The Gaps We Create: Controls, Strategy, and Process Misalignment w/ Angela Diaz

April 15, 2026
Hailey Windham
HOST
Fraud Forward, Sardine
Angela Diaz
Senior Risk Manager, External Fraud Oversight, TD

What’s up, fraud fighters, and welcome back to Fraud Forward! 

In this episode, I’m sitting down with Angela Diaz to talk about something that sounds simple on the surface, but honestly, it creates more fraud gaps than a lot of teams realize. We throw around terms like controls, strategy, and process all the time in fraud operations. We say them like they mean the same thing. They do not. And when we start treating them like they are interchangeable, that is exactly where things begin to break down.

This conversation came directly from Angela, and I loved that immediately because when a practitioner says, “we need to talk about this,” that usually means there is something real happening inside fraud programs right now. And this one is real. I have seen it. You have probably seen it too. Teams are busy, alerts are firing, processes are moving, and yet losses are still getting through. That is usually not because nobody cares. It is because the foundation is off.

So this episode is really about getting back to basics in the best possible way. We slow down and separate fraud controls from fraud strategy and from fraud processes, because if we cannot define those correctly, we are going to build the rest of the fraud program on top of confusion. And once that happens, fraudsters do what they always do. They find the gap and they use it.

What you’ll hear in this episode:

  • The real difference between fraud controls, fraud strategy, and fraud processes
  • Why preventative vs detective controls matter more than most teams realize
  • How process mapping in fraud helps expose operational fraud gaps
  • Why control performance monitoring needs to be part of every fraud risk management conversation
  • What the Chase check fraud incident shows us about fraud loss prevention controls
  • How fraud leaders can tell whether they have a true layered approach or just more stuff
  • Why fraud monitoring needs to connect back to strategy, not just activity
  • Where process gaps in banking show up in ATM fraud controls, payments risk controls, and check fraud control in banking
  • Why vendor management fraud risk and lack of line of sight create another layer of exposure

You should listen to this episode if:

  • You work in fraud operations and feel like your team is doing a lot but still not getting ahead of loss
  • You are trying to mature your fraud program and need clearer thinking around financial institution fraud controls
  • You are working on a fraud risk assessment and need a better way to think about risk entry points
  • You know your team has processes in place, but you are not sure whether they are actually functioning like controls
  • You want a more practical way to think about fraud control strategy in banking without making it overly complicated

Subscribe and stay connected

If this episode makes you pause and rethink something in your own program, send it to your team. Really. Start the conversation. Pressure test the way controls, strategy, and process actually show up in your environment. And if you want more of these real conversations, make sure you are subscribed to Fraud Forward and signed up for the Monday Fraud Fix.

Episode notes & key takeaways

Preventative vs detective controls are not the same thing

One of the biggest points Angela makes in this episode is that teams often confuse a process with a control. And I get why that happens. If somebody is doing a step every day that reduces risk, it feels like a control. But that does not automatically make it one. A process is the repeatable work. A control is the thing built to catch it if that process fails or does not perform the way it should. That distinction matters a lot more than people think.

That is also where preventative vs detective controls becomes such an important conversation. If your fraud team is only finding the issue after the money is already gone, then yes, maybe you detected it, but you did not prevent the loss. And in banking fraud, that difference is everything. Because once funds are gone, especially in a fast-moving environment, the conversation changes from prevention to recovery, and those are not the same fight.

Fraud strategy, fraud processes, and fraud controls each have a different job

Angela explains this in such a clean way. Strategy is the big picture. It is your why, your risk appetite, your decisions around customer experience, cost, and how you want to approach fraud risk management. Process is the set of tasks your team follows every day. Controls are the specific risk-mitigation points layered into or over that process. When those three things are aligned, the program works a whole lot better. When they are not, that is when fraud starts finding room to move.

And honestly, this is where I see teams get tripped up all the time. We assume that because we have a strategy, we must have coverage. We assume that because we have alerts, we must have controls. We assume that because we have a process, it must be working. But those are assumptions, and fraud loves assumptions. That is what makes this episode so useful. It is not just semantics. It is operational reality.

Control performance monitoring is one of the most overlooked parts of fraud program maturity

This was one of my favorite parts of the conversation because it gets at the next obvious question. What happens if the control itself breaks? That is where control performance monitoring comes in. If we are not checking whether controls are actually performing the way we think they are, then we are putting a lot of trust in something we have not pressure tested.

And that matters for fraud program maturity because a control inventory is not helpful if it is cluttered, outdated, or inefficient. Angela gives a great example of a person reviewing a giant report every single day and never finding anything. That may sound disciplined on paper, but in real life, it may be a sign the control is not designed well. A better approach could be exception-based monitoring, targeted thresholds, or a more efficient fraud monitoring process that only pulls a person in when something actually needs attention.

Process gaps in banking create operational losses long before anyone calls it fraud

Angela points out that process gaps in banking do not just create external fraud opportunities. They can create internal loss, technology failures, balancing issues, and operational risk that keeps bleeding in the background. That can happen in ATM fraud controls, payments risk controls, or in the day-to-day functioning of systems teams depend on.

That is why process mapping in fraud is so important, even if it feels boring when you are doing it. Once you map out the process, define the steps, and identify where the real risk entry points sit, you start to see where nobody actually owns a certain moment, where controls are missing, or where your team thinks something is happening but cannot prove it. I have lived that. And once you see it, you cannot unsee it.

The Chase check fraud example shows exactly why this matters

We spend a good chunk of the episode talking through the Chase check fraud incident because it is such a clean example of how things can go wrong when strategy, process, and controls are misaligned. Maybe the institution made a strategic decision around funds availability. Maybe some controls were in place but did not deploy the way they were expected to. Maybe multiple things failed at once. The point is not to pick on one bank. The point is that the underlying process exists everywhere.

What made that example so important is that it showed what happens when institutions plan around average behavior but do not fully account for worst-case scenario behavior. A few bad checks is one thing. A viral social-media-driven event at scale is something else entirely. And that is where strong fraud risk assessment has to start with inherent risk, not just what happens on a normal day. Because fraudsters are not grading your program on average conditions. They are looking for the one moment your assumptions fall apart.

A true layered approach is not just adding more controls

I really wanted this part of the conversation because I think a lot of teams say they have layered controls when what they really mean is they added more things. But more is not always better. A layered approach only works if each layer can stand on its own and if each one is doing the job it is supposed to do. If a team starts relying on a control to do the work of a broken process, that is not layering anymore. That is weight shifting.

Angela’s brake and emergency brake example is such a good one. Your regular brake is your process. Your emergency brake is your control. If you start using the emergency brake every day because the regular brake is failing, you have not built a stronger system. You have just started misusing the backup. And that is exactly what happens in fraud operations when teams stop fixing the process and start leaning too hard on downstream controls to save them.

Ask your team one simple question: Why?

If there is one practical takeaway I would want fraud leaders to use right away, it is this: ask your team why they do something the way they do it. Not in a gotcha way. In a real way. Why do we do this step? What risk is it supposed to mitigate? What are we finding? How often are we finding it? And does that reason still exist today?

Because a lot of the time, especially in mature environments, teams keep doing things because they have always done them that way. But the process may have changed. The technology may have changed. The fraud pattern may have changed. Or the risk may have moved entirely. If that happened and your control did not move with it, then you have got a disconnect. And disconnects are where operational fraud gaps show up fast.

Fraud leaders are in the best position to see the whole picture

Toward the end of the episode, we also touched on something that deserves a full follow-up conversation: vendor management fraud risk and lack of line of sight. A lot of our discussion here focused on internal controls, internal processes, and internal ownership. But the second a bank relies on vendors, third parties, or external systems, the conversation gets a lot more complicated.

And that is exactly why fraud leaders need to keep advocating for a bigger view. Fraud teams often do have the most holistic perspective on how the organization actually works. They can see how the controls connect, where the process breaks, what the customer experiences, and where the gaps are starting to open. But that only helps if the team is willing to do the foundational work and use that perspective to pressure test the program honestly.

Final takeaway

If I had to boil this episode down, it is this: controls are not a strategy, strategy without process does not work, and process without alignment creates gaps. And those gaps are exactly where fraud wins.

So if this episode makes you rethink something in your fraud program, do not let that thought go. Use it. Go back to your team. Look at the process. Map the flow. Identify the risk entry points. Revisit the why behind your controls. Make sure your preventative vs detective controls are actually doing what you think they are doing. Because the strongest fraud programs are not the ones doing the most. They are the ones where strategy, process, controls, and monitoring all work together the way they should.
