Published in: Economy & Finance, Business

  1. 1. Fighting Economic Crime in the Financial Services sector: Financial Services sector analysis of our sixth Global Economic Crime Survey
  2. 2. Contents
     • About the report
     • Key highlights
     • Cybercrime – protecting against the growing threat
     • Fraud – avoiding complacency
     • Conclusion
     • Contacts
  3. 3. About the report

     We are pleased to present the Financial Services[1] (“FS”) sector report from the results of PwC’s sixth Global Economic Crime Survey, one of the most comprehensive studies of economic crime in the business world. The focus of our current survey is the growing threat of cybercrime, considering the significance and impact of this form of economic crime and the way in which it affects organisations globally.

     The last two years have continued to be characterised by economic uncertainty. Our survey examines the current fraud landscape against this background, taking a closer look at what new frauds are emerging and who is committing them.

     “People are highly motivated by fear of losing economic and social status relative to others (and sometimes in absolute terms too). Therefore, when times become harder, those who do not have strong ethical standards or fear being shamed, are more likely to commit frauds” – The Australian Institute of Criminology.

     Furthermore, in this report we turn the spotlight onto the global trend of increased regulatory interest in fighting economic crime and associated pressures on FS organisations to have robust preventative and detective controls in place.

     Our survey data of 3,877 responses spanning across 78 countries allows us to dig deeper and analyse the results by industry. The FS sector represented 23% of our overall survey population with 878 respondents from 56 countries. Respondents were asked a number of ‘core’ questions on economic crime in general, to enable us to detect long term trends, as well as questions specifically relating to cybercrime. Our findings provide some action points for those FS organisations who may no longer be achieving best practice.

     45% of Financial Services organisations have suffered frauds in the last 12 months

     [1] Financial Services: Including retail and investment banking, insurance, investment management, stock broking and private equity.
Financial Services report – Global Economic Crime Survey 1
  4. 4. Key highlights

     The Facts:
     • The FS industry continues to be the fraudsters’ target of choice, primarily for asset misappropriation[2]
     • 45% of FS organisations have suffered frauds in the last 12 months compared to 30% in other industries
     • Cybercrime is the 2nd most commonly reported type of economic crime for FS organisations
     • Nearly a third of staff in FS organisations have not received any cyber security related training
     • External fraud remains the principal threat for FS organisations, but internal fraud is catching up
     • The percentage of frauds where senior management are involved has seen a 50% increase in the last 2 years
     • 1 in 5 of FS organisations failed to carry out a fraud risk assessment in the last 12 months
     • Whistleblowing mechanisms are underused and under promoted by FS organisations

     How to protect your organisation against economic crime:
     • Cyber security should be embedded into the business and the risks fully defined and understood
     • A fully defined cyber crisis response plan to protect against financial and non-financial loss should be in place
     • Senior management need to proactively lead in the fight against economic crime
     • More regular fraud risk assessments should be conducted to identify ever changing economic crime risks
     • Whistleblowing mechanisms should be promoted and supported

     [2] Asset misappropriation (including embezzlement/deception by employees): The theft of assets (including monetary assets/cash or supplies and equipment) by directors, others in fiduciary positions or an employee for their own benefit.

     PricewaterhouseCoopers LLP
  5. 5. Cybercrime – protecting against the growing threat

     Cybercrime is a growing threat in a world where most individuals and organisations rely upon the Internet and connected technologies, opening themselves up to the risk of attack from global criminals from anywhere in the world. Against a background of rising incidents of data losses and theft, pharming, phishing, computer viruses and hacking, our survey scrutinised the significance and impact of this type of economic crime and the way in which it affects organisations worldwide.

     Perhaps the biggest challenge when assessing cybercrime risks is the lack of any globally agreed definition; the same event might be categorised as “industrial espionage”, “IP theft” as well as “cybercrime”. For the purposes of this survey we have defined cybercrime as:

     “An economic crime committed using computers and the internet. It includes distributing viruses, illegally downloading files, phishing and pharming, and stealing personal information like bank details. It’s only a cybercrime if a computer, or computers, and the internet play a central role in the crime, and not an incidental one.”[3]

     Whilst cybercrime isn’t that new for the FS sector, it is a particularly prevalent issue for FS respondents in comparison to other industry sectors and one that puts its customers, brand and reputation at significant risk. Regulators are increasingly viewing cybercrime as a key area of focus. FS organisations are expected to have appropriate systems and controls in place to fight the growing threat of cybercrime. For example, in the UK the Financial Services Authority (“FSA”) has included “Data Security” within its top economic crime risks for some time. At a recent conference in China[4], Premier Wen Jiabao stated that the nation needed to put more emphasis on the fight against cybercrime.

     Cybercrime accounted for 38% of economic crime incidents for Financial Services organisations.

     [3] As defined in our 2011 Global Economic Crime Survey (PwC in conjunction with our survey academic partner, Professor Peter Sommer.)
     [4] The Fourth National Conference on Financial Work held in Beijing, January 2012.
  6. 6. FS respondents reported cybercrime as the second most common type of economic crime experienced by their organisations in the last 12 months, after asset misappropriation (see figure 1). Cybercrime accounted for 38% of economic crime incidents for FS organisations, compared to 16% for other industries. This is not wholly surprising as the FS sector holds large volumes of the type of data cyber criminals are interested in and there is an established underground economy servicing the needs of the market for stolen and compromised data.

     Whilst FS organisations have historically taken significant steps to control their customers’ data (e.g. call centre protocols, disabling computer ports, two factor identification for internet access etc) they are nevertheless concerned about the growing threat. Half of FS respondents perceive the risk of cybercrime to have increased in the last 12 months, compared with 36% for other industries. Some of the developing technologies such as using ‘Apps’ to access banking services and mobile phones to make payments are likely to increase, rather than decrease these risks.

     Where is the threat of cybercrime coming from?

     FS respondents predominantly see cybercrime as an external threat, although historically FS organisations have reported that staff have been targeted by criminal gangs seeking data and that ‘sleepers’ have been placed by criminal gangs into organisations to gain access to data. The perception of cybercrime therefore continues to evolve and many organisations also recognise the threat of internal cybercrime.

     FS respondents believe that the risk of cybercrime is lowest within the HR (13%) and legal departments (7%), which is consistent with our Global survey results (see the “Other Industries” column in figure 2). However, the sensitive information held within HR systems can be of interest to fraudsters as well as customer data. FS organisations should recognise that the internal threat can come from anywhere within the organisation and should not be considered as solely an IT risk.

     FS organisations need to consider who is responsible for tackling cybercrime, assess where the growing and evolving threat is coming from and respond appropriately to any cybercrime incidents. They need to have a holistic and integrated response. Seeing this as an IT risk and not a financial crime risk is likely to lead to an inefficient and incomplete response to the risk.

     Figure 1: Top 5 types of economic crime experienced in the last 12 months in the FS sector (% reported frauds, 2011 / 2009)
     • Asset misappropriation: 67 / 59
     • Cybercrime: 38 / 0
     • Accounting fraud: 26 / 19
     • Money Laundering: 24 / 28
     • Bribery and corruption: 16 / 19

     Figure 2: Internal departments perceived to present the biggest cybercrime risk (FS / Other industries)
     1. IT: 63% / 49%
     2. Operations: 47% / 37%
     3. Finance: 39% / 30%
     4. Sales and Marketing: 33% / 34%
     5. Physical/information security: 31% / 23%
     6. Senior exec/board level: 19% / 16%
     7. HR: 13% / 15%
     8. Legal: 7% / 8%
  7. 7. What concerns do organisations have about cybercrime?

     We asked organisations what aspects of cybercrime they were most concerned about. Figure 3 shows that FS respondents have a greater concern around all of the categories of collateral damage listed when compared to other industries. This is not unexpected given the higher risks within the FS sector. The greatest concern raised by FS respondents was around reputational damage, with more than half expressing concern. This is understandable given the impact that negative media can have on the perception of a brand.

     Figure 3: Collateral damage concerns (% all respondents, FS / Other industries)
     • Reputational damage: 54 / 36
     • Theft/loss of personal identifiable information: 49 / 32
     • IP theft: 41 / 33
     • Service disruption: 40 / 32
     • Actual financial loss: 39 / 28
     • Regulatory risks: 32 / 19
     • Cost of investigation: 21 / 17

     How prepared are organisations in responding to incidents of cybercrime?

     When a cybercrime incident occurs, the first few hours are crucial. It is particularly important to react quickly and decisively, as the consequences of not doing so can be severe in terms of both financial and non-financial damage.

     We expected most FS organisations to have cybercrime incident response mechanisms in place. To our surprise, only 18% of FS respondents said that they had in place all five measures specified in our survey (see figure 4 for details on these measures).

     It appears that some FS organisations are complacent about the risks that cybercrime poses, in spite of serious concerns about potential damage arising from cyber threats. However, our survey results highlight that the FS sector is slightly better placed when compared to other industries. Figure 4 shows that over half of FS respondents have a media and PR management plan in place, nearly two thirds have shut down procedures in place, and over two thirds have an in-house capability to prevent and detect cybercrime.

     Figure 4: Cybercrime incident response mechanisms (% all respondents, FS / Other industries)
     • In-house capabilities to prevent and detect cybercrime: 69 / 57
     • Shut down procedures: 63 / 51
     • Media & PR management plan: 53 / 41
     • In house capabilities to investigate cybercrime: 51 / 37
     • Access to forensic technology investigators: 45 / 37
     • Other: 17 / 23
  8. 8. Who should be taking ownership for preventing cybercrime?

     Our survey results show that FS respondents see cybercrime as predominantly an IT issue. This mirrors the results for other industries. In our view, overall responsibility for managing cybercrime risks rests with senior management. It is therefore essential that senior management understand the potential risks and opportunities that the cyber world can present and ensure that there is clear accountability and responsibility within the organisation for dealing with these risks and opportunities. It is also essential that the responsibilities go across business lines and operations so that cybercrime is seen as a holistic corporate responsibility and not just an ‘IT’ problem.

     FS organisations have placed significant emphasis on cyber security related training and awareness programmes. Only 29% of FS respondents didn’t receive cyber security training compared to 46% for other industries (see figure 5). This statistic is encouraging and suggests that FS organisations are being proactive. However, a lot more could be done. That nearly a third of staff in FS organisations have not received any cyber security related training is a significant concern. This is heightened by the ambiguity around the definition of cybercrime and general lack of clarity around responsibilities for managing cybercrime risks. It is important for FS organisations to ensure that staff and senior management understand cybercrime concerns and are equipped to tackle day-to-day cyber security as well as any crises.

     Figure 5: Cyber security awareness training received (% all respondents, FS / Other industries)
     • Email announcements/posters/banners: 50 / 37
     • Human-based events (Presentations/team meetings/workshops, etc.): 34 / 22
     • Computer based training: 30 / 19
     • None: 29 / 46
  9. 9. Fraud – avoiding complacency

     The FS sector has always been a target for fraudsters. It continues to remain very attractive due to the significant amount of cash, assets and sensitive client data that is available to them as well as the nature of the industry. 45% of FS respondents suffered frauds in the last 12 months. This is a much higher figure compared to the fraud levels reported by other industries (30%). This may be because the FS industry has extensive controls for identifying external frauds perpetrated against it, as well as enhanced second and third line testing. This may also be due to having defined and extensive internal controls which mitigate the risks and assist in detection.

     What are Financial Services organisations’ experiences of economic crime?

     Figure 1 (page 4) shows the top 5 types of economic crime experienced by FS respondents in the last 12 months. Asset misappropriation and accounting fraud continue to rise in the FS sector. As highlighted earlier in this report, cybercrime has emerged as the second most common type of economic crime.

     The rise in accounting fraud from 19% in 2009 to 26% in 2011 differs to other industries where it fell significantly from 38% in 2009 to 22% in 2011. The decline could be explained by stricter controls being implemented by organisations, stricter penalties being faced by staff, and greater opportunities for fraud to go undetected and therefore unreported. The FS sector’s increase in accounting fraud may be partly due to greater incentives for staff to hit targets, together with other factors such as personal pride in being seen as a success and meeting a myriad of stakeholders’ expectations.

     Money laundering remains a significant economic crime for the FS sector at 24% (3% for other industries) and bribery and corruption remains in the top 5 types of economic crime for the FS sector at 16% (27% for other industries). Interestingly, both money laundering and bribery and corruption as types of reported economic crime have decreased slightly since our 2009 survey. This could be due to stronger preventative controls being in place.

     FS organisations have historically needed to maintain strong systems and controls in order to prevent money laundering. Whilst the slight decline in money laundering and bribery and corruption could be attributed to organisations following regulatory requirements and implementing suitable systems and controls, it is clear that both types of economic crime remain significant risks for the FS sector.

     “The risks arising from any abuse of the financial system for money laundering purposes apply equally if criminals seek to embroil it in the financing of terrorism or in acts of fraud. It is therefore especially important that financial institutions do their utmost to combat and prevent such crimes” – BaFin, the German Financial Services regulator.

     The Financial Services sector remains the fraudsters’ target of choice.
  10. 10. Should Anti-Bribery and Corruption be a key concern?

     There is a general misconception that the FS sector has been less impacted by bribery and corruption. Our survey shows that this is not the case. Bribery and corruption is in the top 5 types of economic crime experienced in the last 12 months. The plethora of global bribery and corruption laws, including the US Foreign Corrupt Practices Act (“FCPA”), UK’s Bribery Act and Canadian Corruption of Foreign Public Officials Act means that FS organisations need to consider how they could be impacted by bribery and corruption and how they can mitigate their risks.

     Regulatory interest is increasing and there are likely to be more regulatory penalties for anti-bribery and corruption failings. Recent examples include FCPA settlements with Siemens (USD 800m) and Daimler (USD 185m), and two fines by the UK’s FSA against Willis Limited (£7m) and Aon (£5m). However, it needs to be recognised that enforcement levels of bribery and corruption laws will vary by jurisdiction.

     Who’s committing fraud?

     The FS sector is typically seen to be targeted by external fraudsters and our survey results substantiate this. However, there has been a significant reduction from 71% to 60% in externally perpetrated frauds since our 2009 survey. This shift suggests that better controls may be in place or that different types of external fraud are not being detected.

     There has been a 50% increase in senior management fraud in FS organisations (12% in 2009 to 18% in 2011). This suggests that the “tone at the top” and overall senior management attitude to fighting fraud is worsening, and presents an increasing challenge for Non Executive Board members. This could have a detrimental impact on an organisation’s ongoing ability to prevent and detect fraud.

     Figure 6 shows that the main perpetrators of external fraud over the last 12 months are still considered to be an organisation’s customers (44%). This has fallen significantly since our 2009 survey (55%), with a corresponding rise in FS respondents stating ‘other’ or ‘don’t know’. This may be a result of the increase in cybercrime, where the crime is not usually perpetrated by the customer against the FS organisation, but rather by a criminal against the customer and the FS organisation. This could be either through account takeover, siphoning off money, or by stealing the customer’s data and using it to impersonate the customer, or selling the data so that others may impersonate the customer. It also suggests that organisations might not be conducting thorough investigations to actually identify the perpetrators of fraud.

     Figure 6: Main perpetrators of external fraud in last 12 months for FS organisations (% reported frauds, 2011 / 2009)
     • Customer: 44 / 55
     • Agents/Intermediaries: 18 / 17
     • Vendor: 3 / 4
     • Other: 20 / 21
     • Don’t know: 15 / 3

     There has been a 50% increase in senior management fraud in FS organisations.
  11. 11. How do organisations detect economic crime?

     We have seen a correlation between the frequency of fraud risk assessments (“FRAs”) and the extent of reported frauds across all industries. This indicates that organisations which perform FRAs at least once or more a year are able to detect more frauds and therefore report more economic crime.

     Our survey shows that the most effective detection method in the FS sector was fraud risk management. 21% of all frauds reported by FS respondents were detected by fraud risk management (see figure 7), of which FRAs are a key activity. This clearly shows the importance of FRAs in fighting fraud.

     Our survey also shows that FS organisations have performed FRAs more often when compared with other industries. This could explain why the FS sector has reported higher levels of fraud (45% compared to 30% for other industries). One other possible reason for the high levels of fraud being reported by the FS sector is that a proper risk assessment process was in place during the last 12 months, which enabled more fraud to be detected.

     However, 1 in 5 FS respondents hadn’t performed an FRA during the last 12 months. If they had done so we could have seen a much higher level of economic crime.

     When asked why no FRA was performed, 36% of FS respondents weren’t sure what a FRA actually involved (compared with 29% of other industry respondents). This lack of awareness is of real concern, particularly the FS sector has traditionally been seen as stronger than other industries in carrying out FRAs. It is clear that a number of FS organisations need to raise their game when it comes to assessing and identifying the risks and costs associated with economic crime.

     The second most effective detection method reported by FS respondents was suspicious transaction reporting, which has increased significantly as a detection method from 7% in 2009 to 19% in 2011. Whilst this is consistent with other industries it is a little surprising that the figures were so low in 2009. FS organisations have used suspicious transaction reporting for many years, primarily for money laundering reporting purposes. Reports are usually made to external authorities without knowing what actual crime has been committed and FS organisations tend to use the reporting framework to comply with regulatory reporting requirements. Organisations should invest in their systems and ensure that the parameters they set for detecting potential suspicious activity are appropriate. This will help ensure that staff resources are effectively utilised and results quickly analysed.

     “Recent statistics show that financial institutions are particularly vulnerable from within, when criminals use existing channels and systems to defraud these institutions, or use them to launder the proceeds of crime. Effective controls such as transaction monitoring can help institutions to protect themselves and their customers against such However, this also places an obligation on regulators to ensure that the necessary controls have been put in place to limit these risks” – Murray Michell, Director of the South African Financial Intelligence Centre.

     Figure 7: Detection methods of economic crime (% all respondents; series: 2011, 2009, Other industries). Methods shown: Corporate control (fraud risk management, suspicious transaction reporting, internal audit, other); Corporate culture (tip-off (external), tip-off (internal), whistleblowing mechanism); Beyond the influence of management (by accident, by law enforcement/investigative media, other detection methods including don’t know).
  12. 12. Is whistleblowing underrated as a detection method?

     Figure 7 (page 9) shows that whistleblowing mechanisms have been generally ineffective in detecting economic crime.

     Some FS organisations dislike the term “whistleblowing” preferring to refer to a “Speak Up” procedure. We appreciate that there are sensitivities in this complex area but have used the term whistleblowing to cover all procedures of this type. Many FS organisations have whistleblowing mechanisms in place, but our survey results tell us that they have had limited success as a key detection mechanism and deterrent to fraud. Is this because:
     • Whistleblowing procedures are in place but have not been made effective via training and awareness programmes?
     • There is a “tone at the top” issue where senior management fail to show that they promote and respond to the use of whistleblower mechanisms?
     • In the past a whistleblower’s interests have not been protected, leading to a general lack of faith in the process?
     • There is a cultural resistance to ‘shopping’ a work colleague?

     One of the surprising facts of our survey is that 45% of FS respondents stated that their organisation did not employ a whistleblowing mechanism and 28% of FS respondents said their whistleblowing mechanism was either not effective or only slightly effective (see figure 8).

     There appears to be a lack of awareness amongst FS organisations in the potential effectiveness of whistleblowing mechanisms. Organisations could do a lot more in promoting, supporting and more effectively utilising them. This will need senior management commitment in order to be successful and reiterates the importance of having a strong “tone at the top” in the fight against economic crime. Even the best designed whistleblowing arrangements will not be effective unless they can be embedded within the wider culture of the organisation.

     Whistleblowing mechanisms should be an important tool in detecting many types of economic crime. Attitudes to whistleblowing will vary significantly between countries; hence management of global FS organisations must not assume that “one size fits all”. Five key milestones should be followed when developing an effective whistleblowing mechanism as follows:
     1. Gaining top level commitment;
     2. Developing a whistleblowing policy;
     3. Designing whistleblowing reporting mechanisms;
     4. Embedding a whistleblowing programme; and
     5. Reporting, monitoring and evaluating the whistleblowing arrangements.

     Figure 8: Effectiveness of a whistleblowing mechanism for FS organisations (categories: Very effective; Effective; Only slightly effective; Not effective; My organisation does not employ a whistleblowing mechanism).
  13. 13. Conclusion

     The FS sector continues to be a hugely attractive target for fraudsters. Our survey shows that traditional types of economic crime remain prevalent, however, it is significant that cybercrime has become the second most common type of economic crime reported. FS organisations are very concerned about the reputational damage that could arise from a cybercrime incident, but could do a lot more in being prepared. With the rapid changes in the delivery of banking and other financial services and the ever increasing reliance on technology for the delivery of those services, cyber security and cybercrime are risks that cannot be ignored. Having cyber security effectively embedded in your routine procedures and a cyber crisis response plan in place is vital.

     Whistleblowing appears underused as a detection method, which may be symptomatic of a wider “tone at the top” issue. The support and promotion of whistleblowing mechanisms must increase. This will also provide senior management with an opportunity to demonstrate their overall dedication to the fight against economic crime.

     FS organisations should consider the following 5 ways to protect their organisation against economic crime:
     1. Ensure that cyber security is embedded into the business and that the risks are fully defined and understood, and the impact of changing technologies in the market place are fully addressed and planned for.
     2. Ensure there is a fully defined cyber crisis response plan to protect against financial and non-financial loss and to mitigate the reputational risks associated with an incident.
     3. Ensure that senior management proactively take the lead in the fight against economic crime.
     4. Conduct more regular fraud risk assessments to identify ever changing economic crime risks.
     5. Promote and support the embedding of whistleblowing mechanisms.

     Senior management must be proactive in taking the lead in the fight against economic crime. The rapidly changing market place and delivery mechanisms, as well as the global regulatory environment and tougher enforcement actions make this essential. Senior management need to focus on both preventative and detective economic crime controls. They should ensure that fraud risk assessments regularly take place and that the approach taken addresses the risks. Making sure that there is a holistic approach across the FS organisation that is fully embedded and operating in business as usual processes is key. Economic crime and cyber security are not just a compliance or IT issue but are an important business issue that must be

     For those interested in the detailed methodology used in our survey, or the Global results, these can be found at:
  14. 14. Contacts

     If you would like to find out more about the information contained within this report, or to discuss any issues around economic crime and how our team can help you, please contact us:
     • Andrew P Clark, Partner, Europe, Middle East & Africa: +44 (0) 20 7804 5761
     • Christopher Cowin, Survey Project Manager, UK: +44 (0) 20 7212 6185
     • Steve Ingram, Partner, Asia Pacific: +61 (3) 8603 3676
     • Jeff Lavine, Partner, Americas: +1 (703) 918 1379

     Forensic Services

     The PwC forensic services network is comprised of forensic accountants, economists, statisticians, former regulators and law enforcement, fraud examiners, and forensic technologists. We help organisations tackle the major financial and reputational risks associated with economic crime. We identify financial irregularities, analyse complex business issues, and mitigate the future risk of fraud.
  15. 15. PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at

     publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

     © 2012 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.

     Design & Media – The Studio 21050 (03/12)