What is External Fraud Risk Appetite in Banking and Financial Services?


Eddie Vaughan is well known in the banking and financial services sector having previously held positions as Future Fraud Strategy Risk Manager at a major UK bank, as well as the UK Financial Crime Manager at a leading retail partner finance and direct to consumer lending bank. Eddie has led a number of financial crime banking innovation projects, with a focus on digital and real-time account opening capabilities.

Eddie now works as a Business Development Manager for TruNarrative, who have created an innovative and market leading unified financial crime platform.  TruNarrative’s solution brings fraud detection, identity verification, eKYC and AML compliance into a single easy-to-configure environment accessed via a single API.  


Understanding External Fraud Risk Appetite

I first wrote about this topic back in 2017 in the context of increasing regulatory interest around how firms deal with the subject of fraud risk appetite.  The questioning from the UK’s Financial Conduct Authority (FCA) to retail banks was clear…‘has a risk appetite in regards to fraud been established within the organisation’? 


So, two years on from this first request… has every firm now defined their risk appetite for fraud? 


Some may have, but others will still be stuck with the complexity of defining what this is; and more importantly how to detail their appetite into a describable ‘something’ that can be effectively measured and managed.  With little formal guidance available in the industry, Fraud and Financial Crime Managers will often be left without the tools to succeed in this important area.


Whether you’re a financial crime professional in a start-up, challenger, or established firm, the issue of how to define a risk appetite for external fraud is likely to be the same!


The concept of risk appetite isn’t hard to grasp and is something that is present in every aspect of life.  In banking and financial services, the term is often raised in various risk committees to describe the organisation’s position, usually when something has gone wrong.


From a fraud perspective, this is almost certainly raised when a significant incident has occurred and the organisation has identified sizeable financial losses that impact profitability, a detrimental impact on its customers, and/or a risk to brand perception.


But if you were to probe the view in a risk committee that ‘those fraud losses are unacceptable and not within our risk appetite’ then in many cases it would soon become clear that the statement is more one of individual perception and collective opinion than of a documented measure that perhaps could have been forewarned.


So the question then becomes: At what point do acceptable fraud losses become unacceptable and therefore outside of risk appetite? 


It is certainly true that no organisation can make a profit without taking a risk. The only question is how much risk do they need to take to achieve their commercial objectives?


What is external fraud risk appetite?

External fraud risk appetite is not just about making a statement of how much a firm is prepared to lose as a result of fraud on the products and services that it offers to consumers.


Whilst such quantitative expressions are a key element, an external fraud risk appetite statement additionally needs to contain qualitative expressions, which reflect a firm’s internal stance and culture in preventing, detecting and responding to external fraud incidents.


Critically, a defined external fraud risk appetite enables a firm to take a risk-based and measurable approach to fraud losses and provides Key Performance (KPI) and Key Risk (KRI) Indicators across the fraud risk management cycle.

Advice for creating external fraud risk appetite



1. Understand your current and future risks…the firm should first have a full understanding of the current fraud landscape across all of its portfolios. This should be supported by data analysis, such as dashboards or other insight reports, that identify common fraud types, amount of losses, detection methods/reasons for losses and trends over time.


Risk appetite reporting should always aspire to be real-time and automated.  If your current fraud and financial crime systems cannot report in real-time, then perhaps it’s time to consider changing to become more analytical and data driven.  Data is king, and data driven decisions should be at the heart of any financial crime strategy.


 2. Engage with key stakeholders…risk appetite needs to be agreed at board level, but ultimately it is fraud professionals, working with key stakeholders, who will help to shape the risk appetite statement and supporting management processes. Critically, an effective fraud risk appetite statement needs to be supported by the wider business, particularly in those areas where it will have the most impact, such as commercial, finance, and other risk functions.


 3. Set quantitative levels of losses…working with key stakeholders, one concept is to set the expressions of risk appetite (the amount of material losses that the firm is willing to accept in pursuit of the commercial objectives). This level should not be set as an overall monetary figure; rather, it should be linked to an overall % impact on the net profit of the product, or to another scalable measure.  Other methodologies could be adopted, such as the volume of fraud incidents over a specified time period.  There is no right way to do this and it will depend on each organisation.  However, the key point is that whatever approach is taken, it must be measurable and reportable.

 4. Set trigger points…within the appetite, set defined points such as a tolerance (the maximum material loss that the firm is willing to accept before (1) the appetite statement is revisited or (2) the firm instigates further preventative measures in its fraud systems).

 5. Visualize the risk appetite expressions through dashboards, communicate the statement internally and encourage challenge from stakeholders around product performance.

 6. Bring risk appetite into the heart of fraud management decision making. Use performance against risk appetite as a basis for resource and/or investment allocation.


 7. Constantly challenge the acceptable levels of loss. It’s unlikely that first time around the quantitative expressions will be correct. These need to be developed and refined over time as thresholds are tested and/or surpassed.


 8. Develop fraud response plans in the event that the appetite thresholds are either triggered or surpassed. Be clear about what actions could be taken and who the information needs to be escalated to. Within the fraud response plans ensure that options are available for managing the increasing risk.  If your fraud systems are not capable of rapidly changing the strategy, to mitigate emerging fraud risk through new data and services, then perhaps it’s time to consider adopting a new system that enables a real-time adaptive strategy response. 


 9. One final point of note: risk appetite and tolerance levels should not be used as a ‘car-park’ for failed internal controls because current systems cannot adapt to changing risks.


I’ve created an ‘External Fraud Risk Appetite Statement’ template to help fraud and financial crime professionals start to build out the documented process of risk appetite.