3 key aspects: data mining as a fraud prevention tool … · · 2011-01-18data mining as a fraud...
TRANSCRIPT
© IDM 2006
ASIS Spring Seminar2006
Data Mining as aFraud Prevention Tool
Richard Kusnierz
16th March 2006© IDM 2006
Data Mining
3 key aspects:Prevention
Detection
Investigation
© IDM 2006
Data Mining
Before we start, let usconsider why we work in theSecurity industry.
Who or what are we tryingto prevent and detect?
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
Joti De-Laurey35 year old motherStole £4.5 million
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
Kenneth LayEnronEnron’s debts of£23 billion
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
Simon BrophyLighting DirectorMillennium Dome£4 million fraudBogus CV
© IDM 2006
Company relationships
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
John RusnakAllied Irish BankRogue traderTrading losses of £540million
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
James Munroe£3 million FraudChief AccountantMc-Graw Hill
© IDM 2006
First, know your enemy
Who is this?
© IDM 2006
First, know your enemy
Nick LeesonRogue traderBarings Bank£800 million
© IDM 2006
Data Mining
Why do weneed datamining to
detect fraud?© IDM 2006
2005 Fraud barometer
72% of cases involve menOver half of internal fraudinvolves 2 – 5 employees40% of frauds involve the financedepartment
© IDM 2006
2005 Fraud barometer
Only one in four cases werediscovered by internal controls 31% of frauds were discoveredfollowing a whistle blowerWeaknesses in controls wereexploited by the fraudsters
© IDM 2006
Fraud
the problemwith fraud isthat there areno reliablestatisticsOnly a smallpercentage isreported
£14 Billion
£72 Billion
© IDM 2006
How is Fraud Identified?
Source : ACFE, Report to the Nation, 2004© IDM 2006
ANALYSIS OF THE MAIN PERPETRATORS OF CORPORATE
FRAUD
38%
11%11%10%
30%
single insider
multiple insiders
single external fraudstermultiple external fraudsters
collusion between internal and external
49%Insiders79%Includeselement ofcollusion
Why Use Data Miningto Detect Fraud?
© IDM 2006
JMLSG
UK Money Laundering Regulationsdate from 1993“it is also a separate offence under theML regulations not to have systems andprocedures in place to combat moneylaundering (regardless of whether or notmoney laundering is actually takingplace).”
© IDM 2006
Combating the financing ofterrorism
© IDM 2006
Think outside the box
Trusted employees know thesystemsTrusted employees commitfraud or steal informationEffective fraud detectionsystems need to be unexpectedand innovative
© IDM 2006
Know Your Customer
It is not only vital to KYC, butWho are your employees?
© IDM 2006
Know your employee
Implementing a balanced,considered mechanism to ensurethat an organisation minimisesemployee fraud contains manyelements, data mining can bepart of that
© IDM 2006
Data Mining Employeeinformation
Conflicts of interestauditsExternal referencedataExpenses, corporatecredit card spend
© IDM 2006
Perceived barriers
Review legislation, dataprotection and privacy inusing data
PersonalData
Pers
onne
l File
© IDM 2006
Walking a tightropePlan to use data miningRegister the purposeDP Adverse Impact AssessmentRun fraud workshops and gainemployee understandingInclude a new clause inemployment contractsUse staff handbooks
© IDM 2006
DPA RegistrationCan often be done onlineIs not a barrier to data mining,but
Needs legal advice as eachEU member state hasinterpreted the DataProtection Directive in itsown way
© IDM 2006
Perceived barriers
HR may object to theuse of personnel databecause:
Employment contractsare inadequate
They don’t understandHumanResources
© IDM 2006
Perceived barriersData mining seen as anerosion of theirresponsibilities
IT “own” data
Use of non standard,therefore not approved,software
Not a priorityITDepartment
© IDM 2006
External Reference Data
Internet sourcesDownload forfreeDifferent formatsMay not be valid
© IDM 2006
Insolvency Register
http://www.insolvency.gov.uk/bankruptcy/bankruptcysearch.htm© IDM 2006
Insolvency Register
© IDM 2006
Prohibited Individuals
http://www.fsa.gov.uk/register-res/html/prof_proh_indiv_fram.html© IDM 2006
Disqualified Directors
http://www.companieshouse.co.uk/ddir/
© IDM 2006
Fraud profiles
Key red flagsDuplicate dataInaccurate and misleadinginformationUnusual relationshipsUnusual or contrivedtransactions
© IDM 2006
Fraud profiles
© IDM 2006
Benchmarking
Risk Exposure (Static Profiles) - VAT tests on
22%
74%
3%1%
>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score
The number of suppliers in each risk category expressed as a percentage of all suppliers
Case Study plc© IDM 2006
ComparisonsCompany 1 - Risk Exposure
11%9%
34%
46%>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score
The number of suppliers in each risk category expressed as a percentage of all suppliers
Risk Exposure (Static Profiles) - VAT test on
7% 7%
45%
41% >= 9 (High Risk)
> 3 and < 9 (Medium Risk)<= 3 (Low Risk)
No Score
Risk Exposure (Static Profiles) - VAT test on
4% 5%
35%56%
>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score
Company 1
Company 2
Company 3
Risk Exposure (Static Profiles) - VAT test on
2% 13%
39%
46%>= 9 (High Risk)> 3 and < 9 (Medium Risk)<= 3 (Low Risk)No Score
The number of suppliers in each risk category expressed as a percentage of all suppliers
Company 4
© IDM 2006
Past Example (1)Internal focus
1,500 unverifiable supplieraddresses, £300 million spend inthree years1,000 suppliers with no bankdetails1,500 suppliers with no VATnumbers
© IDM 2006
Past Examples (2)
Publishing company$1.0 million advance paid intosuspense accountsubsequently transferred toLuxembourgemployee responsible for transfers“didn’t come back from holiday”
© IDM 2006
Past Examples (3)
Printing companydifferent addresses and post codesdifferent telephone numberssame fax numberprinters had over charged andwithheld rebatesContract renegotiated, £1,000,000recovered
© IDM 2006
Past Examples (4)
Maintenance group3 companies linked by commonaddresses2 non tradingheading for liquidationcontracts in excess of £360,000awarded in 1 year
© IDM 2006
Past Examples (5)
Venture capitalout sourced ITcollusive relationship betweensupplier and employeeby passed central purchasingbilled in excess of £150,000
© IDM 2006
Past Example (6)Facilities payment (bribe)
Single round value £70,000Company in MaltaNo record of organisation orperson in Google, research etc.Invoice was for consultancy inWest AfricaNo supporting documents
© IDM 2006
Past Example (7)Art gallery donation
round value £20,000six months in advance of artexhibitionexhibition cancelled, money neverreturnedart gallery was under majorrefurbishment
© IDM 2006
Past Examples (8)20 sequential invoicesaverage invoice value of about£3,500hand-written invoicesstarted mid year, no priortrading historyno one accepted responsibility
© IDM 2006
Past Examples (9)
Multiple applications to a Charitysame charity different locationsdifferent charity same locationscollusion between charity andapplicantsuse of accommodation addresses
© IDM 2006
Practical Considerations
There is no magic bullet to identifyall fraudFrauds, and consequently profiles,vary
© IDM 2006
Data Mining- in practice
1. Importation
8. Final reports 2. Pre-processing
3. Testing andanalysis ofinitial reports
4. Visualisation5. Initialinvestigation
6. Refinement
7. Additional data
© IDM 2006
Case Study One:FSA Compliance
Mutual Insurance companyAuthorised by FSAElectronic payment verificationSpot problems before theyhappened
© IDM 2006
Case Study OnePerform daily verificationSatisfy bank in USA that controlsare in placeCreate blacklists and whitelistsSatisfy FSA that money launderingprocesses are in placePrevent problems
© IDM 2006
Internet Blacklists
Bank of England Sanctions ListOFAC Specially DesignatedNames ListWorld Bank Debarred ListCompanies House DisqualifiedDirectors List
© IDM 2006
BANK OF ENGLANDSANCTIONS LIST
Blacklists: Bank ofEngland
© IDM 2006
OFACSDN LIST
Blacklists: OFAC
© IDM 2006
Blacklists: World Bank
© IDM 2006
Transaction Monitoring
© IDM 2006
Conclusion
Data Mining is a veryproductive and valuable toolIt can be used proactivelyand reactively depending oncircumstances
© IDM 2006
41 Madeley Road, Ealing, W5 2LSTel: +44-208-997 1933Fax: +44-208-810 7340E-Mail: [email protected] Coates Place, Edinburgh, EH3 7AATel: +44-131-225 7707Fax: +44-131-225 7708E-Mail: [email protected]
Contact Details