Wired-In Webinar: Insider Fraud – The ­­Post-Covid Aftermath

Posted on November 1, 2022
Written by Natalie Davies

Last week, we were delighted to be joined by the Head of Financial Crime Operations at Ziglu, Claire Maillet on the very first of our brand new webinar series, Wired-In. In a thought-provoking session, Claire shared how the cultural shift of remote mass working has created the highest rates of insider fraud in recent history, with the landscape calling for long-term strategies to address the matter.

Below, you’ll find a full transcript of the session. If you’d rather watch the session on-demand, simply click here to catch up on the recording from the webinar.

Webinar Transcript

Chris Bourne, Head of Marketing, NorthRow: Firstly, I would like to thank everyone that has joined this instalment of our WiredIn webinar series. This is actually our first month of running it in this format, and it’s great to see so many people interested in the insider fraud topic. We’ve had an overwhelming response to this webinar so, it’s great to actually see that. 

We’ll continue to run these sessions every month and we usually just focus on combating financial crime or adhering to ever-changing legislation which the Government is always putting out on a monthly basis. 

Just to introduce myself, I’m Chris Bourne. I’m the Head of Marketing for NorthRow and I’m just going to be the host for today. I am delighted to welcome Claire – I had some trouble with Claire’s last name, but apparently it’s Maillet so it’s one of those which can be difficult to pronounce! But hopefully, you can all see Claire there on your screen. 

Claire is currently the Head of Financial Crime Operations at Ziglu. She’s worked in financial crime prevention for about 8 years. Previously, she held roles with Amazon, Cifas, WorldFirst, Jaja Finance and if that’s not all, Claire is undertaking a PhD in Criminal Justice Studies at the University of Portsmouth. That looks into the vulnerabilities of FinTechs to insider fraud. 

But today, Claire is going to address the long-term adjustments to try and counteract insider fraud threats and adapt a new layered approach to that matter. 

So, Claire if you can just go to the next slide please? 

Claire Maillet, Head of Financial Crime Operations, Ziglu: Of course.

Chris B: I just wanted to do a quick blatant plug as we’re at the start of the webinar! If you don’t know who NorthRow is as a company. We are a software provider, we help compliance teams to make faster decisions, to onboard their customers quickly and safely, while also adhering to the ever-changing regulations that are always present. 

If you’d like to find out more about what we do, what we offer, just email marketing@northrow.com and that will come directly to me and my team. We can get in conversation with you and put you in touch with an expert at NorthRow.

Claire M: Hi everyone, thank you for joining. Today, as you’ve just heard, my name is Claire and I’m the Head of Financial Crime Operations at Ziglu.

Just so everyone knows, for those of you that haven’t met me before. I do have a stammer, as you may know. So if you feel like the Wi-Fi in your house isn’t quite right, it’s probably me so please don’t worry!

As has already been mentioned, I’m going to be talking about the aftermath of insider fraud in a post-COVID world. So, I hope you all find it insightful!

First of all, I’m going to talk about what insider fraud is. So it’s often known by a few terms. So there’s insider fraud, internal fraud and also occupational fraud. And by that, what we mean is essentially a staff member or prospective staff member who is perpetrating fraud against their own employer. 

Often when we talk about fraud, essentially we all tend to think of customers that will perpetrate fraud against our own business. But we don’t actually necessarily think of those who are actually working inside the company itself. 

As you all know, we are all coming out of the COVID world now – hopefully! As you may have seen, as a result of COVID, fraud as a whole has become spoken about on a much larger scale. Often because of the scams that were going round in relation to COVID, as well as the loan schemes and that sort of thing. So actually, as a result of COVID, if you can say there were any benefits from COVID, it’s actually helped financial crime to be placed on a higher level of importance and publicity than it was before. 

Because of COVID, most of us are now working from home or working remotely, if not all the time then most of the time. And this, essentially changes the way in which we work. So if you think back to when we were in offices, you could be sitting next to your boss or other colleagues and they would always know what work you were doing at the time. Even if it wasn’t in a ‘micro-managey’ kind of way, everyone sort of knew what people were working on at the time. 

But now, you can’t really keep tabs on what people are actually working on. And also, of course, if people are at home, our home lives become intermingled with our working lives. 

For example, if a meeting finishes a few minutes early, in the office there isn’t really that much you can do but if you’re at home you can put the washing on, you can do all sorts of home tasks that wouldn’t have been possible in the office. 

Our whole way of working has changed as a result of this. Of course, on the negative side, COVID led to a lot of economic problems, redundancies, job losses and the like which could also lead to people becoming more desperate to make money. In the most extreme of cases, you could be at risk of feeling that you need to lie on your CV in order to find work quickly if you have bills to pay and you’ve been let go. You may feel extra pressure to find a job as quickly as possible and, once you’re in a job, you may feel the need to try to obtain cash as quickly as possible. So you may go to lengths such as stealing customer cash, exaggerating business claims and that sort of thing.

All in all, as a result of COVID, we’re really looking at a huge reliance on employee trust and also transparency as well just because you aren’t able to see what people are working on every day. 

The response to insider fraud is very varied. On the screen here, I’ve taken some current research into people’s attitudes to insider fraud. Here we have ‘some organisations acquiesce to internal fraud whilst others robustly confront it’, ’employers use a variety of rationalisations to justify their inactions’ and also the ‘prospect of tackling occupational fraud stimulates greater anxieties than the frauds themselves.’

This really gives you an idea of how the companies can view insider fraud in a negative light in that the onus is on them to do something about it. Everyone often thinks that actually, yes, it’s all down to the individual, they shouldn’t have done this, and why did they do this. But actually, we also need to look at what the business is doing about it as well.

Here are some of my thoughts at the bottom of the screen. By the inactivity of companies actually doing very, very little towards tackling insider fraud, we’re actually being able to normalise it and to make it part of the day-to-day activities because it’s just being brushed under the carpet and very little is being done. 

Also reinforcing that if you are part of a company where one of your colleagues has perpetrated insider fraud, to what extent is it your problem? It’s not necessarily the company as a whole, but the individual staff members. If you look at the range of MOs of insider fraud that can be perpetrated, we are already looking much broader than financial crime teams. All of a sudden, you’ve got to get HR involved, IT because of systems and access controls, potentially legal departments as well if it were to ever reach that stage. 

This isn’t just an issue that only impacts one team inside a business. It impacts everybody. As I’ve mentioned before, there’s a need to be able to trust your staff and so employers are now really trying to focus on the ethical and moral compasses of their staff. If you interview someone, and say, it’s a half an hour interview, you aren’t necessarily going to know in that half an hour if they’re going to turn out to be an insider fraudster or not. So, being able to gauge the ethical compass of your staff before they’re even in the door is actually really difficult. 

Again, to what extent should companies be liable for the behaviour of their staff? Yes, it’s down to the staff member to comply with all of the processes and policies that the company has in place in order to stop this from happening, but even if they still go about doing it, to what extent is the company liable versus the staff member themselves?

It’s always a bit of a juggling act in that respect. 

I put this together because I’ve worked in many companies where this is the general structure of the business and the way that the company responds to insider fraud is very much reflected in this image. 

I’ve worked in many places in the past where all of the financial crime and compliance teams are seen as the ‘bad guys’. They’re the ones that want to stop all the customers coming through, they want to block all of the profits that the company can make, they want to kick people out of the business if there’s anything that looks slightly dodgy and, all of a sudden, we’re seen as the really bad guys. 

But actually this is a really key indicator, if you think that your business is structured like this, as to how your employer would actually respond to any sort of risk or events of insider fraud as well. 

From what research I’ve done so far as part of my PhD, insider fraud is just not seen as a massive threat. As I said earlier, everyone seems to think that by fraud, we always talk about our customers and not necessarily the people inside the actual doors themselves. 

I’ve also done some work looking into the documentation that companies would have to protect themselves from any sort of insider fraud risk. There’s a real sense of ensuring that you have these documents in place so that if you’re ever audited, and companies can easily say “we have all of these policies and all these processes!” but actually this is a thing called ‘cosmetic compliance’ where essentially, you are just making the documents to make it look like you’re actually doing something about it. But the chances are that those documents are made, they’re stored away and no one ever looks at them. So that is definitely something that I think we’re becoming accustomed to, unfortunately. Especially because if you need to fight any kind of insider fraud, then these are the documents that you need to be looking at. If you’re creating them, but your staff don’t know that they even exist, you can’t even use them as a deterrent. It isn’t just a form of documentation for people to be able to follow those steps. It’s also a way for staff to think: “Oh actually, as this has been documented, they take it really seriously.” And that can be used as a deterrent to anyone who feels like they may need to do something about that. 

Again, morality and rationalisation is a really key part of that. It’s often been stated according to previous research, that when someone commits an act of fraud, the first thing they do is try to rationalise it in their minds. Whether it’s a case of ‘my business doesn’t treat me fairly therefore I think I should be allowed to do this act’ or ‘I need to get some money because I’ve got an alcohol addiction and therefor I NEED to do this’ or ‘My friend in a different team got a bigger bonus than me and therefore I am entitled to more.’ It’s all about trying to rationalise how you’re going to be acting, or how you have acted. 

That really sways the moral compass in one or more directions in that you need to be able to try to identify those people as quickly as possible. Whether that is just through one-to-one discussions or any conversations that you might overhear in the office, these are all indicators that staff who might be feeling slightly disgruntled or undervalued or underpaid might not necessarily be thinking about those steps but it is absolutely something that you might want to bear in mind for the future.

That also plays a part in the whole company culture side of things. If you have a blame culture, if you have a culture where staff aren’t rewarded or recognised for their work; again, you are cultivating this breeding ground where people may feel they need to go to these lengths in order to satisfy their own thoughts or lifestyles. 

At the bottom here, I really like this quote. It says that ‘an individual’s morality is much more malleable under situational and social forces.’ That means that even if you hire someone who you think is absolutely ethical and has high moral standards, that’s absolutely fine. But, once they’re in a situation or if their situation changes at home say, then they might feel their moral compass changes towards the more negative side. But then of course, they will indeed absolutely try to rationalise those thoughts and those actions as well. 

The existing research is actually very little into insider fraud so it mainly looks at the psychological side of things. So, what do fraudsters think? How are their morals impacted by fraud? How do they try to rationalise those actions?

The research that looks into insider fraud specifically, is either a very standalone concept or it’s looking at the bigger banks. So I tried to fill a gap and look at insider frauds within FinTechs specifically but also looking at how the actual company itself is vulnerable. I’m trying to focus on what the businesses can do in order to detect, deter, prevent and respond to fraud. I’m trying to tackle this from a four-pronged approach by looking at all of these items as well. 

By including all of the impacts from COVID too, it’s trying to add another spin on this. If I were to have written this thesis before COVID, it would be completely different to the one I’m currently writing. It’s trying to look at how the current situation, the working world and economic state is going to impact fraud going forwards. As people know, the fraud landscape is always changing and by being able to pinpoint this moment in time, and to comment on how I can help to advise FinTechs on how they handle their insider fraud problems, I’m hoping this will generate a more fruitful research piece as well. 

That’s all from me. Does anyone have any questions at all?

Chris B: I’m just going to jump in here Claire if that’s okay? I just wanted to thank you for sharing your insights today, it’s always great to have new guest speakers on our webinars. 

Just before we go into any questions, I do have one myself if that’s okay with you?

Claire M: Go on then!

Chris B: On one of your slides, you mentioned that insider fraud actually isn’t thought of as a significant financial crime threat. I just wanted to get your thoughts on why you think it is perceived like that? Financial crime is on the rise as far as I am aware, and it’s becoming a major issue within financial services and regulated businesses. So why do you think that it’s not at the same level as maybe, fraud from outside. 

Claire M:  I think mainly because it’s just not been the focus of businesses. I also think it’s much more of a risk because of the company’s reputation. Companies would rather say that they have high fraud rates perpetrated by their customers as opposed to them saying that actually our staff have been perpetrating fraud. I think it is linked to how they would be perceived to the outside world. As a result of COVID, it’s just starting to be pushed into the spotlight a bit more. 

I think it’s definitely down to the reputational risks and it’s known that the fraud figures that we see in the news and published by industries is only the cost of fraud that we actually see. There is so much fraud that we don’t see, and those numbers are the bare minimum of the losses that we’re actually seeing to fraud. 

I’ve not really seen any company that has actually said how much they’ve lost as a result of insider fraud. I think it’s being able to gauge what those losses actually are and how you can calculate that. It’s being able to look at the reputational risk as something that’s much less simple to calculate compared to the fraud that could be perpetrated by customers. 

Chris B: Thanks Claire! Just while you were answering that question, we’ve had a couple more come in. The first one is: “How is it best to approach an employee we suspect is committing insider fraud? Is it best to go through HR?”

Claire M:  Not if the staff member is HR, no. It’s always best to highlight any potential wrongdoing to that person’s line manager. I think getting HR involved is useful, but I would say that’s further down the line. The first instance is to alert the line manager in the first place and discuss those concerns. 

If you wish to take it to HR, then absolutely do so because you may need to activate an investigation. But the absolute first port of call is to notify the person who is responsible for that person who you suspect, definitely. 

Chris B:  Okay, another question has just come in as well. “Where would you recommend we start discussing insider fraud as a team if we’ve not considered it before?”

Claire M:  Absolutely discuss it. I think it’s more of a companywide thing that needs to be discussed. Absolutely do it in teams, but I feel if you want to have an umbrella approach, then to do it as a business is going to be much more useful.

I would be engaging with HR, legal and compliance, financial crime and also IT. Essentially establish a working group where everyone can input the ways they can actually help.

It should be a companywide discussion and that can also help to push out to the outside world that as a business you’re taking insider fraud seriously, too.

Chris B: Thank you, Clare. We do have a final question: “As a regulated firm, we have to consider insider fraud. We have conducted a risk assessment looking at all of our operations, also we are conducting internal fraud training with colleagues. We also have an internal anti-fraud policy. Have you seen this type of approach in your research?”

Claire M: I have, and that’s by far the best that I’ve seen so excellent work! I think the next thing is to ensure that everyone has understood the documentation that you’re making and they have regular training updates as well. 

I’ve often seen places where they make the documents, they’re stored away and no one even knows that they’re there. I think that if you’re able to demonstrate that people understand the content, that’s much better than just saying that everyone has read it. It’s being able to evidence that people have understood the content and understand the actual consequences of their actions if they were to not comply with those. 

It’s almost being able to enhance beyond “here’s the documentation and everyone’s read it.” It’s being able to show that everyone understands those words, basically. So absolutely, the best thing to do. 

Chris B: Thank you, Clare. We have one more question and I think this will be the last one we take. If anyone does have any questions outside of this, they can email marketing@northrow.com and I’ll forward those on to Clare to answer. 

So, “How much responsibility do you believe a business should assume in tackling some of the underlying reasons for why insider fraud can occur? Are there any strategies that could help tackle this holistically and create the right culture to prevent it in the first place?”

Claire M: Gosh, that was about six questions in one! 

So, in my view it is the company’s responsibility for the most part. I think that once you onboard a staff member who seems absolutely ethical and completely clean, everyone thinks “Right! That’s it! It’s done!” 

I think it all stems from the culture side of things. I would say that if the business is not putting the right measures in place, then that demonstrates that they don’t care or they don’t see it as a risk. 

All businesses obviously have lots of risks that span the business but I think the best way, which might seem slightly controversial, to assess how much a company cares about a problem, is for that problem to happen. 

If you were to have a staff member who perpetrates fraud, the way and the speed in which the employer deals with that issue is going to speak volumes about how much they actually care about that problem. 

Again, if you’re able to have a working group or a committee that looks at insider fraud specifically, if you’re able to involve HR in the writing of those policies and processes, you can look at the IT team to ensure that people can only access things that they should be accessing and to make sure that everything is documented as well – that is really key. 

Everyone seems to think there is a grey area between lying and fraud. My view is that there is no grey area. If you lie on your CV, that is fraud. If you’re doing it to be able to obtain a job or to be able to work in a company that you aren’t qualified for, or you’re trying to do it to obtain a bigger salary, that to me is insider fraud. 

I think that being able to understand how a company looks at fraud right from the beginning, all the way to the end. Often, companies think that trying to stop insider fraud stops at the vetting stage. It absolutely doesn’t stop at the vetting stage. Once your staff are in the business, what are you doing to ensure that you’re able to track them on a regular basis just to ensure they aren’t doing anything they shouldn’t do?

And also, once they’ve left the business. If you have disgruntled employees who leave the business because they’re angry at their boss or the company or anything like that. Even though they’ve left, they are still a risk because they could still have access to company data, customer data and systems. Even though someone has given their notice, if they aren’t a happy staff member, arguably, they are more of a risk than everyone else in the business. 

It’s being able to look at it before they join, whilst they’re there and also, after they’ve left. You could almost split it into those three work streams to be able to gain a full view as to how you can stop insider fraud within the business. 

Chris B: Thanks, Clare. There have been a couple of other questions but as I mentioned it would be great if you can just email them to marketing@northrow.com, we’ll forward them on to you, Clare and you can respond that way. 

If you could just move the slide for me. I’ve just got a bit of a round up for everyone. 

So if you did enjoy this webinar, and you want to join any future ones that we’re hosting, we’ve got our next on the 30th November. That will be a 3:30pm and this will be an interactive discussion between the CEO and CPO, Payson and Marc from one of our highly valued customers called Crowdz. 

They’re going to be sharing their experience around the most pressing matters which they feel are impacting fintechs in 2023. Look out for the invite that we’ll be sending out fairly shortly, it’ll be on our website and across our social channels. 

I also wanted to raise something that NorthRow has recently gained over the last week or so. It’s our IDSP certification from the government’s Department for Digital, Culture, Media and Sport last week. Only a few vendors in the country have got this certification and what this means is that our software can support even more clients to complete those stringent remote ID verification checks and we do this to the UK government standards. 

We’re really proud of that and it’s something we wanted to raise on this webinar today. 

And if you can just go to the next slide please, Clare. Just in general for our software, we launched a new product this year called WorkStation. 

This is a system to onboard, monitor and remediate individuals and companies into a case management system. This makes it easier for compliance teams to meet their targets and onboard customers safely and quickly. 

If you want to have a look at our system, feel free to go to our website, click the Get Started button at the top and we’ll be in touch to book in a time that is suitable for you. 

So that’s it for today, I want to thank everyone that’s joined and thank you again Clare! 

Hopefully we’ll see you in the next instalment!

Claire M: Thank you everyone!