Earlier this summer the Office of the Comptroller of the Currency released bulletin 2019-37, which provides supplemental guidance on corporate and risk governance, specifically targeting the management of fraud risk. The OCC has issued these principles to instill the importance of a “strong” and “sound” risk management system that encompasses governance, reporting, review and audit across institutions supervised by the OCC. The bulletin breaks these principles down under seven areas, which are summarized below in an overview format.
The OCC has detailed the following risk management principles:
Corporate governance practices should be sound and instill a culture of ethical standards, promoting employee accountability.
An institution’s risk management system and all it encompasses should “identify, measure, monitor, and control fraud risk consistent with… size, complexity, and risk profile.”
A risk management system and controls should be created to prevent, detect and respond to fraud, including suspected fraud or allegations.
The likelihood and impact of potential fraud schemes should be assessed and results incorporated into the risk management system.
“Senior management and the board of directors should measure, monitor and understand fraud losses”, as well as use tools to quantify and assess loss exposure.
“Control reviews and audits should include fraud risk as a part of their assessments.”
The OCC describes fraud as “an intentional act, misstatement, or omission designed to deceive others” that results in a loss to the victim or a gain for the perpetrator. Fraud is identified as either internal, committed by an employee or contractor of the institution, or external. External fraud is further characterized as first-party fraud, in which an external party commits fraud against the institution, or victim fraud, in which a customer is the victim of fraud. The OCC further elaborates on the impact of fraud and explains why fraud is considered a form of operational risk.
Governance is described as a critical component of controlling institutional exposure to fraud. The culture, tone and responsibility for ethical behavior, timely response to fraud, and appropriate oversight all begin at the top, inclusive of the board of directors. “A sound corporate culture should discourage imprudent risk-taking,” and steer away from programs and incentives that can increase behavior leading to fraudulent activities.
An institution’s risk management system should encompass sound fraud risk management principles, and incorporate assessment results to help evaluate and control fraudulent actions. Policies and processes should anticipate fraud and tap multiple controls to ensure governance and oversight are effective.
In this section of the bulletin the OCC lists examples of controls that minimize and deter fraud, as well as examples of controls that identify and respond to fraud after the fact. The use of software and technology tools to address fraud management and ensure proper controls is recommended; however, these solutions need to “evolve and adapt” in order to remain effective against fraud over the long term.
FRAUD RISK MEASUREMENT & MONITORING
It is important that senior management receive consistent reporting so there is a clear understanding of institutional exposure to “fraud risk and associated losses across all business lines and functions.” A number of examples of metrics that can be used to effectively measure and monitor fraud risk are also offered by the OCC.
FRAUD RESPONSE, REPORTING & INFORMATION SHARING
All policies, processes, and control systems need to support timely investigations, responses and reporting on both suspected and confirmed fraudulent activities. In addition to internal reporting requirements, institutions must file Suspicious Activity Reports (SARs), share this information with key governmental agencies, and perform other actions as required by regulation.
REVIEWS & AUDITS
Reviews and audits should align with an institution’s “size, complexity, organizational structure, and risk profile.” They should identify the effectiveness of internal controls and fraud risk management, and serve as a key defense against fraud perpetration. The OCC notes that reviews and audits include:
Quality assurance and quality control reviews
Independent risk management reviews
Internal and external audits
Retrospective reviews after fraud is identified
Third-party relationship audits consistent with contractual provisions
Any findings must be readily and thoroughly discussed with management and the board of directors. A timely determination should also be made as to whether findings of suspected fraud need to be communicated to the OCC.
The OCC is one of a number of government agencies that have oversight over industry institutions. Staying abreast of regulation, oversight guidance and investor guidelines is tedious at a high level, and even more complex when an institution looks at required quality control and specific audit activities. This recent bulletin also illustrates that easing of regulation is not on the immediate horizon. Now more than ever, it’s important to have a trusted quality control partner. With new providers continuing to enter the market, don’t be swayed by the next “shiny” solution; connect with an experienced QC partner like QMS. We know the importance of meeting requirements amidst growing competition, and will help maintain your culture in today’s unique environment.
The QMS suite of boutique services and automated solutions provides extensive flexibility in monitoring, measuring and auditing to ensure fraud risk is under control throughout your organization. We are the mortgage quality control and audit technology solutions company, delivering quality control and industry-required audits as our core product offering for over 20 years. Contact us today at 615.591.2528 to find out how QMS can help you meet the OCC’s expanded fraud risk management principles.