PWC'S GLOBAL ECONOMIC CRIME SURVEY 2018: UK FINDINGS - PULLING FRAUD OUT OF THE SHADOWS
Page content transcription
If your browser does not render page correctly, please read the page content below
PwC’s Global Economic Crime Survey 2018: UK findings Pulling fraud out of the shadows www.pwc.co.uk/gecs
Welcome to the UK results from our 2018 Global Economic Crime Survey (GECS). The findings from this year’s GECS confirm that the long-term global trend towards higher levels of fraud is continuing, and clearly show the destructive impact that this rising tide of economic crime is having on businesses. According to our study, nearly a quarter of frauds Rising usage of digital technologies is a futher occurring in the UK over the past two years factor. With businesses relying ever more heavily resulted in a loss of over $1m (£700,000). The on the benefits of technology and the use of data, direct costs are increased still further by the it is hardly surprising that our survey has revealed burden of investigating and remediating after a yet another rise in the number of UK organisations fraud, and businesses are feeling the resulting experiencing cyber attacks in the past two years. impact on their reputation, brand, employee Our survey showed that cybercrime is the most morale and relationships with business partners. commonly experienced fraud, overtaken by asset misappropriation for the first time. Yet we have Fran Marwood Investigations Partner, Experience shows that times of uncertainty often also seen increases in the number of organisations Forensic Services create new openings for fraudsters to exploit gaps reporting other types of fraud, notably bribery PwC UK or weaknesses in controls, and it’s significant and corruption and procurement fraud, despite that over a quarter of respondents to our survey the overall level of UK businesses experiencing felt that the current geopolitical climate would fraud falling from 55% in 2016 to 50% in 2018. lead to more opportunities for people to commit It is also apparent that the UK is lagging behind fraud. As such findings underline, it’s now more much of the rest of the world in harnessing crucial than ever that businesses understand technology to prevent and detect fraud. the fraud risk landscape and all the possible avenues of attack. In this year’s report, we use the UK results from GECS to explore three key themes: • How do you make the best choices around preventing and detecting fraud? • How can you focus your resources and use technology more effectively? • What do the results say about UK businesses’ approach to bribery and corruption?
3 PwC’s Global Economic Crime Survey 2018: UK findings Know Top 5 frauds that respondents think what fraud 50% of UK are most likely to be 42% looks like respondents the most disruptive in the next two reported experiencing years Cybercrime economic crime in the past 24 months, in line with the global 10% 8% average of 49% and a reduction in Bribery and corruption Accounting fraud the UK from 55% compared to 2016. Top 5 types of reported 7% 8% fraud in 2018: 49% Cybercrime 44% Consumer fraud Money laundering Asset 32% misappropriation 49% $ lost through fraud in the past 24 months >$1M $100,000 - Procurement fraud 23% $1M 18% $50,000 -$100,000 Bribery and 23% corruption
4 PwC’s Global Economic Crime Survey 2018: UK findings 55% of frauds were committed by Cybercrime is external perpetrators (Global: 40%). high on the 33% were committed by internal agenda for UK perpetrators (Global: 52%) boards... External 55% Internal 33% remaining respondents either don't know or prefer not to say 82% ...with 82% of CISO’s* Half the frauds committed by internal perpetrators were committed by senior reporting into the management, up from 18% (in 2016) board (compared to + 61% globally) 32% 19% of frauds were detected through fraud risk management and 15% were detected by internal audit. The success of suspicious transaction monitoring (from 22% in 2016 to 10% 45% 24% in 2018) and data analytics (8% to 1%) has declined in the UK. of respondents felt that the main have been reason was the opportunities asked to pay a bribe in the last two presented to the individual. years – up from 5% in 2016. *CISO – Chief Information Security Officer
PwC’s Global Economic Crime Survey 2018: UK findings Making good choices: How well do you understand your fraud risks? www.pwc.co.uk/gecs
6 PwC’s Global Economic Crime Survey 2018: UK findings Fraud imposes significant costs on UK business. Organisations face potential attack from multiple 24% Half of the respondents to our survey reported angles – customers, suppliers, cyber criminals, that they have experienced fraud in the last organised crime, employees, and many more. two years, similar to the global level – and our of frauds saw the victims experience suggests that many more may have The range of fraud also continues to expand and, lose more than fallen victim to fraud without realising it. for every threat and risk that an organisation $1M Our study also shows that the incidence of fraud identifies and manages today, new risks arise as it develops and grows its activities over time. (£700,000) is continuing to trend upwards over time, both in the UK and globally. Experience shows that times of economic uncertainty and change, with businesses expanding into new global markets, holding These findings are borne out by frequent media and utilising more data, and implementing new reports covering the full spectrum of fraudulent technologies, give rise to increased opportunities activity, ranging from the latest cyber scams and pressure on individuals to commit fraud. against businesses and consumers, to corporate executives facing serious charges. 27% of our respondents expect that the geopolitical environment will result in increased The continuing flow of frauds takes a heavy economic crime in the next two years, and only financial toll on the businesses affected. Over 9% are expecting a decrease (compared to half of the most disruptive frauds in the UK 18% globally). resulted in losses of over US$100,000 (£70,000), while some 24% of frauds saw the victims Business conduct and misconduct lose more than US$1m (£700,000). These are significant costs both to UK business and the This year we have included a new category wider economy. Also, importantly, the proceeds of fraud: business conduct/misconduct. We often end up in the hands of organised criminals, define this as frauds where the company is the funding a range of activities from terrorism to perpetrator, with the criminal activity typically human trafficking. affecting customers or suppliers through activities such as deliberate overcharging. This type of crime affected 21% of those respondents in the UK who reported experiencing a fraud in the last two years.
Both globally and in the UK, we have also seen The wider cost of fraud a rise in the percentage of frauds committed by senior management. In the UK this category While some of the losses from fraud can be increased from 18% of all frauds in 2016 to 50% quantified clearly, others are much harder to in 2018. In our experience, these types of fraud understand. For example, on top of the losses can relate to a range of activities, including the sustained as a direct result of a fraud, businesses manipulation of accounting records to influence also face the costs of investigation and remedial results and deliberate overcharging of customers activities, as well as potentially significant where contractual arrangements may be vague. disruption to wider business activities. Interestingly for UK businesses with operations Of those respondents who had experienced a overseas, accounting fraud or misstatement of fraud in the last two years: results was by far the more common overseas fraud, with 40% of businesses affected. This is also by far the most disruptive fraud in organisations’ overseas locations. 78% 77% Many businesses do not consider the risk of fraud 68% 68% 68% from the perspective that the business or one of its subsidiaries may be the perpetrator, yet it is these types of fraud that are typically the most 68% said that 77% said it 78% said it damaging to brand, reputation and shareholder the fraud had had an impact had an impact value. Frauds perpetrated by management an impact on business on employee present some unique challenges: on their relations morale reputation • They are often harder to spot, as management and brand may be in a position to override controls; • As a result, the direct loss from the fraud can At the same time, UK organisations are be much greater; spending more than ever on compliance. 54% • Related activity may set a culture and “tone of UK organisations have seen an increase in from the top” that unethical behaviour compliance spend over the past two years (vs is acceptable; 42% globally), and 51% expect it to increase in • Employees may be pressured to turn a the next two years (compared to 44% globally). It blind eye; and is clear that UK businesses are taking compliance • The incentives and pressures can be complex, spending significantly more seriously than the for example, to maintaining the continuity global average. of the business rather than for direct personal gain. Source: Global Economic Crime Survey 2018
8 PwC’s Global Economic Crime Survey 2018: UK findings Fraud risk assessments Fraud risk is an increasingly multifaceted and 50% complex issue that develops over time. Both Given the continuing rise in fraud, it is worrying fraud techniques and threats evolve alongside that 50% of the UK businesses surveyed had not the business’s activities, operations, people carried out a general fraud risk assessment, which and structures. of UK businesses looks at the key risks facing particular parts of surveyed had not their business or activities in the past two years. This makes it vital that risk assessments are carried out a general fraud risk assessment This is broadly consistent with the global position. refreshed regularly to ensure developing threats looking at key fraud are addressed, and means the lack of frequency risks in the past two In our view, a well-considered and closely with which we know risk assessments are being years. This compares targeted assessment should be the technique that, reviewed is a significant concern. to 46% globally first and foremost, drives all other anti-fraud activities. Its absence means that the business’s With risk assessments being an increasing feature other anti-fraud activities may be poorly targeted of enforcement actions (as well as part of an and lack effectiveness and specificity. “adequate procedures” or “reasonable procedures” Key questions to ask: defence under the UK Bribery Act and the • Am I maintaining More positively, some companies do report Criminal Finances Act), it’s more important than a view of my undertaking more focused risk assessments ever that a business’s fraud risk assessment is fit evolving risks – relating to specific risk areas such as cyber for purpose. Key questions to consider include: including fraud, vulnerability (52%), anti-bribery and corruption cyber and bribery? (50%), anti-money laundering (28%), sanctions • Are you just focusing on the obvious areas, • Is this detailed and export controls (25%), and anti-competitive where you probably already have the and tailored to my behaviour (17%). However, it’s clear that coverage best controls? organisation and is patchy across all areas. • When did you last update your risk how it operates? assessment? Does it adequately reflect your • Are each of the In our experience, very few organisations have put business as it is today? risks identified processes in place to identify major changes in the • Do you have a holistic view of fraud risks, or covered by risk profile of the business or parts of the business, have your risk assessments been carried out appropriate anti- such as new products or new markets. Fraud risk in silos? fraud measures? assessments, when prepared, are often static • Have you engaged with all relevant documents, reflecting a snapshot at a moment stakeholders, and do your senior management in time, rather than responding to a complex have a sufficient level of oversight? and evolving environment. This type of static • Would your risk assessment stand up to assessment is not enough. scrutiny in the event of an unexpected investigation under the Criminal Finances Act or the UK Bribery Act.
9 PwC’s Global Economic Crime Survey 2018: UK findings Technology 2.0: How can you focus your resources and use technology more effectively? www.pwc.co.uk/gecs
10 PwC’s Global Economic Crime Survey 2018: UK findings The top fraud in the UK in 2018 was cybercrime, As a result of its prevalence, impact and the 49% suffered by 49% of these respondents who had requirements of EU General Data Protection experienced fraud in the past two years. As a Regulation (GDPR), cybercrime is high on the result it overtook the traditional “winner”, asset agenda for UK boards. One sign of this is that of the frauds in the misappropriation (32%), for the first time since 82% of Chief Information Security Officers past two years were our survey started. A closer look at the figures (“CISOs”) in the UK report directly to the board, cybercrime underlines the scale of the issue. compared to only 61% globally. This echoes the findings from PwC’s recent Global CEO Survey, Given the number of high-profile cyber and data which revealed that cybercrime was one of the loss issues reported in the media recently, it isn’t top current concerns of business leaders. surprising that 42% of UK respondents felt that cybercrime will be the most disruptive economic Fortunately, UK business appears to be taking the crime over the next two years, far higher than challenge of cybercrime seriously, with a higher the global average of 26%. level of UK businesses than the global average having put cyber security programmes in place. As a developed economy, the UK represents an That said, 25% of UK respondents still do not attractive target, especially for overseas threat have such a programme, or are still evaluating actors. Their attacks are causing significant whether to have one. This is a risky position to business disruption, and are often used as a be in. channel to commit more traditional frauds such as the theft of assets, cash, or Intellectual Exhibit 1: What type of economic crime was Property. Cybercrime is often simply a new take committed through cyber attack? on old-fashioned confidence tricks, but can also be highly sophisticated. Disruption of 29% business 30% processes Asset 26% misappropriation 24% Intellectual 22% Property (IP) theft 12% 13% Extortion 21% 12% Insider Trading 10% UK Global Source: Global Economic Crime Survey 2018
11 PwC’s Global Economic Crime Survey 2018: UK findings Gone Phishing? Over half of the cyber attacks reported in the last year involved phishing, which seems to be more prevalent in the UK than in the rest of the world (20% higher than the global average). It could also be that the UK is just better at spotting Technology and fraud detection phishing attacks. This year, our survey shows that the most However, what is clear is that phishing (a broader successful fraud detection methods in the UK term to cover mass attacks that are playing the rely on people – with fraud risk management the most successful odds) or spear-phishing (more targeted attacks techniques (detecting 19% of frauds), internal fraud detection on an individual) are often just the starting point tip offs and whistleblowing (detecting 16% of methods in 2018 have for a wider attack. Phishing allows fraudsters to frauds) and internal audit (detecting 15% of relied on people gain access to a company’s systems, whether for frauds) coming out top. The percentage of frauds the purposes of stealing information, blackmail, detected by all of these methods has increased or simply to cause disruption. compared to 2016, suggesting that anti-fraud measures are getting better at detecting issues. Email filtering will catch some phishing attacks, but given that businesses almost always need to However, while people-based detection methods let through external emails, it is difficult to catch are essential, they can also be labour and cost every phishing attack. intensive. In the current climate, the best fraud detection harnesses the power of both people Also, criminals’ phishing tactics are changing and technology to balance higher effectiveness, over time. The consequences of attack can be with tight control of costs. devastating, so awareness and diligent behaviour on the part of technology users is a vital defence. Exhibit 2: How are companies detecting fraud? Phishing capitalises on our vulnerabilities as Fraud risk management 19% humans, playing on our curiosity or fear and 14% acting as a trigger that causes us to do something Whistleblowing and 16% we wouldn’t usually do. Phishing files are internal tip off 13% deliberately titled to exploit human behaviour – names such as ‘Pay_details_for_all_staff.xls’ and Internal Audit 15% ‘Planned_redunancies.ppt’ have both been used 8% in the past. Suspicious 10% transaction monitoring 22% Ultimately, defence against phishing attacks By accident 7% relies on humans, as well as technology, so 8% training, awareness and escalation procedures Data analytics 1% are key tools to use. 8% 2018 2016 Source: Global Economic Crime Survey 2018
12 PwC’s Global Economic Crime Survey 2018: UK findings Making technology work for you, not The known unknowns: what is against you lurking in your data? When technology is used well, it can be of a With data analytics detecting only 1% of frauds
13 PwC’s Global Economic Crime Survey 2018: UK findings Bribery 2018: the ongoing impact of the UK Bribery Act on business’ approach towards bribery and corruption www.pwc.co.uk/gecs
14 PwC’s Global Economic Crime Survey 2018: UK findings One of the most surprising statistics in this year’s So, is this trend telling us that bribery is suddenly 2018 survey was the big increase in the proportion of UK more prevalent in the UK? Or is something 2016 organisations that reported having experienced else going on? Our experience tells us that it’s 6% bribery and corruption in the last two years – a the latter. figure that has leapt to 23% from just 6% in 2016 23% 23% (with the global average in 2018 being 25%). Policies, backed up by actions The number of organisations While research done by observers such as In the past ten years, the UK has gone from experiencing bribery Transparency International, indicates that the lagging behind the rest of the world in its anti- and corruption, in the level of bribery and corruption in the UK remains bribery laws and enforcement activities, to past two years has relatively low from a global perspective, our being at the forefront of global anti-corruption increased from 6% survey suggests that the issue is having a serious efforts. It now appears that these developments, to 23% impact on our UK respondents. and the greater openness they have helped to generate, are having a significant impact on our Our survey also finds that nearly a quarter of UK findings. UK businesses had been asked to pay a bribe in the past two years, either in the UK or in their overseas operations. In 2016, only 5% reported that they had been asked to pay a bribe. Exhibit 2: What percentage of those who experienced fraud experienced bribery & corruption? UK 23% Africa 32% Asia Paciﬁc 30% Eastern Europe 31% Latin America 26% Middle East 22% North America 13% Western Europe 13% Source: Global Economic Crime Survey 2018
15 PwC’s Global Economic Crime Survey 2018: UK findings The UK Bribery Act, which came into force Managing your bribery and 3/4 in 2010 has been instrumental in bringing to corruption risk light a number of high-profile cases, and has without doubt led to huge improvements in The starting point for developing processes and how UK business prevents and detects bribery. of the UK controls to manage bribery and corruption risk It has also led to massive increases in the sums respondents to our should be conducting a risk assessment – this is business spends on ensuring compliance. At the survey said their also the first principle of “adequate procedures” organisation had same time, the UK has remained committed under the UK Bribery Act. Given this, and the a formal ethics to an agenda of fostering transparency and number of cases of bribery and corruption that and compliance responsible business behaviour, as set out in the programme in place have been in the news recently, it is surprising recently published UK anti-corruption strategy that only half of respondents to our survey had 2017-2022. Both the OECD (Organisation for carried out a bribery risk assessment in the past Economic Co-operation and Development) and two years. Transparency International have praised the UK’s efforts, particularly with regard to foreign In addition, we found that a significant minority bribery offences. of respondents are not using any kind of monitoring technology in relation to bribery This commitment to tackling bribery is also and corruption. While these kinds of frauds are, evident among UK businesses. Three-quarters arguably, harder to detect than cyber breaches of the UK respondents to our survey said their (which the vast majority of respondents do organisation had a formal ethics and compliance use technology to monitor), all organisations programme in place. Of these, 62% said that this have access to data that, if analysed properly, included specific anti-bribery and corruption will enable them to pinpoint anomalies and policies, well above the global average of 50%. inconsistencies that require further investigation. These figures indicate that a number of factors, This approach is particularly relevant in including an increased focus on creating a relation to bribery, as such ongoing monitoring culture of transparency, the promotion of is a key part of any “adequate procedures” whistleblowing hotlines, and encouragement defence, and is also an area where we see many from the authorities for organisations to self- organisations struggling. report, have all contributed to an environment in which UK organisations are far better informed than only a few years ago, regarding potential incidences of bribery and corruption in their global operations.
16 PwC’s Global Economic Crime Survey 2018: UK findings The legacy of historical offences The risks of doing business Of those UK respondents who had experienced fraud in the past two years, only 5% felt that bribery and corruption had the most disruptive Whilst there has been a sustained effort in the UK to tackle bribery and corruption, our survey suggests that this type of fraud is still 21% of the UK impact on their business. This may be because having a big impact on UK organisations. As an respondents felt many have spent considerable sums putting illustration, some 21% of our UK respondents that they had lost an opportunity to in place extensive compliance activities and felt that they had lost an opportunity to a global a global competitor frameworks, and believe the risk of future competitor who they believed had paid a bribe, who they believed bribery and corruption is low. up from just 7% in 2016. had paid a bribe Significantly, a large proportion of the high- The UK’s strong focus on the anti-bribery and profile cases that have come to light recently corruption agenda may also explain why over have been historical in nature, involving half of our respondents reported that they Key questions to ask: investigations centred on allegations of improper included specific anti-bribery and corruption • Do I understand behaviour stretching back many years. Many of due diligence as a part of work undertaken when the detailed these have been uncovered through the recent acquiring another business. bribery risks facing focus on corporate integrity. my organisation? This is higher than the global average of 45%, • Is my programme Similarly, looking forward, only 10% of and second to regulatory compliance as a priority of adequate respondents think that bribery and corruption for due diligence. procedures linked will be the most disruptive economic crime that to these risks? they experience over the next two years. This aligns with our experience of client demands for such services as well as even greater • Is the ethical due focus on volume based integrity due diligence diligence on those I do business with on businesses’ third parties. Such measures are adequate? sensible, given that 55% of fraud threats come from sources external to the organisations, as referred above. What3:additional Exhibit due diligence What additional do you due diligence dodoononacquisitions? do you acquisitions? Source: Global Economic Crime Survey 2018 Anti-bribery and Anti- Cyber security Sanctions and Regulatory Tax compliance corruption competititive / export control compliance anti-trust 53% 52% 57% 49% 43% 43%
Contacts If you want to know more about any of the issues discussed above, be it fraud or bribery risk, cyber threat prevention, forensic technology or integrity due diligence, then please contact one of our subject matter experts. Fran Marwood Ian Elliott Umang Paw Mark Anderson Investigations Partner, Partner, UK Forensic Head of Digital & UK Anti-Bribery and Forensic Services Services Leader Forensic Investigations Sanctions Leader T: +44 (0) 20 7213 4709 T: +44 (0) 20 7213 1640 M: +44 (0)7931 304 666 T: +44 (0) 20 7804 2564 M: +44 7841 491400 M: +44 7711 912415 firstname.lastname@example.org M: +44 7770 921256 email@example.com firstname.lastname@example.org email@example.com Survey editorial team Marketing team Kathryn Westmore Jennifer Miranda Senior Manager Marketing Manager T: +44 (0) 20 7213 2941 T: +44 (0)20 7213 3939 M: +44 7715 211090 M: +44 7715 033797 firstname.lastname@example.org email@example.com
www.pwc.co.uk/gecs At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. Design Services 31157 (02/18).
You can also read