
2020 Fraud Perspective: Pigs, Rats and Ransomware

Before Santa Fe Group Senior Advisor Bob Jones shares his insights on 2020 fraud trends, he points out that 2019 is the Year of the Pig. “It’s also the year of ransomware,” adds Jones, who expects ransomware attacks, phishing attacks and other forms of fraudulent activities to continue to hog headlines during the next 12 months.

Jones points to another 2019 development — the Federal Deposit Insurance Corporation’s (FDIC’s) June update to its Consumer Compliance Examination Manual — that has implications for third party risk management (TPRM) professionals’ fraud prevention activities in the financial services sector. Those revisions to the manual most notably include the addition of 21 pages of new guidance on third party risk management considerations and activities in the manual’s Deceptive Practices section.

“The board of directors and management of an insured depository institution are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution,” the FDIC lays out in an introduction to the manual’s new TPRM guidance. “The use of third-party relationships does not relinquish responsibility of the board of directors and management. The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors. The more significant the third party program, the more important it is that the institution conduct regular periodic reviews of the adequacy of its oversight and controls over third-party relationships.”

The manual identifies four major components of an effective TPRM process: risk assessment, due diligence, contract structuring and review, and oversight (“monitoring” in Shared Assessments phrasing). “At least three of those components — risk assessment, due diligence and monitoring — and perhaps even the contract structuring piece are areas that the fraud prevention group within a company can offer significant value in helping to manage from a third party risk standpoint,” Jones notes.

The awareness and skeptical mindset that seasoned fraud prevention professionals bring to the table can add value throughout the TPRM lifecycle, as Jones and BlackRock VP Third Party Risk Emily Irving, who also serves as Shared Assessments Steering Committee Vice Chair, wrote earlier this year in their article, The Realities of Raising Fraud Awareness.

Looking ahead, Jones identifies several fraud-related topics that he thinks merit monitoring in 2020:

  • Ransomware and phishing attacks: “Ransomware attacks increased significantly in 2019 compared to 2018, and phishing attacks are also a big deal — and steadily increasing,” notes Jones, citing McAfee’s ongoing ransomware research and the Anti-Phishing Working Group’s Phishing Activity Trends Reports. “Both activities are examples of fraudsters stealing money.”
  • Foreign Corrupt Practices Act (FCPA) risks: “Sometimes FCPA risks and violations do not make it into fraud prevention discussions, but they should,” says Jones, who points to research from Stanford Law School and Sullivan and Cromwell LLP showing that nine out of 10 FCPA enforcement actions since the law’s 1977 inception have involved third party intermediaries. The interrelated nature of fraud and TPRM makes it imperative for TPRM groups to collaborate closely with their fraud-prevention colleagues, Jones adds.
  • GDPR and CCPA: Like many other TPRM experts, Jones is paying close attention to court decisions and enforcement actions related to the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which is set to take effect in 2020. “As violations of these rules become more onerous, companies will need to involve anti-fraud specialists more in their compliance activities,” Jones notes.

Jones also sees cause for optimism when it comes to anti-fraud professionals’ involvement in third party risk management programs. While speaking on fraud prevention at a recent meeting of Shared Assessments’ Financial Institutions Vertical Strategy Group (FI-VSG), Jones asked his audience of TPRM professionals how many of them involved anti-fraud experts in their vendor risk management activities. “More than a few hands shot up,” Jones reports, “which I found gratifying.”

These two sets of experts will certainly need to work hand-in-hand if they are to fortify their organization’s fraud-prevention capabilities as new risks unfold in the upcoming Year of the Rat.