Introduction
We’ll start by answering these simple questions:
- Is your existing fraud management program a fragmented mess?
- Is your head on fire because of escalating fraud rates and losses?
- Are you at risk of losing your payment partners and processors?
- Are you facing the challenge of dealing with fraud for a new or existing product?
- Have you just joined a new organization in a role that must improve or implement a fraud management program?
- Are you looking to buy or build a new fraud management solution?
If the answer to any of the above questions is yes, then this article is for you.
Building and running an Enterprise Fraud Management program is not an easy task. Unfortunately, it takes a lot of time and effort. There are also a great many ways to get it wrong.
Here is my 8-step guide, distilled from personal experience over the 19 years since my journey in the world of fraud prevention began…
My step-by-step guide on ‘how to build an EFM program from scratch’
Each of the 8 steps should be treated as an area that has to be carefully reviewed, studied and understood. Try not to take shortcuts or rely on someone else’s conclusions and analysis; your own view is imperative to success.
- Study in detail how your product works – whether you are a new joiner to the organization or have been there forever, and whether you are about to launch a brand new product or work on a legacy one, this is your ‘must do’ starting exercise. You have to make sure you are 100% clear on how the financial product you are about to solve fraud for works.
Ask yourself:
- Is it an account based, stored value product or not?
- How are user accounts, of any type and nature, created?
- What are all the financial flows: in, out, P2P, etc.? I.e., how does money move, whether fiat, crypto or APMs?
- Who are your payment partners?
- What is their risk appetite and how important is your business to them?
- What, if any, product level controls are available – limits, velocities, any internal product level switch that may exist? Make sure you find them and understand how they work.
Important Point: Banking, payment and liquidity partners and providers are the lifeblood of any payments or fintech business. Safeguarding and managing these relationships is of paramount importance.
What can go wrong? Jumping into assessment, design or solution mode without a deep understanding of your organization’s product is usually a recipe for disaster. Do not approach this with a ‘been there, done that’ attitude, even if it all looks the same on the surface. This is especially true if you are switching roles in the same industry niche.
Expert Tip: Don’t underestimate the importance of product level controls. These will be your safety net when that storm of the century comes. Not all fraud problems should be solved with external solutions.
- Identify your exposure angles and risks – Identify and list all risks and elements of your exposure, look beyond the surface of just fraud losses.
Take a look at the following:
- Start with fraud losses (make sure you capture fraud related fees too!)
- Look at lost revenue due to your fraud prevention effort
- Look at the overall cost of fraud – people, tech, customer tickets – it is a very broad plethora of items that must be factored in here.
- Partnerships with banking and payment vendors – these are critical. What happens if you lose one or more?
- Have you considered reputational damage in the cost?
- Of course – regulators and ombudsmen should be kept happy too.
Important Point: Try to capture all risks and areas where things can go wrong that will damage your business when these occur. Fraud losses are just the tip of the iceberg.
What can go wrong? Focusing only on the tip of the iceberg and neglecting some equally, if not more, important risks that may not be as immediate as financial losses.
Expert Tip: Even if you are in a low risk environment, don’t completely drop risks that may seem far-fetched. Just make sure these are accurately assessed.
- Assess risks – yeah, that is not the most exciting thing to do, but it is yet another must-have. Try to grade the likelihood and impact of all risks that you have identified. Not all risks will be easily measurable, and for some you won’t be able to produce an entirely informed figure for the financial impact.
Regardless of this, when doing a risk assessment you should always apply common sense and align expected impacts to the size of your organization and your growth plans. Risk assessment is just the start; periodic updates are also necessary, and not just for audit purposes… Risk assessments are something you should communicate to all of your internal stakeholders, not to demonstrate how much work your function has done but to educate them about the anti-fraud measures that are being applied and the scale of the problems you are combating.
Important Point: Don’t get into paralysis through analysis. You should pick a certain risk assessment framework that you will follow, but don’t do so blindly. Some risk assessment aspects will require adaptation.
What can go wrong? Neglecting or exaggerating the impact of certain risks just to draw attention to the problem is never a good strategy. Sooner or later this will put the quality and integrity of your risk assessments in doubt.
Expert Tip: A good risk assessment should be easy for any internal stakeholder to understand. Don’t overcomplicate the RAs; these are your tools for internal education and fostering cooperation, as fraud prevention is a complex process that requires a team effort too.
- Determine what fraud looks like and what you are missing – you should take this literally and not ;). Now that you are proficient in how your organization’s product works, and all risks are identified and assessed, it is time to understand what fraud looks like and measure it.
You should do the following:
- Make sure you capture and study as many as possible of the fraud patterns that you are experiencing.
- Don’t just look at aggregate numbers, charts and reports. Look at fraud cases, fraud accounts, fraud reports; look at your transactions, sign-ins, sign-ups. A pattern can only be fully understood this way. A fraud pattern usually has many aspects and tell-tale signs. No AI will do the work for you here.
- Make sure your fraud reporting is accurate.
- Try to forecast fraud performance for upcoming months, so you don’t get surprised and end up in a constant fire fighting mode.
- Work closely with functions like finance and reconciliation to constantly double check your numbers.
- Ensure that fraud alerts, chargebacks, notifications, anything that speaks of fraud, are under close monitoring – DAILY!
- Always look at your full cost of fraud.
Important Point: Closely scrutinize your reporting of fraud figures, KPIs and metrics. It must be accurate.
What can go wrong? When setting up a new product, payment rail, banking partner, etc. do not forget to connect the dots on fraud and complaints reporting. Follow up on any missing reports or data feeds.
Expert Tip: Reports on fraud metrics and some KPIs should be shared internally with qualified audiences. Being transparent helps cooperation and builds trust. Being a black box of a fraud organization does the opposite. That’s where the term ‘business prevention department’ comes from.
- Objectively evaluate your resources, experience and capacity – here is one that may fall victim to simple human subjectivity and ego. Before you put together your roadmap for the implementation of the EFM program your organization needs, ask yourself the following questions:
- Do we have the necessary knowledge and experience to tackle not just the existing fraud problems but also the future ones?
- Is the in-house human resource sufficient? Are we experts or just venturing into this field?
- How much investment is needed? Over how long?
- What level of investment will be justified? In fraud prevention you should always have a proper business case.
Important Point: There is no shame in looking for external support and advice. Finding the right source for that is a whole different conversation.
What can go wrong? Skipping this consideration and jumping into solution mode with a ‘we know it all’ attitude.
Expert Tip: Don’t just build a fraud organization for the sake of empire building. An efficient EFM and fraud prevention organization is one that enables the business to reach its objectives and has a positive ROI. Fraud prevention is not AML compliance.
- Develop a roadmap to mitigate risks – in simple terms: you must have a robust plan. Even if you are in a house-on-fire situation, a good plan is the key to success. This is even more true if you start from scratch – a new product launch, or a fraud vendor replacement and/or implementation.
You should consider the following:
- Develop a roadmap that is informed by your risk assessments.
- Prioritize based on impact and likelihood.
- Work closely with tech and product stakeholders – you will need them for almost anything.
- Try to stay ahead of new product launches and features, perform timely risk assessment and share it with the business.
- Avoid building products and features that are not core for your organization. This on its own is a lengthy and complex conversation.
- Architect a multilayered setup that combines product level controls and external transaction monitoring solutions and vendors.
Important Point: When it comes to implementing third party solutions, a lot of the future success depends on the implementation stage. Don’t cut corners even if under pressure for resources and time.
What can go wrong? Shifts in the organisation’s priorities often slash fraud related projects, especially in BAU circumstances. If third party solution integrators are involved, expect delays due to their own prioritization and resourcing.
Expert Tip: Often, during the selection process of external vendors and solutions, a lot of their shortcomings and deficiencies are hidden by their sales teams during the deal process. Most of these start to surface during implementation, so be quick to address that.
- Implement in a phased approach – even with a planned roadmap, informed by careful risk assessment and prioritization, you should not tackle multiple fraud use cases simultaneously. This only increases the risk of non-completion due to shifting priorities. Engaging with multiple back end teams is not an easy task for any fraud team. Taking small but frequent steps allows you to evaluate more frequently what has been achieved and whether the commissioned external solutions are living up to their product expectations. This approach also shortens the time to results and the ROI that you will be under pressure to deliver.
The best approach:
- Define clear success criteria for each item on your roadmap for EFM deployment.
- Try to incorporate convenience clauses with external vendors that can give you leverage in a situation of underperformance.
Important Point: This approach might not always be applicable, especially if you are in a high fraud situation.
What can go wrong? Reducing scope under pressure from tech and back end teams. Don’t take ‘No’ for an answer. Back end teams will often have their own view about how the implementation of an external vendor should be done. Rather frequently they will try to descope certain data elements just because these require some development effort for internal collection. Working with a qualified product manager, or having one on your fraud team, will make a difference.
Expert Tip: Do not underestimate the importance of getting buy-in from your technical teams. Sharing what problem you are trying to solve, and how important it is to your company and its success, will help you get that tech buy-in.
- Operate, measure, improve – fraud never sleeps or falls behind, and neither should you. Any change in your product’s features and offering will be exploited. Whether your team will be prepared for this depends on selling your risk assessment to the business. This is the harsh reality. Oftentimes the decision of the business will be to do nothing and accept the cost.
Often this is not a long-term solution either, because when fraud is left untreated, it will escalate. Don’t get too comfortable with your metrics and KPIs being all in the green zone for some time; there is always an incident waiting to happen. It is not a matter of IF but of WHEN. Keep your running shoes handy and exercise regularly :).
Important Point: Breaches of your own infrastructure, vendor downtimes and internal fraud are some of the incidents you cannot predict in terms of WHEN. Regardless of that, plan for handling these emergencies – start with basic plans on who does what and look into having an internal safety net: product level controls.
What can go wrong? Anything. From the most mundane issues like missing fraud reports to major incidents. So running a fraud team is a 24/7 job, like it or not.
Expert Tip: Fraud teams have a central role in almost any organization. This really increases the number of your internal stakeholders – customer service, product, tech, reconciliation, finance, compliance and more. Keep an open door policy; this will make your life much easier.
Building a Strong EFM Program Takes Vision and Grit
Building an Enterprise Fraud Management (EFM) program isn’t about tools or quick fixes — it’s about strategy, precision, and relentless execution.
Here’s what truly matters:
- Know your product inside out. You can’t stop what you don’t understand.
- Uncover every risk. Fraud losses are only the beginning.
- Trust your data. Inaccurate reporting kills good decisions.
- Be realistic about your capabilities. Get expert help when needed.
- Plan smart, act in phases. Small, steady wins build strong defenses.
- Stay alert. Fraud never rests — neither can you.
The best EFM programs balance prevention with customer experience, control with agility, and tech with human intuition.
If you’re ready to turn that mission into a competitive advantage, partner with NOTO – 360 Fraud and Compliance — we help organizations worldwide build scalable, data-driven fraud defenses that last.
