Intelligence Report | November 2026
HOW BOARDS CAN OVERSEE FRAUD RISKS AT BANKS
By: Naomi Snyder
One bank that was recently hit with a data breach did a thorough investigation only to find a bank employee had been taking pictures of customer files and sending them to a criminal — she was paid per picture. Other banks have been targets of sustained person-to-person payment or check fraud that cost the bank five figures, says Steve Sanders, chief risk officer and chief information security officer for CSI, a provider of banking and risk management solutions.

The board isn’t responsible for stopping all fraud in all its forms. But it is responsible for providing oversight to ensure the bank’s policies and procedures are effective in counteracting the bank’s risks, including fraud.

“It doesn’t matter how robust your technical controls are, most cyber incidents are a result of human failure,” says Michael La Marca, a partner at the law firm Hunton Andrews Kurth. “So, it comes back to the board and the necessity of having oversight, not only of technical resources involved, but the culture and the readiness as an organization, because it all takes one weak link.”

Part of that responsibility lies in creating an ethical, compliance-focused corporate culture, says Jonathan “Jack” Harrington, a partner at the law firm Bradley Arant Boult & Cummings and former assistant U.S. attorney investigating complex fraud cases, including cybercrime and money laundering. “That really does start with the board of directors at any financial institution, whether it’s a small community bank or a JPMorgan [Chase],” he says.

Resources and Reporting

One way to ensure the board sets the correct tone is to give the chief risk officer or chief compliance officer a direct reporting line to the board. “If you’re trying to filter that information through a traditional business line,” Harrington warns, “they are going to have naturally competing priorities in terms of what they’re going to put in front of the board.”

Sanders recommends boards ask for information about trend lines for different types of fraud over time and fraud detection rates. “That contextual data is often what I think the board is missing,” he says. “They’re getting snapshots rather than movie reel, and I think they need the movie reel.”

Other questions board members should consider asking:
How often are we stopping fraud before it hits the books?
What’s the emergency switch if there’s an uptick in a certain type of fraud?

The Risk Assessment Imperative

Small banks aren’t expected to have the compliance structures of a big bank. But banks are responsible for tailoring their mitigation to the unique risks of the bank, an area that the board must understand.

Boards are responsible for setting the risk appetite of
THE FRAUD MENACE: PROTECTING YOUR BANK