The Future of Risk Management and Fraud Prevention - December 2020

The Future of Risk Management and Fraud Prevention – December 2020

Fake COVID-19 testing kits and lockdown puppy scams: how to protect yourself from fraud in a pandemic

Cassandra Cross, Queensland University of Technology

Fraudsters are ruthless and will use any means necessary to gain financial advantage.

Earlier this year, as Australians were battling the devastating bushfires, fraudsters were tailoring their approaches to exploit the good intentions of citizens wanting to help victims.

And come March and the declaration of COVID-19 as a global pandemic, offenders have seamlessly shifted their approaches to take advantage of yet another crisis.

Online fraud on the rise during COVID-19

Given the known links between natural disasters and fraud, it is unsurprising offenders are using COVID-19 to target potential victims. While there are limited statistics on crime rates during this period, evidence suggests fraud and other online scams have spiked.

The Australian Competition and Consumer Commission (ACCC) issued an alert this week warning of a dramatic spike in identity theft, with some 24,000 reports of stolen personal information this year, a 55% increase over the same time last year.

Further, Scamwatch has received more than 3,600 reports specifically mentioning COVID-19, with victims so far claiming losses of about $2.3 million.

Fraud costs millions of dollars annually, as shown in the ACCC’s latest Targeting Scams report. It found that in 2019, Australians reported losing more than $634 million to fraud, a dramatic increase from $489 million in 2018.

Fraud is an underreported crime, so these figures are likely to be a fraction of the actual losses incurred by victims. In addition, there are many barriers to victims reporting scams. They might not realise they are a victim, for example, or might not know where to report such crimes. Some people also feel a strong sense of shame and embarrassment at having been deceived.

The government is putting more attention on the threat of fraud and other cybercrime with its newly released cybersecurity strategy, which will see a record $1.67 billion invested in cybersecurity and cybercrime prevention over the next decade.

What types of fraud are occurring now

There is nothing new in the ways offenders are targeting potential victims at the moment. Rather, we are seeing well-established schemes reappearing under the guise of COVID-19.

Online shopping fraud

With more people at home during the pandemic, there has been a substantial increase in online shopping. Consequently, there has also been an increase in online shopping fraud.

Some of these schemes involve fake websites and social media pages being set up to sell goods to people that never arrive, including personal protective equipment and even puppies.

There has also been a rise in online sales of products that simply do not exist or work as promised, such as coronavirus testing kits or supposed cures for the virus.

Phishing

Fraudsters use phishing emails and text messages as a means of getting personal information from victims, like bank account details and passwords. Phishing attempts usually come from what appear to be legitimate sources, persuading recipients to click on a link or reply with required personal information.

In the context of COVID-19, phishing attempts are being launched under the guise of government departments. Some messages claiming to be from health authorities say the recipient has had contact with a known case of the virus, for instance, while others advertise the need for testing.

Others have pretended to be the Australian Taxation Office with offers of tax refunds or the availability of government benefits or support payments.

In addition, offenders have also used the pretext of legitimate businesses like Coles and Woolworths, appearing to offer services or discounts to those who are struggling. Other approaches are using the Australia Post logo to ask people to pay additional fees for delivery of purchased items.

Increased vulnerability to fraud

These examples highlight how offenders exploit anxiety to take advantage of people in uncertain times. They play on people’s fears and anxieties.

Everyone is vulnerable to fraud. Research suggests there is “no typical fraud victim”. However, COVID-19 has arguably made more people vulnerable to fraud across large sections of society.

Isolation and loneliness can increase vulnerability. Without the presence and accessibility of support networks (such as family and friends), individuals may be more responsive to fraudulent approaches.

Economic hardship could also make people more susceptible to fraud. Offenders do not need to offer outrageous returns for their approaches to be attractive to potential victims. People are more motivated than ever to improve their financial situations, which plays into the hands of fraudsters.

How you can protect yourself

It is important people understand how fraudsters work and are using the crisis to their advantage, so they can take the necessary steps to protect themselves. Here are a few tips to prevent becoming a victim.

Stay connected to family, friends and colleagues, even in a virtual environment. Offenders relish the isolation of victims to increase the success of their attempts.
Talk about what is happening. Ask someone directly if they have received any strange emails or phone calls. Offenders rely on secrecy and shame to keep people silent about their victimisation.
Be vigilant with emails, phone calls, texts and even those who knock on your door. Do not feel you have to respond to anything immediately and take the time to think about and seek advice. Offenders rely on immediate responses from people that overcome any rational thought.
Report any fraud attempts or losses you may have incurred to Scamwatch or ReportCyber. Also, contact your bank if you have lost money, or a service like IDcare if you have had your identity compromised. It is important for these organisations to be able to gain accurate figures on the prevalence of fraud during these times.

COVID-19 has thrown the world into uncertainty. But one thing that’s clear is fraudsters will remain active and continue to target victims. We need to recognise this changing environment, support each other and collectively do as much as possible to guard against fraud victimisation.

Cassandra Cr o ss, Senior Research Fellow, Faculty of Law, Cybersecurity Cooperative Research Centre, Queensland University of Technology

This article is republished from The Conversation under a Creative Commons license. Read the original article.

A Spartan with a laptop

Why the future of fraud prevention might need to be a lean, mean fighting machine

A wise philosopher once wrote, “prevention is better than cure”. It’s certainly true for fraud, for which there is rarely a cure once it has happened. Which means that, instead, we must place all our focus on prevention.

There are endless reports of the tidal wave of fraud that has emerged, and will emerge, from Covid-19, so fraud prevention is at the forefront of everyone’s minds, right? The truth is, it isn’t. Organisations are in turmoil – budgets set in January are a distant memory, supply chains are under significant pressure, employees are on furlough (particularly those in classic control functions), and cash flow is critical. That means investment in traditional back-office functions is minimal. Businesses don’t usually spend money on prevention in times of crisis – not when they’re struggling to pay staff and suppliers.

Contrast that depressing situation to the opportunity currently presenting itself to fraudsters – both those that have already stepped over the line and those who might be thinking about it. Normal control environments are in flux and unlikely to be fit for current operational purposes, traditional control functions are at home and unable to get out into the field, emergency funding is being issued rapidly and without the usual checks and balances, and supply chains look markedly different to how they did just six months ago. This all makes the perfect recipe for a significant increase in fraud.

So what are we seeing wise corporates do now to protect themselves, and what should they be doing in the future? The answer is, be proactive, and don’t place all your eggs in one basket.

Making fraud prevention a company-wide responsibility

Any fraud prevention system is only as strong as its weakest link, and that is invariably people. As such, clients are extending fraud risk management beyond the usual control functions and leveraging the three lines of defence. We are seeing companies implement a range of key measures, including:

Educating employees on the latest fraud trends, and providing practical advice and examples to help them remain aware and alert. This improves engagement and prevents people from zoning out during the usual annual online training they often try to complete as quickly as possible
Designing tailored control frameworks, that account for jurisdictional anomalies and cultural nuances, to ensure that the control environment is adapted to changing circumstances and environments, as opposed to a one-size-fits-all control policy
Involving internal audit in the fraud prevention strategy. This invaluable and often overlooked function has some of the best and most hands-on knowledge of how the control environment works in practice. As such, auditors can provide informed advice to the design of fraud prevention mechanisms

Smart data analytics

“It would have been so obvious if anyone had looked,” is a phrase we hear time and again in fraud investigations. The problem is, very few do. If people are the weakest links in fraud, then why does the majority of fraud prevention rely on them?

Savvy corporates, those that truly understand that fraud prevention is a cost-saving in the medium term, have deployed sophisticated data analytics, running bespoke algorithms that mine the information available to them internally, within their financial and non-financial internal systems to spot anomalies at headquarters, but also around the world, in their most far-flung operations. No one knows this “live monitoring” is happening beyond a select few, who can use the results to spot red flags and dive into the data to assess the true extent of a potential problem, or a simple false positive. These “Spartans with a laptop” can sit anywhere in the world, and do the work of tens of auditors at the push of a button. Big data is the future, but the ability to sufficiently understand your business to design appropriate queries to interrogate it sophisticatedly is what smart corporates are doing now.

Live risk assessment

Risk assessment has become something of a buzzword over the years, and frequently addresses business risk as well as bribery and corruption. The danger is these exercises become rote, and desktop focused. Only a few properly invest in well-thought-through fraud risk assessments, that are live documents. The reality is all risk assessments should be live, but ever more so in the case of fraud. All too often the risk focus is around cyber-security and the external threat, or an errant employee eliciting funds from the company – your typical frauds, so to speak. Only a handful will properly assess how their operational business environment has changed in the past six months and how controls need to be adapted to take these changes into account. What of the risk of financial misstatement, for example, or postponement of costs – all initially well intended and not an obvious immediate loss to the firm but fraud nonetheless.

So what is the future of fraud prevention? We’ve seen many corporates lose millions to fraud, and then spend further millions trying to recoup what they’ve lost, when an insignificant upfront investment in fraud prevention would likely have detected the issue before it became business critical. Who knows what the world will look like a year from now, but consider this: corporates are being attacked by organised criminal networks constantly, if silently. At the same time their defences are weakened – whether through cost cutting, or the simple and unforeseen operating environment we find ourselves in. The profile of a professional fraudster has evolved: they are creative, specialised, use technology and adapt to their operating environment.

The Spartans of ancient Greece created a focused fighting force, trained in the latest fighting techniques and capable, with a small army, of defeating a much larger enemy. Corporates should consider something similar: engage and invest in a chosen few to become fraud risk specialists, empowered to leverage the workforce internally and data externally, and keep abreast of the latest fraud trends, to become your corporate defence. By leveraging the data available to you internally, and mining it intellectually, those Spartans with laptops might just be your saving grace.

By Howard Cooper and Zoë Newman, managing directors and co-heads of financial investigations at Kroll, a division of Duff & Phelps

The trends shaping anti-money laundering in 2020

With real-time transactions gaining popularity and new legalised product markets (such as cannabis) emerging, anti-money-laundering (AML) regulations are getting tougher and more complex.

New payment transaction types allow money launderers to apply smarter schemes. The adoption of peer-to-peer payments via services such as Google Pay, PayPal, Popmoney, Square Cash, Venmo, Xoom and Zelle complicates tracing funds and catching money-laundering activities. Cryptocurrency payments are on the rise, along with related money-laundering activity. This allows money launderers to employ covert new account opening, layering and structuring schemes to facilitate faster and less detectable money laundering.

At the same time regulators are creating more-complex compliance regulations at breakneck speeds. The list of mandates related to AML is getting longer every year. Regulators are responding to and keeping up with an increasing number and sophistication of money-laundering schemes. New AML regulations effective from January 10, 2020, mandate that new kinds of organisations, beyond traditional financial services, must perform AML activities.

Preventing and reporting money-laundering activities is a key issue for financial institutions, insurers, gaming and gambling organisations, utilities and telecoms, especially during periods of economic and budgetary constraints such as the one we are currently experiencing. Forrester expects that, in the next three to four years, firms that enable customers to create an account and store and move money in and out of that account will have to comply with AML regulations in their appropriate jurisdiction:

Third-party data integration is driving AML deployments: Your decisions are only as good as the data you base them on. More and more firms are using productised vendor integration between their AML solution and third-party watchlists, alongside device ID and IP address reputation hotlists, to deliver better decision support.

AML and fraud case management are slowly unifying: Firms face pressure to unify AML and fraud case management to reduce the costs of data integration, model development and investigative labour. Since AML and fraud management both use pattern and behavioural anomaly identification, it makes sense to break down their operational silos and establish a unified fraud plus AML strategy (FRAML).

Handling AML risk-scoring models is getting harder and attracting more scrutiny: Today’s financial institutions have to maintain an agile and explainable process for continually improving their models. Lifecycle of model development has to be explicitly supported by AML solutions from the ground up.

Integrate once, communicate often

Failing to improve a business’ AML regime can expose it to regulatory fines, sanctions and even higher levels of fraud. In today’s complex and online-first environment, where faceless registration and application is the norm, it’s important to coordinate and unify efforts to build on existing data ingestion methods and create new unified methods for as few AML suites as possible. At a minimum, there should be an internal sharing database with tight access controls to disseminate hotlists about known money launderers’ identities.

It’s also important to supply as much alert and case context to investigators on one screen as possible. Solutions are getting much better at being able to customise case management screens to include map information and link analysis, and predictively recommend other cases to look at or to investigate. Having a single-pane-of-glass view of transactions and entities reduces the likelihood of investigators missing important case details.

Find out more about Forrester’s research topics on Fraud Management and Financial Services here.

by Andras Cser, VP and Principal Analyst, Forrester

Mimicking consumer behaviour is key to effectively and successfully tackling ad fraud

Ad fraud will cost businesses $35 billion this year alone, with an additional $5 billion in indirect social and economic costs, according to a recent report by digital media cyber-security specialists CHEQ. In fact, digital ad fraud is forecast to overtake today’s $27 billion in credit card fraud as criminals’ go-to medium. This is no surprise given the online population’s rapid growth as a result of Covid-19 restrictions.

To clarify, digital ad fraud is an intentional activity that prevents advertisements from being delivered to the right audience or location. The malicious risks marketers face today are getting increasingly sophisticated, and therefore greater, than previously anticipated.

The digital advertising environment now involves thousands of intermediaries, presenting a plethora of dark corners in which fraudsters can conceal criminal activity. Fraudsters know when they’re being watched and have become even more dangerous, making it all the more challenging to prevent ad fraud.

As a result, 96 per cent of consumers say they have little trust in digital advertising – making it harder for marketers to demonstrate that their ads are legitimate. So what steps should organisations take to prevent losing much of their budget to fraud and, with it, consumer trust?

Traditional approaches to combating ad fraud have proven unsuccessful so far. During 2020, fraudsters consistently evolved their techniques, making it extremely difficult to spot malicious activity related to online advertising in real-time. Some examples include creating false social media impressions, inflating app store downloads, or posting fake reviews.

The key to fighting ad fraud is to use technology that emulates a real user. This way, those involved in fraudulent activity will not know they are being watched. With data collection networks based on residential IP addresses, one can simulate the presence of legitimate users. To date, this has been proven to be the only effective way to fight fraudsters.

Data collection strategies built on IP proxy networks are already being used by thousands of global brands and businesses. Large enterprises, e-commerce companies, financial service providers, security firms and marketing agencies are all using IP proxy networks. Doing so allows them to view the internet openly, with the same complete transparency as the typical consumer.

The value of IP proxy networks – unlocked

Data collection platforms based on IP proxy networks enable businesses to access any openly available online data without being blocked or deliberately served misleading information. This gives businesses access to clean, reliable data in real time from anywhere in the world. As every advertising campaign is constructed from complex and extended digital journeys of ad content, it’s crucial for advertisers to ensure their content reaches the exact demographic they are aiming to influence.

This demographic targeting is based on an individual’s IP address. To view ads just like your desired target audience does, marketers need to have access to an IP address originating from the same market – in other words, from the same country, city or even device.

Brands may be able to do this themselves, but they carry the risk of being identified by fraudsters who will quickly cover their own tracks. Fraudsters can spot when brands using non-consumer IP addresses are watching them. When they know they are being monitored, these fraudsters will quickly respond by showing your business false information so they can continue their malicious activities.

Therefore, if brands want to effectively verify and test their advertising campaigns, and ensure that they safely reach their target audience, they need a way of viewing the internet as if they were one of the millions of global consumers they target – no matter where they are located or which device or internet service provider they are using. With an IP proxy network, they can simply follow their advertising campaign just like their target audience is meant to do.

By using IP proxy networks, advertisers can test the different ads being presented to users, which are all competing for their attention. Take a social media brand, for instance. It could leverage an IP proxy network to split a user session and check all ads served to that particular user at that particular time, without being hijacked by fraudsters.

Why businesses need to be able to learn from fraudsters

In 2020, digital advertising has grown by 6 per cent despite the pandemic. Ad fraudsters have continued to develop new methods to identify a business's advertising 'soft spot 'and exploit its revenue chain, and businesses should take a similar approach in response, taking advantage of new methods of prevention as they emerge.

Brands must protect themselves by using an IP Network, as this can leverage the real IP addresses of consumers, allowing businesses to see advertising campaigns exactly as real consumers see them. In short, this allows you to make sure that your ads are seen by the right people, in the right places, and at the right times – and that you get the right level of return on your ad spend.

To learn more about how you can fight ad fraud, increase ROI and protect your brand’s reputation through an IP proxy network, visit Luminati Networks’ website for specialist advice and a seven-day free trial.

Sustainability risk management: crazy or crucial?

Another onerous task or a boon? How is sustainability risk getting formalised and what can it bring to the table for third-party risk management?

Thanks to the emerging economic trends of the past three decades, third-party risk management (TPRM) has become a top operational risk priority.

First of all, globalisation created sprawling and hence often obscure supply chains. Outsourcing, one of globalisation’s main features, shifted responsibility further from manufacturers and service-providers while bringing unprecedented profit growth.

The more recent “platform economy” enabled by digital technology requires the collaboration of a wide array of partners and vendors, as well as the sharing of technology and data between them. And cloud computing, the biggest game changer of digital transformation, can involve storing even mission-critical data outside the perimeter of the company, thus bringing cybersecurity into sharp focus.

In the pre-digital transformation days, when consumers cared only about getting good value for their money, third parties had little visibility. Until footages of sweatshops and articles about labourers toiling away for a pittance on plantations on distant continents became available, third-party risk was an issue that corporations could avoid reckoning with.

Compare this to how environmental and ethical expectations of third parties, and indeed any corporate players, have recently become extremely nuanced. Today, providing decent wages and working conditions is regarded as the baseline.

When it comes to human rights and the environment, for example, no aspect or implication, whether direct or remote, is overlooked. A clothes manufacturer’s support of gay rights can get tarnished if their Pride-themed line had been made in countries punishing homosexuality.

Another example is how some companies are nowadays getting squeamish about their insurers and dumping them if they underwrite risks of businesses engaged in fossil fuels. Even special third parties, such as sponsors, are being brought under close scrutiny and rejected if they are associated with sectors stigmatised by climate change.

The urgency of integrating sustainability risk into TPRM

TPRM, despite being around for some time, still has its persistent problem areas. One of the classical setbacks is that the identification and assessment of the risks that vendors pose – whether reputational or compliance- or cybersecurity-related – are rather difficult thanks to their tendency to drag their feet and provide sporadic information when required to self-assess.

To make TPRM less time-consuming, pre-completed assessments are available through risk exchanges, and so are vendor-chasing services and automated risk assessment platforms.

Yet, the assessment of risk is only as accurate as the information fed into the system. And when it comes to environmental, social- and governance-related risks, it seems even harder to establish what controls your third parties have in place and make an accurate management of the risks that trading with them involves.

There are several reasons for this. First, many companies see sustainability risk isolated from traditional risk management. Experts often report being asked whether they provide sustainability risk management services, as if it was an entirely different area of expertise.

Also, there are consistent discrepancies in disclosing and communicating sustainability risk. As the time horizon for sustainability risk is two to four times as long as for general risk, it’s often felt that they don’t have materiality – or relevance – to the operation of the business.

Therefore, as an earlier report from the Cambridge Institute for Sustainability Leadership pointed out, risks discussed in sustainability reports often don’t make it into corporate risk disclosures or risk registers.

However, feedback coming from consumers as boycotts, from investors as divestiture and in the form of penalties from authorities, have the potential to lend materiality to sustainability risks that have been passed on to society up until now. Or, if companies remain in denial about them, they may morph into financial risk and impact the bottom line rather negatively.

The gathering momentum for sustainability reporting

The regulation of environmental and social risk may sound like a double-edged sword for TPRM. They make the sustainability aspect of third-party risk assessment easier for businesses, especially in the long run, and reporting harder for third parties. But the current global and digital economic system is so complex and interconnected that, more often than not, a business having third parties is also a third party to other enterprises or organisations.

In the light of broader stakeholders’ and societal interests, a regulated space with a manageable number of standards and clear-cut rules is undeniably of huge benefit, and recent developments show that this is going to be the direction of travel.

Consider the EU’s planned update to its Non-Financial Reporting Directive, significantly ramping up mandatory sustainability reporting as well as the recommendations of the Financial Stability Board’s Task Force on Climate-Related Financial Disclosure (TCFD), which the EU Directive also integrates.

These are the same recommendations referenced by Chancellor of the Exchequer Rishi Sunak on 10 November, when he announced that from 2023, all publicly listed UK companies with a premium listing will be required to “comply or explain”, a rule all three documents mentioned share. It means that if a business believes a certain environmental risk has no materiality, they need to justify it.

The fact that the idea of mandatory climate reporting is gaining wide public support from financial institutions, end-user businesses and governmental departments alike is a guarantee that it’ll bring significant improvement in the quality of reporting this time round. (The UK’s move has support from BlackRock – the world’s biggest asset management company – while 1,500 organisations back the TCFD guidance.)

Social reporting is likely to follow suit. Paris-based global consultancy Mazars pointed out early on in the Covid crisis how businesses are being watched closely and evaluated on their efforts to mitigate the social damage of the pandemic: whether they deserve kudos for absorbing some of the social shock or have adopted “bunker mentality that included cancelling orders and forcing premature redundancies on vulnerable suppliers”.

Those managing third-party risks may at first feel overwhelmed by this shift toward mandatory sustainability risk management. A new reporting framework with established standards, however, may free a lot of their time in the long run and make the assessment of third-party risks faster and their management more efficient.

To learn more about the TCFD recommendations, visit www.cdsb.net/tcfd-implementation-guide.

by Zita Goldman

Employee fraud: can technology tip the balance in favour of investigators?

People have always committed fraud and always will – and some could be your employees. However, the tools have changed, particularly in the past decade, and technology has multiplied the opportunities, resulting in an exponential increase in cyber-crime.

On the flip side, fraud investigators have many more sophisticated IT tools to prevent and detect this. So who will win the ongoing fight against fraud?

Why recruitment processes can’t eliminate employee fraud

Any robust fraud prevention strategy must encompass both the human and technical sides of fraud. Studies suggest that people fall into three equal groups when it comes to committing fraud. A third are completely honest and will not perpetrate fraud whatever the circumstances. Another third will be open to committing fraud depending on the circumstances. The final third comprise the “rotten apples” who will always seek to defraud their employer.

Sifting out the rotten apples

Organisations should always seek to employ the first third and not the last third – but clearly it’s not quite as simple as that. A well-designed recruitment screening process can remove rotten apples by confirming key dates for a candidate’s employment and education history, seeking proof of qualifications, and taking up verbal references (which may reveal more than a formal process). Explanations for gaps in work or education history should be sought, and of course criminal record checks carried out where appropriate or allowable.

None of this will identify the middle third, who by definition appear to be model employees until certain circumstances occur. According to the fraud triangle theory, these circumstances arise when two of three elements are present: for fraud to occur, the theory goes, two of three elements (pressure, opportunity and rationalisation) should be present.

Most of us believe we would never commit fraud but there may be a certain point in someone’s life, or a set of exceptional circumstances, where that may change. Triggers for pressure could include an expensive divorce, serious illness in the family, or a costly habit or addiction. The resultant pressure could arise years after the employee is hired, so the recruitment screening process will never identify it.

The higher an employee rises through the corporate ranks, the greater their opportunities tend to be and the more danger they represent. They have won colleagues’ trust (“I can’t believe he would have done that – we worked together for 15 years. I even went on holiday with him!”). They can commit the organisation to major transactions and know the controls in place – and the weaknesses in those controls. All this creates an opportunity that, combined with the right pressure, can lead someone from the middle third to commit a fraud.

This example shows why technology is an essential complement to human anti-fraud activities. Here, a technical solution is required to catch any signs of fraudulent behaviour or red flags that weren’t picked up by the recruitment screening process.

The power of artificial intelligence to detect fraud

Artificial intelligence, or AI – defined as “computers acting in ways that seem intelligent” – has been in commercial use since the 1970s in the form of rules-based expert systems. But until recently, the application of AI was constrained by computational power and data availability. Those constraints are now gone.

Modern, cloud-enabled AI can operate in real time or close to it. It can concurrently analyse transactional data alongside, for example, chat room or email communications and customer relationship management systems. With algorithms tuned for organisational specifics, more fraud can be detected faster, and with less human involvement.

But the aim isn’t to engineer humans out of the equation: it’s to create adjoined networks of humans and computers “acting in ways that seem [even more] intelligent.” The objective of identifying more fraud must be balanced against the numbers of machine-identified false positives requiring human resolution. With sufficiently large data sets, various permutations of machine learning become available and relevant, and promise to make analyses ever more effective.

Advanced AI solutions take advantage of both database and textual information from internal and external sources. Freely accessible sources, such as the UK’s Companies House, can verify against reference data. A technique used as part of the FTI Augmented Investigations® capability automatically identifies and acquires data about entities mentioned in, for example, adverse media reports. By iteratively acquiring information on companies and their directors, and then those directors’ other company affiliations, and so on, a network of related parties is created, and can then be linked to internal information.

Graph databases, made famous by the Panama Papers data breach, reveal relationships between entities. As well as presenting data visually for human review, these can mathematically identify key participants within a large group, given a sufficiently comprehensive dataset.

Focusing narrowly on specific problems allows for more efficient identification, but may miss variants, leading to false negatives. Conversely, tools that aspire to identify fraud more broadly will create more false positives and require more human engagement to resolve alerts – initially, at least.

It’s easier to use technology and data to prevent fraud than to catch it. Employee onboarding tools should make the most of available reference data and well-designed risk measures.

Like the pendulum on a clock, fraud cannot be overcome without technology powering it on one side and human analysis of data and behavioural patterns on the other. The swing from one side to the other makes investigation teams function as they should, with each element complementing and enhancing the other.

By Andrew Durant, a senior managing director, forensic accounting services and Nick Hourigan, a senior managing director, data & analytics at FTI Consulting

Why a feasible fraud management strategy needs to take the inevitability of digitalisation into account

Why a feasible fraud management strategy needs to take the inevitability of digitalisation into account

Fraud risk management has always been an essential part of any company’s overall risk management process, although the amount of effort to manage this risk will differ, depending on the type of business and industry sector. Fraud risk management has always been tricky to negotiate – today even more so, thanks to the increasing involvement of technology in all aspects of business.

Digitalisation has been a common buzzword in every industry over the past few years, even more so in the Covid-19 era. To remain competitive and reach customers faster and further, companies started embracing digital technologies in customer acquisition, product sales, receiving payments and many other areas. And in the Covid-stricken economy, reaching customers digitally was the safest way to do business. Many organisations without a digital outreach mechanism failed, or will be prone to fail as the pandemic continues. But almost every organisation seems to be determined to learn from the pandemic and improve customer experience by tapping into digital technologies. Before the pandemic, digitalisation was seen as nice to have, but the pandemic has made it a survival mechanism.

The common understanding is that companies tend to stop all discretionary spending during a pandemic or economic downturn, due to whatever might have caused the downturn. Cost saving and being economical in whatever companies do is the norm during a pandemic – continuous investments in digital technologies may be the exception, but hardly a surpising one given the benefits of engaging customers digitally.

An increasing level of fraud risk

With the increased digitalisation level in companies due to the reasons mentioned above, the remote processing of transactions and digital processing of payments have become the new normal, making it easier for fraudsters and cyber-criminals to perpetrate fraud. Customers are becoming digitally literate about how to transact online, but that doesn’t necessarily mean they understand the nuts and bolts of the risks they are facing. Therefore, it is incumbent upon companies to ensure systems can identify the vulnerabilities and flag them up before the brand’s profit or reputation are endangered.

In the digital context, manual prevention methods become impractical and less relevant. Companies need to start looking at fraud management using digital tools, and fraud management has to be performed on a real-time basis instead of being identified after it has occurred. Two areas will be crucial to fraud management in the digital economies in the future – without them working in coordination, the effectiveness of the future of fraud management will be in doubt.

Use of digital tools in fraud management

When it comes to digitalising businesses and facilitating a seamless customer experience in the battle to win customers, corporates have to remember one thing. Most of the time, there will be an increase in fraudulent activities through digital technologies and connectivity to the internet. Fraudsters are getting more sophisticated with their attacks, so companies must pay greater attention to managing digital fraud with digital tools.

Companies have to focus on the tools that incorporate AI, machine learning, and big data concepts without just limiting the rule-based fraud identification mechanism. Further, reporting of fraud red flags and fraud incidences have to be on a real-time basis to prevent fraud in the first place. The detection alone will not be the solution, because of the speed with which transactions are processed without a proper audit trail. “Prevention is better than cure” holds true in fraud management in the digital era.

Digital literacy of anti-fraud professionals

Historically, anti-fraud professionals did not need sophisticated digital know-how to understand how fraud happens and how it can be identified and prevented. But with the increasing proliferation of digital technologies and companies investing in digital tools to manage fraud, anti-fraud professionals need to be not only digitally literate, they also need to keep that digital literacy up to date.

The pace of development of fraud management tools has been rapid when compared with several years ago, in part due to the increased demand from companies. However, one issue is that those in charge of using and managing those tools are in many cases not equipped with adequate knowledge of the subject matter to be able to do so efficiently.

Therefore it becomes vital for companies to start investing in digitally literate employees when they staff forensic teams. In many cases where companies tried to educate old-fashioned forensic professionals in this new knowledge, I was reminded of the old saying, “you can’t teach an old dog new tricks”. Hence, to achieve success in fraud management in the digital era, companies need to think about the level of risk management, and the level of cyber-security knowledge in the people they hire.

If not, mere investment in the digital tools with the latest technology in fraud management would not yield the expected results and expectations of such investments.

The Institute of Risk Management has developed a Certificate in Digital Risk – this new specialist certificate, awarded by the IRM and developed with support from the WMG Cyber Security Centre and Department of Politics and International Studies at the University of Warwick, has been designed to equip individuals to apply and develop their skills in an increasingly digital world.

For more information please click here.

Saman Bandara

Global Ambassador APAC, Institute of Risk Management Partner, Head of Assurance, Financial Services, Head of Forensics & Forensic Technology, EY Vietnam

Protecting the public purse from grant fraud

Protecting the public purse from grant fraud

It seems strange to say so, but in many ways, the pandemic has brought people together. In the spring, we saw neighbours come together every Thursday night to thank and celebrate health and care staff through Clap for Carers. Thousands upon thousands signed up to be a part of the government’s volunteer army. In more recent months, the government’s decision not to extend free school meals for vulnerable children over half term and Christmas prompted councils, businesses and communities to step in to fill the breach. At individual, organisational and sub-national levels alike, we have seen inspiring displays of compassion, kindness and community spirit. If only that were all we’d seen.

As much as we’d love to be able to say that the pandemic has been the great unifier of our generation, it would ignore the fact that many have taken advantage of the chaos and uncertainty to line their own pockets. In September, HMRC told the Public Accounts Committee that up to £3.5 billion in Coronavirus Job Retention Scheme payments may have been claimed fraudulently or paid out in error. The bank advising the government on the Bounce Back Loan Scheme twice raised concerns that the scheme was at “very high risk of fraud” from “organised crime”. And over 100 councils have identified more than £8 million in fraud to the National Anti-Fraud Network. It is clear that we have seen the worst in people as well as the best.

Criminals taking advantage of uncertainty to commit fraud in the public sector is by no means a new phenomenon. However, the sheer amount of public money now being given out at pace in the form of discretionary grants means that grant fraud has been, and will continue to be, a particular risk to the public purse.

Unsurprisingly, the focus from government has been on getting funds out of the door to the businesses and people that needed them most. While this was necessitated by the crisis, the reduced emphasis on control and weakening scrutiny means that we have seen an increase in the success rate of fraud in the past year.

However, this period of increased risk has also represented an opportunity to improve the public sector’s approach to tackling fraud. During CIPFA’s annual conference in October, Neil Green, Deputy Director for Counter Fraud and Investigation at the Government Internal Audit Agency, highlighted that increased collaboration between UK local government and the Department for Business, Energy and Industrial Strategy had resulted in an increased focus on fraud prevention, rather than simply detection and prosecution.

The need for a greater focus on prevention is an issue that we at CIPFA have been emphasising to the sector for some time. For a long time, the approach to fraud in local government has been largely reactive. While fraud investigation still has its place in a robust fraud strategy, a detection-first approach to addressing the issue, more often than not, represents an attempt to close the gate once the horse has already bolted. It requires substantial time and resource to pursue and investigate potential incidents, with no guarantee that those funds will be recovered successfully.

While preventative measures mitigate against this, they come with their own challenges. Many local authorities have highlighted that making the business case for greater investment in prevention is particularly difficult in the absence of established, proven methodologies to quantify savings that would result from prevention activities.

We accept the challenges in making that case – the move to focus on prevention will need close management, strong risk assessment and room to evolve. But most of all, it will require courageous local authority leaders to strike out and pioneer these approaches to share best practice with the sector at large.

We at CIPFA will continue to support local authorities and the public sector more widely in this mission, because we are clear that a prevention-first approach represents the biggest opportunity for tackling public sector fraud and protecting the public purse.

by Rob Whiteman, CEO, CIPFA

INDUSTRY VIEW FROM CIPFA

300 years since the South Sea Bubble: the real story behind the iconic financial crash

Helen Paul, University of Southampton

Coronavirus has caused a great deal of stock market turbulence and, somewhat inevitably, comparisons have been made to the volatility caused by the South Sea Bubble 300 years ago. This was the moment when, in 1720, share prices in London boomed and then fell sharply. It is thought of as a major economic disaster and huge scandal.

In reality, it was a scandal but not much of a disaster. While some investors lost out from the speculation, it did not make much of a dent in the wider economy, unlike the more recent crashes of 1929 and 2008 – and what the long-term economic effects will be from COVID-19.

The episode shows how a perceived crisis can be the subject of intense public outcry and moral panic, even when people do not understand what has happened. It shows how the narrative told to the public can easily diverge from the truth: fake news, if you will.

What actually happened

The real reasons behind the bubble are complex. The South Sea Company, which gave its name to the event, helped the government manage its debt and also traded enslaved Africans to the Spanish colonies of the Americas. The government struggled to pay holders of its debt on time and investors had difficulty selling on their debt to others due to legal difficulties.

So debt holders were encouraged to hand their debt instruments to the South Sea Company in exchange for shares. The company would collect an annual interest payment from the government, instead of the government paying out interest to a large number of debt-holders. The company would then pass on the interest payment in the form of dividends, along with profits from its trading arm. Shareholders could easily sell on their shares or simply collect dividends.

The debt management and slaving aspects of the company’s history have often been misunderstood or downplayed. Older accounts state that the company did not actually trade at all. It did. The South Sea Company shipped thousands of people across the Atlantic as slaves, working with an established slave trading company called the Royal African Company. It also received convoy protection from the Royal Navy. Shareholders were interested in the South Sea Company because it was strongly backed by the British state.

By the summer of 1720, South Sea Company shares became overvalued and other companies also saw their share prices increase. This was partly because new investors came into the market and got carried away. In addition, money came in from France. The French economy had undergone a huge set of reforms under the control of a Scottish economist called John Law.

Law’s ideas were ahead of his time, but he moved too quickly. His attempts to modernise France’s economy did not work, partly because the rigid social system remained unchanged. The French stock market boomed and then crashed. Investors took their money out of the Paris market – some moved it to London, helping push up share prices there.

Once the South Sea Bubble had started to inflate, it attracted more naive investors and those who would prey upon them. While it was clear that the high prices were unsustainable, canny speculators bought in hoping to sell out in time. This pushed up prices even more, in the short term. The stock price went up from £100 in 1719 to more than £1,000 by August 1720. The inevitable crash back down to £100 per share by the end of the year came as a shock to those who thought they could make their fortunes overnight.

The backlash

The crash provoked huge public outcry. Politicians demanded an inquiry. South Sea Company directors were accused of treason and fraud. Poems, plays and satirical prints criticised the market and those in it. The chancellor of the exchequer was briefly locked up in the Tower of London. The company’s directors were forced to appear in front of parliament.

The amount of noise generated by these reactions helped make the South Sea Bubble famous. From then on in, it became a byword for financial scandal. Yet many people could not really explain what had happened. Perhaps surprisingly, economic historians can find little evidence of a prolonged economic recession. The bubble burst but without the major effects of later financial crises.

So why all the fuss? First, the crash happened in the early days of the stock market. There was no body of financial theory or financial journalism which could help explain it to laypeople. They turned instead to conspiracy theories or strange ideas about people becoming gambling mad.

Second, there was talk of people being given their money back. This gave losers every incentive to talk up their losses. It is human nature to complain, even about a small loss. The popular perception is that great fortunes were destroyed, but there is little evidence of this beyond one or two cases.

Third, this was a glorious opportunity for schadenfreude and various sorts of prejudice to be expressed. Female investors were lampooned by misogynists. Foreigners and various religious groups were the subject of racist commentary. There was no expert analysis available and commentators, with no real understanding of finance, provided scandal and scapegoating instead of accurate reporting.

The South Sea Bubble has been a symbol of financial crisis for 300 years. But like other more modern crises, its public image diverges from the reality. The same probably can’t be said for the COVID-19 pandemic, which will have a much more deep and lasting effect on the world economy.

Helen Paul, Lecturer in Economics and Economic History, University of Southampton

This article is republished from The Conversation under a Creative Commons license. Read the original article.

How Covid-19 can drive safe digital insurance transformation

Almost 20 per cent of insurance claims contain an element of fraud, according to a recent FRISS survey of insurers from 52 countries.

That’s a high number. Insurance is founded on honesty, and most policyholders are honest; those who aren’t drive up premiums. Fraud cannot be accepted as a cost of doing business – as Celent analyst Marty Ellingsworth says, “Fighting fraud is not a strategic competitive advantage. It’s the right thing to do.” And with Covid-19 impacting the industry, automated risk analysis is a strategic necessity for a safe digital transformation.

Covid-19 insurance trends

Covid-19 has left us with the worst economic crisis in living memory, and the effects will be long-lasting. As government support tapers off, the anticipated increase in unemployment and economic uncertainty will put more pressure on households and businesses. That will give rise to an increase in insurance fraud. Fortunately, most insurers realise quality data and real-time analytics can help solve the problem.

The survey shows Covid impacting insurance companies in three major ways:

Increased workloads
Fewer inspections because of remote working
An increase in suspected or proven fraud

While fewer claims have been made since the pandemic, insurers are also reporting more fraud. The schemes are similar, but people are committing fraud earlier due to anticipated financial problems.

The need for real-time fraud checks

Covid-19 has also forced organisations to focus more on digitalisation and reducing costs. A more digital process without fraud checks can leave insurers exposed.

A recent example was a tattoo parlour that reported a break-in, with a lot of cash stolen. The amount represented a lot more than the shop’s normal turnover, which real-time detection can flag.

Such proactive alerts that are based on events and data need to be part of your digital process – they can help streamline the workload, reduce the cost of claims and prevent payout of fraudulent claims. Consistently applied, they’ll help you fast-track genuine claims while freeing up time to investigate suspicious activity.

Leverage the potential to drive trust

We all hope the impact of coronavirus will soon fade – however, the economic fallout will last for a long time. In a survey by the ACFE, 92 per cent of respondents expected an increase in fraud over the next 12 months. As insurers drive digital change, it is important they remember to include fraud prevention as part of their digital toolkit. We see insurers moving towards the real-time monitoring of risks and fraud and proactively monitoring policies and claims throughout the life-cycle, to make sure they can run a healthy portfolio.

We are working closely with our customers to keep risk and fraud schemes relevant and up to date – and we’re proud to note that last year our customers were able to save more than $1 billion as a result. So let’s not wait for what Covid brings us, but proactively start fighting fraud. Your honest customers deserve it.

By Christian van Leeuwen, CTO and co-founder, FRISS

Christian.van.leeuwen@friss.com