The next step in improving an institution’s fight against fraud is to assess its infrastructure and cybersecurity program. A gap analysis is critical to understanding any further fraud mitigation that may be needed. If the BSA officer finds any gaps, do they need to increase mitigation, or is the institution’s risk tolerance enough for that risk? The answer to this question will differ among financial institutions and should come from senior management.
When thinking about the risk tolerance for a financial institution, it is usually considered a hard dollar loss. If the institution loses a couple of thousand dollars, will they lose sleep at night? The financial institution may have a risk tolerance for that amount, maybe more, maybe less. However, when we're talking about national security, terrorist financing, cyber-attacks shutting down the economy, halting the U.S. energy supply or food chain, cyber-attacks and cyber fraud are much more than a hard dollar loss. Institutions should consider what its true risk tolerance is for cyber fraud, including its reputational risk. Most financial institutions have almost 0% risk tolerance for these more severe threats.
Establish the enterprise-wide security policies and procedures; that's important. Institutions have them, but are they thorough enough?