
Fraud Risk Is Multifaceted—Your Vendor Due Diligence Should Be Too!


By: Sharon Blanchette


At an industry roundtable event in late 2024, attended by Anti-Financial Crime (AFC) Officers from financial institutions of all sizes—including myself—the topic turned to Fraud Risk Assessments. The comments that followed were eye-opening.


Very few AFC Officers had a positive experience with the vendors they engaged to perform Fraud Risk Assessments in 2024. Much of the frustration in the room stemmed from the inherently multi-faceted nature of fraud in general, and of a Fraud Risk Assessment in particular.



One AFC Officer spoke up: “We engaged the vendor to perform a Fraud Risk Assessment. We thought the SOW was pretty clear. Instead, we received a standard BSA/AML Risk Assessment with an emphasis on fraud.”


Another AFC Officer added: “We had a similar experience with the vendor we engaged. We asked for a Fraud Risk Assessment with an emphasis on transactional fraud. Instead, we received an ID Theft Risk Assessment.”


A third AFC Officer lamented: “We engaged a vendor to perform a Fraud Risk Assessment, and at least we received something labeled as such. But the vendor focused on internal fraud, such as embezzlement. I guess it’s because we’d engaged a CPA firm—and that’s all the CPA firm knew about.”


A fourth AFC Officer mentioned: “We asked our IT auditors to perform our Fraud Risk Assessment. It focused mostly on ID management and MFA, which were important topics to us—but it didn’t go far enough for a true Fraud Risk Assessment.”


A fifth AFC Officer quickly added that they weren’t happy with their Fraud Risk Assessment either, but they felt mostly responsible for the miscommunication: “What we really wanted was an assessment of our entire second line of defense fraud risk management oversight function. We didn’t receive that, but we realized we weren’t clear about our expectations.”



I asked what each AFC Officer did after receiving a deliverable they weren’t satisfied with. All five said they ended up performing the Fraud Risk Assessment themselves. I then asked if there were any lessons learned from the experience. After some discussion, we came to the realization that an SOW for a Fraud Risk Assessment must reflect exactly what management’s expectations are—and what they are not.


Why? Because “fraud” means many different things to different firms. To some, it means ID management, MFA, and other information security concepts. To others, it means internal fraud like embezzlement. And to institutions that specialize in BSA/AML, fraud is simply one of the predicate crimes (a National Priority, no less) that leads to money laundering.



Key takeaways from that roundtable discussion were:


For AFC Officers: Have multiple conversations with your vendor about what you mean by “fraud” and what you expect to be covered in the Fraud Risk Assessment. Be mindful of the difference between fraud operations and second-line fraud risk management. Be cautious about wanting the assessment to cover “all things fraud”—that kind of scope can become unwieldy. Ask about the vendor’s methodology and review a sample deliverable before signing.


For Vendors: Every vendor has their own area of expertise—but make sure you’re well-versed in how financial institutions actually experience fraud: check fraud, ACH fraud, wire fraud, new account opening fraud, account takeover fraud, mortgage fraud, etc. That’s where your value lies. Don’t come to the table with another BSA/AML or ID Theft Risk Assessment repackaged as a Fraud Risk Assessment.


Conclusion


Neither AFC Officers nor vendors want to complete a project with a deliverable that misses the mark. A well-scoped conversation—and a thorough understanding of how financial institutions experience fraud—can prevent this from happening.

Ultimately, the success of any Fraud Risk Assessment hinges on mutual clarity, realistic expectations, and a shared understanding that “fraud” is not one-size-fits-all.


Meet The Author: Sharon Blanchette

Sharon Blanchette is a seasoned consultant and writer with over two decades of experience in banking, fraud, compliance, audit, and enterprise risk management. Sharon has held senior leadership roles across several financial institutions and advisory firms, spearheading initiatives in AML, InfoSec, and ESG. Today, she brings her deep subject matter expertise to life through content that bridges strategy, regulation, and real-world operations.
