The fraud risk landscape is continuously taking on increasing complexity and velocity. Modern-day auditing professionals are increasingly making use of forensic specialists and technology.
Over time, the development of economic crime has progressed in parallel with the development of trade and business technologies. As value transmission moved from barter to financial instruments, and the relationships between traders became ever more remote and reliant on intermediaries, so has the scope widened for abuse of the enabling mechanisms that underpin effective trade. Has the change in business technology brought about by the digital revolution had a similar impact on economic crime commissioning, detection and prevention?
EY and the Association of Chartered Certified Accountants examine this question and its implications in a report, which can be accessed in full here (pdf). It draws on recent thinking from senior leaders across our networks to reflect on the current position and highlight some key pointers for the way ahead.
The evolving digital environment
Digitalization has led to an increase in the volume and velocity of economic crime attacks, as well as an expansion in scope.
As technology advances, the scope for supplementing or even replacing existing trust mechanisms with technological tools has expanded.
Our panel of interviewees are unanimous that digitalization has led to an increase in the volume and velocity of economic crime attacks, as well as an expansion in scope.
Historically, “cold call” frauds would have been carried out by letter or by phone, with corresponding linear resource costs for the perpetrators. Mass mailing and the availability of harvested lists of email addresses have hugely increased the number of victims that a scammer can target in a single attack.
As Anthony Harbinson, Director of Safer Communities, Northern Ireland, observes, “If you send out 1,000 emails and only 1 comes back, that one could get you significant amounts of money.”
The existence of underground chat rooms and encrypted communications, meanwhile, has enhanced criminals’ ability to exchange and refine ideas. Harbinson notes that “if you go on to the dark web, you can actually buy, for anything from US$5 to US$55, a range of templates that you can send out to any organization that look specifically like their own templates, except it will relate back to whatever bank account or address that you actually put on top of it.”
Patrick Craig, Partner, Ernst & Young LLP United Kingdom and EY EMEIA Financial Crime Technology Leader, warns that: “To recruit an army of virtual agents to carry out attacks, you can buy malware, networks of compromised machines and mule accounts from the dark web to enable money-laundering needs, versus recruiting a human army to help launder the proceeds of crime.” New technologies are allowing even criminals who lack the skills to design an authentic-looking fraud to pose a significant threat to their targets.
The global village
Just as the internet has legitimate business from the shackles of geographical location, so crime too has been able to operate across borders. Many consumers might be wary of a foreign postmark on their mail, or a foreign accent on a cold telephone call. But spoofing of email or web addresses, and use of native-speaker-reviewed documentation, can remove all these warning signs from an online attack.
Rachel Sexton, Partner, Ernst & Young LLP United Kingdom, Forensic & Integrity Services, has noticed a shift in behavior: “I think technology has allowed criminals to sit remote from their victims. We see attacks coming from all over the world — for example, targeting UK banks. It does make it much more sophisticated, that the criminals can sit somewhere else and make these attacks and remain relatively anonymous.”
As well as the simple proliferation of existing crimes, technological developments have introduced new vectors for crime. The development of cryptocurrencies and their availability as mechanisms for storing or transmitting value in an anonymous or pseudonymous fashion have transformed some aspects of economic crime. Nonetheless, conventional business fraud seems, for the time being, likely to continue to be carried out using fiat currency.
As Claire Jenkins, Forensic Accountant at UK Companies House, puts it, “I think then the question is: how comfortable would someone be doing business with an individual [who] wants you to pay him entirely by cryptocurrency? Is it likely, even now, that people will accept the payment? I have my doubts.”
While the majority of respondents to the EY Global Fraud Survey 2018 stated that their organizations would soon be regularly using digital payment systems, just 4% expected to be conducting business using cryptocurrencies. But in situations where trust is already compromised, the picture is very different. The ability to transfer value anonymously has huge implications for both money laundering and the broader fields of economic crime, such as human trafficking.
Driven by globalization and digitalization, the fraud risk landscape is continuously taking on increasing complexity and velocity. Modern-day auditing professionals are increasingly making use of forensic specialists and technology to identify and respond to these fraud risks.
Keeping records and managing data have always been fundamental to successful business decision-making. Auditing, and the trust that it creates for stakeholders, relies on manageable and trustworthy data. But the digital era has brought more data than ever, in both volume and variety.
There is an opportunity here for accountants to derive an even greater advantage from the increasing data by generating better insights and extracting the maximum value from the resource. To this end, accountants can work with compliance and risk departments to identify risk areas and can help assess the effectiveness of the controls in place.
On the other hand, this opportunity for legitimate business has a mirror in the criminal world. The usefulness of customer lists to direct competitors has long been recognized, but increasingly it is simply the personal information held by a business that motivates criminals to attack.
Economic crime may sound like an age-old topic on the surface. Underneath it, new fraud vectors and players emerge all the time. As you tirelessly chase these new risks, you may be better off by taking a pause to assess whether it’s time to take bigger leaps to transform the way you deploy people, processes and technology.
Working out where in the matrix of economic crime such activities fit will be a challenge that informs the regulatory response. Arguably, in a spectrum that ranges from fraud through money laundering and even possibly encompassing human trafficking, there is a place for the deliberate targeting of a business’s revenue-generating machinery as a means of generating revenue for thieves.
Policy and practice
The challenge: ensuring that regulatory and related infrastructures are proportionate and equipped to help innovation thrive while providing vital safeguards.
Given the changing technological landscape, ACCA and EY have explored the evolving role of the regulator, other government institutions and accounting professionals in combating economic crime in the digital age. A clear point arose from these discussions: professionals interviewed for the report agreed that the overall objective of regulation, and the historic tensions within industry and innovation, have not changed.
There is still a pressing need to create a regulatory environment that supports financial innovation, while at the same time limiting the risks for consumers and businesses, supported by audited information to inform decision-making. Auditors could assess whether a company has adequately put in place controls to comply with the sector-relevant laws and regulations in the jurisdiction in which it operates.
These laws and regulations would not only be those relating, for example, to money laundering, corruption and tax evasion — but also those concerned with data protection, environmental impact and the treatment of the workforce, among other concerns.
For regulators and policymakers, economic crime in a digital age presents some particular challenges in addition to those dealt with before. These include, at a minimum, challenges pertaining to anonymity, accessibility and accountability.
Transacting through the online environment has provided avenues by which fraudsters can avoid disclosing their identity or provide false identities. The idea of opaque fund holdings or complicated financial structures to obfuscate the view of regulators is not new in itself. And cash is, of course, the classic tool for facilitating untraceable, “under the table” payments.
Now, the anonymity associated with cryptocurrencies adds a new method for facilitating payments. These currencies are anonymous by design (or pseudonymous, to be more exact). In other words, it is possible to see the target addresses to which funds are going, but this does not provide a reliable confirmation of the identity of the actual counterparties or individuals in the background.
As a result, we see that “cryptocurrency has fueled secondary markets for criminal activity [because] of this inability to directly track and trace the beneficial owner of the funds,” observes Narayanan Vaidyanathan, Head of Business Insights, ACCA. “And that’s a challenge that we didn’t have in the same way previously.”
This increased anonymity creates new challenges for policymakers, regulators, compliance and audit professionals working to tackle activities such as money laundering. The related challenge of “know your customer” (KYC) lies at the heart of dealing with this issue. It is already a space keenly contested between those committing crimes and those seeking to catch them — and this will intensify as a key battleground for the future.
“The ability to identify and do proper KYC checks quickly and efficiently is still the holy grail of a financial crime compliance department,” says David Higginson, Partner, Ernst & Young LLP United Kingdom, Forensic & Integrity Services.
Financial crime has become a more accessible activity, with experts identifying reduced barriers to entry for undertaking a financial crime, the proliferation of information on the internet and many of the perpetrators conforming to stereotypes of the “hardened criminal.”
The marketplace characteristics of the digital crime mean that it may be possible, for example, to hire the services of cybercriminals even if one does not know how to commit the crime oneself. This level of accessibility does not presuppose any connection to the world of cyber hacking or the need to have an extensive network of contacts or knowledge in the area.
Craig highlighted that “You can have a 14-year-old in their bedroom download[ing] malware and recruit[ing] a botnet to take part in a sophisticated attack, perhaps unknowingly to some degree. There’s a worrying aspect of ‘gamification’ to cyber attacks.”
Another facet of the accessibility challenge is the significant increase in cross-border activity or the globalization of economic crime. Regulation remains jurisdictional by nature.
“You are as likely to be scammed from Jakarta, as you would be from Kiev, as you would be from any one of the islands within the Philippines,” warns Harbinson.
The locations of a criminal and their target could be in completely different jurisdictions, whose law enforcement agencies have no interaction with one another. This unprecedented access to a global pool of targets has given economic crime a previously unthinkable level of scalability. And the regulatory challenges to dealing with this are significant because it is difficult for government agencies to coordinate across borders at the same speed as the perpetrators of crime.
Increasingly, artificial intelligence — or more specifically, augmented or assisted intelligence — has the potential for automating not just processes but also decisions. That presents difficult questions of judgment, given the sophistication of some of the technologies involved. Algorithmic models, for example, can be complex, and it may not be easy for compliance departments or the regulators providing oversight to understand how and why these models are performing in a certain way.
This, however, should not become a reason for corporate actors to absolve themselves from responsibility. Ultimately, legal structures as they stand look at a legal “person” as being an individual or corporate entity. The implication is that human oversight cannot be dispensed with by simply outsourcing responsibility to an algorithm.
“It’s great that we have algorithms that can help review false positives, or identify suspicious activity, or flag fraudulent activity or patterns. But it is difficult to rely completely on them because if they do not flag money laundering or dismiss a false positive, the risk remains with the firm,” says Sexton.
The important challenge here will be to achieve the right regulatory balance between human oversight and reliance on the machine. Getting this wrong could create a wider discontent among organizations in that when things go well, the technology gets the credit, but when things go wrong, the individual gets the blame. There is a challenge here in ensuring proportionate and fair regulatory and associated regimes that will allow innovation to flourish while providing essential safeguards for accountability.
Should regulatory or legal responsibility be applied differently in the case of a flawed credit model that is intentionally manipulated for fraudulent intent as opposed to one that is unintentionally fed with biased data input? Having an appreciation of this requires some level of granularity in regulators’ understanding of technological development and how that translates to issues of accountability and integrity.
A spotlight on good practices
While it creates opportunities for abuse, new technology can also aid in the fight against crime, in both detection and prevention.
The use of AI and forensic data analytics to enhance risk assessment at banks and financial institutions has significant implications for the effectiveness of anti-money laundering (AML) and sanctions controls. In addition, the application of RPA will allow for the streamlining of operations and enhanced consistency, while alleviating compliance and auditing professionals from routine, rule-based tasks and enabling them to focus on high-risk areas.
Cross-checking of identity details for account verification can be undertaken quickly and cheaply enough to improve security without unduly compromising customer experience, raising the prospect of achieving Higginson’s “holy grail,” as mentioned in the prior chapter.
Equally, analyzing expense account expenditures in sales teams could aid in the identification of bribery or of facilitation payments made outside company policy.
Harbinson sets out the concerns that, “If you start getting large amounts of money being spent on bars, hotels, restaurants, strip clubs … there should be someone looking and confirming: Is that real? Is that allowable? … If you give a credit card to someone, a hospitality account to someone, what are they using it for? And is the organization either knowingly or unknowingly breaking the law?”
Beyond this, more focused tools can assist with due diligence and investigation. Custom applications can be used to perform due diligence and conduct investigations by taking into account unique risks specific to sectors, geographies or organizations.
The availability of advanced AI and forensic data analytics tools allows businesses to go far beyond simply identifying single illicit payments.
The ability to analyze unstructured data alongside structured data sources and to integrate the findings using behavioral and social networking analytics allows employers, within the bounds of local privacy laws, to combine other techniques, such as predictive modeling, audio analytics, text mining and geospatial analysis, to build a comprehensive picture of risk indicators to guide those escalation decisions and target interventions where they will be most effective.
Nonetheless, while these tools can be useful internally for an organization, their use in combating the new cross-border development of economic crime can be more problematic.
“We are only scratching the surface of what AI and data analytics technologies can do to help prevent and detect fraud,” says Todd Marlin, EY Global Forensic Technology Leader. “However, they are a means to an end. As organizations invest in greater technology adoption, they need to bear in mind that the ultimate goal is to drive better insights and transparency, and having a sound and secure data strategy is the key to achieving that goal.”
Many jurisdictions impose restrictions on data transfer, potentially posing a challenge to businesses in cross-border transactions where they need to interrogate data sources. Developments such as homomorphic encryption, which allows the interrogation of encrypted data at a distance without the need for cross-border transfers, could enable the use of the full range of analytical tools.
Widespread deployment of technology such as zero-knowledge proofs, allowing for the verification of encrypted information, and self-sovereign identity, which verifies an individual’s identity without the need for extensive data transfer, could reduce still further the need for data aggregation within businesses. Without the need to hold large archives of potentially valuable information in reusable form, the attractiveness of business as a target for criminals would decline.
Collaborating for improved detection and prevention
A common recommendation by interviewees was the need for information sharing and institutional collaboration. They described this response at a variety of scales — starting with cooperation between regulators and individual companies, up to the level of international cooperation.
This was often described as a more effective response to economic crime than a traditional sanctions regime; supporting a culture of cooperation between institutions and companies was seen as more effective than merely applying penalties.
As Anne McCormick, Ernst & Young EMEIA Public Policy and Network Engagement Leader, notes: “Auditors have a role to play, but are only one element of a much wider ecosystem.” Cyber executives identified different scales of information sharing that are important in improving the detection of economic crime:
- Within the organization. Scott Jarrell, EY Americas Forensic Data Analytics Leader, Forensic & Integrity Services, noted that improvements are still required in how companies share information internally across departments. He stated that, “Historically, a lot of financial institutions have operated in silos, [and] being able to cross-reference data in some sort of cross-company [way] should become more important.” A 2015 report from EY and Chartis concludes that, “What will be needed, therefore, is an integrated approach to the management of financial crime risk and compliance that will help [with] better detect[ion of] criminal attacks and fraud.”
- Within the public and private sector. Interviewees described the need for regulators and financial institutions to work more closely together in collectively tackling economic crime. There are clear benefits from supporting real-time information sharing across sectors to aid the detection and prevention of crime — but there are also challenges. For example, Mark Le Page, Director, Ernst & Young LLP United Kingdom, Advisory, notes that some regulators, such as the Financial Conduct Authority in the UK, also have a competition mandate. Therefore, there were concerns that any information sharing across sectors and financial institutions must have due regard for commercial concerns, such as the protection of intellectual property.
- Across the world. Interviewees noted that the expansion of cross-border crime requires a similar scale of response by regulators and law enforcement. Sexton is clear that “because financial crime is very global now as well, it is not [occurring just] within one jurisdiction or even within the EU, for example. It spans many different jurisdictions.” A key message from across ACCA and EY Small and Medium-sized Enterprises (SME) Network was the need for governments and financial institutions to work together.
The right to individual privacy is a clear barrier to open information sharing. “The data privacy laws that we have now, and GDPR [the General Data Protection Regulation] in particular, are making [information sharing] more difficult,” says Nick Maginot, Partner, Ernst & Young Australia, Forensic & Integrity Services. There is clearly a need to reconcile state intervention in individual privacy, as well as information sharing across institutions without consent, with the variety of new challenges posed by economic crime in a digital age.
Jack Jia, Partner, Ernst & Young China, Forensic & Integrity Services, also explained that the “sharing of data to third parties or using data to perform additional analysis [can be] a challenge. Say a bank is worried about certain credit card transactions. They want to send the credit card transactions to a third-party data analytics firm to perform the review. Transferring of data to third parties can be a breach of data privacy.”
Shifting the window — preventing economic crime
The usefulness of new detection tools to detect crime in the corporate environment should be recognized by management, regulators and law enforcement alike and their use encouraged within legal frameworks adapted to give weight to evidence generated and curated by AI tools. Criminals are more likely to refrain from illegal activities if they judge that the risk of detection is too great.
Integrity is key to the organizational “hostile environment” for economic crime. Building on the core elements of governance, culture, controls and insights, the business can blend human factors with enhanced tools using innovative techniques to bridge the gap between organizational intentions and actions.
As organizations invest in greater technology adoption, they need to bear in mind that the ultimate goal is to drive better insights and transparency.
As the information gathered from enhanced monitoring and analysis in the control environment feeds into a better understanding of the human decisions that characterize the business, so the governance mechanisms can adapt to create and enhance a culture of compliance, in which doing the right thing, and avoiding the opportunity cost of dealing with the aftermath of doing the wrong thing, becomes the default position.
These updated and evolved structures will demand changes in the skills and approaches of employees and management, as well as in policies and processes. Companies will need to invest in their staff so that they will understand the implications of the effective use of AI, and to appreciate the legal and reputational consequences of failure to understand the risks that AI presents.
One intrinsically human element of the fight against crime is the whistle-blower. A number of the interviewees we consulted pointed to the importance of effective whistle-blowing mechanisms that support both the prevention and detection of economic crime. For example, Harbinson saw the “development [of] whistle-blowing programs within your own organization” as a critical step in the defense against economic crime. He went on to note that this protection must “be accessible to your suppliers and your customers.”
A series of surveys by ACCA into the awareness of, and impact on, smaller businesses of bribery and corruption found that respondents ranked high-profile prosecutions as only the fourth most effective option of the five offered, with whistle-blowing laws and mechanisms rising from third place in 2007 and second in 2013 to being ranked the most effective of the options by 2019.
In the resource-constrained SME sector, access to stakeholder programs, whether provided by government or supply-chain partners, will be essential. In practice, the challenges of effectively implementing whistle-blower programs must not be underestimated. Creation of regulation and process is less than half the battle, with cultural factors both in business and society at large often compromising the effectiveness of such initiatives.
The role of auditing professionals
In addition to the internal controls used by business, the scope for impact on the audit profession should be explored. Survey work by ACCA measuring perceptions among the general public uncovered a widespread belief in respondents that auditors should be responsible for uncovering fraud at every level (notwithstanding materiality considerations and current regulatory frameworks).
Globally, just 30% of respondents recognized that there might be some limitations to auditors’ ability to detect fraud, while in the UK, 69% of the public respondents expected auditors to detect fraud that would affect financial statements or detect and report all fraud, regardless of size or impact.
Historically, the response to this from the profession might well have been that, however attractive such an aspiration might be, and regardless of the conceptual role of the auditor, 100% analysis would require such intensive resource deployment as to be economically impossible. But the techniques being used to detect and predict anomalous behavior in real time could be deployed in a historic audit to uncover patterns apparent only in hindsight.
Of course, detecting all economic crime will remain impossible in the face of determined criminals deploying equivalent technologies to evade detection; but if the cost of hiding the crime outweighs the benefit of committing it, then this alone will act as a deterrent to the rational criminal.
Even with the benefit of analysis for flagging areas of concern, there will still be a role to play for the skilled and skeptical auditor. The effectiveness of these mechanisms relies not just on the effective use of technology, but also on human intervention. ‘We should put as much effort into how we train people to use predictions as we do into the predictions’, was the conclusion of Alex Albright, a Harvard researcher investigating claims of bias in AI-assisted bail decision scoring, as quoted in Wired.
The challenge for the audit profession will lie in addressing the skills gap as much as the technology gap. Professionals must, of course, develop the ability to use new tools to support internal compliance functions by assessing their fraud countermeasures, but to maximize the impact of that work, they will need to interpret and present their findings to management and regulators effectively.
Clear and effective communication of the outputs of their assurance work will assist those responsible for fraud detection to develop better systems, and those responsible for developing regulation to implement frameworks and obligations that reflect the capabilities of the new technology.
Ultimately, this integrated and responsive framework of countermeasures and assurance will help to build trust in the ability of business to manage the risks to society posed by digital economic crime.
Technology cuts both ways: it is a vector for crime, but it is also a tool for creating tremendous value and protecting it from financial criminals. But tools alone are not enough to fight crime. People will make the difference, and professional accountants, as widely trusted actors, are at the center of the action in every organization.