EN ES
Request a consultation

Practice area

Fraud risk.

Assessments, control design, and forensic support when a case requires it. The point is to find the fraud before your examiner does.

The practice

Fraud risk is a discipline. Treat it as one.

Most institutions discover fraud risk after a loss. We come in before.

The vast majority of financial-institution fraud loss comes from a small number of typologies — wire fraud, ACH origination, check kiting, internal collusion, application fraud, account takeover — and a smaller number of control failures (segregation of duties, dual-control overrides, alert disposition, exception handling). Our practice helps institutions assess where their exposure actually is, design the controls that would catch it, and respond when something has already happened.

We engage in three modes: enterprise fraud risk assessments (typically annual, sometimes tied to regulatory expectations); fraud control design (process redesign, system configuration, alert routing); and forensic support when a specific case is open. The forensic work is partner-led; we do not turn it over to a junior team.

Fraud risk is also where AI most clearly changes the conversation. Synthetic identities, deepfake-enabled social engineering, machine-generated phishing — the typologies that mattered in 2020 are not the ones that will matter in 2027.

The work

The work in this practice, named.

  1. Enterprise fraud risk assessment Typology inventory, loss data analysis, control mapping, residual risk rating.
  2. Control design Process redesign, system configuration, alert routing, exception handling.
  3. Forensic support Case-specific investigation support, evidence preservation, root-cause analysis.
  4. AI & synthetic identity Emerging-typology assessment, model-based detection, identity verification posture review.
  5. Insider risk Segregation of duties, privileged-action monitoring, dual-control governance.
  6. Recovery & reporting Loss event reporting, board-level fraud reporting, regulator communication.
A typical engagement

A fraud risk assessment, end to end.

Phase Timing Deliverable
Loss & typology review Weeks 1–3 Three-year loss data analyzed, typologies catalogued against industry data.
Control mapping Weeks 4–6 Each typology mapped to existing controls; gaps identified and rated.
Residual risk Weeks 7–8 Inherent risk × control effectiveness = residual; calibrated to the committee's appetite.
Roadmap Weeks 9–10 Control remediation plan, sequencing, owners, dates.
Related practice areas