Intelligence Report | November 2026 - Flipbook - Page 16
“They’re getting snapshots rather than movie reel, and I think they need the movie reel.”
Steve Sanders, CSI

the organization, but few banks conduct formal fraud risk assessments, says Bob Sprague, managing director in the forensics and valuation services practice at Forvis Mazars.

He describes a best practice as bringing together stakeholders across the organization, from the business lines to different geographies, to identify risks, assess controls and close any gaps. The CFO and the COO shouldn’t sit down in a room together and figure it out by themselves.

More importantly, the risk assessment cannot be a one-time exercise. A common pitfall is to do the review and put it on a shelf to collect dust. “Risk profiles do not stay stagnant,” Harrington says. “As banks grow in terms of geography, as banks enter into new product lines, as banks grow their customer bases in new ways, they are always taking on and potentially in some cases walking back from new types of risk.”

The full loop works like this: “You need to identify the risks, you need to assess the risks, you need to mitigate the risks, and then you need to monitor and review whether or not that mitigation works,” Harrington says. The board can help with the process. If directors haven’t heard from management about an updated risk assessment in a few years, they can ask why.

For a small board, a simple process might be ensuring the chief compliance officer or chief risk officer has engaged in an annual review of the bank’s risk, which should include fraud. The board can look at ways the bank’s risk profile has changed that year and a summary of steps management is taking to address those changes, Harrington says.

Cyber Challenges

One risk that has been on the rise is cybercrime. A common problem is that banks don’t address audit findings about problems with cyber risk, says Harrington. He recommends significant findings and issues be put on the board meeting agenda as a line item until they are mitigated.

Directors can help a bank prepare in the event of a major attack. La Marca advocates for exercises at the board and executive level, because so many decisions must be made and because of the interdisciplinary demands of the response, involving legal, communications, federal and state reporting, insurance and regulatory reporting. “It’s often sort of a wake-up call for companies who haven’t seen that kind of thing before,” La Marca notes, “because it can be quite stressful, and there are a lot of complicated decisions to make in real time.”

Boards can also ask outside and inside experts to give updates and presentations on cyber risks and emerging threats, staying current on new trends such as the introduction of stablecoins and artificial intelligence, so they can ask good questions of management.

Internal Fraud

One of the largest risks to the bank is internal fraud, as investigators have tied numerous small bank failures to bank officer fraud.

Some 43% of occupational frauds were detected by a tip, more than three times as many as any other method, according to the Association of Certified Fraud Examiners 2024 report. Depending on the complaint, a best practice is to route fraud complaints to someone independent of management, such as the head of the audit committee, Sprague says. Hotlines work best when they’re accessible not just to employees but also to customers and vendors.

The importance of whistleblower programs has increased significantly since the Anti-Money Laundering Whistleblower Improvement Act of 2022, which created financial incentives for reporting financial crimes. A successful prosecution that results in a fine of over $1 million nets a whistleblower between 10% and 30% of the fine. With investigators relying on such tips, boards need visibility into whistleblower complaints and trends presented as part of routine board materials, Harrington says.

The worst-case scenarios rarely happen when it comes to fraud. Even significant events are usually survived, as in the case of the employee selling pictures of customer files. But sustained attention, regular assessments and education can go a long way in ensuring the bank is safe and sound.
14 | BANK DIRECTOR INTELLIGENCE REPORT
Naomi Snyder is editor-in-chief at Bank Director.