“What is the key determinant of the credit card fraud risk assessment in Indonesia? An idea for brainstorming”

This study examined the direct effect of brainstorming on fraud risk assessment at credit card issuing banks in Indonesia. Therefore, it was expected to help improve their performance in dealing with various credit card frauds. This study involved 80 participants from the credit card fraud risk management team from four major credit card issuing banks in Indonesia, consisting of the risk management team (anti-fraud specialist) and the internal auditor team. The research was analyzed using the experimental method with a 2X1 factorial design. Analysis of Variance (ANOVA) would test the experimental data. The individuals’ performance (without brainstorming) or the brainstorming group was analyzed using the statistical ANOVA technique. ANOVA analysis produced a sig value of less than 1% and an F-count of 50.556 > 0.143443, which was higher than the F-table. The ANOVA test results concluded that there were differences in assessing the fraud between the respondents with brainstorming and those without it. Through the brainstorming method, it turned out that the respondents in the fraud risk management team provided a more accurate credit card fraud risk assessment from the point of view of the fraud causes and the credit card fraud impacts. Hence, it is crucial for credit card issuing banks in Indonesia to consistently implement anti-fraud governance by adopting brainstorming to produce a better fraud risk assessment.


INTRODUCTION
Based on statistical data from 2012 to 2015, several countries had a high risk of facing the threat of credit card fraud, such as Ukraine with the highest fraud rate of 19%, Indonesia at 18.3%, Malaysia at 5.9%, Turkey at 9%, the United States at 1%, and the rest was under 1% (Sorournejad et al., 2016). Indonesia is apparently a country that is susceptible to cybercrimes, including rampant credit card crimes. In one of the 2011 AADC (ASEAN Australia Development Cooperation Program) reports, Indonesia was ranked 2nd in the list of the worst countries in the world for credit card fraud cases based on total incidents. According to a report from AKKI (Indonesian Credit Card Association), the existence of this credit card fraud has damaged Indonesia's image in the world of e-commerce. It was proven several years earlier, in the early 2000s, online merchants such as Amazon.com and eBay had placed the Republic of Indonesia on the list of "Dangerous Countries" in conducting online transactions because Indonesia was deemed to have violated the law: acting through the collection of illegal credit card information at the time of the transaction (Yogi, 2012).
Many studies show the importance of brainstorming in assessing fraud risk. However, none has analyzed whether this brainstorming can be the key to assessing cybercrime risk, especially credit card fraud in Indonesia. Thorough research is needed on whether overcoming credit card fraud in Indonesia needs to be continuously improved, not only from the technology side but also from the people and process side of the experts who handle card fraud management. An anti-fraud team's expertise is needed to analyze the system and the combination of credit card fraud risks. In addition, anti-fraud experts from issuing banks must brainstorm and communicate with law enforcement agencies or international networks to analyze reporting data and fraud patterns that occur at their respective banks.

LITERATURE REVIEW
The studies by Suman and Nutan (2013), Goldmann (2015), and Trivedi et al. (2020) state that one important anti-fraud strategy that needs to be implemented to reduce the risk of fraud and overcome credit card fraud is to assess the risk of fraud. As one of the primary keys to fraud risk assessment, identifying fraud risk is very important to detect credit card fraud. Several transactions are observed and identified, whether genuine or fraudulent.
One study by ACFE (2018) explains that fraud risk assessments must be carried out regularly to identify possible fraudulent schemes, especially by experts, namely internal auditors and the risk management team. The performance of these two experts is compared in the studies by Joyce and Biddle (2017), Chui et al. (2022), Albrecht et al. (2018), and Boritz et al. (2014) regarding the role of anti-fraud experts (fraud specialists and internal auditors) in fraud risk assessment. Their research proves that fraud is often easy to hide but hard to detect, especially by untrained observers.
To deal with credit card fraud, Dar et al. (2020) also conclude that each party must provide support in making a fraud risk management plan through a fraud risk assessment. All specialist teams involved in this activity must be trained to solve problems that arise in the process. Arens et al. (2019) and Vona (2017) further explain that through fraud risk assessment, company auditors can assess and obtain adequate audit evidence, which will be used as a reference for identifying parts with a certain level of fraud risk. Information retrieval regarding which parts of the business process are vulnerable to fraud must be carried out because it is vital to assess the possibility of fraud risk occurring.
Management must assess the risk of credit card fraud as a routine and structured process, not just as a formality. Every finding must be appropriately followed up to close the gaps that arise from each operation. In addition, it is necessary to pay attention to the control costs incurred in conducting a fraud risk assessment by looking at a company's business complexity (company size or scope of units to assess fraud risk) and company needs. For that reason, the importance of fraud risk assessment by Payne and Ramsay (2005) concluded in a statement, i.e., failure to state that the risk of fraud is low at the time of fraud risk assessment, despite evidence to the contrary, can lead to future audit failures.
In line with this, studies by Alon and Dwyer (2010), Carpenter (2007), and Mubako and O'Donnell (2018) agree that brainstorming can result in better performance in assessing fraud risk more accurately. The Standards and Guidelines regarding brainstorming applications during fraud risk assessments also support it. The SAS (Statement of Auditing Standards) guidelines No. 99 describe brainstorming as a must because it helps discuss possible fraud. By brainstorming, Brazel et al. (2010) prove that knowledge and experience will be a tool to improve auditor fraud assessments. Ajzen's (1991) study also explains the importance of brainstorming through the Theory of Planned Behavior (TPB). He states that it is crucial for the fraud risk management team to brainstorm or share knowledge, experience, and interpersonal skills, communication skills or problem-solving to implement the internal control.
Several other studies prove the importance of brainstorming in assessing the risk of fraud, such as research by Armitage and Conner (2001), Arthur and Huntley (2005), Bock et al. (2005), and Borthick et al. (2006). They explain that social pressure and intervention will motivate experts, including auditors, to shape knowledge-sharing behavior through a brainstorming process. In contrast, and Hoffman and Zimbelman (2009) prove the need to share ideas and transfer quality knowledge in assessing fraud risk because they are considered to improve internal control assessments for information systems.
A study by Byron (2012) considers brainstorming a creative problem-solving strategy or method proposed by Alex F. Osborn in 1953. According to him, this method focuses on expressing creative opinions. In addition, Carpenter et al. (2008) prove that brainstorming is a fact in collecting opinions without considering who issued them. This method can be used in the world of business and finance. Moreover, verbal brainstorming can help auditors to identify the type of fraud. In brainstorming, views about the causes of fraud can be obtained based on the information or evidence collected.
Furthermore, research by Carpenter (2007), Hoffman and Zimbelman (2009), and Brazel et al. (2010) gives results that brainstorming will help auditors correctly assess fraud risk, whether it is caused by technical errors or just fraud. Hoffman and Zimbelman (2009) prove that brainstorming in making an audit plan is only influential when it comes to cases of high risk of fraud. At the same time, the Association of Certified Fraud Examiners (2018) further proves that fraud risk assessment will be more difficult for the auditor to understand in making an audit plan because fraud cases often involve sophisticated engineering to cover up. Therefore, brainstorming is needed to overcome these problems.
Several previous studies, such as from Mohd-Nassir et al. (2015), Omar and Din (2010), Kerr (2013), and Kozloski (2011), prove that there is a significant interaction between the auditor's knowledge and expertise and the application of brainstorming when conducting a fraud risk assessment. LaSalle (2007) proves that auditors with specific knowledge, such as accounting, will be more trained in providing audit judgment than those without knowledge/expertise. Studies by Fukukawa and Mock (2011), Mubako (2012), and Mubako and O'Donnell (2018) obtain the result that an assessment of fraud risk, including credit card fraud, will help the auditor determine the appropriate audit procedure.
Although there is a positive view of the need for brainstorming in fraud risk assessment, it turns out that there is research from a psychologist's point of view, i.e., Kohn and Smith (2010), which gives the result that there is a possibility of "Collaborative Fixation" during brainstorming. The problem arises when several people brainstorm, and 60% to 75% speak up. Introverts tend not to participate at all. Research results by Beasley and Jenkins (2003), Li and Vasarhelyi (2018), and De Dreu (2007) show that if there is a hierarchy in the audit team, including a team of assessors who do brainstorming, it can cause adverse effects such as anxiety when evaluating results, group thinking, and idea barriers in brainstorming. Thus, the quality of information sharing or brainstorming among team members will affect the effectiveness of discussions and decisions made by the team.
Based on the various views above, this study tries to analyze whether brainstorming in the credit card business fraud risk assessment process has a better value than without brainstorming. It is because team members are more critical in showing judgments based on the causes of fraud and the impact of fraud on the credit card business. This research hypothesis states that individuals who brainstorm would be more likely to assess the risk of credit card fraud more effectively than those who only worked individually in investigating cases of the causes and effects of fraud.

RESEARCH METHODOLOGY
This study used 80 respondents. They were members of a credit card fraud risk management team, and they were responsible for conducting fraud risk assessments. They were a team of fraud risk management specialists and internal auditors at Indonesia's top four issuing banks. This study used these respondents to control for the effect of variability experienced by credit card fraud risk assessment bias. Fraud specialists and internal auditors still receive the same training despite the different functions of their reporting lines (Moyes & Hassan, 1996).
Furthermore, this study used a 2X1 factorial design. The variables examined in this study were brainstorming and credit card fraud risk assessment. Brainstorming in this study discussed the causes of fraud and its impact. The treatment/brainstorming variable consisted of two factors: 1) without brainstorming and 2) brainstorming. The factorial design is described in Table 1. The table shows four cells: Cell 1 assessed the risk of credit card fraud without brainstorming; Cell 2 used brainstorming. High fraud risk and low fraud risk were the two credit card fraud risk assessment categories.
To avoid threats to internal validity and increase the accuracy of the results, the design of this research paid attention to randomization by selecting the participants randomly; history deterrence by conducting the experiment after 5:00 pm to provide comfortable conditions from busy work; maturation deterrence by conducting the experiment in 1-hour duration.
This study required homogeneity of variance to compare variables between groups. This study tested the null hypothesis using the Levene Test. ANOVA was used to compare two or more treatments to assess the research hypothesis.

Experiment procedure
The experiment procedure was as follows:

Stage 1:
The participants were randomly assigned to work individually (non-brainstorming) by grouping (brainstorming) as a treatment group and completing a series of manipulative questions.

Stage 2:
The participants were randomly assigned to high-risk or low-risk fraud conditions to review case-related information and to complete case-related questions (manipulated variables). In a given case, they would be asked to identify potential fraud risk factors and assess the impact of fraud risk.

Stage 3:
The participants completed a post-experimental questionnaire. They were asked to complete questionnaires and comment on anything related to the experiment.
During this experimental procedure, the stimulus provided to the participants was related to (i) the causes of the occurrence of fraud and (ii) an analysis of the effects of fraud.
The stages in this experiment were generally as follows:
1) Provide briefing to the participants regarding the research topic explanation, the question case explanation, how to fill in the worksheet, and the experiment duration. Before the experiment started, the participants were also given some information about SAS No. 99 and the reasons for which the brainstorming session was to be conducted. These instructions were adapted from Carpenter (2007).
2) Coding the participants as the treatment group and the control group.
Changing the context of credit card fraud changes the risk of fraud. Random credit cards, petty purchases, major scams (including social media scams and fake websites), point-of-sale skimming, and phishing were used in this experiment. A researcher would modify the fraud risk factors of this case into high and low-risk factors, and internal and external fraud possibilities.
In this experiment, the participants would be asked to detect possible risks of fraud or errors in case examples, examine internal and external elements, and estimate the likelihood and importance of the risks found. On a scale of 1 to 5, 1 to 2 means low probability, 3 means medium, and 4 to 5 means high.

RESEARCH RESULTS
This study was to determine whether the brainstorming method could make the fraud risk management team assess fraud risk more accurately or not. It was done by assessing the fraud cases presented by looking at the causes due to credit card fraud. Table 2 presents the demographic statistics of the 80 experiment participants.
Table 2 reveals that the fraud risk management team has more RMUs than the internal auditor team. Most respondents are over 30 and have an S1 (bachelor's degree). Most respondents have fraud training. This is aligned with ACFE's identification of the following as fraud risk assessment personnel: 1) accounting/finance personnel; 2) non-financial business units and operations personnel; 3) information technology personnel; 4) risk management personnel; 5) legal and compliance personnel; 6) internal audit personnel; 7) external consultant, if no internal expert; 8) These are risk assessment-competent management, senior management, and business unit leaders. They control company fraud risk.
Tables 3 and 4 show participant reactions to experiment instruments.
In this experiment, participants rated fraud situations as (1-2), (3), (4-5) as low, moderate or high risk. Tables 1 and 2

Based on Table 5, overall based on the cases given, the reason participants assessed fraud was because of the bad fraud prevention system.

Classic assumption test result
Next is the assumption test, where the data to be modeled need to be tested for assumptions in order to obtain a good model.

Test for normality result
Normality can be assessed at a glance by plotting the data, or checked with a statistical test.
Figures 1 and 2 show that the non-brainstorming and brainstorming data followed the diagonal. The data appear normally distributed at first look. Figures 3 and 4 also show that the data were normally distributed, but it is hard to be sure, thus more statistical calculation was done to determine if the data were normally distributed. The normality test involves statistical calculations, including the Kolmogorov-Smirnov test.
In this study, the Kolmogorov-Smirnov test was conducted because the number of respondents was more than 50, instead of using the Shapiro-Wilk test, which is usually used for data with less than or equal to 50 respondents. For information, good data have experiment tools that spread normally. In the Kolmogorov-Smirnov test, the data distribution is declared to meet the assumption of normality if it has a Sig. value greater than 0.05. In the table above, it was visible that the Sig. value for the non-brainstorming group was smaller than 0.05, i.e., 0.012 < 0.05, thus it can be said that the data obtained from the non-brainstorming group did not meet the normal distribution. On the other hand, the Sig. value for the brainstorming group was bigger than 0.05, namely 0.077, thus it can be concluded that for the data obtained from the brainstorming group, the assumption of normality was fulfilled. If the normality test shows results that tend to be abnormal, the assumption of the central limit theorem can be used, that is, if the number of observations is quite large (n > 30), then the normality assumption can be disregarded (Gujarati, 2003). This is because data that have large and even unlimited observations will spread out following a normal distribution. In this study, the total samples were 80, thus the data were assumed to be normally distributed.

Homogeneity test result
The homogeneity test serves as a point of reference when making a decision for the subsequent statistical test. It is possible to explain that the variance of the two population data sets is the same (homogeneous) if the value of Sig. is bigger than 0.05.
On the other hand, if the value of Sig. is less than 0.05, then it indicates that the variance of the two data population groups is not the same (that they are not homogeneous) (Erjavec, 2014). Levene's test, Fisher's test, or Bartlett's test are all viable options for conducting a homogeneity test.
In the earlier test of normality, it was discovered that the data coming from the non-brainstorming group were not normally distributed. As a result, Levene's test was applied in this investigation to determine whether or not the variances were consistent with one another. Levene's test is a test for the homogeneity of variance that is used for non-normally distributed data or data that do not meet the assumption of normality. It is known that the Sig. Based on Mean value is larger than 0.05, specifically 0.814 > 0.05, which means that it is possible to say that the variance of the two population data groups is homogeneous. There is evidence to support the homogeneity assumption.

Hypothesis test result
The hypothesis test in this study used analysis of variance, known as ANOVA (Analysis of Variance). The assessment test of the participants of the fraud risk management team is as presented in Table 8.
According to the findings in Table 8, the F test was statistically significant when the sig value was less than 1%.This shows that there was a significant difference between the credit card fraud risk assessments for each participant.This means that the participants who did not get the opportunity to brainstorm had a smaller tendency to assess the risk of fraud, even though the credit card fraud occurred due to the poor fraud prevention system.The participants in the non-brainstorming group could not accurately identify fraud risk based on the available evidence.After receiving a brainstorming treatment, they were able to discuss and had better sensitivity and judgment in assessing fraud risk based on the evidence they had.The participants would better understand the possibility of fraud from the results of brainstorming between those with less experience and less knowledge, and those with wider experience and knowledge.If someone in the fraud risk management team tends to have a higher perception of assessing fraud risk, then that person will automatically be more careful to analyze the possibility of fraud (Dionne et al., 2007).This is in line with Boyle et al. (2015) and Agwu (2018) that in assessing fraud risk, including credit card fraud, it should always consider the likelihood and impact or significance.Or, in other words, the frequency of fraud that often occurs, yet has a smaller impact on losses, will be valued more than the fraud that rarely occurs yet has a greater impact on losses.The impact of losses due to internal or external fraud is assessed by considering all risk factors, including financial and reputational risks.
The results obtained from this research are in line with Ajzen's theory of planned behavior, that the existence of pressure and social intervention motivates the risk assessment team in shaping the behavior of sharing knowledge and experiences through the brainstorming process.
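
The homogeneity check and hypothesis test described above (mean-based Levene's test, then one-way ANOVA on 1-5 risk ratings), as an added Python example that is not the authors' analysis code. The ratings are constructed, the 40/40 group split is an assumption, and the critical values are approximate F-table entries for df = (1, 78).

```python
# Added illustration, standard library only. NOT the study's data or code.
from statistics import mean

# Approximate F-table critical values for df = (1, 78): 2 groups, 80 ratings.
F_CRIT_1_78 = {0.05: 3.96, 0.01: 6.97}

# CONSTRUCTED 1-5 ratings; the 40/40 split is an assumption.
NON_BRAINSTORMING = [1] * 6 + [2] * 14 + [3] * 14 + [4] * 6
BRAINSTORMING = [2] * 4 + [3] * 12 + [4] * 16 + [5] * 8


def risk_band(score):
    """Map a rating to the paper's bands: 1-2 low, 3 medium, 4-5 high."""
    if score not in (1, 2, 3, 4, 5):
        raise ValueError("rating must be an integer from 1 to 5")
    return "low" if score <= 2 else "medium" if score == 3 else "high"


def anova_f(groups):
    """One-way ANOVA. Returns (F, df_between, df_within)."""
    if len(groups) < 2 or any(len(g) < 2 for g in groups):
        raise ValueError("need at least two groups of at least two values")
    n = sum(len(g) for g in groups)
    grand = sum(sum(g) for g in groups) / n
    means = [mean(g) for g in groups]
    ss_between = sum(len(g) * (m - grand) ** 2 for g, m in zip(groups, means))
    ss_within = sum((x - m) ** 2 for g, m in zip(groups, means) for x in g)
    if ss_within == 0:
        raise ValueError("no within-group variation; F is undefined")
    df_b, df_w = len(groups) - 1, n - len(groups)
    return (ss_between / df_b) / (ss_within / df_w), df_b, df_w


def levene_w(groups):
    """Levene's statistic 'based on mean': the one-way ANOVA F computed on
    absolute deviations of each rating from its own group mean."""
    deviations = [[abs(x - mean(g)) for x in g] for g in groups]
    return anova_f(deviations)[0]


def analyse(groups):
    """Run the two steps in the order the text describes them."""
    w = levene_w(groups)
    f, df_b, df_w = anova_f(groups)
    if (df_b, df_w) != (1, 78):
        raise ValueError("tabulated critical values only cover df = (1, 78)")
    return {
        "levene_w": w,
        # Variances are treated as equal when W stays below the 5% value.
        "homogeneous": w < F_CRIT_1_78[0.05],
        "f": f,
        # The text reports significance at the 1% level.
        "significant": f > F_CRIT_1_78[0.01],
    }


if __name__ == "__main__":
    result = analyse([NON_BRAINSTORMING, BRAINSTORMING])
    print(result)
    print("share rated high:",
          sum(risk_band(x) == "high" for x in NON_BRAINSTORMING) / 40,
          sum(risk_band(x) == "high" for x in BRAINSTORMING) / 40)
```

Comparing the statistic against a tabulated critical value is equivalent to comparing the Sig. value against 0.05 or 0.01, which is the form the text reports.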

DISCUSSION
This study found that the credit card fraud risk assessment differed between the fraud risk management team, which included internal auditors, and the risk management team, which included both brainstorming participants and non-brainstorming participants.With the help of the group's brainstorming session, any potential fraud concerns might be isolated and addressed.The results of the credit card fraud risk assessment with brainstorming were greater than the assessment without brainstorming for scenarios when a company's fraud protection system was less effective, therefore the risk was high.
However, for the low-risk fraud cases, there was no significant difference in the ratings of the brainstorming and non-brainstorming groups. This was because, through brainstorming, the team members shared knowledge and experience, therefore the assessment bias can be reduced or the assessment would be more accurate, especially for the cases of credit card fraud with high risk. Although in the end, the management's justification became an important factor in setting a rating score for the risk of fraud. From the results of this study, it was concluded that brainstorming significantly affected the success of fraud risk assessment. This idea is in line with some previous studies (

Second, since brainstorming is carried out by a combination of internal auditors and risk management personnel with experience and expertise as fraud specialists, it will provide opportunities for internal auditors to add quality ideas that lead to improving the efficiency of the audit program. This finding is important because based on SAS No. 99 the auditor must evaluate the company's programs and controls in reducing fraud risk, through gathering information related to fraud risk. According to research, engaging in brainstorming will result in a more accurate assessment of the potential for fraud, which will in turn allow internal auditors to develop a superior audit strategy. The second part of this study will concentrate on the application of Governance, Risk, and Compliance (GRC) as a method for detecting and preventing fraudulent carding.

CONCLUSION
This study aims to help credit card issuing banks in Indonesia improve their performance against various credit card fraud by examining the direct effect of brainstorming on fraud risk assessment in the credit card sector. The results indicate differences in credit card fraud risk assessment between the fraud risk management team consisting of internal auditors and risk management teams who do brainstorming and those who do not. The brainstorming process will help the entire team to identify fraud risks from the evidence gathered. With brainstorming, the results of a credit card fraud risk assessment, especially for cases where the company's fraud prevention system is less effective and high risk, are higher than the assessment without brainstorming.
For the next stage, this study will be focused on implementing GRC (Governance, Risk, and Compliance) as a detection and prevention step in carding, whether GRC has a different mindset and contribution to improving the performance of FRA (fraud risk assessment), and to what extent management's assessment influences the considerations in the FRA.
Table 3. Composition of the factorial design

Table 5. Reasons for fraud risk assessment

Figure 1. Normal line graph (non-brainstorming group)

Table 6. Normality test results