IT “own” data

Use of non standard,therefore not approved,software

Not a priorityITDepartment

© IDM 2006

External Reference Data

Internet sourcesDownload forfreeDifferent formatsMay not be valid

© IDM 2006

Insolvency Register

http://www.insolvency.gov.uk/bankruptcy/bankruptcysearch.htm© IDM 2006

Insolvency Register

© IDM 2006

Prohibited Individuals

http://www.fsa.gov.uk/register-res/html/prof_proh_indiv_fram.html© IDM 2006

Disqualified Directors

http://www.companieshouse.co.uk/ddir/

© IDM 2006

Fraud profiles

Key red flagsDuplicate dataInaccurate and misleadinginformationUnusual relationshipsUnusual or contrivedtransactions

© IDM 2006

Fraud profiles

© IDM 2006

Benchmarking

Risk Exposure (Static Profiles) - VAT tests on

22%

74%

3%1%

>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score

The number of suppliers in each risk category expressed as a percentage of all suppliers

Case Study plc© IDM 2006

ComparisonsCompany 1 - Risk Exposure

11%9%

34%

46%>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score


Risk Exposure (Static Profiles) - VAT test on

7% 7%

45%

41% >= 9 (High Risk)

> 3 and < 9 (Medium Risk)<= 3 (Low Risk)

No Score


4% 5%

35%56%

>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score

Company 1

Company 2

Company 3


2% 13%

39%

46%>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score


Company 4

© IDM 2006

Past Example (1)Internal focus

1,500 unverifiable supplieraddresses, £300 million spend inthree years1,000 suppliers with no bankdetails1,500 suppliers with no VATnumbers

© IDM 2006

Past Examples (2)

Publishing company$1.0 million advance paid intosuspense accountsubsequently transferred toLuxembourgemployee responsible for transfers“didn’t come back from holiday”

© IDM 2006

Past Examples (3)

Printing companydifferent addresses and post codesdifferent telephone numberssame fax numberprinters had over charged andwithheld rebatesContract renegotiated, £1,000,000recovered

© IDM 2006

Past Examples (4)

Maintenance group3 companies linked by commonaddresses2 non tradingheading for liquidationcontracts in excess of £360,000awarded in 1 year

© IDM 2006

Past Examples (5)

Venture capitalout sourced ITcollusive relationship betweensupplier and employeeby passed central purchasingbilled in excess of £150,000

© IDM 2006

Past Example (6)Facilities payment (bribe)

Single round value £70,000Company in MaltaNo record of organisation orperson in Google, research etc.Invoice was for consultancy inWest AfricaNo supporting documents

© IDM 2006

Past Example (7)Art gallery donation

round value £20,000six months in advance of artexhibitionexhibition cancelled, money neverreturnedart gallery was under majorrefurbishment

© IDM 2006

Past Examples (8)20 sequential invoicesaverage invoice value of about£3,500hand-written invoicesstarted mid year, no priortrading historyno one accepted responsibility

© IDM 2006

Past Examples (9)

Multiple applications to a Charitysame charity different locationsdifferent charity same locationscollusion between charity andapplicantsuse of accommodation addresses

© IDM 2006

Practical Considerations

There is no magic bullet to identifyall fraudFrauds, and consequently profiles,vary

© IDM 2006

Data Mining- in practice

1. Importation

8. Final reports 2. Pre-processing

3. Testing andanalysis ofinitial reports

4. Visualisation5. Initialinvestigation

6. Refinement

7. Additional data

© IDM 2006

Case Study One:FSA Compliance

Mutual Insurance companyAuthorised by FSAElectronic payment verificationSpot problems before theyhappened

© IDM 2006

Case Study OnePerform daily verificationSatisfy bank in USA that controlsare in placeCreate blacklists and whitelistsSatisfy FSA that money launderingprocesses are in placePrevent problems

© IDM 2006

Internet Blacklists

Bank of England Sanctions ListOFAC Specially DesignatedNames ListWorld Bank Debarred ListCompanies House DisqualifiedDirectors List

© IDM 2006

BANK OF ENGLANDSANCTIONS LIST

Blacklists: Bank ofEngland

© IDM 2006

OFACSDN LIST

Blacklists: OFAC

© IDM 2006

Blacklists: World Bank

© IDM 2006

Transaction Monitoring

© IDM 2006

Conclusion

Data Mining is a veryproductive and valuable toolIt can be used proactivelyand reactively depending oncircumstances

© IDM 2006

41 Madeley Road, Ealing, W5 2LSTel: +44-208-997 1933Fax: +44-208-810 7340E-Mail: [email protected] Coates Place, Edinburgh, EH3 7AATel: +44-131-225 7707Fax: +44-131-225 7708E-Mail: [email protected]

Contact Details

3 key aspects: data mining as a fraud prevention tool … · · 2011-01-18data mining as a fraud...

Documents