Introduction

Crisis fraud risk management is born out of a highly volatile atmosphere that can upend and overwhelm even the most structured fraud risk management program. This volatile atmosphere is with us today in the form of COVID-19. COVID-19 represents the single greatest challenge to fraud risk management (“FRM”) because pandemics and their effects were never identified as a driving force in the escalation of both existing and new types of emerging fraud. Moreover, business continuity plans had an isolated focus on operations rather than on people and operations, with much shorter timeframes envisaged.

“In a new survey conducted by the Association of Certified Fraud Examiners (ACFE) about the effect COVID-19 has on fraud, 90% of respondents reported that they have seen an increase in scams targeting consumers, with 51% believing the increase has been by a significant amount. Respondents reported seeing an immediate increase in a number of specific fraud schemes. Of those surveyed, 75% said they already have encountered an increase in phishing through government impersonation, and 71% report seeing an increase in charity fraud. They also have experienced an increase in fraudulent vaccines, cures or tests for the coronavirus (66%); third-party seller and buyer scams on legitimate online retail websites (64%); business email compromise scams (62%); and cyberbreaches (61%). Link to survey: ACFE COVID-19 survey.” [1]

Pandemic effects

There is no doubt that a pandemic can cause economic and financial hardship on a massive scale, at both the individual and the corporate level. In times of economic crisis, employees’ personal financial pressures tend to rise, which is often where the decision to steal and embezzle is rationalized. This justification can proliferate as many key individuals are wearing multiple hats, with a resulting dilution of segregation of duties. This rationalization extends to companies that face pressure to falsify their financials in order to meet earnings targets or to secure and maintain financing. Constrained supply chains and reliance on key third-party vendors may increase the incidence of bribery and corruption as the need to meet and support company objectives becomes paramount.

In this threatened environment, companies may seek to cut costs, and the cuts will often target non-revenue-generating departments (e.g. compliance, internal audit) while at the same time reducing budgets for control training.

The lack of fraud assessments that are integral to a comprehensive anti-fraud program only serves to leave organizations more vulnerable to the growing likelihood of fraud. As organizations make cuts in the attempt to operate with a leaner staff, they can find themselves caught in a perfect storm for fraud: mounting financial pressures motivating employees and customers alike, providing a common co-operative cause, fused with a highly toxic emotional, irrational and survival-based mindset acting as a powder keg.

Social distancing has increased online risk, with fraudsters having already found ways to use coronavirus warnings as a veil for malware injections and other fraud schemes. Social distancing has meant a greater need for, and increased usage of, contactless payments, and with it a proliferation of social engineering attempts, leading to an uptick in fraud in e-commerce and online payments and an incessant increase in both identity theft and account manipulation. This increase in social engineering has escalated with the reliance on home office environments, which by themselves offer fraudsters opportunities to both degrade and infiltrate organizations’ data and information systems.

Response

The first thing is to realize that such a crisis raises the vulnerability of the organization to fraud and is a true test of the fraud resilience of the organization. Outlined below are three countermeasures that the fraud risk program should adopt and introduce in the new challenging environment.

1. Re-evaluate and reassess fraud policy and procedures
The existing FRM framework needs to be re-evaluated and reassessed, knowing that a scan of the environment and the resultant ensuing pressures will create new emerging opportunities and stronger motives for committing fraud. The new normal will create new avenues, as outlined above, for the fraudster, which may expose the soft operational underbelly of the organization. There may be a need to get ahead of the fraud curve and proactively amend and adapt the policy and procedures to reflect the new normal, e.g. a new fraud taxonomy. Existing policy and procedures that may now be compromised in terms of operational efficiency will have to be adapted in a timely fashion with respect to the redrawing of fraud risk appetites and tolerances, with greater insight and participation from stakeholders.

2. Review and renew the fraud control environment
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.

3. Improve the fraud message, communication, and data channels
As the crisis continues, there is a greater need to engage and communicate the fraud message without overloading the individual with information. Sharing experiences and observations is paramount and can act as an early warning system. Fraud risk will be elevated in conjunction with, and heavily correlated with, the increased incidence and risk of cybersecurity and anti-money laundering issues. Information flows to understand this triad of threats need to be timely and aligned in a coordinated fashion from internal and external data sources such as Compliance, Information Technology, Audit and Third-Party Vendors. The organization must understand the interconnectedness of fraud with all the other risks facing the organization and be able to respond at the enterprise level.

One result of the new working environment is that information flows have increased, as a number of whistleblowers who are now either disengaged or emboldened by working at home have decided to come forth. According to a recent Wall Street Journal article, the U.S. Securities and Exchange Commission received about 4,000 tips from mid-March to mid-May, which is a 35% increase [2] from the previous period last year. Whistleblowing hotlines mean that there is a ready-made, low-cost source of information, and credible assessments can be conducted, provided the organization has the resources and resolve to investigate.

Fraud risk managers need to tailor their message to different audiences at a faster pace and need to be better communicators. Fraud communication needs to be reinforced and this extends to training needs, with the need to be creative, involving topics which are current, so the message is easily assimilated and on point. The importance of training needs to be emphasized and for once must be rigorously enforced with penalties for noncompliance.

With this information overload, fraud risk managers will have to provide clean, accessible, robust, and sustainable data, with the need to keep vast amounts of data for future inspection and audit. The amount of big data being generated will enable the more astute to redesign their control processes using a comprehensive data management set of both public and private data sets. The data flows need to be treated in perspective, with any anomalies explained, along with the number of false positives created by the increased data flow. Sanitization and regular inspection are a must to power the behavioral analysis which can detect new and existing incidences of fraud.

Moreover, certain segments of the customer base will be more prone to high risks, and fraud investigators will have to employ key behavioral analysis to drive informed decisions on whether transactions are fraudulent or genuine. Machine learning and artificial intelligence will have to be woven into the fraud risk manager’s fabric, providing data analytics that can be used to understand device vulnerability and attacks.

These challenges will alter the role and responsibility of fraud risk managers, who will become data custodians, model risk managers and ad hoc technologists.

Passing thoughts

Crisis fraud risk management means that fraud risk managers must have an adaptable and credible plan and stay focused rather than become embroiled in the crisis themselves. The three countermeasures above offer insight and guidance to alleviate the vulnerability and mitigate the number of fraud incidences in a crisis.

Professional Risk Management International Association