Economic crime continues to evolve, leading to added risk, increased regulatory compliance demands and burdens on businesses. This increasingly complicated landscape creates challenges for organisations seeking to balance resources and growth. Although not universally defined, economic crime is taken to consist of crimes impacting organisations such as Fraud, Bribery & Corruption, Anti Money laundering, Cybercrime and Market Abuse.
PwC’s newly published Middle East Economic Crime survey shows that economic crime remains a persistent threat to the region with a rise in the number of businesses reporting economic crime compared to the date of our last survey two years ago. Over a quarter of respondents (26%) reported economic crime, up from 21% of respondents in 2014.
The damage caused by economic crime
The financial impact – a changing picture
The financial impact of economic crime on local organisations remained significant, with the latest results showing the cost to be even higher than those reported globally
in the same categories.
In the Middle East, 35% of organisations that had suffered economic crime estimated a financial impact of between USD 100,000 and USD 5,000,000 in value in the prior 24 months – down from 51% in 2014. Over the same period, 9% (up from 6% in 2014) of respondents suffered total losses valued at between USD5,000,000 and USD100,000,000 whilst 1% (down from 6% in 2014) suffered losses exceeding USD100 million. The value of the losses identified by respondents continues to highlight the extent and significance of economic crime.
What about the non-financial impact of economic crime?
The collateral damage from economic crime is wide-ranging and affects different organisations in different ways. Damage to employee morale was the number one collateral impact affecting an organisation as a result of economic crime according to the 2016 survey. This, coupled with more traditional ‘commercial’ effects (such as weakened business relations, a damaged brand or reputation and greater regulatory scrutiny) impacts an organisation’s productivity and ability to generate revenues. Whilst this is difficult to quantify, it is clear that both the financial and non-financial costs of economic crime are significant.
Perpetrators of economic crime attack organisations from multiple angles in multiple ways. Whilst firms should implement robust fraud prevention controls and procedures across the full suite of business activities, how does a firm know which areas they should prioritize?
Recent economic crime trends – what’s hot right now
The 2016 economic crime survey indicates that reported incidences of economic crime increased from 2014 though the most significant forms of economic crimes remained the same.
Asset misappropriation remains the number one type of fraud encountered by organisations in the Middle East, suffered by 61% of respondents who had suffered economic crime (down from 71% in 2014). This is unsurprising as the theft of assets often requires minimal technology and sophistication – it is hard to see a time in the near future where simple theft is not a significant problem.
Cybercrime was the second most reported economic crime in the region affecting 30% of organisations (down from 37%) in the region. Respondents perceive the greatest threat of cyber-crime coming from outside their organisation – yet 66% of respondents did not have a cyber-incident response plan in place.
Procurement fraud featured as the third most significant type of economic crime experienced in the Middle East as reported by 25% of respondents who had suffered some form of economic crime (down from 33% in 2014).
Bribery and corruption remains a significant threat in the Middle East in spite of improvements to the Transparency International Corruption Perception Index ratings for a number of Middle East countries. In the region, 33% of respondents expect to experience bribery or corruption in the next 2 years.
In addition, the survey revealed that over 20% of respondents were not aware of the existence of a formal ethics and compliance programme within their organisations
thus raising the effectiveness of their tone at the top approach. Over three quarters of organisations rely on internal audit to ensure the effectiveness of such programmes.
So where to look? Regrettably the survey shows that a significant proportion (33% of respondents) suffered fraud at the hands of their own employees.
Combating economic crime – get smarter, get innovative
Regular risk assessments allow an organisation to assess, understand and mitigate exposure to economic crimes. But the survey highlights two key issues in the region.
Firstly, the region is far below the global average as regards organisations taking steps to protect themselves from economic crime (just over 50% of respondents from our survey had performed a risk assessment in the last 24 months). We must continue to ask the obvious question here: If no risk assessment is conducted how can you be sure that your controls are targeting the real problem? And if controls are not designed properly how do you know what you have been able to prevent?
Secondly, fraudsters are getting smarter and using more sophisticated methods to bypass internal controls, but not all organisations have responded appropriately.
We look here at two methods which we see used with increasing effectiveness to combat economic crime.
1. Corporate intelligence – gatheringand analysing information that can help your organisation make strategic and well-informed decisions
Wouldn’t it be useful to know the credibility of your business partners before conducting transactions with them? Many organisations don’t conduct even basic due diligence procedures. Three levels of due diligence can be performed:
1) Online research
Online research of a range of sources provides access to information on relatively straightforward issues, such as company registrations, or to uncover any allegations of illegal or unethical business practices. We use around 10,000 international media sources to perform targeted searches of the internet and social media, in English and local languages. The process need not be costly, and can reveal extensive information available in the public domain.
2) Full public record research
This is a more detailed search mechanism, accessing corporate filings (including archived versions), court and bankruptcy records and performing archive searches of relevant off-line media publications. This method provides a comprehensive overview of an individual’s or organisation’s reputation and highlights market integrity issues/risks relating to corruption and other economic crime.
Fraudsters are getting smarter and using more sophisticated methods to bypass internal controls
3) Human source inquiries
In addition to the two levels above, corporate intelligence professionals have access to human sources across the world. This allows access to real-time, on the ground information which can supplement and support the information obtained from online searches and may identify material adverse information not readily available in the public domain.
Performing adequate due diligence up-front lowers the risk of third parties defrauding your organisation and reduces the chance of your organisation engaging in unethical activities with these business partners. Doing your homework can help you protect your organisation from the outset.
2. Data Analytics – identify the pattern, minimize the impact
Organisations have vast banks of valuable financial and non-financial data. They use this data to create forecasts, identify possible areas for expansion and to make strategic decisions to help the organisation grow.
Potential economic crime trends can be identified from this data. Are travel and subsistence claims unusually high? Do more employees have access to critical systems than you expected? Are duplicate payments being made to suppliers?
Conducting data analytics need not be time consuming or expensive. Searches can be targeted, parameter driven and, to an extent, automated. This makes data analytics a fantastic tool for organisations to use to fight economic crime, as it identifies ‘red flag’ indicators in data sets quickly.
Cybercrime – the emerging threat
Cyber crime is the fastest growing, most sophisticated fraud threat affecting organisations across all industries. The most commonly occurring cyber threats in this region are to applications; systems and networks, but mobile devices, removable storage devices and data held by third parties are also at risk.
The most dangerous aspect of cyber attacks is the speed at which they are carried out. Organisations may suffer significant financial, data or other losses before realizing that an attack is in progress and are not always sure how to respond to this threat. So what are some of the key considerations your company should have in place to protect itself from the developing threat?
Crown Jewels Analysis
This involves identifying your organisation’s highest risk IT assets from a cyber threat perspective, as these are likely to be the most attractive target for cyber attackers. Once you have identified the assets, you need to benchmark your controls in place. This can be done by running simulations on your key assets to evaluate their cyber readiness and resilience against attacks. It is also worth checking whether any of the high risk assets have been compromised or experienced recent attacks, as this will
demonstrate the speed at which you may need to take responsive action.
Breach Indicator Assessment
Conducting a breach indicator assessment will allow you to identify compromised hosts and assets. It can illustrate the areas of your information technology infrastructure that are most likely to be breached. We help our clients by monitoring network traffic to detect threat attempts, analyse endpoints and servers and extract breach indicators and evidence of what has and what might happen in the future.
Cyber Incident Response
Whilst preventative methods are great at mitigating risks, companies need to have a back-up plan. Having an incident response plan is like having a first aid kit in your home which you may never have to use but, when you do, you’re glad it’s there. The best protection in the world is not always enough and responding quickly can limit the damage an attack may cause.
There are two types of businesses: those who know they have been attacked and those who don’t. For the former, the key information that the firm generally wants to know is what data has been stolen and which systems have been compromised. With the latter, ignorance may be bliss in the short term, but provides no defense against the losses that can follow.
Organisations should ensure they protect their systems before a cyber attack happens – and just with any other type of risk, proper risk assessment drives effective controls.
A look to the future
What does this all mean for organisations in the Middle East? The main message readers should take away is to remain on the front foot. Economic crime continues to be a major issue in the Middle East and will not disappear any time soon. Organisations need to reassess continually whether their systems and controls have been adapted accordingly.
Taking simple steps such as conducting risk assessments on an annual basis can play a key role in protecting your organisation and will help you understand the key threats facing your organisation in today’s world.
Going one step further and using some of the more innovative and cutting edge tools discussed in this article will allow you to develop a robust mechanism which will protect your organisation from economic crime.
Being proactive is the best advice we can share. Understand what risks your organisation is exposed to and put in place adequate controls and procedures to mitigate the risks.
JAMES TEBBS, CA, is the regional head of financial crime for PwC in the Middle East.