OCC Bulletin 2019-37
July 24, 2019
Chief Executive Officers and Chief Risk Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to inform national banks, federal savings associations, and federal branches and agencies (collectively, banks) of sound fraud risk management principles. This bulletin supplements other OCC and interagency issuances on corporate and risk governance, including the references listed in appendix A of this bulletin.
This guidance applies to all OCC-supervised banks.
The risk management principles addressed in this bulletin include the following:
Fraud risk management principles can be implemented in a variety of ways and may not always be structured within a formal fraud risk management program. Regardless of the structure, fraud risk management should be commensurate with the bank's risk profile. Banks with significant and far-reaching retail-oriented business activities should have well-documented fraud risk management programs with appropriate monitoring, measurements and reporting, and mitigation.
Fraud may generally be characterized as an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.[1] Fraud is typically categorized as internal or external.
Fraud schemes are often ongoing crimes that can go undetected for months or even years and can be time consuming and costly to address. It is often difficult to fully understand and quantify the extent of the fraud and the harm caused. Measuring losses associated with fraud is often an inexact process. Typically, the true cost of fraud is greater than the direct financial loss, given the time and expense to investigate, loss of productivity, potential legal and compliance costs associated with remediation, and impact on a bank's reputation.
Fraud risk is a form of operational risk, which is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.[2] Operational risk management weaknesses can result in heightened exposure to fraudulent activities, which can increase a bank's exposure to reputation and strategic risks. Failure to maintain an appropriate risk management system could expose the bank to the risk of significant fraud, defalcation (e.g., misappropriation of funds by an employee), and other operational losses.
Strong governance is of paramount importance to controlling the bank's exposure to fraud, and a strong corporate culture against fraud is crucial regardless of a bank's size or complexity. The tone at the top sets the foundation on which the bank operates. The board and senior management have a responsibility to lead by example and demonstrate that the bank is serious about promoting ethical behavior to deter and prevent fraud. The board-adopted code of ethics (or code of conduct) should encourage the timely communication and escalation of suspected fraud through the appropriate oversight channel.
The board is ultimately responsible for oversight but may delegate fraud risk management-related duties to specific committees (for example, the audit committee or operational risk management committee). The board also may delegate anti-fraud responsibilities to specific executives and managers, including those in charge of managing risks and controls. Roles and responsibilities should be clearly defined. The board should hold management accountable for effective fraud risk management and alignment of anti-fraud efforts with the bank's strategy, objectives, risk appetite, and operational plans. While not all fraud can be avoided, an active board can foster an environment in which fraud is more likely to be prevented, deterred, and promptly detected.
A sound corporate culture should discourage imprudent risk-taking. Incentives or requirements for employees to meet sales goals, financial performance goals, and other business goals, particularly if such goals are aggressive, can result in heightened fraud risk.[3]
Sound fraud risk management principles should be integrated within the bank's risk management system commensurate with the bank's size, complexity, and risk profile. Bank management should periodically assess the likelihood and impact of potential fraud schemes and use the documented results of this assessment to inform the design of the bank's risk management system and evaluate fraud control activities. Policies should clearly define, establish, and communicate the board's and senior management's commitment to fraud risk management. Processes should be designed to anticipate fraud and deploy a combination of preventive controls and detective controls. Detective controls are important because even with strong governance and oversight, collusion or circumvention of internal controls can allow fraud to occur. Some practices and controls may be both preventive and detective in nature.
Preventive controls are designed to deter fraud or minimize its likelihood. The following are some examples:
Detective controls are designed to identify and respond to fraud after it has occurred. The following are some examples:
Software and technology tools, developed internally or purchased from a third party, can assist with anti-fraud efforts. Bank management should consider the cost and value of fraud prevention tools selected, consistent with the bank's overall strategy, complexity, and risk profile. Depending on the specific products and services offered, management might deploy solutions that serve to detect anomalies and prevent potential fraudulent transactions or activities. These solutions can monitor transactions and behaviors, employ layered or multifactor authentication, monitor networks for intrusions or malware, analyze transactions on internal bank platforms, and compare data with consortium or publicly available data. Banks' fraud prevention and detection tools should evolve and adapt to remain effective against emerging fraud types.
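As an added illustration of the detective tooling described above (example code written for this page, not part of the OCC bulletin and not any vendor's product), the following Python replays a constructed set of transactions through three simple monitoring rules: an amount that departs from the customer's own baseline, a burst of transactions in a short window, and activity from a country the customer has never used. The customer identifiers, amounts, country codes, and every threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data for this example (not real bank records):
# (transaction id, customer id, ISO-8601 timestamp, amount, country code)
SAMPLE_TRANSACTIONS = [
    ("t01", "cust-A", "2019-07-01T09:00:00", 120.00, "US"),
    ("t02", "cust-A", "2019-07-02T10:15:00", 95.50, "US"),
    ("t03", "cust-A", "2019-07-03T11:30:00", 110.00, "US"),
    ("t04", "cust-A", "2019-07-04T12:00:00", 130.00, "US"),
    ("t05", "cust-A", "2019-07-05T13:45:00", 4800.00, "US"),  # far above cust-A's baseline
    ("t06", "cust-B", "2019-07-05T14:00:00", 40.00, "US"),
    ("t07", "cust-B", "2019-07-05T14:02:00", 45.00, "US"),
    ("t08", "cust-B", "2019-07-05T14:04:00", 42.00, "US"),
    ("t09", "cust-B", "2019-07-05T14:06:00", 41.00, "US"),    # fourth transaction in ten minutes
    ("t10", "cust-C", "2019-07-05T15:00:00", 60.00, "US"),
    ("t11", "cust-C", "2019-07-05T15:20:00", 55.00, "XX"),    # country cust-C has never used
]


def monitor(transactions, velocity_window=timedelta(minutes=10),
            velocity_limit=4, min_history=3, sigma=3.0):
    """Replay transactions in time order and return a list of (txn_id, reason) alerts.

    Three illustrative detective rules (hypothetical thresholds chosen for this
    example, not values from the bulletin):
      amount_anomaly: amount exceeds the customer's historical mean + sigma * stdev
                      and is at least twice the mean, so a flat history with zero
                      spread does not fire on trivial changes; evaluated only once
                      the customer has min_history prior transactions
      velocity:       velocity_limit or more transactions from one customer within
                      velocity_window (the current transaction included)
      new_country:    a country code the customer has never transacted from
    """
    history = defaultdict(list)   # customer -> [(timestamp, amount, country), ...]
    alerts = []
    ordered = sorted(transactions, key=lambda t: datetime.fromisoformat(t[2]))
    for txn_id, customer, ts_text, amount, country in ordered:
        ts = datetime.fromisoformat(ts_text)
        prior = history[customer]

        # Velocity: how many earlier transactions fall inside the trailing window?
        recent = [p for p in prior if ts - p[0] <= velocity_window]
        if len(recent) + 1 >= velocity_limit:
            alerts.append((txn_id, "velocity"))

        # Amount anomaly: compare against the customer's own baseline.
        if len(prior) >= min_history:
            amounts = [p[1] for p in prior]
            mu, sd = mean(amounts), pstdev(amounts)
            if amount > mu + sigma * sd and amount > 2 * mu:
                alerts.append((txn_id, "amount_anomaly"))

        # New country: only meaningful once the customer has some history.
        if prior and country not in {p[2] for p in prior}:
            alerts.append((txn_id, "new_country"))

        history[customer].append((ts, amount, country))
    return alerts


def summarize(alerts):
    """Count alerts by reason: the kind of figure that feeds management reporting."""
    counts = defaultdict(int)
    for _, reason in alerts:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    found = monitor(SAMPLE_TRANSACTIONS)
    for txn_id, reason in found:
        print(f"ALERT {txn_id}: {reason}")
    print(summarize(found))
```

Each rule is evaluated against the customer's history before the current transaction is recorded, so a fraudulent transaction cannot shift its own baseline; in a production system the thresholds, windows, and minimum history would be tuned per product and reviewed as fraud patterns change, which is the "evolve and adapt" point the paragraph makes.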
Senior management should understand the bank's exposure to fraud risk and associated losses across all business lines and functions and use this information to effectively monitor and manage fraud risk. The board should receive regular reporting on the bank's fraud risk assessment, resulting exposure to fraud risk, and associated losses to enable directors to understand the bank's fraud risk profile. Reporting should allow management and directors to measure performance. Practices can include benchmarking current fraud losses against loss history or industry data.
Examples of metrics and analysis banks can use to measure and monitor fraud risk include the following:
Management should identify fraud losses as internal or external. Larger, more complex banks generally maintain this information in an operational loss database or similar system.[9]
A bank's policies, processes, and control systems should prompt appropriate and timely investigations into, responses to, and reporting of suspected and confirmed fraud. Banks should have processes for internal investigations, law enforcement referrals, regulatory notifications,[10] and reporting. A bank is required to file a suspicious activity report (SAR) for known or suspected fraud meeting regulatory thresholds.[11] Reporting mechanisms should relay relevant, accurate, and timely fraud-related information from all lines of business to appropriate oversight channels.
Sound fraud risk management processes can include voluntary sharing of information with other financial institutions under section 314(b) of the USA PATRIOT Act. Pursuant to section 314(b), before exchanging information, the bank must register with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). Current section 314(b) participants may share information with one another regarding individuals, entities, organizations, and countries for purposes of identifying and, when appropriate, reporting activities that may involve possible specified unlawful activities. FinCEN has issued guidance clarifying that, if section 314(b) participants suspect that transactions may involve the proceeds of specified unlawful activities, such as fraud, under the money laundering statutes,[12] information related to such transactions can be shared under the protection of the section 314(b) safe harbor.[13]
A bank should design and perform reviews and audits specific to the bank's size, complexity, organizational structure, and risk profile. Reviews and audits should be designed to assess the effectiveness of the bank's internal controls and fraud risk management. Effective internal and external audit programs are a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems.
Reviews and audits typically include the following:[14]
When auditing financial statements and asserting the effectiveness of internal controls over financial reporting, auditors must consider the risk of material misstatement due to fraud.[15] If the auditor identifies that fraud may be present, the auditor must discuss these findings with the board or management in a timely fashion.[16] The auditor must also determine whether they have a responsibility to report the suspected fraud to the OCC.[17]
Findings and results from audits and reviews should be communicated to the relevant parties in a timely manner. Management should take timely and effective corrective action in response to deficiencies identified.
Please contact Tanya A. Oskanian, Payments Risk Policy, Operational Risk Division, at (202) 649-6550.
Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy
[1] This bulletin discusses fraud in a broad context and is not limited to bank fraud as defined in 18 USC 1344, "Bank Fraud."
[2] Refer to the "Bank Supervision Process" booklet of the Comptroller's Handbook for a full definition of operational risk.
[3] Refer to OCC Bulletin 2010-24, "Interagency Guidance on Sound Incentive Compensation Policies," and 12 CFR 30, appendix D, II.M.4, "Compensation and Performance Management Programs."
[4] Refer to 12 CFR 41, subpart J, "Identity Theft Red Flags," which addresses identity theft red flags and address discrepancies under sections 114 and 315 of the Fair and Accurate Credit Transactions Act, 15 USC 1681m and 1681c.
[5] Refer to 12 CFR 30, appendix B, "Interagency Guidelines Establishing Information Security Standards," and the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook.
[6] Refer to 12 CFR 21.21, "Procedures for Monitoring Bank Secrecy Act (BSA) Compliance"; 31 CFR 1010.230, "Beneficial Ownership Requirements for Legal Entity Customers"; and the FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual.
[7] Refer to the "Compliance Management Systems" booklet of the Comptroller's Handbook for more information.
[8] Refer to 31 CFR 1010.520, "Information Sharing Between Government Agencies and Financial Institutions," and 1010.540, "Voluntary Information Sharing Among Financial Institutions." Refer also to the "Information Sharing" section of the FFIEC BSA/AML Examination Manual.
[9] Refer to the "Large Bank Supervision" booklet of the Comptroller's Handbook and OCC Bulletin 2011-21, "Interagency Guidance on the Advanced Measurement Approaches for Operational Risk."
[10] Banks should notify regulators of significant incidents that could affect the bank's condition, operations, reputation, or customer information. Banks also should notify regulators of significant incidents that could affect the financial system.
[11] Refer to 12 CFR 21.11, "Suspicious Activity Report" (national banks), and 12 CFR 163.180, "Suspicious Activity Reports and Other Reports and Statements" (federal savings associations).
[12] Refer to 18 USC 1956–1957.
[13] For more information, refer to FinCEN's FIN-2009-G002, "Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act," and "Section 314(b) Fact Sheet."
[14] Refer to the "Corporate and Risk Governance" and "Internal and External Audits" booklets of the Comptroller's Handbook. Refer also to OCC Bulletins 2013-29, "Third Party Relationships: Risk Management Guidance," and 2017-21, "Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29."
[15] Refer to the American Institute of Certified Public Accountants' AU-C section 240, Public Company Accounting Oversight Board Auditing Standard 2401, and International Standard on Auditing 240.
[16] Refer to the American Institute of Certified Public Accountants' AU-C section 240.39.
[17] Refer to the American Institute of Certified Public Accountants' AU-C section 240.42.