12/01/2025

How Boards Can Oversee Fraud Risks at Banks

Naomi Snyder
Editor-in-Chief

One bank that was recently hit with a data breach did a thorough investigation only to find a bank employee had been taking pictures of customer files and sending them to a criminal — she was paid per picture. Other banks have been targets of sustained person-to-person payment or check fraud that cost the bank five figures, says Steve Sanders, chief risk officer and chief information security officer for CSI, a provider of banking and risk management solutions. 

The board isn’t responsible for stopping all fraud in all its forms. But it is responsible for providing oversight to ensure the bank’s policies and procedures are effective in counteracting the bank’s risks, including fraud. 

“It doesn’t matter how robust your technical controls are, most cyber incidents are a result of human failure,” says Michael La Marca, a partner at the law firm Hunton Andrews Kurth. “So, it comes back to the board and the necessity of having oversight, not only of technical resources involved, but the culture and the readiness as an organization, because it all takes one weak link.”

Part of that responsibility lies in creating an ethical, compliance-focused corporate culture, says Jonathan “Jack” Harrington, a partner at the law firm Bradley Arant Boult & Cummings and former assistant U.S. attorney investigating complex fraud cases, including cybercrime and money laundering. “That really does start with the board of directors at any financial institution, whether it’s a small community bank or a JPMorgan [Chase],” he says.

Resources and Reporting
One way to ensure the board sets the correct tone is to give the chief risk officer or chief compliance officer a direct reporting line to the board. “If you’re trying to filter that information through a traditional business line,” Harrington warns, “they are going to have naturally competing priorities in terms of what they’re going to put in front of the board.”

Sanders recommends boards ask for information about trend lines for different types of fraud over time and fraud detection rates. “That contextual data is often what I think the board is missing,” he says. “They’re getting snapshots rather than a movie reel, and I think they need the movie reel.”

Other questions board members should consider asking: How often are we stopping fraud before it hits the books? What’s the emergency switch if there’s an uptick in a certain type of fraud? 

The Risk Assessment Imperative
Small banks aren’t expected to have the compliance structures of a big bank. But banks are responsible for tailoring their mitigation to the unique risks of the bank, an area that the board must understand.

Boards are responsible for setting the risk appetite of the organization, but few banks conduct formal fraud risk assessments, says Bob Sprague, managing director in the forensics and valuation services practice at Forvis Mazars.

He describes a best practice as bringing together stakeholders across the organization, from the business lines to different geographies, to identify risks, assess controls and close any gaps. The CFO and the COO shouldn’t sit down in a room together and figure it out by themselves.

More importantly, the risk assessment cannot be a one-time exercise. A common pitfall is to do the review and put it on a shelf to collect dust. “Risk profiles do not stay stagnant,” Harrington says. “As banks grow in terms of geography, as banks enter into new product lines, as banks grow their customer bases in new ways, they are always taking on and potentially in some cases walking back from new types of risk.”

The full loop works like this: “You need to identify the risks, you need to assess the risks, you need to mitigate the risks, and then you need to monitor and review whether or not that mitigation works,” Harrington says. The board can help with the process. If directors haven’t heard from management about an updated risk assessment in a few years, they can ask why.

For a small board, a simple process might be ensuring the chief compliance officer or chief risk officer has engaged in an annual review of the bank’s risk, which should include fraud. The board can look at ways the bank’s risk profile has changed that year and a summary of steps management is taking to address those changes, Harrington says.

Cyber Challenges
One risk that has been on the rise is cybercrime. A common problem is that banks don’t address audit findings about problems with cyber risk, says Harrington. He recommends significant findings and issues be put on the board meeting agenda as a line item until they are mitigated.

Directors can help a bank prepare in the event of a major attack. La Marca advocates for exercises at the board and executive level, because so many decisions must be made and because of the interdisciplinary demands of the response, involving legal, communications, federal and state reporting, insurance and regulatory reporting. “It’s often sort of a wake-up call for companies who haven’t seen that kind of thing before,” La Marca notes, “because it can be quite stressful, and there are a lot of complicated decisions to make in real time.”

Boards can also ask outside and inside experts to give updates and presentations on cyber risks and emerging threats, staying current on new trends such as the introduction of stablecoins and artificial intelligence, so they can ask good questions of management. 

Internal Fraud
One of the largest risks to the bank is internal fraud, as investigators have tied numerous small bank failures to bank officer fraud. 

Some 43% of occupational frauds were detected by a tip, more than three times as many as any other method, according to the Association of Certified Fraud Examiners 2024 report. Depending on the complaint, a best practice is to route fraud complaints to someone independent of management, such as the head of the audit committee, Sprague says. Hotlines work best when they’re accessible not just to employees but also to customers and vendors. 

The importance of whistleblower programs has increased significantly since the Anti-Money Laundering Whistleblower Improvement Act of 2022, which created financial incentives for reporting financial crimes. A successful prosecution that results in a fine of over $1 million nets a whistleblower between 10% and 30% of the fine. With investigators relying on such tips, boards need visibility into whistleblower complaints and trends presented as part of routine board materials, Harrington says.

The worst-case scenarios rarely happen when it comes to fraud. Even significant events are usually survived, as in the case of the employee selling pictures of customer files. But sustained attention, regular assessments and education can go a long way in ensuring the bank is safe and sound. 

8 Best Practices for Boards Overseeing Risks

  1. Oversee a company-wide assessment of risk by bringing together the heads of departments and geographies.
  2. Oversee the risk appetite, anti-fraud policies and controls, and adjust regularly based on changing risk, such as new geographies or products. Regulators expect a risk-based approach. 
  3. Understand internal controls and follow up with management on any significant audit concerns, cyber problems that aren’t being fixed or problems with internal controls. Regulators consider the board ultimately accountable for making sure the executives do their job.
  4. Educate yourself on the latest fraud trends and risks, including thorough presentations from inside and outside experts. 
  5. Make sure the board or a committee has direct access to the chief risk officer and/or chief compliance officer, not necessarily at every meeting, but to hear reports and ensure the bank’s resources match the risk appetite.
  6. Board meeting packages should include information on fraud trends, whistleblower reports and customer complaints. Make sure you’re getting the full trend line, not a snapshot. Ensure an independent board member receives complaints about financial fraud. 
  7. The head of cybersecurity should report to someone other than the head of information technology.
  8. The board should run through tabletop exercises to get a sense of how the cyber incident response plan will play out in the event of a major cyberattack.
Editor-in-Chief Naomi Snyder is in charge of the editorial coverage at Bank Director. She oversees the magazine and the editorial team’s efforts on the Bank Director website, newsletter and special projects. She has more than two decades of experience in business journalism and spent 15 years as a newspaper reporter. She has a master’s degree in journalism from the University of Illinois and a bachelor’s degree from the University of Michigan.