Counter Fraud Fundamentals Self-Assessment Questions

Transcription

CONFIDENTIAL WHEN COMPLETED

Counter Fraud Fundamentals
Self-Assessment Questions

© The IASME Consortium Limited 2021

This document is made available under the Creative Commons BY-NC-ND license. To view a copy of this license, visit /4.0/

You are free to share the material for any purpose under the following terms:

- Attribution — You must give appropriate credit to The IASME Consortium Limited, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests The IASME Consortium Limited endorses you or your use (unless separately agreed with The IASME Consortium Limited).
- Non-Commercial — Unless your organisation is a licensed IASME Certification Body or IASME Product Assurance Partner, you may not use the material for commercial purposes.
- No Derivatives — If you remix, transform, or build upon the material, you may not distribute the modified material.

Information contained in this document is believed to be accurate at the time of publication, but no liability whatsoever can be accepted by The IASME Consortium Limited arising out of any use made of this information. Compliance with this standard does not infer immunity from legal proceedings, nor does it guarantee complete information security.

© 2021, The IASME Consortium. All rights reserved.

Version 1.4
January 2021

Introduction

This booklet contains the question set for the Counter Fraud Fundamentals verified self-assessment.

The Counter Fraud Fundamentals scheme was developed by IASME in partnership with the Open Banking Implementation Entity. Organisations of all sizes can prove that they have the fundamental counter fraud controls in place.

Further guidance on the Counter Fraud Fundamentals scheme can be found online.

Answering the questions

The booklet is intended to help you to understand the questions and take notes on the current setup in your organisation. In order to complete the assessment, you must enter your answers via IASME's online assessment platform.

You must answer all questions in order to achieve certification.

Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise certification cannot be awarded.

Need help?

If you need help with understanding the questions, get in contact with IASME on +44 (0)3300 882752 or email info@iasme.co.uk.

Alternatively, IASME has a network of Certification Bodies who are skilled information assurance companies who can provide advice on the standards and who can help you make changes to your setup in order to achieve compliance. Visit the IASME website at www.iasme.co.uk to find your nearest Certification Body.

Introduction

In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions.

Q1. Which of these describe your organisation?
Options:
- Payment Initiation Service Provider (PISP)
- Account Information Service Provider (AISP)
- Account Servicing Payment Service Provider (ASPSP)
- Card Based Payment Instrument Issuer (CBPII)
- Technical Service Provider (TSP)
- Other
[Notes]

Q2.1. Is the company regulated by the relevant regulator?
Options: Yes / No
This might be a financial regulator or a different industry regulator.
[Notes]

Q2.2. If 'Yes', which regulator is it?
If you are regulated, please specify to which body you report.
[Notes]

Q3.1. Is there a cyber security certification in place?
Options: Yes / No
It is important that your organisation has achieved a basic level of Cyber Security. You should choose the security accreditation that is most suited to your needs. Cyber Essentials confirms that your organisation has implemented key security controls. Both IASME Governance and ISO27001 standards go beyond Cyber Essentials to confirm that your organisation is taking a managed, risk-based approach to Information Security.
[Notes]

Q3.2. If 'Yes', what certification does the company hold?
Options:
- Cyber Essentials
- Cyber Essentials Plus
- IASME Governance
- ISO27001
- Other
[Notes]

Q4. What is the company's name as registered at Companies House (if appropriate)?
The answer you give to this question will be used as the company name on your certificate. Please provide the full name for the company being certified.
[Notes]

Q5. What is the registered company or charity number?
[Notes]

Q6. What is the company's registered address?
Please provide the legal registered address for your organisation. This answer will be included on your certificate.
[Notes]

Q7. What is the size of the company?
Options:
- Micro
- Small
- Medium
- Large
Based on the EU definitions of Micro (<10 employees, €2m turnover), Small (<50 employees, €10m turnover), Medium (<250 employees, €50m turnover) or Large.
[Notes]

Q8. What is the company's industry sector?
This is the standard government list of industry sectors.
[Notes]

Q9. Why is your company doing this certification?
Options:
- Requested by supplier/customer
- Required by an insurance organisation
- To demonstrate good practice
- Other
We use this feedback on the scheme.
[Notes]

Q10. Is this the first time the company is completing this certification or is it a renewal?
Options:
- First time
- Renewal
We use this feedback on the scheme.
[Notes]

Q11. Does this assessment cover the whole organisation?
Options: Yes / No
This assessment covers all customers, products, channels and business units across the organisation. If there is a small division that is not included, the company must answer this question as "No".
[Notes]

Q11.1. If "No", please describe the scope of this assessment.
Please describe the scope which is included. This will appear on the certificate or the online record of your certification.
[Notes]

Oversight and Control

Q12. Has the company identified its fraud risks?
Options: Yes / No
You can answer yes if you have identified your fraud risks even if these are not documented in a formal risk assessment.
[Notes]

Q13. Has the company documented its fraud risks?
Options: Yes / No
[Notes]

Q14. Are the fraud risks reviewed and reported internally?
Options: Yes / No
[Notes]

Q15. Does the company have a documented fraud policy and/or strategy?
Options: Yes / No
Fraud Policy and Strategy could be a separate document or combined into one. The document will define what is classed as fraud within the organisation and the likelihood of it occurring. It may also document a strategy that mitigates and responds to the risks.
[Notes]

Q16. Does the company have processes in place to investigate internal fraud?
Options: Yes / No
This may be included as a response plan or within the Fraud Policy or in another document, either as a standalone or incorporated with others.
[Notes]

Q17. Has the company estimated the financial impact of its fraud risks?
Options: Yes / No
For each fraud risk the organisation should consider the frequency and potential loss that could be incurred. The combination of frequency and potential loss gives the company the estimate of the financial impact.
[Notes]

Q18. Does the company have audit trails of user access and activity?
Options: Yes / No
System records can show when individuals sign in/out and what activity was undertaken by them when signed in, by date/time.
[Notes]

Q19. Has the company assigned responsibilities of counter fraud to an individual?
Options: Yes / No
This role could be part of another role or a dedicated role.
[Notes]

Q20. Please provide the name and job title of the individual assigned with the counter fraud responsibility.
Please include job title.
[Notes]

Q21. Does the company have agreed metrics to manage fraud?
Options: Yes / No
These are metrics that enable Senior Management to understand the level of fraud and any mitigation. For example, number of cases detected/prevented or outstanding audit points.
[Notes]

Q22. Do the fraud metrics have defined targets and link back to the company's objectives?
Options: Yes / No
Your organisation should monitor the metrics and link them to wider objectives to support performance management of fraud.
[Notes]

Q23. How often does the company complete fraud risk assessments?
Risk assessments should contain a date to be reviewed and whether the review has been completed or otherwise.
[Notes]

Q24. Has the company defined its fraud risk management response to the fraud risks identified?
Options: Yes / No
The organisation needs a documented paper identifying how each identified risk is managed.
[Notes]

Q25. Has the company assessed and documented its fraud risk appetite?
Options: Yes / No
Risk appetite is an agreed level of fraud risk willing to be accepted by the company in order to achieve its strategic objectives. For example, if the company is in a growth stage, the company may have made a conscious decision to reduce the fraud controls and increase its fraud risk appetite.
[Notes]

Prevent and Detect

Q26. Does the company undertake background checks for customers, staff and suppliers?
Options: Yes / No
Does the company complete fraud checks on the customers, staff or suppliers? For example:
- are they who they say they are, validating the information provided using third-party information;
- checking to see if there are any anomalies in the information provided;
- checking if there was any adverse media or prior fraud by the customer;
- checking that staff or suppliers or anyone associated with them have not committed fraud before (known frauds either identified by the company or by the third-party provider).
[Notes]

Q27. Does the company undertake ongoing due diligence on suppliers, staff, and contractors in order to identify, assess and manage fraud risks?
Options: Yes / No
Does the company complete ongoing checks on the customers, staff, or suppliers? This question will not appear for TSP organisations.
[Notes]

Q28. Is liability for fraud losses arising from outsourced activities included within contractual arrangements?
Options: Yes / No
Contracts would be expected to include a paragraph defining who is responsible in what circumstances and defining the liability if there are losses incurred. This question will not appear for TSP organisations.
[Notes]

Q29. Does the company have the ability to block / force logout a suspected fraudster?
Options: Yes / No
If you identify access to your systems by a suspected fraudster, can you log them out or block them?
[Notes]

Q30. Does the company monitor and assess the fraud risk created by privileged (or admin) access rights?
Options: Yes / No
You would be expected to monitor the activity undertaken by those with privileged access rights for fraudulent activity.
[Notes]

Q31. Does the company have a whistle-blower process for staff to report suspected internal fraud?
Options: Yes / No
The organisation would have an email/telephone or online reporting line for staff to report suspicions about fraud, and then a defined and documented follow-up process.
[Notes]

Q32. Does the company monitor and identify potentially fraudulent activity?
Options: Yes / No
Fraudulent activities that are monitored and identified cover third-party fraud, fraud by the company's customers or suppliers, and internal fraud.
[Notes]

Q33. Does the company monitor transactions and/or customer accounts to identify suspicious activity?
Options: Yes / No
This question specifically relates to payment transactions and access to customer accounts, including payments to/from the account.
[Notes]

Q34. Are fraud controls documented?
Options: Yes / No
This may be a standalone policy or be included in the Fraud Policy or strategy.
[Notes]

Q35. Can victims of fraud contact the company if they have fraud concerns or to report fraud?
Options: Yes / No
Victims of fraud can be customers, members of staff or suppliers and, therefore, a mechanism for dealing with any fraud concerns should be in place even if the company doesn't deal with consumers.
[Notes]

Q36. Is the company's fraud and/or financial crime policy communicated to all members of relevant staff, including contractors?
Options: Yes / No
[Notes]

Q37. Does the company provide its customers with information about how to report fraud?
Options: Yes / No
This question will not appear for TSP organisations.
[Notes]

Q38. Does the company have annual mandatory fraud training for all staff?
Options: Yes / No
The training can be personalised, eLearning or classroom based training.
[Notes]

Q39. Does the company have specialist fraud training for staff working in fraud and staff in privileged positions (e.g. access to transact)?
Options: Yes / No
In addition to basic fraud training, does the company provide specific training for specialist/privileged staff? This question will not appear for TSP organisations.
[Notes]

Q40. Does the company run fraud education and awareness campaigns to help customers, staff and suppliers increase their awareness and knowledge in the fraud area?
Options: Yes / No
The organisation may provide one-off training or awareness sessions (via website, intranet, one-to-one sessions etc.) or an ongoing plan of events throughout the year.
[Notes]

Q41. Does the company engage with counter fraud bodies in order to understand the latest "best practice"?
Options: Yes / No
Bodies engaged with may include CIFAS, UK Finance, Regulatory Bodies, Action Fraud, EU Commission Fraud Reports, Vendor Intelligence. This may be through engaging directly with these bodies or attending updates and events.
[Notes]

Respond and Recover

Q42. Do the company's fraud risk assessments include the potential for 1st party fraud?
Options: Yes / No
1st party fraud is also known as friendly fraud. In essence, it is where the customer or supplier defrauds the company.
[Notes]

Q43. Do the company's procedures for investigating fraud meet the requirements for a criminal investigation?
Options: Yes / No
The organisation's processes and policies need to consider the requirements for criminal standard investigations to be adhered to, i.e. PACE/CPIA. This question will not appear for TSP organisations.
[Notes]

Q44. Does the company engage with counter fraud bodies in order to understand the latest "best practice"?
Options: Yes / No
Bodies engaged with may include CIFAS, UK Finance, Regulatory Bodies, Action Fraud, EU Commission Fraud Reports, Vendor Intelligence. This may be through engaging directly with these bodies or attending updates and events.
[Notes]

Q45. Does the company have access to relevant law enforcement agencies for criminal investigation support and advice?
Options: Yes / No
Does your organisation have a contact in a Local Enforcement Agency for support and guidance when investigating fraud? This question will not appear for TSP organisations.
[Notes]

Q46. Does the company contact customers when there is suspected fraud and/or suspicious activity on their accounts?
Options: Yes / No
This question will not appear for TSP organisations.
[Notes]

Q47. Does the company actively participate in obtaining and sharing fraud intelligence with the wider community and their peers?
Options: Yes / No
The organisation may share intelligence with peers or others via membership bodies or directly.
[Notes]

Q48. Are there protocols and procedures in place for recovering fraudulent monies?
Options: Yes / No
This would be a documented plan for recovering monies lost to fraudulent activity. This question will not appear for TSP organisations.
[Notes]

Q49. Does the company provide Senior Management with the documented evidence of completed fraud investigations and recovery outcomes?
Options: Yes / No
[Notes]

Q50. Does the company have a process in place for the identification and removal of impersonator websites/domain names/apps which have been set up for the purposes of phishing information?
Options: Yes / No
The organisation may share intelligence with peers or others via membership bodies or directly.
[Notes]

Q51. Does the company regularly review their fraud controls?
Options: Yes / No
This may form part of the company's regular review process.
[Notes]

Q52. Does the company help victims of fraud report incidents to the authorities and industry bodies?
Options: Yes / No
This may also include the company reporting to the relevant authorities and industry bodies on the victim's behalf. This question will not appear for TSP organisations.
[Notes]

Q53. Are the company's internal fraud prevention processes documented?
Options: Yes / No
This question relates to the documentation of low level fraud processes. For example, mandatory two weeks' holiday could be the fraud control. The associated fraud process would document how the holiday process is monitored and investigated when there is a breach.
[Notes]

Data Management & Analytics

Q54. Does the company collate data on suspected, identified and prevented fraud?
Options: Yes / No
Does the company capture information on what the company prevented and detected? This question will not appear for TSP organisations.
[Notes]

Q55. Does the company have a documented approach for analysing anomalous and suspicious activities?
Options: Yes / No
For example, monitoring log-ons for suspicious devices, multiple password resets, monitoring invoices and checking they are valid.
[Notes]

Q56. Does the company record and categorise information on fraud that results in financial & non-financial loss?
Options: Yes / No
The report would include all information where the organisation was not able to stop the fraud. Do you categorise and capture information on the case? This question will not appear for TSP organisations.
[Notes]

Q57. What are the technology tools used by the company to fight fraud?
Please give examples such as prevention software, continuous monitoring tools, investigation tools, data analytical software / website portals.
[Notes]
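The two examples Q55 gives (multiple password resets, log-ons from suspicious devices) are both rules that can be run over the kind of sign-in/activity audit trail Q18 asks about. The following is an added illustration, not part of the IASME question set and not code from IASME or the Open Banking Implementation Entity: it parses a constructed audit log (the record layout, the event names LOGIN and PASSWORD_RESET, the three-resets-in-one-hour threshold and the device identifiers are all assumptions made for the example) and applies the two rules, returning the accounts and events a fraud team would then review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail records (not real data). Assumed layout:
# <ISO-8601 timestamp> <user> <event> <device-id>
SAMPLE_AUDIT_LOG = """\
2021-01-11T08:02:11Z alice LOGIN dev-a1
2021-01-11T08:03:40Z alice PASSWORD_RESET dev-a1
2021-01-11T08:05:02Z bob LOGIN dev-b7
2021-01-11T08:09:15Z alice PASSWORD_RESET dev-a1
2021-01-11T08:14:33Z alice PASSWORD_RESET dev-a1
2021-01-11T09:30:00Z bob LOGIN dev-zz9
2021-01-11T10:00:00Z carol LOGIN dev-c3
2021-01-11T12:00:00Z carol PASSWORD_RESET dev-c3
2021-01-11T18:00:00Z carol PASSWORD_RESET dev-c3
"""


def parse_audit_log(text):
    """Turn the whitespace-separated audit lines into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, device = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "device": device,
        })
    return records


def flag_repeated_password_resets(records, threshold=3, window=timedelta(hours=1)):
    """Rule 1 (assumed threshold): `threshold` or more password resets for one
    user inside a sliding `window`. Returns {user: (first_reset, last_reset)}."""
    resets = defaultdict(list)
    for r in records:
        if r["event"] == "PASSWORD_RESET":
            resets[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in resets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = (times[i], times[i + threshold - 1])
                break  # one alert per user is enough for review
    return flagged


def flag_unseen_device_logins(records, known_devices):
    """Rule 2: a LOGIN from a device not previously recorded for that user.
    `known_devices` maps user -> iterable of device ids already trusted.
    Returns a list of (timestamp, user, device) alerts in log order."""
    seen = {user: set(devs) for user, devs in known_devices.items()}
    alerts = []
    for r in records:
        if r["event"] != "LOGIN":
            continue
        devices = seen.setdefault(r["user"], set())
        if r["device"] not in devices:
            alerts.append((r["ts"], r["user"], r["device"]))
            devices.add(r["device"])  # alert once, then treat the device as seen
    return alerts


def run_rules(text, known_devices):
    """Apply both documented rules to one audit-log extract."""
    records = parse_audit_log(text)
    return {
        "repeated_resets": flag_repeated_password_resets(records),
        "unseen_device_logins": flag_unseen_device_logins(records, known_devices),
    }


if __name__ == "__main__":
    # Constructed device register: the devices each user has used before.
    known = {"alice": ["dev-a1"], "bob": ["dev-b7"], "carol": ["dev-c3"]}
    for rule, hits in run_rules(SAMPLE_AUDIT_LOG, known).items():
        print(rule, hits)
```

With the constructed data, alice's three resets between 08:03 and 08:14 trip the first rule while carol's two resets six hours apart do not, and bob's 09:30 log-on from dev-zz9 trips the second rule. Writing the rules as named functions with explicit thresholds is what makes the approach "documented" in the sense Q55 asks for: the thresholds can be reviewed, and the output can feed the fraud data collation in Q54.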

Q58. How does Senior Management / the Board track progress against the company's fraud strategy?
Describe how the Board/Senior Management Team tracks and considers the performance of the organisation in comparison to the Fraud strategy on a regular basis, via Board meetings or other committees.
[Notes]
