If remote working is to be a significant part of the ‘new normal’ as we exit the COVID-19 lockdown, what are the implications of this shift in how and where business is conducted for fraud and compliance? We argue that many of the controls which may have been previously effective in the workplace, will need to change now and into the future. Adapting existing controls to the remote working environment, the use of data and analytics in monitoring risks, and the proper balance between human and technological oversight will become more important as the ‘new normal’ takes hold.
As noted in our previous article, “Modeling the End of the Lockdown”, exiting the lockdown will prioritize releasing those less likely to be harmed to protect the vulnerable while restarting ailing industries. This staged return to work will still leave many, if not most, working in a remote environment for months and quite possibly much longer.
At the same time, businesses must confront unprecedented pressures, particularly to respond to customers’ changing needs in the fall out of the COVID-19 pandemic. Revenue and supply chain disruptions, for example, introduce strong temptation to fast track new suppliers needed to source products in high demand. Wrongdoers, meanwhile, are laser focused on the opportunities presented by these circumstances to exploit businesses and individuals.
When you take into account the reduced labor available to companies due to circumstances including sickness, social distancing measures, furloughs and/or layoffs, tough decisions on the deployment of resources lie ahead. With the backdrop of unprecedented revenue pressures, it is inevitable that decision makers’ focus will be on generating new business and controlling cost. Temptations to relax, or even ignore, certain controls designed to counter fraud and corruption will grow at precisely the same time that risks from fraud and corruption skyrocket. Management should be asking: “how do we maintain effective lines of defense in such a climate?”
So what are the implications for fraud and non-compliance in this new environment, and how should businesses maintain effective lines of defense? Here we just pick on a couple of areas by way of example, when clearly there are many more which risk assessment and mitigation reviews need to consider. We think that with such significant cost and time pressures, data analytics can help to effectively assess, mitigate and monitor these areas.
The changing nature of fraud and non-compliance
In this time of rapidly changing work settings, financial services and e-commerce are two sectors that have been affected the most.
Given the multitude of operational pressures on banks, such as fewer staff than normal available to conduct compliance activities and the increased need to onboard new customers remotely, banks are scrambling to adapt to the new normal, particularly with their customer due diligence checks. At the same time, financial institutions have obligations to monitor the vast numbers of transactions they conduct every day for potential money laundering activity and ensure they comply with the sanctions in place globally all in an environment in which they are facing a greater diversity of money laundering and terrorist finance risks. Criminals are using the current adaptions to make their attacks more effective. For example by taking advantage of remote onboarding to open accounts now, so they can take advantage in the future. At the same time, fraud typologies are shifting, meaning the existing data-driven transaction monitoring systems in place will need to be adapted.
The demand for online retail is greater than ever before. In just online grocery orders, this is evidenced by event volume (account logins and account creations in addition to transactions) increasing 23% in March for the US alone. At the same time, fraud rates in this sector have increased 68% in the same period as fraudsters are able to hide within the increased volumes of e-commerce activity. Additionally, fraud detection tools and algorithms that automatically decline suspicious customer orders may not work as well and lead to large numbers of falsely declined transactions. This leads to unnecessary revenue loss in the short term by rejecting valid transactions, and in the long term generates a lower rate of return customers due to poor customer experience. The need to keep pace with demand, and maintain revenue and profitability may cause these tools and alerts to be ignored.
It is not just businesses that have become more vulnerable, but also their employees. The incentive, opportunity and rationalization for employees to commit fraud is increasing as businesses cut jobs, reduce salaries and adapt compliance controls. For example, remote working by financial traders has seen concerns around how confidential information can be protected from being overheard in the domestic setting or being passed on using individuals’ own mobile phones. This risk is much reduced in the office setting where traders’ communications are tightly controlled and personal devices not permitted on trading floors. At the same time, employees are also more at risk of being the victims of financial crime through wire fraud. There is increased evidence of procurement employees for example, being duped by fraudsters into making money transfers to fictional suppliers pretending to supply in high demand goods such as Personal Protective Equipment (PPE).
Lines of defense must adapt
This is an unprecedented time for businesses under a storm of pressures such as those noted above, while dealing with mostly unchanged regulatory obligations. Despite the tough decisions being made on how best to allocate resources, this is not the time to neglect fraud mitigation and other compliance obligations. Businesses choosing to relax compliance controls must do so with great caution and ensure transparent communications take place with regulators. Compliance with regulatory controls should remain high priority for businesses, otherwise they create opportunity for criminals and risk regulatory investigations, leading to fiscal and reputational damages in the future.
If the ‘new normal’ of remote working persists, traditional controls on fraud and non-compliance such as physical supervision will simply not be possible in some cases. Compliance departments overseeing financial traders and other regulated occupations handling sensitive information will need to rethink how communications are monitored. For many businesses, existing training on preventing wire fraud and other criminal attacks will need to be reinforced, and this is the time to provide focused training/guidance to employees and consider whether it needs to be adapted to meet new threats.
Furthermore, the existing data science models used to detect non-compliance and fraud will need to be recalibrated to effectively detect the new fraud typologies, while not creating a higher level false positive which disrupts the business. Overall, the use of technology and data-driven monitoring controls will become more important, and regulators have been urging businesses to move in this direction for a long time. Whilst some businesses have taken steps to follow this advice, the current pandemic is accelerating the digitization of the workplace and providing an opportunity for businesses to take advantage of these data-driven approaches.
That being said, technology and analytics cannot be the complete solution, as you cannot effectively replace human supervision and compliance reviews with computer automation in many cases. There is a balance to be struck between technological and human supervision, and the key is to arm compliance teams with the best data, systems, and analytics to support making informed and timely decisions.
Given the pressures we see both on businesses and their employees with the ‘new normal’ and the changing criminal threat, a smart balanced approach like this will enable organizations to both keep costs down, and at the same time maintain the focus on preventing fraud and non-compliance.
FRA’s COVID-19 Resource Center
FRA’s expertise in data analytics, information technology, and data management is at our core. We constantly integrate data analytics into our services in order to provide clients with the insights to identify an effective (and quantitatively supported) path to resolution. Find out how FRA can help you develop forward-looking solutions to manage risk, adapt and thrive in a remote economy.