Insider fraud isn’t an edge case. It’s a systemic risk. And the tools to manage it are probably already in your tech stack
One in five employees admits to secretly working for a competitor. Thirteen percent have sold company login details. Nearly a quarter believe expenses fraud is justifiable. And perhaps most telling of all: 88% of business owners and 70% of C-suite executives think certain unlawful behaviours can be justified.
These aren’t hypotheticals. They’re findings from Cifas’s 2025 Workplace Trend Survey, and they point to a risk that many organisations still underestimate: the threat that comes from inside.
This blog is based on a webinar featuring senior industry experts from ThirdEye, Cosegic, Cifas, and Equiniti exploring practical approaches to insider fraud prevention. Drawing on expertise from consultancy, technology, recruitment, and fraud research, the conversation was both sobering and, ultimately, encouraging. The problem is real. But the solutions are closer than you might think.
It starts at the front door
Cher Billins, Specialist Resourcing Consultant at Equiniti, works at the sharp end of employee onboarding. Her perspective reveals just how sophisticated the threats have become and how basic some of the gaps remain.
Job title inflation is widespread. Candidates routinely claim roles they never held, banking on the fact that most references now only confirm dates of employment, not actual responsibilities. Referencing houses (companies that provide fabricated employment histories for a fee) are a growing industry. Some are dormant companies listed on Companies House with no employees and no revenue, yet they claim to have had HR departments managing hundreds of staff.
Name changes present another blind spot. In one recent case, standard checks turned up nothing. Only a media search revealed that under a previous name, the candidate had committed fraud in a similar role. Without knowing the name had changed, there was no way to connect the dots.
Then there’s the “bait and switch” phenomenon. Desperate job seekers are paying upwards of £14,000 for services where someone else sits the interview on their behalf, and the actual candidate turns up on day one. With remote work now standard, it’s increasingly difficult to detect—and some individuals are juggling multiple full-time roles simultaneously without any employer being the wiser.
The tools are already in your tech stack
Here’s where things get encouraging. Claire Rees, Global Financial Crime Regulatory Specialist at ThirdEye, made a point that should reassure any compliance team feeling overwhelmed: you probably don’t need new systems to address insider threat.
Transaction monitoring and AML compliance platforms are, at their core, big databases with sophisticated monitoring technology. Most firms already run these systems to detect external threats. The same infrastructure can be turned inward.
The key is thinking like a fraudster. Which processes create exposure? Where are the loopholes? By working with business subject matter experts to identify vulnerabilities, you can build monitoring rules that target the specific insider threat scenarios most relevant to your organisation.
The scenarios themselves are straightforward: colleagues transacting on their own accounts or family members’ accounts; repeated overrides for the same customer; transactions hovering just below approval thresholds; dormant account activations; compensation payments going to the same destination account again and again.
Behavioural monitoring adds another dimension. If someone’s contracted hours are 8am to 4pm, why are they accessing customer information at 9pm? If the average employee in a department views 10–15 accounts per hour, what’s happening when someone’s accessing 50–100 accounts without performing transactions or adding notes? These patterns are detectable and your existing systems can surface them.
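The after-hours, bulk-viewing and just-below-threshold scenarios above can be written as simple rules over a staff activity log. The following is an added example, not code from ThirdEye or the webinar; the log layout, staff and account identifiers, approval limit and tuning values are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumed tuning values; derive real ones from your own risk assessment.
CONTRACTED_HOURS = {"emp_a": (8, 16), "emp_b": (8, 16)}  # start hour, end hour
VIEWS_PER_HOUR_LIMIT = 50     # text cites 10-15 as typical, 50-100 as anomalous
APPROVAL_THRESHOLD = 10_000   # constructed approval limit
NEAR_BAND = 0.05              # "just below" = within 5% under the limit
NEAR_REPEAT = 3               # how many near-limit transactions raise an alert

def make_events():
    """Constructed sample log: (staff, ISO time, action, account, amount)."""
    ev = [("emp_a", "2025-03-03T21:05:00", "view", "acc_900", 0)]
    ev += [("emp_b", f"2025-03-03T10:{m:02d}:00", "view", f"acc_{m}", 0)
           for m in range(55)]
    ev += [("emp_a", f"2025-03-03T11:{m:02d}:00", "view", f"acc_{m}", 0)
           for m in range(12)]
    ev += [("emp_a", "2025-03-03T11:30:00", "note", "acc_3", 0)]
    ev += [("emp_a", f"2025-03-0{d}T09:15:00", "txn", "acc_77", 9_800)
           for d in (4, 5, 6)]
    return ev

def detect(events):
    """Return sorted (staff, rule) pairs for the three scenarios."""
    alerts = set()
    hourly = defaultdict(Counter)  # (staff, hour bucket) -> counts per action
    near = Counter()               # staff -> just-under-limit transactions
    floor = APPROVAL_THRESHOLD * (1 - NEAR_BAND)
    for staff, ts, action, _account, amount in events:
        t = datetime.fromisoformat(ts)
        start, end = CONTRACTED_HOURS[staff]
        if action == "view" and not (start <= t.hour < end):
            alerts.add((staff, "after_hours_access"))
        hourly[(staff, t.strftime("%Y-%m-%dT%H"))][action] += 1
        if action == "txn" and floor <= amount < APPROVAL_THRESHOLD:
            near[staff] += 1
    for (staff, _hour), c in hourly.items():
        # Many views in one hour with no transaction or note recorded.
        if c["view"] >= VIEWS_PER_HOUR_LIMIT and c["txn"] == 0 and c["note"] == 0:
            alerts.add((staff, "bulk_viewing_no_activity"))
    for staff, n in near.items():
        if n >= NEAR_REPEAT:
            alerts.add((staff, "repeated_sub_threshold_txn"))
    return sorted(alerts)

if __name__ == "__main__":
    for staff, rule in detect(make_events()):
        print(staff, rule)
```

In a real deployment the same conditions would be expressed in the monitoring platform's own rule language, with baselines set per department and role rather than as global constants.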
Treat your employees like your customers
One of the most powerful insights from the panel came from Maya Braine, Managing Director and Head of Financial Crime at Cosegic: the parallels between managing insider threats and managing customer risks are striking.
When onboarding a company as a client, firms check Companies House, verify addresses, use ID verification software, employ fake document checkers. Most organisations don’t apply the same rigour when onboarding employees. The same risk-based approach that works for customer due diligence (proportionate controls based on where the risks concentrate) applies just as well to your workforce.
Ongoing monitoring follows the same logic. You don’t onboard a customer and never look at them again. Employees shouldn’t pass initial checks and then operate without scrutiny either. Circumstances change. Someone who joined in good faith might face financial pressures, become disgruntled, or be approached by external actors. Continuous, risk-proportionate monitoring matters.
The moment of departure
Offboarding emerged as a particularly vulnerable period. Employees who posed no threat while employed can become bad actors the moment they hand in their notice.
Redundancies create ill feeling and financial pressure. Resignations often carry resentment and a belief that consequences won’t catch up before the last day. Employees joining competitors know that information they take with them could be valuable. The level of access matters enormously: privileged IT users, compliance team members with access to sensitive data, and anyone with elevated permissions are the highest-risk leavers.
Practical controls exist for this period: freezing new data access requests, reviewing and potentially removing existing access rights, monitoring file downloads and unusual patterns in customer file access, and watching for odd working hours or excessive activity. The question to ask: were they preparing for departure before they formally resigned?
A new regulatory reality
The failure to prevent fraud offence, which came into force in September 2025 under the UK’s Economic Crime and Corporate Transparency Act, adds regulatory urgency to what was already a serious operational risk. Under this legislation, if a specified fraud offence is committed by an employee, agent, or associated person, the organisation itself can be held criminally liable. The only defence? Having reasonable fraud prevention procedures already in place.
This applies to large organisations meeting at least two of three criteria: more than 250 employees, more than £36 million in turnover, or more than £18 million in total assets. The message is clear: reactive responses are no longer sufficient.
Process before you need it
One of the panel’s strongest recommendations was deceptively simple: have a documented process before an incident occurs. Don’t wait until something goes wrong and then scramble to work out who investigates, who gets informed, when to escalate, when to involve HR or legal, and when to report externally.
Map it out in advance: internal escalation chains, thresholds for involving senior management and the board, and clear criteria for reporting to external authorities (law enforcement, the National Crime Agency, and fraud prevention databases like Cifas). As Rachael Tiffen, Director of Learning and Public Sector at Cifas, reinforced: cross-sector information sharing creates a network effect that prevents bad actors from simply moving to the next organisation.
A risk-based, practical approach
What emerged from this discussion was a framework that’s both comprehensive and achievable. It doesn’t require wholesale system changes or massive investment. It requires a shift in perspective: turning the same rigorous approach used for external threats inward.
Start with a thorough risk assessment. Apply robust checks at onboarding: not procedural boxes to tick, but genuine verification using tools already employed for customer due diligence. Repurpose your existing transaction monitoring systems to look for internal threats. Pay particular attention to high-risk moments like offboarding. Document clear processes for investigation and escalation. Share information across the sector.
And critically, make sure monitoring is proportionate and risk-based. Different roles warrant different levels of scrutiny based on access and risk profile. Everything should tie back to the risk assessment, satisfying both security needs and data protection requirements.
The insider threat isn’t going away. But the controls, the data, and the technology to manage it are already within reach. The question is whether your organisation will act before an incident forces its hand.
Hear directly from senior industry experts across consultancy, technology, recruitment and fraud prevention as they discuss practical approaches to managing insider threat in this on-demand webinar.
Download the insider threat whitepaper: Published in partnership with Cosegic, our guide covers practical approaches to detecting and preventing insider fraud in financial institutions.