© IDM 2006
ASIS Spring Seminar
2006
Data Mining as a
Fraud Prevention Tool
Richard Kusnierz
16
thMarch 2006
© IDM 2006Data Mining
3 key aspects:
¾ Prevention ¾ Detection ¾ Investigation © IDM 2006Data Mining
¾
Before we start, let us
consider why we work in the
Security industry.
¾
Who or what are we trying
to prevent and detect?
© IDM 2006
First, know your enemy
¾Who is this?
© IDM 2006
First, know your enemy
¾Joti De-Laurey
¾35 year old mother
¾Stole £4.5 million
© IDM 2006
First, know your enemy
© IDM 2006
First, know your enemy
¾Kenneth Lay
¾Enron
¾Enron’s debts of
£23 billion
© IDM 2006
First, know your enemy
¾Who is this?
© IDM 2006
First, know your enemy
¾Simon Brophy ¾Lighting Director Millennium Dome ¾£4 million fraud ¾Bogus CV © IDM 2006
Company relationships
© IDM 2006First, know your enemy
¾Who is this?
© IDM 2006
First, know your enemy
¾John Rusnak
¾Allied Irish Bank
¾Rogue trader
¾Trading losses of £540
© IDM 2006
First, know your enemy
¾Who is this?
© IDM 2006
First, know your enemy
¾James Munroe
¾£3 million Fraud
¾Chief Accountant
¾Mc-Graw Hill
© IDM 2006
First, know your enemy
¾Who is this?
© IDM 2006
First, know your enemy
¾Nick Leeson ¾Rogue trader ¾Barings Bank ¾£800 million © IDM 2006
Data Mining
Why do we
need data
mining to
detect fraud?
© IDM 20062005 Fraud barometer
¾72% of cases involve men
¾Over half of internal fraud
involves 2 – 5 employees
¾40% of frauds involve the finance
© IDM 2006
2005 Fraud barometer
¾Only one in four cases were
discovered by internal controls
¾ 31% of frauds were discovered
following a whistle blower
¾Weaknesses in controls were
exploited by the fraudsters
© IDM 2006
Fraud
¾ the problem with fraud is that there are no reliable statistics ¾ Only a small percentage is reported £14 Billion £72 Billion © IDM 2006
How is Fraud Identified?
Source : ACFE, Report to the Nation, 2004
© IDM 2006
ANALYSIS OF THE MAIN PERPETRATORS OF CORPORATE FRAUD 38% 11% 11% 10% 30% single insider multiple insiders
single external fraudster multiple external fraudsters collusion between internal and external
¾49% Insiders ¾79% Includes element of collusion
Why Use Data Mining
to Detect Fraud?
© IDM 2006
JMLSG
¾ UK Money Laundering Regulations
date from 1993
¾ “it is also a separate offence under the
ML regulations not to have systems and procedures in place to combat money laundering (regardless of whether or not money laundering is actually taking place).”
© IDM 2006
Combating the financing of
terrorism
© IDM 2006
Think outside the box
¾Trusted employees know the
systems
¾Trusted employees commit
fraud or steal information
¾Effective fraud detection
systems need to be unexpected and innovative
© IDM 2006
Know Your Customer
¾It is not only vital to KYC, but
¾Who are your employees?
© IDM 2006
Know your employee
¾Implementing a balanced,
considered mechanism to ensure that an organisation minimises employee fraud contains many elements, data mining can be part of that
© IDM 2006
Data Mining Employee
information
¾ Conflicts of interest audits ¾ External reference data ¾ Expenses, corporatecredit card spend
© IDM 2006
Perceived barriers
¾
Review legislation, data
protection and privacy in
using data
Personal Data P er so n n el F il e © IDM 2006Walking a tightrope
¾ Plan to use data mining
¾ Register the purpose
¾ DP Adverse Impact Assessment
¾ Run fraud workshops and gain employee understanding
¾ Include a new clause in employment contracts
© IDM 2006
DPA Registration
¾Can often be done online
¾Is not a barrier to data mining,
but
¾ Needs legal advice as each
EU member state has interpreted the Data Protection Directive in its own way
© IDM 2006
Perceived barriers
HR may object to the use of personnel data because:
Employment contracts are inadequate
They don’t understand
Human Resources
© IDM 2006
Perceived barriers
Data mining seen as an erosion of their
responsibilities IT “own” data Use of non standard, therefore not approved, software
Not a priority
IT
Department
© IDM 2006
External Reference Data
¾Internet sources
¾Download for
free
¾Different formats
¾May not be valid
© IDM 2006
Insolvency Register
http://www.insolvency.gov.uk/bankruptcy/bankruptcysearch.htm
© IDM 2006
© IDM 2006
Prohibited Individuals
http://www.fsa.gov.uk/register-res/html/prof_proh_indiv_fram.html © IDM 2006Disqualified Directors
http://www.companieshouse.co.uk/ddir/ © IDM 2006Fraud profiles
¾Key red flags
¾ Duplicate data
¾ Inaccurate and misleading
information ¾ Unusual relationships ¾ Unusual or contrived transactions © IDM 2006
Fraud profiles
© IDM 2006Benchmarking
Risk Exposure (Static Profiles) - VAT tests on
22%
74%
3% 1%
>= 9 (High Risk) > 3 and < 9 (Medium Risk) <= 3 (Low Risk) No Score The number of suppliers in each risk category expressed as a percentage of all suppliers
Case Study plc
© IDM 2006
Comparisons
Company 1 - Risk Exposure
11% 9% 34%
46% >= 9 (High Risk) > 3 and < 9 (Medium Risk) <= 3 (Low Risk) No Score The number of suppliers in each risk category expressed as a percentage of all suppliers
Risk Exposure (Static Profiles) - VAT test on
7% 7%
45%
41% >= 9 (High Risk)
> 3 and < 9 (Medium Risk) <= 3 (Low Risk) No Score
Risk Exposure (Static Profiles) - VAT test on
4% 5% 35% 56%
>= 9 (High Risk) > 3 and < 9 (Medium Risk) <= 3 (Low Risk) No Score
Company 1
Company 2
Company 3
Risk Exposure (Static Profiles) - VAT test on
2% 13% 39% 46% >= 9 (High Risk)
> 3 and < 9 (Medium Risk) <= 3 (Low Risk) No Score The number of suppliers in each risk category expressed as a percentage of all suppliers
© IDM 2006
Past Example (1)
Internal focus
¾1,500 unverifiable supplier
addresses, £300 million spend in three years
¾1,000 suppliers with no bank
details
¾1,500 suppliers with no VAT
numbers
© IDM 2006
Past Examples (2)
Publishing company
¾ $1.0 million advance paid into suspense account
¾ subsequently transferred to Luxembourg
¾ employee responsible for transfers “didn’t come back from holiday”
© IDM 2006
Past Examples (3)
Printing company
¾ different addresses and post codes
¾ different telephone numbers
¾ same fax number
¾ printers had over charged and
withheld rebates ¾ Contract renegotiated, £1,000,000 recovered © IDM 2006
Past Examples (4)
Maintenance group
¾ 3 companies linked by common
addresses
¾ 2 non trading
¾ heading for liquidation
¾ contracts in excess of £360,000 awarded in 1 year © IDM 2006
Past Examples (5)
Venture capital
¾ out sourced IT¾ collusive relationship between
supplier and employee
¾ by passed central purchasing
¾ billed in excess of £150,000
© IDM 2006
Past Example (6)
Facilities payment (bribe)
¾ Single round value £70,000
¾ Company in Malta
¾ No record of organisation or
person in Google, research etc.
¾ Invoice was for consultancy in
West Africa
© IDM 2006
Past Example (7)
Art gallery donation
¾ round value £20,000
¾ six months in advance of art
exhibition
¾ exhibition cancelled, money never
returned
¾ art gallery was under major
refurbishment
© IDM 2006
Past Examples (8)
¾
20 sequential invoices
¾
average invoice value of about
£3,500
¾
hand-written invoices
¾
started mid year, no prior
trading history
¾
no one accepted responsibility
© IDM 2006
Past Examples (9)
Multiple applications to a Charity ¾ same charity different locations ¾ different charity same locations ¾ collusion between charity and
applicants
¾ use of accommodation addresses
© IDM 2006
Practical Considerations
¾There is no magic bullet to identify
all fraud
¾Frauds, and consequently profiles,
vary
© IDM 2006
Data Mining- in practice
1. Importation
8. Final reports 2. Pre-processing
3. Testing and analysis of initial reports 4. Visualisation 5. Initial investigation 6. Refinement 7. Additional data © IDM 2006
Case Study One:
FSA Compliance
¾ Mutual Insurance company
¾ Authorised by FSA
¾ Electronic payment verification
¾ Spot problems before they
© IDM 2006
Case Study One
¾Perform daily verification
¾Satisfy bank in USA that controls
are in place
¾Create blacklists and whitelists
¾Satisfy FSA that money laundering
processes are in place
¾Prevent problems
© IDM 2006
Internet Blacklists
¾ Bank of England Sanctions List
¾ OFAC Specially Designated
Names List
¾ World Bank Debarred List
¾ Companies House Disqualified
Directors List © IDM 2006 BANK OF ENGLAND SANCTIONS LIST
Blacklists: Bank of
England
© IDM 2006 OFAC SDN LISTBlacklists: OFAC
© IDM 2006Blacklists: World Bank
© IDM 2006
© IDM 2006
Conclusion
¾
Data Mining is a very
productive and valuable tool
¾
It can be used proactively
and reactively depending on
circumstances
© IDM 2006
¾41 Madeley Road, Ealing, W5 2LS
Tel: +44-208-997 1933
Fax: +44-208-810 7340
E-Mail: richardkusnierz@idmfraud.com ¾1 Coates Place, Edinburgh, EH3 7AA
Tel: +44-131-225 7707
Fax: +44-131-225 7708