3rd July 2020

How COVID-19 Changed the Course of Compliance

COVID-19 has caused a lot of social changes at an incredible pace. Distancing rules, track and trace, face masks, and staying indoors – despite the heat – have all become standard parts of our way of life, in a way that no-one could have expected at the start of the year.
Unprecedented social restrictions have also changed how we interact with money.

Cash transactions are currently unwanted by many legitimate businesses. Online purchases are at a historic high in many countries; in the UK and Europe, for instance, online shopping increased by 129% week-on-week in March, at the start of the lockdown period. Because of these significant changes to how we are using money, there also need to be changes in how businesses ensure money is being used in a legitimate way – a genuine purchase, say, rather than a scam, fraud, or evolving money laundering technique. That is the role of compliance, and it needs to adapt to a socially distant world.

This is all the more important because things are not going to revert to ‘normal’ quickly. Even with lockdowns easing or lifting across the world, there are still plenty of businesses that are refusing to use cash and only accepting contactless payments from customers. Easing of social restrictions has often been partial and has not meant a return to normal operations or behaviors. Compliance officers still need to be aware that money may be moving in strange ways as criminals and normal people are still not engaging with money as they did pre-lockdown.

COVID-19 and the Drugs Trade

The major source of funds for organized crime is the drug trade, which has faced mixed impacts as a result of the crisis. Some supply chains for drug cartels and other groups have been damaged, while others less so. Shipping routes into Europe have been largely undamaged, but the overland routes for heroin from Asia have faced real difficulty.

Street-level drug dealers have been able to continue doing business through the crisis. However, according to Europol, the EU’s policing agency, retail prices of drugs have gone up during the lockdown, suggesting logistical issues with delivery – though that may simply be the additional difficulty of delivering drugs when police were cracking down on people going outside.

There has also been an additional challenge of what to do with the proceeds of the sales. Because many businesses are refusing to process cash, and bank branches are more watchful of cash deposits, drug dealers are now sitting on large amounts of physical cash they are still unable to launder effectively. Law enforcement agencies have been able to make impressive cash seizures as a result. Financial crime in a cashless society is still facing many challenges.

Pandemic Scams

Countless scams and cons have also cropped up thanks to the pandemic, often focused on the copious amounts of cash made available by governments to cope with the crisis. The growth of such funds – often under relatively loose control – has made defrauding public finances a more attractive opportunistic proposition. Indeed, there is plenty of evidence of these funds being targeted by criminals; for example, reports indicate that funding application websites in Germany have been spoofed, meaning that there has been no way to identify just how much money was illegitimately claimed by criminal enterprises through fraud.

There have also been media stories from other countries about the legal – if potentially unethical – use of public funds. In the US, there has been a great deal of controversy because billion-dollar enterprises have claimed government funding under similar programs. And although many did later return the money, some have not, leading to questions of reputational risk for the firms in question, as well as their major counterparties. These cases highlight how apparently legitimate money movement can sometimes cause adverse media coverage and confuse the landscape as to what is legitimate and what’s not.

This moral blurring goes beyond the behavior of corporations. Federal stimulus and support payments of $1200 for some in the US were not treated as vitally important by all individual recipients. A sizable portion of Americans used some of their stimulus money to trade stocks rather than tide themselves over on essentials while being out of work. That is a legitimate way to use their money, but it isn’t necessarily an expected transaction for financial institutions (FIs) to see. This isn’t necessarily a matter that firms should be looking to identify via their AML controls, but it is behavior that causes problems for systems, potentially triggering a false positive depending on the transaction monitoring rulesets in place.

The ‘People’ Vulnerability

COVID-19’s impact on overall economic activity is also likely to be providing new opportunities for financial criminals to launder funds. Unemployment is already at high levels in many countries; in the US figures recently reached 40 million unemployed, and in the UK it’s at 2.8 million. This creates a large pool of economically inactive – and historically well-behaved – citizens that could easily be targeted to act as money mules in the laundering process.

We saw examples of this early on during the pandemic, in the Vasty Health Care Foundation case in Canada where many individuals were unwittingly laundering money through a false healthcare company by accepting ‘donations’ into personal bank accounts and were told to keep a percentage of it for themselves. It has to be hoped that a rapidly reopening economy and recovering markets will help people to get back into work quickly, and avoid ever being targeted by exploitative criminals. But this may just be wishful thinking, so FIs will need to maintain vigilance towards potential money muling activity as the economy slowly recovers.

Cuckoo smurfing, the use of an intended transaction between innocent parties to provide a cover for the transfer of value between criminals, may also have been more easily conducted during the lockdown – as corrupted staff at a whole range of FIs are less likely to be under the microscope compared to an office environment. Consequently, as companies transition back to in-office work structures, there may be a flurry of revelations as transactions are examined more closely and criminals make mistakes. It also raises the question of whether compliance can be effectively done from home if staff are not monitored.

But internal threats are not the only ones to be careful of during compliance in this unique situation. Technology has both afforded the possibility of remote work and heightened chances of crime through sophisticated cyber attacks.

COVID-19 and Cybercrime

Arguably the biggest growth area for crime during the crisis has been cybercrime, which has been on the rise throughout the lockdown period in the West. Perhaps this was inevitable with projections of this particular criminal industry to reach $6 trillion by 2021, but the pandemic is certainly helping it reach that target a little faster.

Ransomware attacks have been an unfortunate reality for the lockdown. Much like cybercrime in general, it’s a criminal industry that’s projected to have high growth as the digital transformation of business increases and we become more technologically-dependent.

Hospitals and other medical facilities were feared to be most at threat of these types of cyberattacks and criminals didn’t disappoint in proving these fears correct. John Hultquist, Director of Threat Analysis at FireEye, has described the situation as a “free-for-all”, with all sorts of parties beyond North Korea, Russia, Iran and the US supposedly involved in firing off cyber attacks. One target of note was supposedly the Wuhan Institute where COVID-19 was first identified; apparently the many attacks the institute suffered were an attempt to discover if the virus was synthesized there.

But beyond the intrigue of global political cyberattacks, there has been a general increase in cybercrime that has seen billions of records breached. COVID-19 drug maker Gilead was targeted by Iranian cybercriminals. It’s not possible to know whether or not it was a ransomware attack; companies are rarely open about their security systems being breached, especially when handling sensitive information.

One thing is clear: cyberattacks are increasing in scope and frequency, with phishing emails involving the pandemic increasing by 600% and the UK’s National Cyber Security Centre reportedly dealing with over 2000 online COVID-19 scams in just the first month of lockdown.
The money obtained from these attacks and scams needs to be identified at speed, a task made more difficult by victims’ reticence to share information on the attack with the world at large. As well as being sources of illicit revenue, these attacks also often occur as a response to international sanctions – affected countries look for a vulnerable workaround to move money from a high-value economy back home. It’s seen commonly with North Korea as a method to breach sanctions: the isolated nation has previously used cybercrime to amass an estimated $2 billion from banks and cryptocurrency exchanges. With the US recently sanctioning China, we may see a further spike in such activity – as has happened in the past with state-sponsored cyber attacks from Iran.

This matters to financial institutions because facilitating a sanctions breach could result in strong actions brought against the company. Allowing a payoff to happen for a ransomware attack increases your business’s risk exposure, as OFAC is unmerciful in these situations, having stated in the past: “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”

COVID-19 and Business

The lockdown has had a significant impact on small businesses, with some shutting down for good, and others with questionable futures. The pandemic has also either been a benefit or a curse for fintechs, depending on how they’re positioned. Some, such as the recent case of Wirecard, have gone into insolvency, although that was due to non-pandemic related reasons. Amongst those who have so far survived, many have had to drastically reduce employee numbers or cut senior staff salaries.

But it’s not just consumer-facing businesses that have been affected – B2B fintechs that are focused on facilitating FIs have also seen an interesting change as a result of the pandemic.

What about the more specific problems caused by changing patterns of financial crime, and how are businesses responding? For small to medium enterprises (SMEs), as much as individuals, a great deal of public money has been made available through various government schemes.

Unfortunately, as noted above, these have been targets of fraud and criminal activity. Some FIs have adapted to this behavior quickly and – as part of vetting processes or onboarding clients for new loans – have developed good practice on whether the business is legitimate. This can be done by making sure recipient account numbers are not replicated (as happened in Germany) to start with, and by verifying ownership of the accounts. FIs that have identified how fraudsters are faking their appearance as legitimate customers are better insulated against the misuse of further bailout fund applications in the future – if or when such bailouts occur.

Firms are also finding how invaluable certain technologies are at detecting potential financial criminals. Highly configurable screening and Transaction Monitoring systems are proving vital in such a fluid situation. But other regtech platforms, especially Adverse Media Solutions (AMS), are increasingly delivering granular insight into the risks – criminal and reputational – around existing and potential customers. As outlined above, there has been a swathe of Ponzi schemes, scams, frauds, and various other financial crimes during the lockdown period. And on top of that, there have been false cures and other snake oil products being touted by businesses of ill repute. All of these will have been committed by potential customers that you may or may not want to do business with.

Adverse media tools are allowing FIs to vet their potential customers more comprehensively and quickly, without having to waste time on manual searches. Given how overwhelmed compliance teams are likely to be in the near future, it’s a solution that is likely to see wider usage, as compliance officers focus on the more difficult investigative work.

COVID-19 and the Future

All of this has an impact on how businesses have reacted and will continue to react to financial crime. Criminals are not going to simply give up profitable new avenues of criminal enterprise, especially if the WHO Director-General, Dr. Tedros Adhanom Ghebreyesus, is correct and “the worst is yet to come,” and we’re subjected to further lockdowns due to the COVID-19 pandemic. There is plenty to learn from the crisis already, and businesses and their compliance teams will benefit from learning from it now. Knowledge and preparation will be vital.