Reducing third-party fraud risk
August 2019 | TALKINGPOINT | RISK MANAGEMENT
Financier Worldwide Magazine
August 2019 Issue
FW moderates a discussion between Richard Shave and Natalie Butcher at BDO LLP on reducing third-party fraud risk.
FW: How would you characterise the level of fraud risk that can arise from third-party relationships in today’s business world?
Shave: It is difficult to overemphasise the level of fraud risk that third-parties represent to organisations in the modern world. Research carried out as part of our annual FraudTrack report found that third-party fraud was the most common type of fraud in 2018, making up some 24 percent of the value of reported fraud. Transparency International has described third-parties and intermediaries as “the single greatest area of bribery risks”. With risks coming from so many different sources, whether it be customers, suppliers, agents, intermediaries or other advisers, it is critical that organisations not only know who they are dealing with, but also have systems and procedures in place that are sufficiently nimble to keep pace with the ever changing fraud risks. When most people think about fraud they think of money being misappropriated in some way, but it is important to remember that the risks faced by organisations are much broader than that. Third-party frauds can manifest themselves in a number of different forms, ranging from bribery and corruption, bid rigging and accounts manipulation to large-scale data theft and reputational harm. Organisations face a huge challenge in recognising the key risks in their business and establishing appropriate systems and safeguards to mitigate those risks.
FW: How are regulatory and legislative developments influencing the way companies understand and deal with third-party fraud risk? To what extent are potential liabilities increasing in this area?
Shave: There has been a growing trend in recent years towards obligating companies to take greater responsibility for averting third-party fraud. Among the more significant developments was the introduction of the Criminal Finances Act 2017 in September 2017 making companies liable for failing to prevent third parties facilitating tax evasion. The Act also enhanced UK fraud legislation capabilities through changes to the suspicious activity report (SAR) regime, increased proceeds of crime powers, new disclosure powers to combat money laundering and the unexplained wealth orders regime. As legislative developments increase pressure on UK companies to mitigate third-party fraud risk, geopolitical developments are also expected to potentially influence risk levels. In May 2019 the UK National Crime Agency (NCA) warned that a ‘no-deal’ Brexit could push UK companies to greater contact with corrupt markets, potentially impacting the prevalence of bribery and corruption.
“The types of fraud most commonly encountered have shifted from simple schemes, such as the basic falsification of invoices, to the use of social engineering, hacking and email spoofing.”
FW: In your experience, what are some of the common failures and shortcomings when it comes to managing third-party fraud risk? What can companies do to ensure they do not end up repeating mistakes?
Shave: A common failure is organisations completing an insufficiently thorough fraud risk assessment in the first place, rendering their mitigation measures insufficient. Such organisations often end up pursuing more of a reactive approach to third-party fraud, spending a disproportionate amount of time dealing with emerging fraud issues, while remaining vulnerable to other, still unidentified fraud risks. Companies that adequately train their staff to understand third-party fraud risk will find employees more willing to follow procedures. Making it easy for staff to report concerns and even rewarding employees for identifying and mitigating third-party fraud risk can contribute to building a culture of fraud awareness and help organisations to proactively avoid repeating mistakes.
FW: What advice you can offer to companies on implementing and maintaining robust fraud monitoring systems? What red flags should companies try to identify among their third parties?
Shave: Organisations should perform regular assessments of specific fraud risks relevant to their particular organisation, and then design their monitoring programme around those risks using a range of internal controls, policies and data analysis processes. Modern systems allow for large-scale data analysis and automatic tripwires to be built into monitoring systems to help identify red flags such as transactional outliers, manual overrides, unusual patterns in data downloads, and changes to standing data or system authorisation levels. Third-party fraud involving employee collusion remains one of the more challenging types of third-party fraud to detect and we have seen an increase in fraudsters looking to embed ‘insiders’ into organisations. Monitoring of recruitment processes therefore remains a critical part of any organisation’s processes along with conducting regular fraud awareness training programmes. Such training can help organisations to actively promote the right culture and ensure that employees act as their ‘eyes and ears on the ground’, proactively looking for red flags. Among the key trends that staff should be made aware of are the increased use of social engineering by fraudsters when targeting employees, along with practical advice regarding the increased risk posed by cyber crime attacks.
FW: How important is technology and data analytics becoming, as a means to help detect instances of actual or potential fraud?
Butcher: The volume of electronic data created on a daily basis has exploded and continues to grow exponentially. In addition, the types of data being generated have become more complex. These developments render the traditional methods of data analysis obsolete, as technology is required to overcome these obstacles. In addition, the types of fraud most commonly encountered have shifted from simple schemes, such as the basic falsification of invoices, to the use of social engineering, hacking and email spoofing. These more sophisticated crimes are more difficult to identify, and technology solutions are required to efficiently discover these activities. Platforms exist that ingest financial data and apply a number of tests to assign a risk score to every transaction. The system can also build an artificial intelligence model, negating the need for specific tests but allowing anomalous transactions to be flagged automatically. These technologies can identify high-risk transactions within millions of records within minutes, and more effectively than the human eye. Tools can also graphically show the key themes within textual datasets and map email traffic between individuals. This helps to identify unusual activities and the people involved. Concept searching can effectively search for evidence of wrongdoing and uncover the use of code words to mask fraudulent behaviour.
“Monitoring of recruitment processes therefore remains a critical part of any organisation’s processes along with conducting regular fraud awareness training programmes.”
FW: To what extent should fraud detection systems be customised based on the different types of third parties that companies deal with?
Shave: Fraud detection systems should be carefully aligned with an organisation’s fraud risk assessment and reviewed for effectiveness on a regular basis. Different types of third parties present varying levels of risk and well-designed systems will pay careful attention to the risks identified from such factors as the territory, transaction type and the sector involved. Red flags can arise from a range of sources, including the involvement of brokers, unusual or advance payments, failure to cooperate with the organisation’s due diligence process, and the involvement of complex or unusual organisation structures. Automated systems and system-generated tripwires provide an increasingly valuable role in fraud detection, but organisations should be careful not to dismiss more traditional detection resources. Ensuring employees are both aware of, and confident in, the organisation’s use of whistleblowing channels can dramatically increase chances of detection. The often undervalued role of the internal audit team can also be crucial: a carefully customised series of fraud detection tests can also significantly enhance detection rates.
FW: What specific steps can companies take to address cultural and business attitudes toward fraud when working with third parties in emerging markets?
Shave: When considering geographic risk, organisations should consider carefully where the country is ranked on Transparency International’s Corruption Perceptions Index, and tailor their approach accordingly. Ultimately, different sectors and territories present different fraud risks and organisations will need to do all they can to mitigate those identified risks. Where organisations are contracting with third parties in countries less motivated to actively prevent financial crime through regulation and enforcement, organisations may consider adding right-to-audit clauses in agreements as well as putting the third parties through a thorough onboarding, monitoring and periodic audit process. Organisations operating in emerging markets may also consider educating third parties about compliance requirements set out in legislation such as the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, in order to help avoid potential liability for the actions of their contractors. Organisations may also choose to proactively review their contractors’ ethics and compliance policies rather than simply taking them at their word.
FW: What benefits can be derived from engaging expert external advice on reducing third-party fraud risk?
Shave: Expert advisers can provide independent, objective assistance in conducting business-wide fraud risk assessments and designing robust fraud monitoring systems. With huge volumes of data split across multiple platforms now readily available at most organisations, specialist data analysis plays an increasingly important role in fraud detection and prevention. Experts can provide access to the latest forensic review platforms and data analysis tools, provide anti-fraud training and also be a valuable source of up-to-date intelligence regarding emerging fraud threats in the sector. A pre-existing relationship with an external fraud expert can add real value as, should the organisation fall victim to a fraud, it will have rapid access to fraud specialists who can provide urgent investigatory assistance. This may include capturing digital evidence in a forensically secure manner, conducting data analytics work, reviewing accounting entries and conducting interviews. External assistance can help organisations to manage the balancing act between robustly reacting to a live fraud issue while not losing focus on their ongoing business activities.
Richard Shave is a forensic accountant who specialises in leading fraud and financial crime investigations. He has over 20 years’ experience of assisting corporate entities, financial institutions, regulators and law firms in UK and international investigations. Mr Shave has also led confidential and sensitive investigations into a range of financial fraud, bribery and corruption, accounting misstatements, theft and other forms of employee and institutional misconduct. He can be contacted on +44 (0)20 7893 3546 or by email: richard.shave@bdo.co.uk.
Over the past 15 years, Natalie Butcher has worked on a significant number of large e-disclosure projects, working with corporate clients in addition to their legal advisers and government bodies. She is an expert in handling complex disclosures and is also experienced in data analytics. She can be contacted on +44 (0)20 7893 3480 or by email: nat.butcher@bdo.co.uk.
© Financier Worldwide