After more than a decade, Jay Leek knows when something doesn't look right on the books. In the first part of this podcast series, the vice president of international security at Equifax Inc. talks about his two fraud prevention best friends: the billing system and the whistleblowers. In the second podcast, coming Tuesday, Leek talks about the dedication needed to develop a fraud prevention program and how to deal with false positives.
Q: You've said that a fraud prevention program doesn’t start with the technology, it starts with corporate culture. How do you build fraud prevention into the DNA of a company’s culture?
A: It really does start at the top of the organization and with the tone from your executive management. If you don’t have the support to actually have a culture of fraud prevention -- which I think starts with ethics and integrity, first and foremost -- from the top of the organization down, then you’re going to have a very difficult time ever implementing a comprehensive fraud prevention program.
Fraud prevention is all about your people, and as a vast majority of the investigations that result in fraud being discovered start with the whistleblowers, it is about people coming forward. You need to ensure they have that culture where they feel comfortable coming forward … that they're doing the right thing by sticking their necks on the line.
You can think about all the technical controls in the world that you might put in to help prevent fraud. Many points along the way, what you’ll find is those technical controls are dependent upon people making the right decisions. Very few business processes are solely technical. There’s often an individual inserted throughout that process -- and anywhere an individual is inserted into a process, you run potentially the risk of opening or exposing yourself to a situation that could result in fraud.
If people know that action will be taken if they do something but also that no action against them will be taken if they come forward and stick their neck on the line, especially if it is their manager or someone they may feel threatened by to come forward about, then you're going to build that culture that allows employees to be very aware of their surroundings. They will be very thoughtful in their approach and how they try to protect their organization from fraud.
Q: What is the cornerstone of your fraud prevention program in terms of processes?
A: I think it's very important that you know who your customers are, for starters. And not just your customer, but who your business partners are. It's your ecosystem of who you are working with. You want to make sure you have some kind of credentialing or an entitlement process for determining who you do business with and who you don't.
Listen to the full podcast to learn more about credentialing, billing systems and the anomalies Leek looks for that may indicate fraud.
Read the full transcript from this podcast below:
Christina Torode: Hi. This is Christina Torode, news director for SearchCIO.com. I'm here with Jay Leek, vice president of international security for Equifax. Equifax is a data solutions provider for financial services companies, and a consumer credit card reporting agency. Jay has worked as a director of fraud, security, and compliance in the Telco and financial services industries for more than 10 years. In this podcast, Jay talks about developing a fraud prevention program based on his experiences at Equifax and in past positions.
Christina Torode: Hi Jay.
Jay Leek: Hello. How are you doing, Christina?
Christina Torode: Good. Thank you. When developing a fraud prevention program, you believe that it doesn't start with the technology; it starts with the corporate culture. How do you build fraud prevention into the DNA of a company's culture?
Jay Leek: Yeah. I mean, I think that's a great question, because it really does start at the top of the organization, and with the tone from your executive management. If you don't have the support to actually have a culture of fraud prevention, which I believe starts with ethics and integrity, first and foremost, from the top of the organization down, then you're going to have a very difficult time ever implementing what I would consider to be a comprehensive fraud prevention program.
Because, first and foremost, fraud prevention is all about your people; and as a vast majority of investigations that result in fraud being discovered start from whistleblowers, people coming forward, you need to ensure that they have that culture where they feel comfortable coming forward, and also where they have that culture starting at the senior levels of your organization down, where they know that your company wants to operate with integrity. It has ethical values that it holds very high. And they're doing the right thing by sticking their neck on the line and actually coming forward.
Furthermore, you can think about all the technical controls in the world that you might put in to help prevent fraud. Many points in time along the way, what you're going to find is those technical controls depend on people making smart decisions. Because very few business processes are solely technical, there's often an individual that's inserted throughout that process. And anywhere you put an individual into that process, you potentially run the risk of opening or exposing yourself to a situation that could result in fraud.
If people also know this is important to the organization, that action will be taken if you do something, but also that no action against the individual is going to be taken if they come forward and stick their neck on the line, especially if it's their manager or somebody they might feel threatened to come forward about, if they believe they're doing something wrong, then you're going to build that culture that's going to allow your employees to be very aware of their surroundings, very thoughtful in their approaches and how they try to protect the organization from fraud.
Christina Torode: What is the cornerstone, in terms of processes, of your fraud prevention program?
Jay Leek: I think it's very important that you know who your customers are, for starters; and not just your customers. It's also who your business partners are. It's your ecosystem of who you're working with. So you want to make sure that you have some kind of credentialing process, or entitlement process, so to speak, for determining who you do business with and who you don't, whether it be a customer relationship or a business partner relationship.
And I think you can take this back to what most companies do with their own employees. You typically do a background check, and you have some kind of screening process to determine, is this individual someone that I really want to bring into my organization? And you need to have that same kind of thoughtfulness or process in place when you're thinking about all the other touch points, because, quite honestly, you do see a lot of fraud that originates, of course, from the inside. We hear about that all the time, in all kinds of write-ups. And that's where people are talking about fraud.
But what we also see, in my personal experience, is a lot of fraud that comes through our customers, or it comes through contractors, business partners. And this is very unfortunate. And a lot of times, it's not the entity that we're doing business with who commits fraud, but it is an employee of that entity, or it is a contractor of that entity. And they have just enough inside knowledge about how you do business, and they're able to take that inside knowledge and exploit it, and do a lot of things that we definitely don't want to have happen in our organizations.
Christina Torode: Could you actually give an example? I'm not talking about Equifax in particular, but in general, of that kind of situation, where an employee of a customer, or an employee of a partner...
Jay Leek: I think what we typically see... and if you think about organizations that provide various services. So there's no tangible piece of hardware or an asset that's part of the services that that entity provides. And you have a customer, let's say, that is buying this logical asset, or information, or whatever it may be, from you; what I've seen in the past is there are quite often employees of customers who have certain access rights to this information. This information access, so to speak. And you'd be surprised as to how many side companies I've actually seen set up over the years where employees of our customers were actually stealing from their employer information that the organization I was working for had, and they were selling it on the back end. So in reality, what's happening is that the customer's paying the bill; unfortunately, the bill they were paying wasn't correct.
So we had processes, we had technology capabilities in place to look for this type of behavior that's coming from our customers, identify these anomalies, investigate it, and then go to our customer and say, we believe that you have this particular rogue employee that might be doing something completely correct, but it looks very peculiar to us.
Or perhaps even, we might have evidence to show that they're really doing something on the side. And ultimately, we turn that over to our customer, or we would turn it over to our customer, and we would suspend that account or terminate that account, most likely, of the individual. But then it's up to the customer to either do what they're contractually obligated, with the arrangement they have with us, or to take the right action that needs to be taken against that employee.
Christina Torode: You actually mentioned the billing system. Can you explain why is understanding the finance and the billing system so critical to a fraud prevention strategy?
Jay Leek: If you're wanting to look for fraud, you always kind of follow the money, because ultimately, in my experience, people are committing fraud because there's some kind of dollar value behind it; it's not... like, so often, the things that we see in security, especially these days, where there's political hacktivism going on or whatever it may be. In a fraud case, typically speaking, someone's trying to steal something of a monetary value from you.
And finance has a vast amount of information that can prove to be very helpful. For example, with finance, you can look for statistical anomalies in invoicing type information. So if a customer is typically getting billed $1,000 a month, and then next month the bill is $30,000, we've never seen that before in the past 12 months, that's an anomaly.
Now, that doesn't necessarily mean that they've done anything wrong, per se. What it does mean is there's an anomaly there that is most likely worth investigating to see if fraud is actually taking place, or if they're just running some kind of special of whatever product that you offer and there's a lot more of it going out the door this month, or not.
So there's a lot of other very interesting customer behavioral type information that you're able to glean from your finance organization. And they're actually sitting on a ton of data that is very relevant to your fraud program. They have no clue, most likely, that this is relevant to your fraud program. But if you're able to get your hands on it, it can prove to be very valuable as you're building out your monitoring and investigating capabilities when either detecting or responding to a potential fraud incident.
Christina Torode: Are they resistant to that at all? Or do you directly work with the people in charge of the billing system and finance?
Jay Leek: Absolutely. I mean, in fact, we haven't had any resistance to that at all. In fact, when we show them the type of information that we can produce from taking the end data they already have, we typically find that they're very excited to work with us. I mean, finance doesn't want invoices coming back from customers saying that, you know, this isn't their invoice. It's not correct. And definitely, they don't want an invoice coming back that's saying this is not a correct invoice, and when the customer inquires as to why, it turns out that there was fraudulent activity.
Now, it could be there was fraudulent activity because, like I said, they have an employee that's stealing from them. But even that doesn't necessarily make your organization look good. In my opinion, you should have control of the place and be able to protect customers, such as the example I gave you earlier, as well as protecting your own organization; because you're all in business together.
Christina Torode: How do you test fraud prevention controls to make sure people aren't kind of finding their ways around them?
Jay Leek: There are several cornerstones to fraud prevention, kind of at a high level, I think, regardless of what organization you're in. And one of them, as we've been talking about today, is this entitlement or enrollment credentialing-type process. We've also been talking about the ability to monitor and look for anomalies, and investigate things like that. The third one that we touched on too is the investigation piece: making sure that you have the right tools in place to investigate potential fraudulent activity or anomalies that you're detecting.
And the final one we haven't touched on is some kind of auditing mechanism. So whether it be auditing your customers to ensure that they have the proper consent, or whatever it may be, depending on the nature of the products you're offering, to buy that from you. In our case, where we are heavily regulated, and as we provide credit information to our customers, they have to have the proper consent. The level of that consent may also vary in various jurisdictions around the world, and we ensure that they have it by auditing our customers.
You also want to look internally and audit your processes. We're actually in the process right now of sitting down with our business operations teams and our IT teams and we're looking at our data life cycle, and how we manage data quality within our organization.
And we are literally pulling apart all of the internal processes that we have for the full data life cycle, and looking at the controls we have in place today, and saying, those controls made sense when they were implemented X time period ago, and do they still make sense today? And are there new threats, or new risk? New business environments that we're working in today, have things evolved and changed? Is this satisfactory?
And that's something that I think has to be done kind of on a continuous basis, as well, and it really, really requires that you have a strong understanding of how your company does business. Because if you don't understand, at a very detailed process level, how your company does business, how information flows through your company, how money flows through your company, and how products are basically ordered from your customer and then ultimately delivered to your customer, whether that be a physical product or a logical product, then you're going to have a very difficult time protecting it.
And for me, it's doing risk assessment, doing audits on your internal processes that are kind of cornerstones to how your company makes money, that is how you're going to make sure that you have the right controls in place; and never being satisfied, it is a continuous process.
Christina Torode: Well, thank you for your time today, Jay. I really appreciate it.
Jay Leek: No problem. Thank you.
Christina Torode: This has been Christina Torode, news director of SearchCIO, speaking with Jay Leek, vice president of international security for Equifax.
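As an added example, not code from the interview, from Equifax or from the speaker, the billing check Leek describes (a customer normally billed about $1,000 a month who is suddenly billed $30,000) can be screened per customer against that customer's own trailing 12-month history. The customer names, invoice rows, 12-month window, 5.0 threshold and 6-month minimum history below are all assumptions for illustration; the scoring uses median and median absolute deviation (MAD) rather than mean and standard deviation so that one earlier spike cannot inflate the baseline and hide a later one.

```python
"""Invoice anomaly screen (added example; not the page's, Equifax's or the speaker's code).

Flags a customer's latest monthly invoice when it departs sharply from that
customer's own trailing history. Every row in INVOICES is constructed for
illustration; the thresholds are assumptions, not figures from the interview.
"""
from collections import defaultdict
from statistics import median

# Constructed sample rows: (customer_id, billing_month, invoice_total_usd)
INVOICES = [
    # ACME: steady around $1,000 for 12 months, then a $30,000 month
    *[("ACME", f"2011-{m:02d}", t) for m, t in enumerate(
        [990, 1010, 1005, 995, 1020, 980, 1000, 1015, 990, 1005, 1010, 1000], 1)],
    ("ACME", "2012-01", 30000),
    # BETA: noisy but normal, latest month inside its usual range
    *[("BETA", f"2011-{m:02d}", t) for m, t in enumerate(
        [4900, 5100, 4950, 5200, 5050, 4800, 5150, 5000, 4900, 5100, 5250, 4850], 1)],
    ("BETA", "2012-01", 5100),
    # GAMMA: new customer, too little history to score yet
    ("GAMMA", "2011-10", 700), ("GAMMA", "2011-11", 720),
    ("GAMMA", "2011-12", 690), ("GAMMA", "2012-01", 710),
    # DELTA: perfectly flat history (MAD == 0), then a small change
    *[("DELTA", f"2011-{m:02d}", 2000) for m in range(1, 13)],
    ("DELTA", "2012-01", 2050),
]


def _group_by_customer(invoices):
    """Group rows into {customer: [(month, total), ...]} sorted by month."""
    by_cust = defaultdict(list)
    for cust, month, total in invoices:
        by_cust[cust].append((month, float(total)))
    for rows in by_cust.values():
        rows.sort()  # "YYYY-MM" strings sort chronologically
    return by_cust


def robust_z(value, baseline):
    """Return (baseline_median, robust z-score) of value against baseline.

    0.6745 * (x - median) / MAD is the usual MAD-based z-score; a flat
    history gives MAD == 0, so the scale is floored at 1% of the median
    (and at $1) so a trivial change is not reported as infinitely anomalous
    while a real jump still scores very high.
    """
    center = median(baseline)
    mad = median(abs(v - center) for v in baseline)
    scale = max(mad, 0.01 * abs(center), 1.0)
    return center, 0.6745 * (value - center) / scale


def screen_invoices(invoices, window=12, min_history=6, threshold=5.0):
    """Score each customer's latest invoice against its trailing `window` months.

    Returns {"flagged": [...], "cleared": [...], "insufficient_history": [...]};
    flagged/cleared entries are dicts with the figures an investigator needs.
    The check is two-sided: an unexplained drop is as worth a look as a spike.
    """
    result = {"flagged": [], "cleared": [], "insufficient_history": []}
    for cust, rows in sorted(_group_by_customer(invoices).items()):
        if len(rows) < min_history + 1:  # need a baseline plus the month under test
            result["insufficient_history"].append(cust)
            continue
        month, latest = rows[-1]
        baseline = [t for _, t in rows[-(window + 1):-1]]
        center, z = robust_z(latest, baseline)
        record = {"customer": cust, "month": month, "total": latest,
                  "baseline_median": center, "robust_z": round(z, 2)}
        result["flagged" if abs(z) >= threshold else "cleared"].append(record)
    return result


if __name__ == "__main__":
    out = screen_invoices(INVOICES)
    for rec in out["flagged"]:
        print(f"INVESTIGATE {rec['customer']} {rec['month']}: ${rec['total']:,.0f} "
              f"vs median ${rec['baseline_median']:,.0f} (robust z = {rec['robust_z']})")
    for cust in out["insufficient_history"]:
        print(f"SKIP {cust}: fewer than 6 months of history, no baseline yet")
```

A flag is a lead, not a finding: as the interview says, the $30,000 month may be a legitimate promotion, so the output is a queue for the investigation step, and the `insufficient_history` bucket is where new customers sit until enough billing history exists to judge them.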