反欺诈——公司的又一战场.doc

天和财务： 反欺诈——公司的又一战场 Anti-fraud: The Next Phases in the On-going Battle 来源：天和网 核心提示：当今技术飞速发展，公司不仅要担心内部人员或支票欺诈，电子欺诈也可能为公司带来更大损害。 This article is written by Paul Buelens. 天和网天和财务频道消息：本文作者为保罗•布伦斯。 The lightning pace of technological advancement in recent years has meant that the nature and mode of financial frauds have seen a drastic change. Not only do corporations have to worry about the insider staff threat or basic cheque fraud anymore, but a whole raft of other electronic frauds that could cost the business money and reputational damage. 近年来技术进步的闪电发展意味着金融欺诈的本质和模式已经发生了巨大的变化。公司不仅需要担心来自内部人员或基本支票欺诈的威胁，其他的一系列电子欺诈行为可能为公司金钱和名誉带来更大的损失。 Modern frauds, particularly related to payments, are a far cry from the manual cheque frauds of old, as they are being perpetrated across all forms of payment devices, from credit and debit cards to investment instruments, to automated clearing houses (ACH). Financial and commercial institutions are constantly seeking comprehensive anti-fraud solutions that can cover all threats and protect all types of customers, including corporate ones, given how such crimes now have a global reach and have become highly sophisticated. 现代欺诈行为，多和支付有关，和以前的人工支票大不相同，它们借助各种各样的支付工具进行诈骗，从信用卡，到借记卡、投资工具以及自动结算所(ACH)。鉴于欺诈已经具有世界影响力并且高度复杂，金融和商业机构不断寻求全面的反欺诈解决方案，可以解除所有威胁，保护所有类型的客户，包括企业客户。 To prevent fraud it is advisable to adopt best practice, which in my opinion involves opting for separate individual modules that cover separate fraud areas completely, and report into a central over-arching control solution. These modules must be easily adaptable so that they can be integrated into reporting platforms. A payment card fraud module is usually the first one to be implemented. A real-time web-based application using proven anti-money laundering (AML) profiling and transaction monitoring and framework engines is best. The rule-based application can combat and prevent the modus operandi used by organised criminals around the world. The module should be applicable for both issuers and acquirers and set up for all payment cards including prepaid cards, which seem to be picking up market share in different regions and are popular with corporate treasurers. Gift and reward cards can be a real threat too when not properly monitored and are prone to money laundering. 为防止欺诈行为，最宜采用最佳做法，在我看来包括选择完全囊括单独欺诈行为的独立模块，并且将这些模块报告给总的控制方案。这些独立模块必须适应性强，以便与报告平台相结合。支付信用卡欺诈模块通常是第一个被实现的。在基于网络的实时应用程序中加入已确认的反洗钱分析以及事务监控和框架引擎是最好的了。以规则为导向的应用程序可以应对及制止世界范围内犯罪组织的作案方式。该模块对发行者和收购者都适用，可应用于所有付款卡包括预付款卡，在各地区都很受财务官的欢迎，占据越来越多的市场份额。礼物和卡片很可能成为真正的威胁，它们不容易被控制，且容易洗钱。 Extensive market research within financial institutions and corporations, overlooking internal procedures and ways how businesses interact, quickly teach you that there are various areas where improvements, such as enhanced authentication and access control tools, can result in reduced risks. 通过在金融机构和企业中进行广泛额市场研究，观察内部过程和交易进行方式，可以很快得知许多地方对减少风险都是非常重要的，例如改进身份验证和访问工具。 Every industry, company or geographical location will have its specific needs, issues and even country regulations that need to be taken into consideration when building an anti-fraud tool. Therefore, it is of the utmost importance that when focusing on a specific part you first have a complete understanding of the overall situation concerning where and how fraud occurs. Is it an internal or external threat your corporation is facing, domestic or cross-border, online or physical? These are some of the main topics that are analysed in-depth during a business analysis, which everyone should complete. 在建立反欺诈工具时，每个公司和行业或地区都有自己的特殊要求和问题，有时甚至需要考虑国家规定。因此，在你专注于某一特定部分前，对哪里或是怎样发生欺诈行为有一个总体了解是非常重要的。在你的公司中，欺诈的威胁来自内部还是外部？是国内的，还是国外的？是来自网上还是现实中？这些都是包含在深度业务分析中的主要课题，是每个人在都应该完成的。 The problems come from different sides. Both internal and external threats present different criminal approaches and philosophies. In most cases, internal problems emerge out of greed, poor internal control systems, disagreements and revenge, but at the core, these people normally do not have a criminal mind; at least to start with. On the contrary, when dealing with an external threat the setup is different and can take up any form of disguise. The criminal mindset is unpredictable and has no boundaries, regulations or time to look at. Their aim is financial gain no matter what is needed to do so. 欺诈问题来源于各个方面。内部和外部威胁表现出不同犯罪手段和策略。通常情况下，内部问题主要是贪婪、不健全的内部控制制度、分歧以及报复引起的，但根本上说，这些人一般没有犯罪心理，至少在一开始是没有的。相反，处理外部威胁时情况就不同了，它可能采取任何伪装。罪犯的心态是不可预知的、没有边界、不会理会法规或者时间。他们的目标就是金钱收益，并且无所不用其极。 A good example is where organised crime tries to put one of their associates on an important position within a company. This poses a serious threat and takes enormous time and effort to identify the mole within. Or, what we are witnessing today is where cyber criminals intrude your internal systems placing sniffers and malware that can easily be controlled remotely. Malware can reside in your system for a long time and when the time is right can easily be accessed remotely. Corporations must take appropriate protective measures. 一个很好的例子就是有组织犯罪，他们会将同伙放在某个公司的一个重要位置上。这对公司会构成严重的威胁，公司需要花费大量的时间和精力把这个人找到。或者，我们会看到网络罪犯闯入你的内部系统，装上嗅探器和恶意软件，并且可以很容易的进行远程控制。恶意软件会在你的系统中驻留很长一段时间，在适当的时候可以很容易的被远程控制。企业必须采取适当的保护措施。 Recent data breaches within the payment industry have proven that even with all the extra Payment Card Industry Data Security Standard (PCI DSS) rules in place, vigilance and constantly updating different levels of security is a must. Make sure to also keep track of what is going outside from your system. 最近支付行业内的数据缺口可以证明，即使符合所有额外的支付卡行业数据安全标准规定，保持警惕并不断更新不同级别安全保障是必要的。并且对从系统中流失的东西要随时追踪。 These intrusions can quickly cause a huge damage and be a driver for negative publicity. It will also have its impact on the morale of the hard working, loyal employees. Look at the different forms of staff member extortions, fear of retaliation and physical harm to themselves or family members will prevent the employee from reporting this. Not really aware of what may happen will make them an easy target that can be pushed to another level. Or the man in the middle approach, driven out of greed or frustration that will have no problem transferring funds or assets to anywhere asked, in order to keep up the life they are leading. Add it all up and you have the right ingredients for a financial nightmare. 这些入侵可以迅速导致巨大的损害，并推动负面宣传。还会影响工作努力、忠诚员工的士气。看到工作人员以不同形式被勒索，害怕自己被报复，害怕对自己及家人造成物理伤害，这些都会阻止员工对上检举。还没有真正意识到发生了什么，他们的一个简单的目标就可能会被推到另一个层面。或者有些人是由于贪婪或者挫折，为了保持自己较好的生活，并且又有能力将资金或资产转移到任何指定地方。综合所有因素，你完全有这个可能陷入金融噩梦。 When looking at huge losses caused by internal fraud, and aware of the steady increase, it provides corporations with pause to think. Initiatives to deploy an internal fraud solution module, where employees would play a main role are needed. Employee fraud can happen on every level within a company and can cause extra barriers when done by a board member or highly placed executive. It is the main fear of all companies, being betrayed by employees that have always been trustworthy and loyal during their entire career. It also has an impact on recruitment, internal trust and confidence that the public has in a company. It requires a strong, transparent but firm policy and management backup. It needs to clearly define the company point of view and internal fraud approach. Any organisation should have the ability to prevent, detect and investigate fraud, and take the necessary action to pursue potential fraudsters as far as necessary. The only way to reach this is with a decisive management and the right tools to do so. 看到内部欺诈造成的巨大损失，并且意识到损失不但增长，企业不得不停下来思考一下了。主动部署一个内部欺诈解决方案模块，并由员工扮演主要角色是必要的。雇员的欺诈行为可能发生在公司中的每一个层面，如果由董事会成员或公司高管来执行会导致额外的障碍。对于公司，最担心的莫过于一直以来都忠于公司、值得信赖的员工背叛了自己。此外，它对公司的招聘、内部信任和信息都会有所影响。公司需要有一个强大、透明、坚定的政策和管理备份。公司需要清楚的知道自己的观点和内部欺诈的方法。任何组织都需要有能力阻止、检测和调查欺诈行为，并采取必要的行动尽全力追查潜在的诈骗者。唯一可以实现这点的方法就是一个决定性的管理和正确的工具。 The rise of e-banking across continents has spiked identity theft cases big time and victimised unsuspected e-bankers and corporations. Yearly, thousands of customers are fooled with dubious sites or known website look-alikes. Identity phishing is still a widely used tool for criminals to obtain personal data and launch fraudulent scams. 跨洲电子银行的兴起大量激发身份盗窃案件，使大批无辜的电子银行和企业受害。每年，成千上万的客户的权益因可疑网站或知名网站的盗版网站受到损害。身份网络欺诈仍是获得个人数据及罪犯实施欺诈骗局广泛使用的工具。 So end users need the possibility to pause dubious payments, to further investigate the origin or beneficiary and take appropriate action to either release or block payments manually. We chose to add an embedded IP locator tool where dodgy IP addresses can easily be identified and blacklisted. In conjunction with an SMS server to notify customers of problems, the right tools are at hand to prevent hackers trying to hit banks or corporate customers through their e-portal. 所以终端用户可能需要暂停付款，以进一步调查起源或受益人，随后采取适当的行动，要么支付，要么手动支付。我们选择添加一个嵌入式IP定位器，这样可疑的IP地址就能很容易的被识别并加入黑名单。与用短信服务器通知客户问题的方式相结合，正确的方式是防止黑客通过企业电子门户打击银行或者企业客户。 Whatever compliance suite you choose working on one single platform is crucial, where all reporting modules are centralised for clarity and behaviour-spotting purposes. Sharing obtained intelligence and results provides corporations with an increased risk scoring result and better capabilities to fight fraud. 无论你选择什么样的合规套件，单一的平台是至关重要的，所有报告模块都集中于清晰和行为识别目的。分享已得情报和结果可以为企业风险增加得分，并且更好的打击欺诈行为。 译者：王娜 文章来源： ………………………………………………………………………………………………………………………… 办公地址：北京昌平区天通西苑26号楼三层