This year has been one most of us would like to forget. As we look toward 2021, nevertheless, it is worth considering lessons learned over the last 12 months and (where possible) drawing on any positives that have come to light regarding the financial crime landscape.
The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation. To find out more, visit the ICA website.
Supply chains tested
Financial criminals immediately seized on the climate of disruption, fear, and uncertainty that characterized the onset of the coronavirus pandemic.
“The conditions were ripe for vendor fraud,” explains James Wood-Rickett, AML/financial crime course director at the ICA. “International border restrictions and the associated disruption to global supply chains coincided with a need for organizations and governments to rapidly source PPE (personal protective equipment), meaning that the usual due diligence checks for new vendor relationships may have been overlooked.”
Naturally, the level of such activities varied across different sectors and supply chains. “In private banking, invoice and supply chain fraud has been somewhat absent, focusing on the client side,” Anastasia Savvateeva, senior compliance officer at Swiss multinational private bank Pictet Group, says. “… However, for companies that work in the industrial sectors, such as aeronautics, construction, or international trade, invoice and supply chain fraud most certainly increased.”
Relief measures exploited
Fraudsters were also quick to take advantage of opportunities created by the rapid rollout of government relief measures. But while some early prosecutions have been reported in relation to furlough fraud, for example, only time will reveal the full extent to which COVID-related support schemes have been abused.
The U.K.’s Bounce Back Loan Scheme demonstrated the challenge financial institutions face in balancing the need for speedy delivery of financial support against requirements for due diligence. As Wood-Rickett explains, “Some loans have gone through in less than 24 hours, from application to payment in account, because financial institutions do not want to be seen as preventing businesses from succeeding during lockdown.”
Work from home poses new challenges
As the immediate shock of the early phase of the crisis subsided, it became clear some element of work from home (WFH) would be retained over the long term for many organizations. WFH has intensified the challenge of fraud prevention and detection, notably in relation to cyber-threats.
“The COVID crisis has exacerbated fraud risks and showcased the existing weaknesses in internal controls,” suggests Andrey Shapoval, deputy AML officer at investment management firm Finance in Motion. “This was mainly driven by higher detection risk in the context of remote work, as well as the increased burden on organizations’ IT systems and the lack of direct oversight of employees. Overall, the risk-based approach to fraud prevention and detection has been extremely challenged by the crisis.”
According to PwC, “the current environment is ripe for a spike in insider fraud,” while the firm’s Global Economic Crime and Fraud Survey 2020 found “business partners remain a risk and fraud committed by management is trending upward.” Under these circumstances, many have implemented additional measures. “Work from home has seen an intensification in transaction monitoring, including employees’ personal transactions (for possible market abuse),” notes Savvateeva.
The conditions created by lockdown are readily superimposed on the traditional “Fraud Triangle,” as Shirin Rahman, financial crime officer at mortgage lender Optimum Credit, points out. “The impact on mental wellbeing, the feelings of detachment from work due to furlough, and anxieties due to job security could tip an employee to become an insider threat,” she adds.
The crisis has therefore focused attention on psychological aspects of fraud and fraud prevention, with the suggestion that employee vigilance against threats may be diminished when away from the office environment. “It may be that when individuals are working in an office, they feel certain constraints on what they can and can’t do, but when they are working from home, some of those constraints are not present, so there may be an increased propensity for fraud,” says ICA Head of Qualifications Tim Tyler.
Practitioners have highlighted the importance of establishing clear lines of communication with colleagues and the value of regular face time in maintaining team spirit, mental wellbeing, and risk awareness. Many have gone further. “We set up an anonymous phone line to offer psychological support,” recalls Adam Rommel, ethics & compliance manager at energy distribution and services company UGI International. “We also increased communications on ethics- and compliance-related topics. If there were cases of fraud in other companies that were made public, we made sure to communicate these for a targeted audience within the business in the form of a newsletter to keep people aware and for them to be alert.”
Without doubt, the move to WFH has multiplied external threats to IT security. “Preserving the confidentiality and privacy of client data and ensuring that IT systems are strong enough to rebuke any potential attack is both a huge responsibility and a major challenge,” says Savvateeva. “This is especially true with WFH, where employees may have to use their domestic internet. Considering this threat, IT departments have become key players and almost the most important people in every company.”
When targeting attacks, criminals have “tweaked existing forms of cybercrime to fit the pandemic narrative,” according to Europol’s 2020 Internet Organized Crime Threat Assessment report. Social engineering was a “priority threat,” as cyber-criminals capitalized upon pandemic-induced fears, insecurities, and vulnerabilities. Phishing attacks have particularly grown in number and sophistication, with the report noting “cybercriminals are now employing a more holistic strategy by demonstrating a high level of competency when exploiting tools, systems and vulnerabilities, assuming false identities and working in close cooperation with other cybercriminals.”
The growth in phishing in 2020 builds on a pre-existing trend. In the United Kingdom, the Information Commissioner’s Office reported phishing was the No. 1 vulnerability between April 2019 and March 2020, accounting for 28 percent of cyber-related data breaches.
From a U.S. perspective, the picture is similar. The F5 Labs 2020 Phishing and Fraud Report suggests “2020 is on target to see a 15% increase in phishing incidents compared with last year” and that “phishing incidents rose by a staggering 220% compared to the yearly average during the height of global pandemic fears.”
For Rommel, training and communication have been fundamental to improving cyber-risk awareness. “We experienced phishing attempts, but our IT and cyber-security team did a great job of communicating the risks,” he explains. “For example, they sent test emails that looked like phishing attempts, and any individuals who failed the test had to do additional training on security, phishing risks, and other cyber-attack risks.”
Amid this year’s difficult circumstances, practitioners have taken opportunities, where available, for personal and professional development. For Savvateeva, her new working arrangements created some free time that enabled her to focus on training. “I’ve chosen to enhance my AFC (anti-financial crime)/compliance skills and have undertaken some related projects such as speaking in Webinars, writing articles, giving lectures, and mentoring my students,” she says.
“As a mom to two young children, working from home has given me the liberty to be more organized,” explains Rahman. “With the constant rush of an office life gone, there is certainly more time to devote for my fraud learning and overall career development. Also, the ease of e-meetings and virtual platforms have certainly boosted my network strength, which is a great contributor for any career development.”
Indeed, and paradoxically given the restrictions it has placed on physical movement and contact, lockdown has potentially strengthened networking efforts. “I have always believed, even before the crisis, in helping each other in a network of professionals in the same field and have always tried to be active in different compliance- and ethics-related groups,” says Rommel. “But to be honest, the fact that we could attend conferences online and from home made it easier to do so, and I have probably attended more events this year than I would have if I had to be physically present.”
Hopes and fears for 2021
Many of the changes necessitated by the pandemic look set to remain with us, and the associated fraud risks will evolve as we enter 2021. Notably, as lockdown has forced us to live more and more of our lives online, it is worth remembering the same conditions have applied to criminals.
For compliance practitioners, therefore, cyber-crime will remain a key risk area. Savvateeva suggests cyber-fraud will “break new ground,” with attacks potentially becoming more frequent, more aggressive, or changing their targets.
“My biggest concern is that the post-COVID economic recovery measures implemented by governments worldwide will be targeted by fraudsters in 2021, which will diminish the effect of such measures,” says Shapoval. “This is especially relevant for the developing world, where corruption and financial abuse risk remain elevated while economies are suffering significant losses due to the pandemic.
“This concern, however, comes alongside the hope that fraud risk management systems will keep being enhanced in terms of prevention, detection, and mitigation. Hopefully, we as compliance professionals can take advantage of technology in this regard. It is impossible to eliminate fraud completely, but it is possible to reduce the scale to a socially acceptable level in current circumstances. That would be my hope for 2021.”
The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.