The COVID-19 outbreak has wrought huge changes in short order, transforming business practices, and provoking a steep economic downturn – so adding greatly to the risks of fraud and other financial crime.
Crucially, long established checks and balances have been eroded by working from home, and by a lethargic reaction by middle management to changing circumstances.
In response, companies must put in place measures aimed at mitigating the risk of fraud, at responding to malfeasance as it arises, and at recovering funds lost to corporate crime.
Sadly, this pandemic has not heralded any outbreak of honesty.
The new risks
The pandemic has led to a sudden, and lasting, shift towards remote working, which has meant that many staff now rely on insecure internet connections on shaky home systems. This dependence on inadequate infrastructure, and insecure video communication media, poses huge risks.
One obvious threat is that home-based systems are much more vulnerable to penetration by cyber-criminals. These insecure systems thus present opportunities to those seeking to steal funds, or to gather confidential information.
An increasing concern is “business email compromise”, whereby hackers gain access to communications, and monitor these over time for traffic related to payments. Intruders often seek then to arrange payment for a seemingly legitimate reason; and a lack of proximity means staff working from home cannot readily check on the veracity of urgent demands.
A further critical concern relates to intellectual property. In March 2019, CNBC and Forbes reported that CITRIX, an important software provider, had been penetrated by hackers, presenting risks to those companies that rely on it. A reliance on unsecured home networks will only augment comparable risks.
Worse, companies currently have much diminished control over their employees’ handling of confidential information, posing the threat of the significant loss of intellectual property and sales data. The risks related to staff decamping with commercial information are also enhanced, given looming, traditional times of departure, such as Chinese New Year, or the end of the financial year.
Act in haste…repent at leisure
In addition to cyber-risks, knee-jerk reactions in response to the pandemic seem sure to result in a new crop of frauds – perhaps linked to efforts to claim extensive funds from, or underwritten by, governments, such as furlough allowances for non-existent staff, or to fake requests for soft loans for businesses via banks.
In time, the scale of these losses will become clear – but the cost will be large. The United Kingdom government in September 2020 mooted that some GBP3.5 billion of “furlough” claims were paid in error, or were fraudulent, and California’s authorities estimated that some USD11 billion of unemployment claims were probably fake, as of January 2021.
In the coming months, the financial crimes attracting most attention will probably relate to historical procurement actions, such as contracts for personal protective equipment (“PPE”), or vaccines. After all, intense competition for key goods at the height of the pandemic not only raised prices, but encouraged parties to skimp on controls.
The tide goes out
The broader economic malaise heralds different risks. A sudden withdrawal of credit always exposes questionable practices, or incentivises some directors to cheat.
Accounting fraud seems sure to rise, as companies seek to inflate receivables, or to overstate asset values. In some cases, the use of complex structures or financial instruments may initially hide the real scale of losses – as with Luckin Coffee, a Chinese coffee business that overstated earnings on a huge scale.
Other companies may also find themselves tempted into questionable deals, in an effort to boost cash flow. Multi-national firms are particularly at risk here, as in-country teams not only need to prove their worth, but also have local ties that can sometimes engender corruption; and the current inability of senior management to travel will only weaken vulnerability to such scams.
As if this were not enough, a further problem is the rising tide of nationalism, which will complicate enforcement measures.
The German regulatory authorities played down allegations against Wirecard, a significant internet payment system, in 2020. Other governments may yet seek to protect chosen companies, particularly if in strategic sectors, or if targeted by perceived opponents.
Act Now to Prevent Financial Ruin
This situation promises a sharp rise in fraud in the coming months.
Companies must act now. In particular, management must bolster internal compliance mechanisms, so as to identify fraudulent activity early, and thereby limit losses. Dependence on audit – external or internal – will not protect most companies.
Key steps to take include: strengthening the integrity of data systems; implementing tighter control over staff approvals; and bolstering protections for confidential information.
Staff must also be trained, drilled, and supervised, so as to ensure they understand the need to act cautiously, in releasing payments or critical data.
Companies must also examine transactions made during the pandemic in more detail, so as to contain losses. Key measures include establishing sound audit trails and gathering all documentation, in retrospect if necessary, so as to understand what happened, and thereby predict what problems may yet emerge.
Finally, companies must adhere to robust due diligence standards, even if under pressure to contain costs. Boards should require detailed background investigations of investments or partnerships, and ensure that oversight measures are in the hands of the general counsel, or of another relatively “neutral” party, rather than a local deal team. “Virtual Due Diligence”, done by Zoom, will only result in “Virtual Profits”.
Appropriate Responses to Fraud
Pre-emptive measures will only go so far, though. Companies must also act decisively on the discovery of red flags. Key triggers might include the unusual involvement of third parties, a dubious transaction structure, or excessively high fee levels, amongst other issues.
Companies should make sure to undertake a thorough investigation into any suggestions of fraud, and to report findings in full. Attempts to “sweep matters under the carpet” will only lead to bigger problems in time. SVA is often called in to assess quickly the damage caused, and methodology used, in any suspicious activity.
Management should also consider involving the relevant authorities, such as the police or regulators, if need be. In doing so, though, they must also take account of the political risks, given that some counterparties can benefit from political sponsorship. Again, SVA can advise as to dealing with such regulatory risk.
Finally, companies should launch external asset search and tracing measures, and recovery actions, so as to recoup stolen funds as an urgent priority. Many MNCs now take out fidelity, and other, insurance measures to cover expenditure in such circumstances.
Such asset recovery initiatives are frequently complex, and will need not only to identify assets hidden in offshore jurisdictions, which are often structured through corporate or trust structures, but also operate as part of a broader legal strategy aimed at reclaiming pilfered funds.
SVA has a great deal of experience in responding to incidents, investigating frauds, and in tracing and recovering assets. If we can be of any assistance to your organisation in dealing with these complicated issues, and if you wish to protect your business from the negative consequence of poorly conducted due diligence efforts, please do not hesitate to contact us.
SVA (www.stevevickersassociates.com) is a specialist risk mitigation, corporate intelligence and risk consulting company. The firm serves financial institutions, private equity funds, corporations, high net-worth individuals and insurance companies and underwriters around the world.