Guidance on Implementing a Fraud Hotline
The Federal Deposit Insurance Corporation (FDIC) encourages financial institutions to consider implementing a fraud hotline to assist in their enterprise risk management, corporate governance and fraud protection efforts. The FDIC has established the following guidelines for institution management to consider when implementing a fraud hotline to ensure its overall effectiveness.
Awareness
For maximum effectiveness of the fraud hotline, institutions should advertise and market the hotline's existence to employees, suppliers, third-party service providers and customers. Suggested channels are bank newsletters, memoranda, written policy, and internal and external bank Web sites.
Define Reportable Events
To minimize inappropriate calls or complaints to the hotline that do not involve wrongdoing, institutions should communicate the hotline's purpose. Institutions should also define guidelines about what types of improprieties are reportable events. Risk-awareness training about situations and suspicions that merit reporting will help to create a corporate culture that supports this type of confidential reporting mechanism.
Operations
Institutions should analyze the cost/benefit of operating a fraud hotline internally or contracting with a third party. Banks should recognize that they may initially incur start-up costs; however, once the hotline has been established, the savings in loss prevention should outweigh the cost. Factors to consider are budget, staffing and the expected volume of calls to the hotline. Some of the communication channels for operating a fraud hotline include a toll-free telephone line, a secure e-mail address, a designated mailing address or a combination of methods. Planned hours of operation should be extensive to ensure availability. Hotlines should be operated by experienced interviewers who can ask pertinent follow-up questions to determine whether an investigation should be initiated.
Independence
Regardless of whether the hotline is operated internally or by a third party, operations should be independent from bank management. The more independently the hotline is administered, the more confidence the complainants will have in reporting misconduct.
Privacy
Institutions should consult with legal counsel on privacy/whistleblower protections to ensure the source of the information remains confidential. Avoid implementing features such as caller ID or call-back functions that could intimidate callers. Confidentiality should be assured to avoid callers fearing possible reprisals.
Tracking
Institutions should assign a secure tracking system to the complaints, the follow-up, the investigation, the disposition, and the final closure of the complaint. Regular status updates on each complaint should be reviewed with internal audit and personnel in charge of fraud prevention.
Investigations and Reporting
Decisions to investigate should be made on a case-by-case basis. Investigations and their conclusions should be included in reports to the audit committee. Once a fraud scheme is identified, management should develop internal control procedures to avoid future incidents.