Horizon scanning – Part 2: Fraud, crypto & corruption


Written by Gaon Hart on Monday 23 January, 2023

Earlier this month, I considered the key risks and trends that the compliance profession was likely to encounter in 2023. I conclude this exercise in horizon scanning below with a look at some of the other pertinent opportunities and threats that are emerging as the year gets underway in earnest.

Scams

Scams are a perennial problem, but new technology has spawned fresh concerns which are certain to spread in 2023. Some 4.72 billion people now use the Internet (60.1% of the global population), spending on average nearly 7 hours every day online; concurrently, economies are digitalising at a dizzying rate. With such enormous figures come unprecedented opportunities for fraudsters.

An estimated 293 million scam reports were filed and $55.3 billion lost in scams worldwide in 2021, with the number of reported scams increasing 10.2%, from 266 million in 2020 to 293 million in 2021. The amount of money lost in scams also grew 15.7%, from $47.8 billion in 2020 to $55.3 billion in 2021, mainly due to a rise in investment scams.

The problem is not limited to one country or region. According to the Australian Competition & Consumer Authority, 96% of Australians have been exposed to a scam in the last 5 years with half of these contacted weekly or daily by scammers. In France, 61% of people were exposed to ‘alternative’ investment offers last year, while in the UK, 50% of survey respondents reported receiving an email, text or social media message that may have been phishing in one month.

Elsewhere, in Brazil the introduction of a new, easy-to-use mobile payment method called Pix led to an influx of scams in 2020/2021. In Nigeria, meanwhile, the number of transactions via mobile channels increased by 164% in 2021. As a result, scams via mobile have boomed, and look likely to continue to do so.

Some 62% of Saudi Arabian consumers received spam and scam messages in 2021, mainly on their mobiles; 14% admitted that they fell for the scam and lost money. In South Africa, two huge data breaches led to a wave of phishing attacks. In Indonesia, meanwhile, came reports that 25% of its citizens had fallen victim to online fraud, making it the second largest reported crime in the country.

In North America, Canada identified that investment scams were one of the fastest growing types of online fraud, from 501 reports and C$16.5 million lost in 2020 to 3,442 reports and C$164 million in 2021. Similarly, the US reported a loss of $575 million in investment scams. And in Singapore, an unwelcome record was attained: reports of the largest amount taken in a single case, $6.4 million.

Global fraud in 2021 was estimated to be equivalent to 6.4% of global GDP, equating to £4.37 trillion. In the UK, fraud losses stood at £137 billion, with a 19.8% increase due to COVID-19. These sobering figures reveal the depth of criminal enterprise, the extent of their potential rewards and the staggering size of the threat posed to the public.

The largest single increasing vector of fraud is authorised push payment scams, which totalled £583.2 million in 2021.[1] The majority start with some type of social engineering alongside scam texts, phone calls and emails. The victim is subjected to behavioural manipulation and is convinced by multiple sophisticated methods that a payment or access to data is being requested by a legitimate organisation or person or for a good reason or cause. Understanding how fraud is perpetrated, and communicating to colleagues and the public the scale of potential losses, will be central to helping prevent it in the year ahead.

Governments are now having to go on the offensive, so expect a raft of new legislation and regulatory focus to ‘encourage’ companies to manage fraud and scam risks. In the UK, the Online Safety Bill proposes a duty of care for organisations to manage and counter internal fraud, as well as a duty of care with regard to online advertising, which is a key source of investment scams. However, subject to government interest, a new series of online advertising regulations and legislation has been proposed to counter scams, with the opposition Labour Party announcing that they would change the liability for corporate criminality (changing the ‘identification’ principle) and would bring in a new strict liability offence relating to failing to prevent fraud. The European Commission proposed and implemented two legislative initiatives to upgrade rules governing digital services in the EU, the Digital Services Act (DSA) and the Digital Markets Act (DMA). These will have an impact on the larger corporates, primarily focusing on those from North America.

Efforts are global – for example, on 30 March 2022 Japan introduced legislation to set up a new office and a special investigation team of the National Police Agency to deal with serious cybercrime cases. With national jurisdiction, a 200-member cybercrime investigation team will deal with serious cases such as attacks on national and local government as well as critical infrastructure. In December 2022, China’s first telecom and online fraud law came into effect, aiming to combat scammers that have long swindled people and caused huge financial losses. One aspect of fraud monetisation is also being reviewed by many governments, with the Turkish government suspending a cryptocurrency exchange and freezing more than $2 billion in assets, and with new initiatives across Australia and Europe.

Synthetic data

Synthetic data is generated programmatically; it relies on highly skilled computer scientists with expertise in deep and machine learning models. Synthetic data is annotated information that computer simulations or algorithms generate to reflect real-world data. Synthetic data is artificial, but is based on data that is real, which enables it to be used to assess models, algorithms, risk assessments and other corporate compliance requirements, without compromising the real data on which it is based. It can also be transferred to draw real-life conclusions across organisations without fear of any impact from data breaches (as it cannot be linked back to real people).

The UK Financial Conduct Authority (FCA) has identified that sufficient access to personal and non-personal data remains a key challenge for businesses of all sizes and sectors seeking to innovate, particularly SMEs. This is especially the case for the development of new products and services such as digital identity, which deploy artificial intelligence (AI) and tend to depend on large volumes of high-quality data to train algorithms that can deliver fair and ethical outcomes – for example, digital identity datasets. The FCA has shown a keen interest in how synthetic data can be used to draw conclusions and comply with due diligence requirements, while protecting the original data.

Synthetic data can also help to address the challenge of a paucity of data access while assisting to stimulate innovation and competition in markets, such as financial services. As a synthetic data source, reflective of the real data, algorithms and machine learning can demonstrate data sources relatively accurately, so that companies can draw insightful conclusions. But the call for input also raises ethical considerations on the use of synthetic data, as well as the role regulators can play in governing and encouraging its widespread use.

It certainly offers a promising way to address the tension between innovation and privacy, which is another key barrier to data sharing. Other steps, like Privacy Enhancing Technologies (PETs), are expected to play a fundamental part in balancing the innovation/privacy dimension. As the FCA explores the use of synthetic data in the financial services industry, it is vital that key findings and outputs from the consultation are shared with the Digital Regulation Cooperation Forum (DRCF) to ensure a collaborative approach and culture of knowledge sharing between regulators on this burgeoning topic.

Corporate criminal liability changes

In the year to September 2020, with caution for inaccuracies in the data, there were over 5,000 convictions of non-natural persons for corporate criminal liability, representing around 0.6% of all convictions. Many of these were for strict or absolute liability offences, such as breaches of environmental or trading regulations (or the ‘Failure to Prevent Bribery’ offence), which are often created with corporations in mind. But companies can commit offences with fault elements, which typically have been created with respect to natural persons.

The ‘identification doctrine’ is the central tenet of criminal liability in the context of corporations. This provides that a company will generally only be liable for the conduct of a person who had the status and authority to constitute the company’s ‘directing mind and will’. Offences of strict liability are used to circumvent this principle.

A 2022 Consultation by the UK Law Commission saw specific changes proposed to prosecuting corporate criminal liability,[2] with a focus on corporate manslaughter liability.[3] Essentially, this would allow conduct to be attributed to a corporation if a member of its senior management engaged in, consented to, or connived in the offence. As someone who used to prosecute corporate manslaughter offences, I believe that this could make a tremendous difference to the way corporates are held liable. A company could be liable if a head of department or division engaged in economic crime, even if the actual role of the individual in the company overall was relatively junior. 

Additionally, having considered a general economic crime strict liability offence, the Law Commission’s recommendation was against a general ‘failure to prevent economic crime’. It pushed instead for a ‘failure to prevent fraud’ offence and recommended that it should, at least for now, be limited to a narrow set of core fraud offences.

Transparency

In the UK, the implications of last year’s Economic Crime (Transparency and Enforcement) Act 2022 will be worth watching. The Act addresses three main issues: the registration of overseas entities with interests in UK land and their beneficial owners; changes to the unexplained wealth order regime; and sanctions. The register of overseas entities is intended to be a publicly available register which identifies the beneficial owners of overseas entities which hold property in the UK. In light of Russia’s invasion of Ukraine, in particular, prosecutions under this Act are likely to be of some interest.

However, it should be noted that Europe’s plans to follow this key transparency requirement, which is generally accepted to be an important initiative in the fight against financial crime, will now be limited. On 22 November 2022, the European Court of Justice ruled that public access to the registers of beneficial owners of companies in EU member states is no longer valid and it even struck down the requirement in MiFID regulations. Luxembourg and the Netherlands immediately closed their public beneficial ownership registers.

Blockchain and cryptocurrency

Blockchain and crypto in the regulatory and compliance space remains a fascinating topic. Some of the key issues for the year ahead are as follows. 

  • Aligning the geographic and sectoral evolution of the regulatory landscape around digital cryptographic protocols and processes for the flow of data and assets.
  • Issues around compliance programme integration, for instance, blockchain and crypto that permits more instant unmonitored transactions beyond local borders and currency.
  • Using blockchain as part of an anti-bribery and corruption (ABC) programme; in Kroll’s 2022 Anti-Bribery and Corruption report, 52% of respondents said that they are planning to use it in their firms; some of the 48% of respondents worldwide who are not were unsure of how to apply it within their organisation’s ABC programmes.
  • For a number of years now the Middle East has been categorised as a developing crypto hub; the United Arab Emirates (UAE), for instance, has helped facilitate growth in this area, and issued blockchain strategies, including a 2021 blueprint to transition half of all government transactions onto the blockchain.
  • Caution remains, however. The environmental impact of blockchain due to energy usage and carbon footprint, difficulty in complying, a lack of understanding and other perceived challenges may well explain why blockchain technology is not being deployed at a faster pace among companies and ABC and risk professionals worldwide.

Ransomware attacks & crypto frauds

It is worth taking a moment to consider these frauds before we conclude, as they are sure to proliferate in 2023. A ransomware attack is where hackers gain access to a computer or its data, prevent the owner from accessing their computer/data, and demand a ransom in return for access.

A company making a ransom payment incurs a risk that the funds will be used to commit a crime, including a sanction violation. Unless it proves it had to make the payment under duress and its conduct was a reasonable response to the threat, it may be liable for money laundering offences, as is the case in Australia.

Illegitimate cryptocurrency operators and frauds also abound. One example is the cryptocurrency based OneCoin Ponzi pyramid scheme which raised $4 billion from 2014 to 2016, even though it had no blockchain model or payment system. Another such scheme, Argyle Coin, claiming to be backed in diamonds, was halted in 2019 by the US Securities and Exchange Commission (SEC) after it stole funds worth $30 million from 300 investors. That similar frauds will be uncovered in 2023 seems most likely.

Finally, we should return to the economic downturn the world is experiencing. It is a sad, but honest, indictment of society that, with surging inflation, high energy prices, rising costs and reduced living standards, previous experience has demonstrated that economic crime will undoubtedly follow as people supplement legitimate income. How this will impact companies directly is probably for a separate article altogether.

_________________________________________________________________

References:

[1] UK Finance Annual Fraud Report 2022

[2] Law Commission, Corporate Criminal Liability, 2022: https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/2022/06/Summary-Corporate-Criminal-Liability-Options-Paper_LC.pdf – accessed January 2023

[3] Criminal Prosecution Service, ‘Corporate Manslaughter’, 16 July 2018: https://www.cps.gov.uk/legal-guidance/corporate-manslaughter – accessed January 2023