This article was first featured in Accountancy Daily.
Around the world, businesses have been caught unprepared in dealing with the challenges brought by COVID-19 in early 2020. The finance sector in particular is neither immune to, nor has escaped, the impacts of the pandemic. As countries went into lockdown one by one, remote working and reliance on digital platforms and online transactions have become the new norm. This new way of working has also brought about a heightened risk of fraud in the sector. This takes many forms:
Since the beginning of global lockdowns, the number of social engineering attempts has increased significantly, exposing financial services companies to both internal and external fraud risks. Social engineering feeds on the human element and the vulnerability of systems controls: employees having their guard down, and access to confidential information, which may then lead to financial and identity fraud. As explained below, monitoring and compliance become far more challenging with a dispersed workforce.
Running parallel systems – the ‘side hustle’
With employees working remotely, it is extremely challenging to monitor whether they are using their personal laptop and telephone side by side with the company-issued equipment. This allows staff to trade on their own behalf or run parallel businesses whilst they are ‘at work’.
We should not underestimate the effect of the psychological pressure and stress faced by individuals working in the finance sector as a result of the pandemic and ensuing recession. As government-funded furlough schemes are wound down, uncertainty persists regarding the ability and speed of economies to recover, and job losses are announced, personal pressures increase on employees and their families. At the same time, business pressures to deliver on targets and the ongoing restructuring of teams, some of which had started before the pandemic, mean that individuals’ ethical compasses become less rigid and employees become more susceptible to potential compromise, and insider fraud increases.
Oversight & monitoring – use of devices
While the usage of personal devices for formal business operations is largely prohibited, this can become more difficult to enforce and monitor with remote working. Conversely, there is a far greater risk of personal use of company equipment, either by the employee or by their families. Consider a scenario where children are home-schooling, and their computer breaks. The employee may feel significant pressure to let the children use the work laptop. Monitoring controls and compliance need to be alert to both potential scenarios, as well as weaknesses in employees’ home IT infrastructure.
Oversight & monitoring – on-site compliance
Many companies in the finance sector have a global presence. However, with restrictions on travel imposed as a result of the virus, compliance and internal audit teams have not been able to travel to perform on-site audits and reviews. While those functions have taken to undertaking their work remotely, there is undoubtedly no replacement for the benefits and effectiveness of on-site audits and reviews.
So what should companies in the finance sector do to protect themselves against fraud risk in light of the pandemic? As may be expected, the elements of a robust control environment are applicable, including:
- Risk Assessment – this is still the cornerstone of a compliance programme. With increased and changing business pressures, ensuring ongoing consideration of the risks of fraud must be key to being able to demonstrate to stakeholders an institution’s robust response to changing circumstances.
- Control Activities – based on the risk assessment, adapting procedures to the new circumstances, updating business continuity plans and considering changes that need to be made to security protocols.
- Communication – increasing training of staff on these new challenges, as well as taking the time to ensure that employees do not feel isolated or disenfranchised due to the enforced circumstances of constant remote working.
- Monitoring – given reductions in levels of business, companies should, where possible, resist the inclination to cut the lines of defence. As discussed, remote monitoring and audit will be more difficult, but previous audit and compliance plans will need to be updated to address the changing fraud risk landscape.
These are not activities in a vacuum; they are important to ensuring that ongoing changes in the world, affecting the business, the way in which business is undertaken and the employees who support the business, are continually reflected in the culture of the organisation.
Businesses have been adept in changing the way in which they operate in light of the pandemic. However, it has also meant exposure to increased vulnerabilities, with less face-to-face human contact and a dependency on financial systems and platforms.
Whilst remote working has enabled business continuity and the flexibility for employees to continue work from the safety of their own homes, it has also heightened fraud risks in the sector. As we settle into the new norm of remote working, companies need to ensure that appropriate safeguards are implemented to protect companies in the finance sector and those businesses that are reliant on the sector.