Economic crime against financial services firms continues to rise around the world, according to an audit firm’s 2014 Global Economic Crime Survey. Some 45 per cent of financial services respondents to PwC’s survey say they have been victims of economic crime. And 39 per cent say they have been victims of cybercrime, as fraudsters increasingly turn to technology as their main crime tool. Around half who have experienced economic crime during the survey period report an increase in the number of occurrences and the financial value of economic crime during the period (more so than other industries’ respondents).
The survey, which includes 1,330 responses from the financial services sector across 79 countries, found that theft remains the most common form of economic crime for financial services firms, reported by 67 per cent of respondents. It is followed by cybercrime, 39 per cent, money laundering, 24 per cent, accounting fraud, 21 per cent and bribery and corruption, 20 per cent.
Respondents reported significant collateral damage from economic crime to their reputation, with 29 per cent citing this as the most severe impact of money laundering.
Andrew Clark, partner in PwC’s forensics practice, said: “Financial services organisations are finding that economic crime persists despite ongoing efforts to combat it and no organisation of any size anywhere in the world is immune to the impact of fraud and other crimes. The direct financial impact of economic crime harms organisations but such crimes also damage internal processes, erode the integrity of employees and tarnish reputation.
“Whilst the financial services sector may be ahead of many industries in terms of prevention and detection of economic crime, more can be done. Of particular concern are the clear weaknesses in some organisations’ fraud risk assessments, whistleblowing mechanisms and awareness of the pervasive and sustained threat of cybercrime.”
The survey shows that cybercrime is still the second most common type of economic crime reported by financial services respondents (after asset misappropriation) – 39 per cent in 2014 (this compares to only 17 per cent in other industries). However, this percentage of respondents is alarmingly low – our experience has shown that a clear majority of financial services organisations (especially retail banks) suffered cybercrime during the survey period.
Similarly, only 41 per cent believe it is likely that they will experience cybercrime in the next 24 months (45 per cent in Africa and 36 per cent in Asia Pacific). A further 19 per cent are unsure whether they are likely or unlikely to experience cybercrime. Financial services respondents perceive a greater increase in the risk of cybercrime compared to counterparts in other industries (57 per cent compared with 45 per cent in other industries). Clearly, financial services organisations believe that cybercrime is becoming a greater threat than ever before, and yet many do not believe that it will actually happen to them.
Andrew Clark, partner in PwC’s forensics practice, said: “The financial services sector was one of the first to be targeted by cybercrime – little wonder, as there have always been significant potential financial gains to be had from subverting computerised processes and corporate controls in banks.
“Less than 40 per cent of economic crime in the financial services sector was reported as cybercrime in our survey. In our experience, financial services organisations do not always identify and log the cyber-element of economic crime experienced. This leaves them exposed to cyber threats in spite of any existing cyber defence: if cybercrime is not being accurately tracked, the true risk of cybercrime cannot be fully grasped and understood.
“Cybercrime is growing and the methods are constantly evolving – we see no abatement in attacks on banks’ infrastructure. So it is concerning that 40 per cent of all financial services respondents believe that it is unlikely their organisations will experience cybercrime in the next 24 months. Financial services organisations need to recognise cybercrime as a risk type and establish proper cybercrime reporting.”
Economic crime is a pervasive, global threat to financial services organisations but there are regional variations – in Asia Pacific at least half of financial services respondents reported an increase; in contrast, nearly 40 per cent of respondents from South and Central America reported a decrease.
Certain cyber threats ebb and flow – for instance, the Middle Eastern cyber-attacks that targeted several large US banks in 2012 and 2013 appear to have receded. The US has seen dramatic increases in financial services economic crime – from outages created by Distributed Denial of Service (DDoS) attacks to massive ATM withdrawals by organised criminal groups. Credit card fraud has become more pervasive as the US has yet to embrace the Chip and PIN system.
In Japan, phishing scams have targeted bank customers’ personal computers via virus, using fake pop-up windows or e-mails masquerading as legitimate internet banking interfaces to trick customers into inputting their personal information.
PwC cybersecurity experts have also perceived a rise in cybercrime from Africa, which correlates with big government initiatives to roll out broadband in that region. Industry sources also indicate that cyber-criminals are relocating to South Africa from Europe due to increased co-operation between law enforcement agencies in the European Union.
Who commits fraud?
External fraudsters are still the main perpetrators of economic crime for the majority of financial services organisations (57 per cent). Most internal frauds are committed by junior staff (39 per cent) and middle managers (39 per cent) with a fifth of internal economic crime committed by those in senior management. The profile of the typical financial services internal fraudster is a male between 31 and 50 years with a university level education.
Andrew Clark, partner in PwC’s forensics practice, said: “Typically economic crime is committed when three conditions are present: life pressure, opportunity and personal rationalisation for the crime. Financial services organisations are prime targets for external fraud given the amount of money fraudsters could potentially obtain and also the importance and sensitivity of data held by organisations, for example, credit card and personal identity details. Cybercrime is most often externally perpetrated and not just for monetary gain but also for valuable information about individuals.
“Internal fraudsters in financial services are more likely to hold at least a university degree qualification than in other sectors, a reflection of the entry requirements of recruitment in the sector. Our survey results suggest that the average financial services internal fraudster is able to carry out fraud from quite a junior level in the organisation. This may be due to the fact that financial services products can be complex by design and function, and consequently more difficult to ‘police’ despite internal controls.”
How is fraud found?
The financial services sector tends to be more strictly regulated and as a result many business processes and functions have corporate controls in place. This makes it more difficult for frauds to be internally perpetrated without discovery. Of the financial services respondents who knew how the economic crime in their organisation had been detected, 61 per cent attributed the detection to having corporate controls in place compared to 56 per cent in other industries.
About the 2014 Global Economic Crime Survey
The survey was completed by 5,128 respondents from 95 countries between August and October 2013. Of the respondents, 50 per cent were senior executives, 35 per cent represented publicly listed companies, and 54 per cent were from organisations with more than 1,000 employees. The responses included 1,330 responses from financial services organisations across 79 countries.