Fraud is an issue that organizations often think will never happen to them until it does. The numbers speak volumes. According to the Association of Certified Fraud Examiners (ACFE), a typical organization loses 5% of its revenue to fraud annually. Its 2024 Report to the Nations, which analyzed 1,921 real cases that cost victims about $3.1 billion combined, showed the median loss per case at $145,000 and the average at about $1.7 million. Worse, the fraud typically takes about 12 months to get noticed.
A fraud risk management framework is how you stay ahead of all of that. It's an organized strategy for identifying your organization’s vulnerabilities, implementing controls to make fraud more difficult to commit, and developing the practices to detect it early when it does get through. The most common blueprint is from Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE. The Fraud Risk Management Guide was first published in 2016 and updated in 2023 and assembles the work around a few core principles: Governance, risk assessment, prevention, detection, and continuous monitoring.
This guide walks you through building that framework from the foundation. There is no template for every company, but the structure is in place.
The following topics are going to be covered in this article;
- What Is a Fraud Risk Management Framework?
- Why You Need a Framework (Not Just Individual Controls)
- The COSO/ACFE 5 Principles: The Global Standard
- Step 1: Establish Governance and Accountability
- Step 2: Conduct a Fraud Risk Assessment
- Step 3: Design and Implement Preventive Controls
- Step 4: Implement Detective Controls (Monitoring and Detection)
- Step 5: Build Investigation and Response Capabilities
- Step 6: Training and Culture
- Step 7: Measure, Report, and Improve
- Tools and Automation: Technology That Powers the Framework
- How Sanction Scanner Supports Your Fraud Risk Management Framework
1. What Is a Fraud Risk Management Framework?
A fraud risk management framework is a comprehensive system of policies, procedures, controls, and technologies that an organization uses to identify, assess, prevent, detect, investigate and respond to fraud. The framework provides a structured approach to managing fraud risk across the organization. It includes governance, risk assessment, control activities (prevention and detection), investigation and corrective action, and monitoring.
It is important to clarify the scope, as that last phrase encapsulates the main point. Fraud risk assessment and fraud prevention are significant topics and are discussed in separate articles. This article is about the framework itself. How each component fits together into a program that actually works.
The difference is more important than it sounds. A risk assessment is going to tell you where you’re exposed, but it’s just a document on its own. Controls make fraud more difficult, but if no one checks them, you never know if they are holding. Monitoring flags anomalies, but without a response process behind it, flagging is just noise. Risk assessment without controls is ineffective, controls without monitoring are unproven, and monitoring without response is performative. The framework is what ties it all together to make sure each piece exists.
You don't have to come up with any of the standards yourself. Three authority frameworks cover the same ground from different perspectives:
- COSO and the ACFE Fraud Risk Management Guide (2nd edition, 2023) highlight five principles: Governance, risk assessment, control activities (prevention and detection), investigation and corrective action, and monitoring.
- The GAO Fraud Risk Framework (2015) breaks the work into four components: Commit, assess, design and implement, evaluate and adapt.
- The IIA Three Lines Model (2020) offers an answer to the “who owns what” question by dividing responsibility between operational management, risk and compliance functions, and independent internal audit.
This guide helps to turn these approaches into steps you can implement.
2. Why You Need a Framework (Not Just Individual Controls)
Fraud controls are in place at many organizations. Fewer of them have a framework. The difference is visible in the results.
If a framework doesn't exist, controls are reactive. Most companies only add or adjust controls after they have already been hit by a fraud. This indicates that you are always fighting the last incident, not the next one. The ACFE recognized this trend in action: Many organizations don’t change their controls until fraud has already occurred. Discovery is also a matter of luck rather than design in these setups. Tips are still the most common way to surface fraud by far, flagging 43% of cases. This percentage is more than three times greater than that of the next most common method. Although this reality is useful, it means these organizations are depending on tips, not a system spotting it. Meantime, the work is siloed. The fraud team, the AML team, and IT security can each only observe from one limited view instead of the whole picture. Without established standardized metrics, management cannot know if fraud risk is going up or declining. Examiners increasingly expect a documented program. Saying “we have some controls” is a weak answer during a review.
The gap is real. The ACFE found that more than half of occupational frauds occurred where internal controls did not exist or were overridden.
The same controls begin to work together with a framework. You can see threats before they become losses. Each unit has clear ownership and reporting lines so accountability isn’t fuzzy. Program effectiveness is measured by KPIs that you track over time. That is exactly what the regulators want to see, a documented program.
The payoff is visible through the data. The 18 anti-fraud controls that the ACFE examined were associated with faster detection and fewer losses. There were four in particular: Surprise audits, financial statement audits, hotlines, and proactive data analysis. These anti-fraud controls were each associated with at least a 50% decrease in both the size and time span of a fraud. A framework is what organizes those controls and keeps them functioning properly.
3. The COSO/ACFE 5 Principles: The Global Standard
The Fraud Risk Management Guide, first published in 2016 and updated in 2023, organizes the work around five principles: Governance, risk assessment, control activities (prevention and detection), investigation and corrective action, and monitoring.
Here is a summary of each component and what they’re really asking you to do:
Principle 1: Fraud Risk Governance
Leadership develops and articulates the program on paper. In practice, the board and senior management own the risk and set it out in policy with defined roles and a code of conduct and back it with real resources and budget. Ultimately, the tone of the leadership is crucial. If the leaders treat fraud as someone else’s job, everyone else may do the same.
Principle 2: Fraud Risk Assessment
On paper, you need to identify specific schemes, rate likelihood and impact, evaluate existing controls, and address the residual risk. In practice, scheme by scheme, map out exactly how someone could defraud your business, then identify the cracks in your existing defenses. A vague notion that "fraud is bad" is insufficient. You need named schemes that relate to your operations.
Principle 3: Fraud Control Activities
Implement preventive and detective controls. In practice, you build the controls that prevent fraud from happening. Examples of these controls can be segregation of duties, approval processes and access limits. Also build the controls that catch it fast when it slips through. These are reconciliations, management review, and data analysis. Prevention and detection are two separate jobs.
Principle 4: Fraud Investigation and Corrective Action
Set up a communication process for receiving information about possible fraud. Take a coordinated approach to investigation and corrective action. In practice, provide people with a safe channel to raise concerns. This channel is usually a hotline with whistleblower protection.
Follow a defined playbook for investigating, disciplining, recovering losses, and closing the gap that allowed it afterward.
Principle 5: Fraud Risk Management Monitoring
Run ongoing evaluations to verify all principles are present and working. In practice, don’t assume that you have a program just because you built it once. Review it on a schedule and communicate any shortcomings to senior management and the board for correction.
The pattern is visible. COSO tells you what to do. It doesn't explain how. This article aims to guide through the "how" part.

4. Step 1: Establish Governance and Accountability
Governance is the fundamental basis. If fraud risk is not clearly owned by someone, the rest of the framework has nothing to stand on. Successful programs start with two questions. Who owns responsibility? And what are the rules?
- Who owns the fraud risk? The board provides oversight. This oversight is often through an audit or risk committee with an explicit mandate to address fraud risk.
- The program is owned by a chief compliance officer or chief risk officer.
- A fraud risk "champion," a senior leader, is driving it on a day-to-day basis.
- There is a clear reporting line from the fraud team to the CCO or CRO and then to the board committee. No dead ends and no ambiguity on who hears what.
This structure is how governance looks on paper. A real program is not the assumed one but the documented one:
- A board-approved written policy on fraud risk management. The policy also has to be reviewed at least annually.
- A fraud risk appetite statement that clearly articulates the amount of fraud loss the organization is willing to accept.
- A code of conduct that defines expectations of behavior and anchors the anti-fraud culture.
- A whistleblower and hotline policy that offers a safe way to report.
- Tone from the top: Leaders who champion the program visibly and consistently support it. Just signing off on it is not the desired case.
Three Lines Model (IIA, 2020). Here's how you can share the responsibility so it's not all dropped on one team:
- First line, business operations. The units carrying out the processes own and control the fraud risk within them. Branch managers, customer service and accounts payable are the front line of defense.
- Risk and compliance are the second line. The fraud risk function creates policy, designs controls, and monitors if they work. At this point, screening, transaction monitoring, and detection tools operate.
- Third line, internal audit. Independent assurance that the whole thing works. It tests controls, validates the risk assessment and reports to the board directly.

Diagram 1: Three Lines Model with Fraud Risk Management Responsibilities
5. Step 2: Conduct a Fraud Risk Assessment
Governance is the foundation, but the engine is risk assessment. It tells you what you are really defending against, and all downstream control decisions are based on it. Fraud risk assessment is a broad subject with its own detailed guide, so consider the following an overview and head to our full fraud risk assessment article for the step-by-step.
The main process is performed in six steps:
- Identify the schemes. Analyze the specific methods of how fraud can actually hit you, not the vague categories. Synthetic identity fraud, invoice and vendor fraud, authorized push payment (APP) scams, account takeover (ATO), and internal fraud all present differently and require different defenses.
- Assess likelihood. What are the odds of each scheme, considering your industry, geography, business model, and your own incident history?
- Assess impact. If it happens, what is it costing you in monetary terms, reputation, and regulatory exposure? Some low-probability schemes are high-impact enough to matter anyway.
- Inspection of existing controls. What do we already have in place, and does it work? A control that exists on paper but is ignored is worth very little.
- Inspect existing controls. This is the risk left over after your current controls have done their job. It's like inherent risk minus control effectiveness.
- Set priorities. Rank what remains so investment goes where residual risk is greatest, not where action is easiest.
The output is a ranked picture of your exposure and where your defenses are lacking. That picture is the basis for the subsequent steps, controls, detection, and monitoring. For a detailed guide on conducting a fraud risk assessment, including templates and scoring methodology, see our Fraud Risk Assessment Guide.
The assessment is not a one-and-done exercise to put it right. Fraud risk assessments are living documents. Update it at least annually and again whenever there is a material change, whether that is a new product, a new market, or a merger or acquisition, and after any actual fraud incident occurs. Threats change. A two-year-old assessment speaks about a company that no longer exists.
6. Step 3: Design and Implement Preventive Controls
Preventive controls are those that stop fraud before it occurs. They are more cost-effective than post-fraud cleanup, and regulators are increasingly viewing them as the primary objective. The UK’s mandatory reimbursement regime for authorised push payment (APP) fraud, which has been live since 7 October 2024, puts it bluntly: sending and receiving firms now share the cost of APP scams 50/50, up to a cap of £85,000 per claim. It is a direct financial interest, not just good hygiene, to stop a bad payment before it leaves. Prevention is divided into three groups.
Onboarding controls (who you let in)
- KYC and KYB verification: Verify identity, documents and beneficial ownership before an account or vendor goes live.
- Sanctions, PEP & adverse media screening: Screen all customers and counterparties against watchlists and negative news. This layer is handled by the screening tools.
- Risk scoring at onboarding: Auto-approve low risk, manual review for medium risk, reject high risk
- Device intelligence & fraud scoring: Flag suspicious devices and behaviour at sign-up.
Access and authorisation controls (who can do what)
- Segregation of Duties: The person who adds a vendor cannot be the person who approves its payments.
- Multi-factor authentication on high-risk actions, not only logins.
- Role-based access on a need-to-know basis
- Dual authorization for any transaction above a certain threshold.
Process controls (how money flows).
- Three-way matching: A payment is only cleared if the purchase order, goods receipt and invoice all agree.
- Callback verification before any change to banking details, using a number you already hold, never the number in the request.
- Confirmation of payee on outbound payments: checking the account name before the transfer is made. It is now deployed across virtually all UK Faster Payments and CHAPS traffic, around 99% coverage.
The pattern is consistent for all three groups: Fraud requires the involvement of multiple people, checks, and systems to succeed. A single control is a single point of failure. It's the layered controls that actually hold. For detailed prevention best practices, see our Fraud Prevention Guide.
7. Step 4: Implement Detective Controls (Monitoring and Detection)
No level of prevention is perfect. Detective controls catch the fraud that slips past the front door and work best in a continuous rather than periodic sweep. Think of prevention and detection as two halves of the same job. Prevention reduces the number of attempts; detection catches what does get through.
Transaction monitoring. This is the core.
- Velocity, amount, geography and counterparty patterns are detected through rule-based detection.
- Behavioral analytics that recognise deviations from a customer’s own baseline.
- AI and machine learning models that reveal anomalies static rules would miss.
- A configurable rule engine matters here. Sanction Scanner allows no-code rule creation and comes with numerous pre-built scenarios. These features let teams be able to tune detection without waiting on engineering.
Alerts in real time. Detection is only useful if you can act on it quickly..
- Rank alerts by risk score so the worst cases are surfaced first.
- Automated enrichment brings customer profile, transaction history and screening results into the alert, so analysts aren’t looking for context.
- Escalation workflows that cleanly route cases through L1 triage, then L2 investigation, and finally senior review.
Ongoing screening (perpetual KYC).
- Ongoing sanctions, PEP and adverse media monitoring. Not just a one-time onboarding check.
- Automatic rescreening when watchlists change.
- Negative media alerts for the existing customer base, not just new customers.
Mule identification: Money mules are a growing and specific problem.
- Behavioural flags: Thin-file account suddenly receives rapid inbound funds and pushes them right out.
- Network analysis that identifies shared IP addresses and devices across supposedly unrelated accounts.
Internal fraud detection. The danger is not always from the outside.
- After-hours access monitoring.
- Override and exception tracking, as insiders often circumvent controls.
- Vendor master file anomaly detection to detect fake or manipulated suppliers
The bottom line is that detection and prevention are not mutually exclusive. One limits the fraud that comes to you; the other catches what does. A platform that can run both together, like Sanction Scanner’s Fusion, closes the gap between the two so that nothing falls between prevention and response.
8. Step 5: Build Investigation and Response Capabilities
Detection is most valuable when it is followed by an action. This step is the engine that transforms an alert into a decision and a decision into recovered money or a filed report. Speed is an important factor all through the steps.
Alert Triage
- Risk ranking: Critical, high, medium, low.
- The common SLA frame is critical in 4 hours, high in 24 hours and medium in 48 hours.
- Auto-close clear false positives where regulators allow it so that analysts spend their hours on real cases
Investigation
- Collect evidence: History of the transactions, customer profile, screening results, and communication records.
- Full documentation of the case: Timeline, evidence, analysis, conclusion. If it isn’t written down, an examiner treats it like it never happened.
- Set out pre-agreed escalation triggers so that people know when to call in senior management, legal counsel or law enforcement.
Actions taken in response
- Block or place a hold on the transaction. Restrict or freeze the account.
- Contact the customer. This is the intervention that halts a scam in the making. The FBI’s Operation Level Up found that 77 percent of the pig-butchering victims that the FBI contacted had no idea they were being defrauded. This means, one phone call may save the next payment.
- Refer out to IC3 in the US, Action Fraud in the UK, or local police.
Regulatory reporting
- If the fraud is suspected of money laundering or terrorist financing, file a SAR or STR.
- Employ the correct FinCEN fraud key terms and SAR fields to make the report actually usable downstream.
Recovery
- Immediately send recall and freeze requests to the receiving bank.
- The FBI’s Financial Fraud Kill Chain (FFKC) can freeze international wire transfers, but only if the transfer is $50,000 or more, international and reported with a SWIFT recall notice within 72 hours. In 2024, the FBI's Recovery Asset Team used the process to freeze about $561 million, a 66% success rate on the funds it acted on.
- File insurance claims where cover applies
Post-incident review
- Root cause analysis: How did the incident pass through the controls?
- To address the gap, update the rules and add new detection scenarios.
- Share lessons learned throughout the organisation, not just within the team that detected it.
This step is a continuous process, not a final destination. Every case should return information to your risk assessment and controls so the same scheme can't work a second time.
9. Step 6: Training and Culture
Every control in this framework is ultimately operated by a person. A perfect rule engine still needs someone to act on its alerts, and the single most common way fraud gets caught is still a human deciding to speak up. That makes training and culture the parts of the framework that most organizations underinvest in.
Who needs training, and it shouldn't be one-size-fits-all:
- All employees: Fraud awareness basics, the code of conduct, and how the whistleblower process actually works.
- Frontline staff: The red flags specific to their role. Branch staff, customer service, and the accounts payable team each see different warning signs.
- Fraud and compliance analysts: Investigation method, case management, and how to write a SAR that holds up.
- Senior management: Their oversight duties and what effective board reporting should contain.
How often:
- At least once a year for everyone.
- Quarterly for the fraud and compliance team, since their threats move fastest.
- Conduct ad hoc training sessions whenever a new scheme appears. This ensures that people are aware of it before it impacts them.
Culture matters more than controls. You can buy controls. You can't buy culture, and it does more work over time. The ACFE data keeps proving the point: Tips are the top detection method at 43%, more than three times any other single method, and more than half of those tips come from employees. Organizations with a reporting hotline are nearly twice as likely to catch fraud through a tip, and they experience roughly 50% smaller losses than those without one. But none of that lands without three things: A real tone at the top, genuine protection for people who report, and visible consequences when fraud is found.
Technology supports this process; it doesn't replace it. A platform like Sanction Scanner hands people faster signals and cleaner cases to work on, but the decision to act and to speak up stays human. Build the culture first, so the tools pay off afterwards. Skip it, and they mostly produce alerts nobody trusts.
10. Step 7: Measure, Report, and Improve
You can't manage what you don't measure, and a board won't keep funding what it can't see. This step turns the program into numbers, puts those numbers in front of the people who own the risk, and uses them to improve each cycle.
Core fraud risk KPIs :
|
KPI |
What it measures |
Target |
Red flag |
Frequency |
|
Fraud loss rate |
Total fraud losses ÷ revenue |
Below industry benchmark |
Rising, or above peers |
Quarterly |
|
Detection rate |
Fraud caught by controls ÷ all fraud (incl. tips) |
Above 50% |
Most fraud found by luck |
Quarterly |
|
Time to detection |
Median days from event to discovery |
Falling |
Flat or rising |
Quarterly |
|
False positive rate |
False alerts ÷ total alerts |
Falling |
Rising (analyst fatigue) |
Monthly |
|
SAR conversion rate |
SARs filed ÷ alerts investigated |
Stable |
Sudden spike or collapse |
Quarterly |
|
Recovery rate |
Funds recovered ÷ fraud losses |
Above 30% |
Declining |
Quarterly |
|
Training completion rate |
Staff completing fraud awareness training |
Above 95% |
Below 95% |
Annually |
|
Whistleblower usage |
Reports via the hotline |
Non-zero |
Zero (nobody trusts it) |
Quarterly |
Table 1: Core Fraud Risk KPIs
Treat those targets as starting points and benchmark them against your industry and your own history, not an abstract number. For context, the ACFE puts the median time to detect a fraud at about 12 months, so a falling detection time is a strong sign the program is working. And a KPI that always looks perfect is often measuring the wrong thing.
Board reporting.
- Quarterly dashboard: the KPIs above, trend lines, the quarter's top incidents, and emerging threats.
- Annual review: refreshed risk assessment, control effectiveness, and an honest read on program maturity.
- Incident reports: major events escalated to the board within 24 to 48 hours, not held for the next quarter.
Where are you? A maturity model. Most organizations sit lower than they'd like to admit:
- Level 1, Reactive: No formal program, incidents handled as they come.
- Level 2, Basic: A written policy, a risk assessment done, and basic controls in place.
- Level 3, Defined: Documented framework, KPIs tracked, regular training.
- Level 4, Managed: AI-assisted detection, converged fraud and AML monitoring, and proactive threat intelligence.
- Level 5, Optimized: Continuous improvement, industry benchmarking, and fraud risk built into board strategy.
Find your level honestly, then aim for the next one, not the top. At Level 2, the move isn't to buy AI; it's to document the framework and start tracking a few of the KPIs above. At Level 3, convergence and stronger detection come next. Skipping levels rarely holds.
The ultimate goal of measuring is to improve. Numbers that don't change a decision are just decoration.
11. Tools and Automation: Technology That Powers the Framework
Technology doesn't create a framework. It runs the one you've already built. Used well, the right tools take the manual load off each step so your people can spend their time on judgment instead of data entry. Here’s how the main categories align with the steps outlined above.
- Step 2, Risk assessment: risk-scoring engines and data analytics that surface where threats concentrate.
- Step 3, Prevention: KYC and KYB platforms, sanctions and adverse media screening, and authentication systems at onboarding.
- Step 4, Detection: Transaction monitoring, fraud detection, behavioral analytics, and network analysis.
- Step 5, Response: Case management, workflow automation, and SAR filing tools.
- Step 7, Measurement: Dashboards and KPI tracking that feed board reporting.
The convergence advantage. The bigger shift is structural. The old model ran fraud and AML on separate tools, separate teams, and separate data. That is the silo problem from earlier in this guide: Each side sees half the picture. The modern model puts both on one platform that shares data, alerts, and risk scores across the two workstreams. This is not a fringe idea. In recent studies, more than half of the respondents indicated that they plan to expand their fraud and AML convergence, and nearly every institution surveyed is either already integrating these efforts or planning to do so. The logic is simple: A fraudster and a money launderer often surface in the same transaction, and splitting that view across two systems is how both slip through.
Sanction Scanner’s AI-powered risk intelligence platform FUSION sits across several of these, mainly screening, monitoring, and case management, so one platform can carry prevention through to response.
One caution: Match the tools to your maturity level, not to the sales demo. At Level 2, a solid screening and monitoring setup does more for you than a custom AI build you can't yet operate. You reach convergence by connecting what you have, not by buying everything at once.
12. How Sanction Scanner Supports Your Fraud Risk Management Framework
You now have the full framework: governance, assessment, prevention, detection, response, and monitoring. The last question is a practical one. What actually carries all of it? Sanction Scanner is a financial crime compliance platform built to sit under most of these steps at once, so you run one connected system instead of stitching separate point tools together. The below is the list of how its capabilities line up with the framework.
- Governance: A compliance dashboard and regulatory reporting that give senior management and the board a live view of program status, rather than a slide deck built by hand each quarter.
- Risk assessment: Customer risk scoring and geographic risk data to help rank where your exposure actually sits.
- Prevention: Sanctions screening, PEP screening, and adverse media screening at onboarding, tied into KYC and KYB checks so risky customers and vendors are caught before they're inside.
- Detection: AI-assisted transaction monitoring, configurable fraud detection rules, and behavioral analytics to catch what prevention misses.
- Response: Case management, alert workflows, and SAR-ready documentation, so investigations move quickly and produce filings that stand up to review.
- Monitoring: Ongoing screening (perpetual KYC), automatic rescreening when watchlists update, and adverse media alerts on existing customers, not just new ones.
Taken together, that covers the technology side of every step in this guide, which is why it's fair to call a platform like this the backbone of a modern fraud risk management framework. Keep the point from the last two sections in mind, though: The backbone holds the body up, but it isn't the whole body. The governance, the trained people, and the anti-fraud culture are still yours to build. Effective technology enables a small team to efficiently manage a program that would typically require a larger team. All components become connected rather than being scattered across incompatible tools.


