Last month, I considered the key risks and trends that the compliance profession was likely to encounter in 2023. I conclude this exercise in horizon scanning below with a look at some of the other pertinent opportunities and threats that are emerging as the year gets underway in earnest.
Scams And Corruption
Scams are a perennial problem, but new technology has spawned fresh concerns which are certain to spread in 2023. Some 4.72 billion people now use the Internet (60.1% of the global population), spending on average nearly 7 hours every day online; concurrently, economies are digitalizing at a dizzying rate. With such enormous figures come unprecedented opportunities for fraudsters.
An estimated 293 million scam reports were filed, and $55.3 billion was lost in scams worldwide in 2021, with the number of reported scams increasing by 10.2%, from 266 million in 2020 to 293 million in 2021. The amount of money lost in scams also grew 15.7%, from $47.8 billion in 2020 to $55.3 billion in 2021, mainly due to a rise in investment scams.
A Global Problem
The problem is not limited to one country or region. According to the Australian Competition & Consumer Authority, 96% of Australians have been exposed to a scam in the last five years, with half of these contacted weekly or daily by scammers. In France, 61% of people were exposed to ‘alternative’ investment offers last year, while in the UK, 50% of survey respondents reported receiving an email, text, or social media message that may have been phishing in one month.
Elsewhere, in Brazil, the introduction of a new, easy-to-use mobile payment method called Pix led to an influx of scams in 2020/2021. In Nigeria, meanwhile, the number of transactions via mobile channels increased by 164% in 2021. As a result, mobile scams have boomed and are likely to continue to do so.
Some 62% of Saudi Arabian consumers received spam and scam messages in 2021, mainly on their mobiles; 14% admitted that they fell for the scam and lost money. In South Africa, two huge data breaches led to a wave of phishing attacks. In Indonesia, meanwhile, came reports that 25% of its citizens had fallen victim to online fraud, making it the second-largest reported crime in the country.
In North America, Canada identified that investment scams were one of the fastest growing types of online fraud, from 501 reports and C$16.5 million lost in 2020 to 3,442 reports and C$164 million in 2021. Similarly, the US reported a loss of $575 million in investment scams. And in Singapore, an unwelcome record was attained: reports of the largest amount taken in a single case, $6.4 million.
Global fraud in 2021 was estimated to be equivalent to 6.4% of global GDP, equating to £4.37 trillion. In the UK, fraud losses stood at £137 billion, with a 19.8% increase due to COVID-19. These sobering figures reveal the depth of criminal enterprise, the extent of their potential rewards, and the staggering size of the threat posed to the public.
The largest single-increasing fraud vector is authorized push payment scams, which totaled £583.2 million in 2021.[1] The majority start with some type of social engineering alongside scam texts, phone calls, and emails. The victim is subjected to behavioral manipulation and is convinced by multiple sophisticated methods that a payment or access to data is being requested by a legitimate organization or person or for a good reason or cause. Understanding how fraud is perpetrated, and communicating to colleagues and the public the scale of potential losses, will be central to helping prevent it in the year ahead.
New Legislation and Regulatory Focus
Governments are now having to go on the offensive, so expect a raft of new legislation and regulatory focus to ‘encourage’ companies to manage fraud and scam risks. In the UK, the Online Safety Bill proposes a duty of care for organizations to manage and counter internal fraud, as well as a duty of care with regard to online advertising, which is a key source of investment scams. However, subject to government interest, there has been proposed a new online advertising series of regulations and legislation to counter scams, with the opposition Labour Party announcing that they would change the liability for corporate criminality (changing the ‘identification’ principle) and would bring in a new strict liability offense relating to failing to prevent fraud. The European Commission proposed and implemented two legislative initiatives to upgrade rules governing digital services in the EU, the Digital Services Act (DSA) and the Digital Markets Act (DMA). These will have an impact on the larger corporates, primarily focusing on those from North America.
Efforts are global – for example, on 30 March 2022, Japan introduced legislation to set up a new office and a special investigation team of the National Police Agency to deal with serious cybercrime cases. With national jurisdiction, a 200-member cybercrime investigation team will deal with serious cases such as attacks on national and local government as well as critical infrastructure. In December 2022, China’s first telecom and online fraud law came into effect, aiming to combat scammers that have long swindled people and resulted in huge financial losses. One aspect of fraud monetization is also being reviewed by many governments, with the Turkish government suspending a cryptocurrency exchange, freezing more than $2 billion in assets and new initiatives across Australia and Europe.
Synthetic Data
Synthetic data is generated programmatically; it relies on highly skilled computer scientists with expertise in deep and machine learning models. Synthetic data is annotated information that computer simulations or algorithms generate to reflect real-world data. Synthetic data is artificial but is based on data that is real, enabling it to be used to assess models, algorithms, risk assessments, and other corporate compliance requirements, without compromising the real data on which it is based. It can also be transferred to draw real-life conclusions across organizations without fear of any impact from data breaches (as it cannot be linked back to real people).
The UK Financial Conduct Authority (FCA) has identified that sufficient access to personal and non-personal data remains a key challenge for businesses of all sizes and sectors seeking to innovate, particularly SMEs. This is especially the case for developing new products and services such as digital identity, which deploy artificial intelligence (AI) and tend to depend on large volumes of high-quality data to train algorithms that can deliver fair and ethical outcomes – for example, digital identity datasets. The FCA has shown a keen interest in how synthetic data can be used to draw conclusions and comply with due diligence requirements while protecting the original data.
Innovation and Competition in Markets
Synthetic data can also help to address the challenge of a lack of data access while assisting to stimulate innovation and competition in markets, such as financial services. As a synthetic data source, reflective of the real data, algorithms, and machine learning can demonstrate data sources relatively accurately, so that companies can draw insightful conclusions. But the call for input also raises ethical considerations on the use of synthetic data, and the role regulators can play in governing and encouraging its widespread use.
It certainly offers a promising way to address the tension between innovation and privacy, which is another key barrier to data sharing. Other steps, like Privacy Enhancing Technologies (PETs), are expected to play a fundamental part in balancing the innovation/privacy dimension. As the FCA explores the use of synthetic data in the financial services industry, it is vital that key findings and outputs from the consultation are shared with the Digital Regulation Cooperation Forum (DRCF) to ensure a collaborative approach and culture of knowledge sharing between regulators on this burgeoning topic.
Corporate Criminal Liability Changes
In the year to September 2020, with caution for inaccuracies in the data, there were over 5,000 convictions of non-natural persons for corporate criminal liability, representing around 0.6% of all convictions. Many of these were for strict or absolute liability offenses, such as breaches of environmental or trading regulations (or the ‘Failure to Prevent Bribery’ offense), which are often created with corporations in mind. But companies can commit offenses with fault elements, which typically have been created with respect to natural persons.
The ‘identification doctrine’ is the central tenet of criminal liability in the context of corporations. This provides that a company will generally only be liable for the conduct of a person with the status and authority to constitute the company’s ‘directing mind and will.’ Offenses of strict liability are used to circumvent this Principle.
A 2022 Consultation by the UK Law Commission saw specific changes proposed to prosecuting corporate criminal liability [2], focusing on corporate manslaughter liability.[3] Essentially, this would allow conduct to be attributed to a corporation if a member of its senior management engaged in, consented to, or connived in the offense. As someone who used to prosecute corporate manslaughter offenses, I believe this could make a tremendous difference in the way corporates are held liable. A company could be liable if a head of a department or division engaged in economic crime, even if the actual role of the individual in the company overall was relatively junior.
Additionally, having considered a general economic crime strict liability offense, the Law Commission’s recommendation was against a general ‘failure to prevent economic crime.’ It pushed instead for a ‘failure to prevent fraud’ offense and recommended that it should, at least for now, be limited to a narrow set of core fraud offenses.
Transparency
The implications of last year’s Economic Crime (Transparency and Enforcement) Act 2022 will be worth watching in the UK. The Act addresses three main issues: the registration of overseas entities with interests in UK land and their beneficial owners, changes to the unexplained wealth order regime, and sanctions. The new register of overseas entities is intended to be a publicly available register that identifies the beneficial owners of overseas entities which hold property in the UK. In light of Russia’s invasion of Ukraine, in particular, prosecutions under this Act are likely to be of some interest.
However, it should be noted that Europe’s plans to follow this key transparency requirement, generally accepted as an important initiative in the fight against financial crime, will now be limited. On 22 November 2022, the European Court of Justice ruled that public access to the registers of beneficial owners of companies in EU member states is no longer valid. It even struck down the requirement in MiFID regulations. Luxembourg and the Netherlands immediately closed their public beneficial ownership registers.
Blockchain and Cryptocurrency
Blockchain and crypto in the regulatory and compliance space remain fascinating topics. Some of the key issues for the year ahead are as follows.
- Aligning the geographic and sectoral evolution of the regulatory landscape around digital cryptographic protocols and processes for the flow of data and assets.
- Issues around compliance program integration, for instance, blockchain and crypto, permit more instant unmonitored transactions beyond local borders and currency.
- Using blockchain as part of an anti-bribery and corruption (ABC) program; in Kroll’s 2022 Anti-Bribery and Corruption report, 52% of respondents said that they are planning to use it in their firms; some of the 48% of respondents worldwide who are not were unsure of how to apply it within their organization’s ABC programs.
- For a number of years now, the Middle East has been categorized as a developing crypto hub; the United Arab Emirates (UAE), for instance, has helped facilitate growth in this area and issued blockchain strategies, including a 2021 blueprint to transition half of all government transactions onto the blockchain.
- Caution remains, however. The environmental impact of blockchain due to energy usage and carbon footprint, difficulty to comply, a lack of understanding, and other perceived challenges may well explain why blockchain technology is not being deployed faster among companies and ABC and risk professionals worldwide.
Ransomware Attacks And Crypto Frauds
It is worth taking a moment to consider these frauds before we conclude, as they are sure to increase in 2023. In a ransomware attack hackers gain access to a computer or its data, prevent the owner from accessing their computer/data, and demand a ransom in return for access.
A company making a ransom payment incurs a risk that the funds will be used to commit a crime, including a sanction violation. Unless it proves it had to make the payment under duress and its conduct was a reasonable response to the threat, it may be liable for money laundering offenses, as is the case in Australia.
Crypto Frauds are Everywhere
Illegitimate cryptocurrency operators and frauds also abound. One example is the cryptocurrency-based OneCoin Ponzi pyramid scheme which raised $4 billion from 2014 to 2016, even though it had no blockchain model or payment system. Another such scheme, Argyle Coin, claiming to be backed in diamonds, was halted in 2019 by the US Securities and Exchange Commission (SEC) after it stole funds worth $30 million from 300 investors. That similar fraud will be uncovered in 2023 seems most likely.
Finally, we should return to the economic downturn the world is experiencing. It is a sad, but honest indictment of society. Still with surging inflation, high energy prices, rising costs, and reduced living standards, previous experience has demonstrated that economic crime will undoubtedly follow as people supplement legitimate income. How this will impact companies directly, is probably for a separate article altogether.
This article was first published by the International Compliance Association (ICA), the leading professional body for the global regulatory and financial crime compliance community. For more information on the benefits of becoming an ICA member, including access to the ICA’s complete content library of articles, videos, podcasts, blogs, and e-books, visit: Become an ICA Member – Application Form (int-comp.org)
About the author
Gaon Hart is experienced in developing Parliamentary and regulatory relationships as a renowned expert in designing, developing, and implementing global corporate compliance programs. He has recently been Head of Public Policy in the economic crime arena for Amazon, covering UK & Ireland, and prior to that, he was Head of Global Anti-Bribery & Corruption Advisory, Policy & Training for HSBC Bank, designing and implementing a global anti-corruption program from scratch covering 64 countries and 230,000 staff. These roles led from his experience as a Senior Crown Advocate with the Special Crime & Counterterrorism Division of the CPS, where he was seconded to the Attorney-General’s Office, acting as Lead Solicitor for the Government’s 2006 Fraud Review change program, developing the UK counter-fraud architecture that still exists today.
Publicly, he represented the UK at GRECO, UNCAC, and at an EU Mission to Romania, was Co-Chair of the UK Finance Anti-Bribery & Corruption Committee, advised the UN on their report, ‘Bankrupting the Business of Human Trafficking,’ co-authored the UK Finance definitive guide to the ‘Definition of Public Official’ and undertook multiple public engagements including appearing before a Parliamentary Treasury Select Committee on behalf of Amazon.
Gaon is currently also a Non-Executive Director for the NHS Counter-Fraud Authority and Managing Director of Legal Advisory Worldwide (a boutique legal consultancy company).
References
[1] UK Finance Annual Fraud Report 2022
[2] Law Commission, Corporate Criminal Liability, 2022
[3] Criminal Prosecution Service, ‘Corporate Manslaughter’, 16 July 2018