Trusting your organisation UK Card Fraud Conference 2012 Keith Dewey, 28 March 2012

UK Card Fraud Conference 2012 Trusting your organisation Page 2 Introduction Trusting Your Organisation Effective Fraud Management engages the whole business A centralised approach must create direction and ownership The business components must know what to do The activities must be performed correctly and effectively Effective Fraud Management engages the whole business A centralised approach must create direction and ownership The business components must know what to do The activities must be performed correctly and effectively Frameworks for the holistic picture Some case studies from our experience Frameworks for the holistic picture Some case studies from our experience

UK Card Fraud Conference 2012 Trusting your organisation Page 3 About Ernst & Young Fraud Management FS Fraud Management Systems and Controls Policies and Procedures Strategy & Approach Technology Enablement IT Security Deployment & Review Investigations Remediation Performance Improvement Partnering with clients to support their business

UK Card Fraud Conference 2012 Trusting your organisation Page 4 Common Fraud Management Framework Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 5 Common Fraud Management Framework Revenue and Profit Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 6 Common Fraud Management Framework Management Approach Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 7 Common Fraud Management Framework Lifecycle Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 8 Common Fraud Management Framework Process Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 9 Common Fraud Management Framework Technology Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 10 Common Fraud Management Framework Consistency Governance Operational Systems Reporting Analytics Risk and Control Assessment Strategy Processes Operational Integration Internal and External Intelligence Assurance Deter Prevent Detect Investigate Remediate Data Management Customer Proposition

UK Card Fraud Conference 2012 Trusting your organisation Page 11 Case Study 1 - Governance Trust was placed in each function to perform their role High credit losses, low fraud, low recoveries Fraud losses erratic What we saw Increased centralised oversight and integration Shared understanding of risks and controls Ensuring the right staff are doing the right job correctly Managing functional overlaps and gaps Opportunities

UK Card Fraud Conference 2012 Trusting your organisation Page 12 Case Study 2 - Investigations Trust was solely placed in Internal Audit to manage fraud Cases were approved for investigation by the board Low fraud reported (gross, recoveries, net) What we saw Utilisation of the “3 lines of defence” model Independent training and process review Redefine, analyse, investigate and report fraud losses and costs Cross functional integration and delivery of cultural change Proactive data utilisation – structured and unstructured sources Opportunities

UK Card Fraud Conference 2012 Trusting your organisation Page 13 Case Study 3 – IT Architecture Trust was placed in the IT solution Extensive industry benchmarking and vendor selection Adoption of “best of breed” prevention systems Losses and costs far exceeded those of competitors What we saw Enhance data management – availability and quality Build insight (analytics and reporting), configuration & optimisation Strategic systems review – what is needed, where and why Attune functions – IT, Ops, Risk, Compliance – cultural change Total cost analysis and programme support Opportunities

UK Card Fraud Conference 2012 Trusting your organisation Page 14 Case Study 4 – System Security Trust was placed in the prevention controls Rapid development of online customer proposition Extensive penetration testing to create “secure” IT solution Considerable and erratic fraud losses What we saw Additional data capture and collation to identify root causes Formal, multi-function fraud risk and control assessment Enhanced detection and monitoring controls Cross platform analytics (CRM value add) Greater integration between Business, IT and IT Security functions Opportunities

UK Card Fraud Conference 2012 Trusting your organisation Page 15 Case Study 5 – Third Parties Trust was placed in the extended organisation Highly secured loan offering Extensive use of third parties for remote sales Complex chains of resellers Customers managed through brokers What we saw Multidimensional performance analytics (long term measures) Profitability based incentives over referral rates Extensive due diligence and third party training Enhanced Know Your Intermediary process Revised go-to-market approach and control via online portal Opportunities

UK Card Fraud Conference 2012 Trusting your organisation Page 16 Trusting appropriately, with controls ManagementStaffIntermediaries CustomerForesight Insight Systems DataAnalytics

UK Card Fraud Conference 2012 Trusting your organisation Page 17 Questions and Comments Keith Dewey Senior Manager Financial Service Advisory +44 (0) (0) Trusting Your Organisation

UK Card Fraud Conference 2012 Trusting your organisation Page 18 ► The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice. ► Accordingly, Ernst & Young accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack. ► The information in this pack will have been supplemented by matters arising from any oral presentation by us, and should be considered in the light of this additional information. ► If you require any further information or explanations, or specific advice, please contact us and we will be happy to discuss matters further. Important Information