We are all acutely aware that the amount of data that organizations use and store has been growing exponentially over the past few years. Much emphasis is being placed on the potential rewards of unlocking valuable information from such data volumes – the so-called promise of Big Data. However, the associated potential risks for companies that may be buried in these voluminous datasets are clearly growing too.
Big Data is largely untagged, file-based and unstructured data, about which little is known. This means not only that large quantities of potentially useful data are getting lost, for example data which could allow a consumer goods company to draw insights on consumer behavior and generate greater value from marketing campaigns, but also that fraud, bribery and corruption, money laundering and other white-collar criminal activity may remain either very difficult to detect or, even worse, undetected because it lies buried in the morass of data.
A company that does not have sufficiently robust internal controls and security measures is at risk of both internal and external perpetrators leveraging the proliferation of data to their advantage in order to hide fraudulent transactions, improper payments and layering of funds, and even to “forge” electronic documentation in support of illicit acts. Equally, we find that companies whose systems are un-integrated or poorly integrated are unable to effectively identify compliance breaches such as the payment of bribes, procurement fraud, money laundering, etc., as they have no means of analysing the complete transaction flow or of identifying anomalous or unauthorized payments.
Data mining combines data analysis techniques with high-end technology for use within a process. The more data sources that can be mined, analysed and tested, the more likely it is that anomalies will be detected and/or alerts raised. Further, we find that companies that take a holistic approach and are able to integrate and consistently test and analyse data from systems across geography, business unit, etc. can identify schemes (even if they are cross-border) more quickly and effectively.
Data forensics is also part of our arsenal in the detection of illicit activity that might be hidden within sets of Big Data. Fraud inherently requires efforts at concealment, so detection may require a discreet collection of data belonging to the potential perpetrator, for example where the company suspects the theft of commercially sensitive data, collusion or misappropriation of funds. Frequently, when we find a problematic transaction or series of transactions, we will leverage our data forensics skills to identify the relevant sources of data, such as email or instant messaging, in support of the investigation.
Best practices for implementing Big Data for fraud prevention
- We recommend starting with small and specific uses for big data. For example, identify one or two business problems or risk areas that can be resolved by improving fraud detection, and create a task force composed of compliance, legal, IT and business unit representatives to devise an outcome-based plan. Get senior-level buy-in – this is part of a risk management strategy.
- It is critical to ensure that the company is working with high-quality data. Impress upon your team (and external consultants, as necessary) the need to ensure the proper data is being collected and the signal is separated from the noise to allow for effective, meaningful data analysis.
- Assess and plan for the relevant regulatory environment. It is critical to understand the boundaries for using customer data and the relevant privacy laws. Obtain legal and other expert advice in this area and acknowledge the added complexity for companies that operate globally, particularly in Europe. This will, in our opinion, be a, if not the, major challenge.
- Finally, we would stress that, in our opinion, this technology will be most effective if used by experienced forensic accountants, data analysts and both internal and external compliance and security professionals as part of a strategic approach to this aspect of risk management. In our experience, over-reliance on IT solutions without sufficient human expertise and analysis may lead, at best, to too many false positives (and a diversion of valuable resource to resolve them) and, at worst, to missed inappropriate activity.