In 2018, the World Economic Forum indicated that fraud and financial crime was a trillion-dollar industry, reporting that private companies spent approximately US$8.2 billion on anti-money laundering (AML) controls alone in 2017. According to the Association of Certified Fraud Examiners’ global report on occupational fraud, organisations typically lose 5% of their annual revenue to fraud every year.
In PwC’s 2020 Global Economic Crime and Fraud Survey, half of the respondents indicated that they had experienced some form of economic crime or fraud in the recent past. The list of crimes suffered by organisations include, in no specific order, fraud, money laundering, corruption, cybercrime and tax evasion, among others.
Meanwhile, the top four instances of fraud identified by the survey were Customer Fraud, Cybercrime, Asset Misappropriation, and Bribery and Corruption. The survey also showed that as many as 47% of companies experienced a fraud in the past 24 months with an average of 6 frauds reported per company.
Moreover, only 56% conducted an investigation into their worst fraud incident even as a staggering US$42 billion was reported as total fraud losses by respondents, on top of the damage to brand, reputation, and market share. Most worryingly, nearly half of reported incidents resulting in losses of US$100 million or more were committed by insiders.
Playback of this video is not currently available
Bringing this closer to Mauritius, our jurisdiction has recently been added to the Financial Action Task Force’s (FATF) list of jurisdictions under increased monitoring, which consists of economies that have deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing.
This comes on the back of the recent assessment conducted in Mauritius against the standards of the FATF by the Eastern and Southern Africa Anti-Money Laundering Group (ESAAMLG). As a result of this development, Mauritius has recently reviewed its AML/CFT (Countering of Financing of Terrorism) legal framework. In addition, the Bank of Mauritius and the Financial Services Commission have issued new guidelines to be adopted by regulated entities.
To compound this issue, we are currently living in a world gripped by a COVID-19 crisis, the likes of which we haven’t seen before. This has meant new ways of working and operating, mostly remotely and digitally. In Mauritius, the outbreak of the pandemic meant that lockdown measures were in effect for a prolonged period since mid-March 2020. This situation has created additional risks for organisations as less resources may be available to devote to managing financial crime at this time.
Taking all this into account, it becomes quite clear that managing financial crime in an increasingly complex operating environment is taking its toll, both from a cost and time perspective. As one local banking CEO quipped recently, it feels like the CEO’s job nowadays is mostly dealing with risk and compliance without much success.
With 13 years of experience in advising clients in the East African market on ethics and compliance, antibribery and corruption, due diligence, fraud risk management, corporate investigations, AML, cyber security, crisis management, business review and insolvency proceedings, I would like to share my indepth insights into how companies can manage financial crime risk in an optimum manner.
Historically, financial crime has generally meant money laundering and other criminal transgressions that involve the use of financial services to support criminal enterprises (think terrorism financing, proliferation financing, tax evasion, bribery and corruption). Financial crime is generally viewed as a compliance issue in terms of adhering to relevant regulation and averting regulatory fines with AML/CFT programmes.
Fraud and cybercrime, on the other hand, are viewed as deception of financial personnel or services to commit theft. These are often viewed as less of a regulatory burden and more of an operational loss problem, with detection measures put in place to reduce the loss.
However, this approach is no longer effective. The boundaries between different financial crimes have blurred, especially since the rise of cyberthreats, which reveal the extent to which criminal activities have become more complex and interrelated.
Consider a realistic example: a cyber intrusion carried out by sanctioned states and/or terrorist groups (cybercrime) can lead to theft of customer and financial data (fraud) and these funds are then laundered through a myriad of financial institutions (money laundering) and used to finance purchase of weapons and/or terrorism activities (proliferation and terrorism financing).
In the example above, from an organisation’s perspective, who is responsible for identifying, detecting and resolving the matter? In a siloed environment, the aforementioned scenario would make it difficult to detect and join the dots, and the resolution of the matter would probably involve duplication of effort, inefficiency and would ultimately prove to be very costly to the organisation.
Consider the following emerging themes in financial services:
When things change faster, it is more difficult to predict what happens in the future. Hence, businesses face more unexpected events and have less time to respond to them.
Business processes, technologies, products and regulatory regimes are increasingly becoming more complex. As a result, there is a higher chance for the existence of hidden flaws or appearance of unforeseen outcomes.
The world is transferring towards a multi-polar global order with multiple major political and economic players. The interaction and rivalry between these players create a more uncertain business environment.
The globalisation trend means that businesses have more interactions and interdependencies with other businesses all around the world. Therefore, the impact of any risk at any location spreads quickly among many other regions.
Interdependency of different types of risks is increasing. One type of risk can evolve into many other types of risks: cyber enabled fraud, money laundering incidences etc.
The current reality of financial crime risk management relies on rule-based scenarios, depends on manual interventions, has generic risk scoring models, encourages a silo-based approach and is unsuitable for the emerging needs of the business and the customer.
The current reality as described has resulted in increasing compliance costs and poor customer experience without a corresponding increase in compliance levels, risk mitigation and loss prevention. In the current context of working remotely or less available resources, this model would be inadequate to manage the risks and prevent financial loss.
Organisations lose 5% of annual revenue to fraud every year.
In considering integrated financial crime risk management, our view is that all risks associated with financial crime involve a three-step process of identification and authentication of the customer; monitoring and detection of suspicious or anomalous behaviour; as well as the action taken in terms of response, investigation and crisis management.
Each of these activities are also governed by the same Board/Senior Management and are supported by similar data and technologies. In taking a more holistic view of the underlying governance, risk management framework and processes, financial institutions can create an appropriate operating model for the management of these risks in an efficient and cost-effective manner.
This also inevitably leads to simplified processes and better customer experience e.g. through deduplication of KYC efforts which leads to lower customer acquisition costs, better turnaround times, reduced service disruptions and, ultimately, happier customers.