EY Fraud Investigation & Dispute Services (FIDS) announced top fraud and corruption trends for 2016, which include a dramatic rise in geopolitical instability and persistent cyber-attacks that are pushing organizations to be more vigilant about planning to guard against, and respond to, internal and external threat actors.
New guidance for prosecutors from the United States Department of Justice (DoJ) in the form of the Yates Memorandum, as well as the ongoing protection provided to whistleblowers, suggest that law enforcement and regulators will play a bigger role as an integrity gatekeeper. Meanwhile, renewed interest in data privacy in Europe is forcing organizations to revisit their strategies for information governance.
Brian Loughman, EY Americas FIDS Leader, commented, “The geopolitical risk facing companies is manifesting itself with increased exposure to bribery, fraud, cyber breaches, and terrorist financing. Companies are being confronted with risks on all fronts at the same time that their ability to invest in the compliance function is under pressure. Companies will need to stay vigilant, work harder at providing the right training to their employees, and focus more on monitoring risks proactively.”
EY FIDS identified these top trends that companies should address in their 2016 planning:
1. Preparing for the inevitable cyber breach. Cyber breaches will continue and recent destructive attack techniques will be adopted by hacktivists to drive their agenda. With more than one-third of global organizations still lacking confidence in their ability to detect sophisticated cyber-attacks, according to EY’s Global Information Security Survey, companies are looking to technology to reduce cybersecurity risks associated with both insider and external threats. ‘Cyber savvy’ companies and their boards are demanding more information about the specific threats they face, evaluating their resources, bolstering protection for critical assets, and preparing for incursions by advanced threat actors.
2. Focusing on the individual. As the United States Securities and Exchange Commission (SEC) and DoJ have continued to invest in specialized resources to combat fraud, bribery, and corruption, there is increased focus on the individual. While statutory safeguards exist to protect and motivate whistleblowers, the DoJ Yates Memorandum advances expectations for companies to fully identify all individuals who took part in corporate wrongdoing if they are to secure credit for cooperation with the authorities.
3. Data privacy and information sharing. The European Court of Justice recently invalidated the Safe Harbor Data Privacy regulation between the US and the European Union that enabled the movement of personal information across the Atlantic. In addition, the Cybersecurity Information Sharing Act passed the Senate and is close to being signed into law. If passed, corporations will be sharing information to help reduce cyber breaches and attacks, but will need to protect the data privacy of individuals using their systems. The ongoing focus on how personal information is handled internationally and how commercial information is shared between companies and the government during a cyber-breach investigation will drive companies to revisit their information governance strategies.
4. Sanctions and their commercial implications. As governments continue to enforce trade sanctions against individuals, companies and other governments, companies are left navigating a difficult regulatory compliance environment. They need to be vigilant about understanding risks posed by third parties and individuals, which are often masked by corporate structures and often involve the illicit drug trade or terrorist financing. Companies will need to build more robust local compliance teams and increase oversight and training.
In addition, there are special considerations for regulated industries.
• Specialty pharmacy and distributors should expect increased scrutiny. There will be greater examination of third-party relationships such as therapeutic and specialty pharmacy relationships. Pharma companies will need to be even more careful with service-based agreements and marketing/distribution contracts.
• Use of data analytics in monitoring will be on the rise. More companies will use sophisticated forensic data analytics to self-identify issues combined with Centers for Medicare & Medicaid Services open payment databases. Elements under investigation will include average payment per doctor.
• Economic challenges will impact compliance standards. The fall of oil prices has roiled the energy sector and geopolitical tensions are rising. These issues will challenge investment in compliance at all levels and companies operating in this segment will need to be thoughtful and vigilant about maintaining anti-bribery/anti-corruption compliance efforts. In addition to working with third parties, companies will need to be aware of insider threats posed by disgruntled employees. Weighing these concerns with performance expectations will require a balanced approach.
• Dodd-Frank transparency reporting for extractive industries will mean additional compliance reporting and challenges. The SEC is expected to release a revised transparency rule in 2016 to replace Dodd-Frank Section 1504 that was struck down by a federal court in 2013. Registered extractive companies will have to actively capture payments made to all foreign governments – both federal and local – and file those payments with the SEC.
• Compliance expectations will be expanded for broker-dealers and investment advisors. Continued areas of focus will include protection of confidential customer information, potential Market Access Rule violations, and compliance with record keeping requirements. New and evolving areas of focus are likely to include broker-dealers’ anti-money laundering compliance programs, and how domestic broker-dealers address risk exposure to foreign wrongdoers.
• There will be more oversight into retail asset management. Regulators are bringing scrutiny to asset managers’ supervisory systems, fee disclosures and marketing incentives relating to the sale of municipal bonds, mutual funds and closed-end funds. Noted failures to adequately monitor customer account concentrations and leverage suitable customer risk tolerances resulted in censures and fines that will likely continue.
• Increased controls and protection will be required for customer assets. The UK’s Financial Conduct Authority has already fined financial institutions for failing to comply with rules that protect customer money and assets in the event of insolvency. This action has triggered inquiries by the SEC and similar enforcement for failures to comply with the Customer Protection Rule, which requires the safeguarding of customer money and fully paid and excess-margin securities.