Your guide to combatting financial crime

.

Keep your accounts safe.

Your guide to combatting financial crime

Understanding financial crime

Financial crimes form a multitrillion-dollar industry which affects every business sector and geographical area. The term ‘financial crime’ covers all areas of criminal conduct involving money, including fraud, terrorist financing and money laundering.

Financial crimes are sometimes referred to as a victimless crime – but this is not the case. Individuals, businesses, nongovernmental organisations and public sector organisations can all be targets in financial crime. Furthermore, financial crimes are often related to hugely harmful practices, which include modern-day slavery, drug trafficking, human trafficking and unsafe labour practices.

How big of an issue
is financial crime?

Fraud costs added up to £3.89 trillion globally in 2019, which equates to 6.05% of global GDP (Crowe). Over the last two years, 47% of companies have experienced and reported fraud (PwC). By 2017, 40 million people were victims of modern slavery (International Labour Office and Walk Free Foundation).

Key terms in financial crime

1. Fraud
Fraud involves deliberately misleading or deceiving another party in order to make some form of gain, often financial. Fraud can take on many forms, from using someone else’s identity to tricking someone into sending money to a (seemingly) genuine cause.

2. Bribery and corruption
Bribery is the attempt to influence judgment or behaviour by offering or receiving money or another reward. For example, paying officials a fee to ensure a business deal is completed quickly. Corruption is the misuse of power for personal or organisational gain, which may or may not include bribery.

3. Money laundering
Money laundering involves transactions that attempt to conceal the origin or destination of money and often involves money being transferred through multiple accounts or jurisdictions. The goal of money laundering is to deliver the money to the recipient while concealing any links to illicit activity.

4. Terrorist financing
Terrorist financing involves financially supporting terrorist organisations or individuals. The financer may directly provide money or indirectly channel funds through an intermediary.

5. Modern slavery
Modern slavery involves people being forced to work against their will. Victims may have been trafficked or lured to a country under false pretences, then had their passport taken away. People in modern slavery may be paid, but it will not be enough to survive on or to escape the situation in which they find themselves.

6. Sanctions
Financial sanctions are the prohibition of carrying out transactions with an individual, organisation or an entire country. Sanctions are a key part of the global fight against financial crime. They may involve a targeted asset freeze on an individual or a comprehensive ban on transferring funds to a specific country. Some financial sanctions are imposed by the United Nations or other international organisations such as the European Union, while others are imposed at the national level. Organisations must comply with financial sanctions – non-compliance is a criminal offence.

Have you ever been a victim of fraud?

Yes – personally
Yes – my organisation
Yes – personally and in my organisation
No

Financial crime risk assessment checklist

<small> How well do you understand financial crime in your business?

Recognising the scale of financial crime is your first step in fighting it. The next step is to understand how your business is affected. All businesses are vulnerable to financial crime, regardless of their size, geography or industry. For organisations without a formal team managing financial crime, the following checklist is a good place to start assessing your risk.

Where does your risk lie?

You need to start by understanding where the main risks to your business lie. Key factors that will affect your risks include:

Industry

There are different ways of assessing industry risk.
According to OECD, high-risk industries for foreign bribery include extraction, construction, transportation/storage and information/communications.

Size of business

Usually, the larger the business, the greater the risk. This is because money is entering and leaving the business in greater volumes and through more channels.
However, smaller organisations are not immune to risk as they may have fewer resources to detect financial crime.

Jurisdictions in which the
business operates

There are a few different ways of assessing which jurisdictions should be considered high risk.
The Financial Action Task Force produce a list of high-risk and other monitored jurisdictions.
The Basel AML Index 2020 ranks countries by risk for money laundering and terrorist financing.

Complexity of supply chain

The supply chain is a major source of financial crime risk. The more complex the supply chain, the greater the risk.
Consider how well you know your suppliers: do you know where goods are manufactured? Are they in any high-risk jurisdictions? How are they transported? Who are your supplier’s suppliers?

Larger organisations tend to have more complex supply chains, with each supplier having their own suppliers and so on. The more complex the supply chain, the greater the risk of financial crime.

How has the organisation
been affected before?

The next step is to ask whether you understand the latest fraud risks and financial crime exposure. Consider where fraud has been detected previously in your organisation. If there has never been fraud detected in the organisation, this may be a sign that fraud monitoring is lacking. Do not assume that it means your organisation is safe.

Where fraud and financial crime has been detected, consider what lessons have been learned, what has changed since it happened and whether the same thing could happen again.

What expertise do you
have in-house?

There will be some people in your organisation who will have key skills in detecting and fighting financial crime. Larger organisations are likely to have specific compliance specialists, whilst in smaller organisations it may be that finance specialists do this alongside their day job.

Some professionals have specific skills which may be of particular use. In the UK, for example, accountants with fee-paying clients must be supervised by their professional body or HMRC, which requires that they declare activities and keep up to date with legislation and guidance relating to anti-money laundering guidelines.

It is key not to underestimate the inherent knowledge that your team has built up from working in an organisation for a long time. Someone who has worked on organisational accounts for a decade may be able to spot an unusual transaction more effectively than a fraud expert or a piece of software. This learned expertise is often forgotten, and risks can be created by making someone redundant without recognising their thorough knowledge of the way business is done in an organisation.

How has the risk changed
and are you prepared?

A risk assessment is an assessment made at a point in time, but risk is not static - it is constantly evolving as new suppliers are onboarded, new clients acquired and employees come and go. As technology advances, financial criminals have access to increasingly sophisticated software, new criminal organisations enter the market and new pressures force increasing innovation.

Risk assessments should be revisited and revised – both on a regular schedule and whenever an event, internal or external, causes a material change in the risk profile. If you see any changes, they should be documented and communicated to senior management.

What is the regulatory environment?

All countries will have slightly different regulations around financial crime. It is key that you understand which jurisdictions you operate in and where you have a duty to comply with regulations. There may be associated reporting requirements. For instance, the UK Modern Slavery Act requires businesses operating in the UK that meet certain criteria to publish an annual statement on modern slavery.

In addition to nationally imposed regulations, watch out for supranational acts. For instance, the European Union for has the 5th Money Laundering Directive which is transposed into law in each member country and aims to prevent money laundering and terrorist financing across the European Union.

Regulations change frequently — so horizon scanning for upcoming changes to regulation should be a key part of a financial crime mitigation plan.

COVID-19 and
financial crime

The COVID-19 pandemic has undoubtedly changed the financial crime risk landscape.

It has changed the way we are working. Employees are working from home around the world – does this mean that controls are less effective? For example, are documents which would previously have been evaluated in person now being verified online? Does this create a new risk? Are existing IT systems secure and able to cope with increased use?

Organisations are looking to make financial savings as pressures mount. Are compliance budgets being cut?

Are you losing key employees to redundancy, or have compliance staff temporarily stopped working?

Criminals are also affected by the virus. Some forms of financial crime involve physical cash being moved around the world, so restrictions on international movement may mean that criminals are looking for new ways to get money where they want it to go. There have been numerous attempted attacks on remote working software, such as video conferencing applications. Phishing attacks have also been seen worldwide, with criminals mimicking official government communications demanding payment of fines for breaking lockdown regulations or supposedly offering tax breaks.
Criminals are trying out increasingly creative schemes for stealing money, and so organisations must ensure they are constantly monitoring risk and updating controls.

To find out more about financial crime and COVID-19, read FM Magazine’s Ethics column from October 2020.

Financial crime governance

<small>Fighting financial crime in your organisation requires a robust system of controls.

After identifying and defining the key risk areas in your specific business, you need to ensure that there is a robust series of controls in place to detect, monitor and prevent financial crime.

Board-approved policies
and procedures

Policies are a bedrock of risk management. An organisation should have policies on key risk areas (see the following table) including data privacy, gifts and hospitality, expenses and procurement. These policies should be board-approved and have buy-in from senior leadership.

All new employees should receive training about key policies and be required to attest to the fact that they have read and understood them. It may also be appropriate to require annual training and attestation on certain policies. Many organisations for example require annual training on the company code of conduct or ethics, and information technology and security policies.

Senior-level
fraud champion

A senior manager should be a designated fraud or financial crime champion. Some organisations have a chief fraud officer, whilst others will assign it to the CFO or a risk specialist to manage financial crime risk. No matter how it is done, someone at the board level should have financial crime risk specifically assigned to their role and responsibilities.

Internal reporting
mechanism

Another key element of any financial crime governance plan is a simple and effective way for employees and third parties to report concerns. Vitally they must have the option to do this anonymously should they wish and must be confident that they will not face harassment or put at a disadvantage as a result of making a report.

A common way of doing this is through offering a whistleblowing or ‘speak up’ service, often run by a third-party provider which allows reports to be made via a phone call or online. This may not be specific to financial crime – the same service can often be used to report any concerns of breaches in a code of ethics or conduct. All employees should be aware of how to access this service, and it should also be available to other stakeholders including contractors, vendors and potentially end users or customers.

Fraud response plan

An organisation should have a fraud response plan, which lays out how the organisation will respond to an incident. The plan should be available to all employees to ensure that everyone is clear about their responsibilities. Publicising the plan may also help deter fraud as potential perpetrators will be aware of the potential consequences.

The plan should include:

An explicit statement requiring every member of staff to report suspected fraud. There may also be specific duties for line managers.
Who is responsible for running investigations into concerns when they are raised.
How the investigation will be run, including departments which will be involved and communication back with the person who has made the report.
An escalation plan up to board level, including triggering reporting when designated thresholds have been breached.
A plan for reporting to internal parties (such as internal audit) and external parties (such as regulators or law enforcement) if required.

It is also key that the plan links to a business continuity plan, which outlines how the organisation will continue to operate should it be affected by fraud or financial crime. For example, this could include how the organisation would operate should access to IT systems be lost due to a malware or ransomware attack.

Who is ultimately responsible for financial crime risk in your organisation?

CFO
CEO
Chief fraud officer
Other C-suite
Someone else
Undefined
I don’t know

The role of management accountants

<small>Management accountants can play a key role in understanding and countering financial crime risk.

What can management accountants bring to the table when it comes to fighting financial crime? Clearly those in leadership positions will have a greater influence over policy and governance. However, management accountants at all levels and in all roles can have an important part to play in the fight against financial crime.

Patterns and outliers

Often it is not the person with fraud in their job title who detects something is amiss; it is the person who spends every day looking at transactions, completes monthly accounts and recognises when something has changed or is out of the ordinary.

Those in junior positions should not underestimate the impact that they can have. Finance professionals at all levels of the organisation can and should be part of the frontline defence against fraud and financial crime.

An inquiring mindset

A management accountant should approach their role with an inquiring mindset. This means questioning when something feels wrong, asking the difficult questions and challenging when no adequate explanation is available.

This might include:

Questioning a transaction which does not fit with the expected outgoings or incomings for a time period.
Ensuring all documents are in order before processing payments and challenging when something is amiss.
Asking for documented justification from the approver if asked to do something which seems out of the ordinary.

By approaching their work with a degree of scepticism and a desire to find the facts, management accountants can help defend their organisation against fraud. For example, questioning why payroll figures have changed could lead to uncovering employee-led fraud, or highlighting missing documentation before approving payment could reduce the risk of inflated payments to a fraudulent vendor.

This approach is not always easy, especially when someone is relatively junior or new in a role. However, links to financial crime is a major risk and so raising concerns is in the best interests of the business. An organisation should have a clear method for reporting, including the option for doing so anonymously in order to allay fears about reporting.

Translating risk

Management accountants have key skills when it comes to understanding and communicating risk. Using data to bring risk to life is a key element of helping stakeholders understand financial crime – explaining to senior stakeholders the scale of potential losses to fraud and the need to invest in counter-measures requires someone who is financially literate and can also explain to non-experts.

A formal training in finance and membership of the accounting profession means that your voice is trusted when it comes to money.

A commitment to
the public interest

CIMA members and students are required to follow the CIMA Code of Ethics at all times in their professional lives. Their commitment to ethical behaviour and upholding the reputation of the management accounting profession sets CIMA members apart. Part of this is a commitment to act in the public interest, which when it comes to financial crime means detecting, responding and preventing it.

For junior members of staff, this might mean flagging concerns when something seems amiss in the accounts.

For more senior employees and finance leaders, this could mean ensuring that the organisation’s risk profile is understood and that a robust governance plan is in place.

How confident would you feel speaking up if you had concerns about potential fraudulent behaviour?

Not confident at all
I would be happy to report anonymously but would not do so otherwise
It would depend how senior I am
I would always speak up about a concern

Thank you

Chartered Global Management Accountant^® (CGMA^®)

CGMA is the most widely held management accounting designation in the world. It distinguishes more than 137,000 accounting and finance professionals who have advanced proficiency in finance, operations, strategy and management. In the United States, the vast majority also are CPAs. The CGMA designation is underpinned by extensive global research to maintain the highest relevance with employers and develop competencies most in demand. CGMA designation holders qualify through rigorous education, exam and experience requirements. They must commit to lifelong education and adhere to a stringent code of ethical conduct. Businesses, governments and not-for-profits around the world trust CGMAs to guide critical decisions that drive strong performance.

cgma.org

Association of International Certified Professional Accountants

The Association of International Certified Professional Accountants^® (the Association) is the most influential body of professional accountants, combining the strengths of the American Institute of CPAs^® (AICPA^®) and the Chartered Institute of Management Accountants^® (CIMA^®) to power opportunity, trust and prosperity for people, businesses and economies worldwide. It represents 650,000 members and students in public and management accounting and advocates for the public interest and business sustainability on current and emerging issues. With broad reach, rigor and resources, the Association advances the reputation, employability and quality of CPAs, CGMA designation holders and accounting and finance professionals globally.

aicpa-cima.com

Report author:

Bryony Clear Hill
Associate Manager
Ethics Awareness – Management Accounting
Association of International Certified Professional Accountants

With thanks to

Tim Langton
Senior Risk and Compliance Executive
Managing Director at Ethics Works Ltd
Board Member, The Institute of Business Ethics

Sudheera Senaratne, ACMA CGMA
Regional Counter Fraud Advisor, South Asia
British Council in Sri Lanka

For information about obtaining permission to use this material other than for personal use, please email mary.walter@aicpa-cima.com. All other rights are hereby expressly reserved. The information provided in this publication is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. Although the information provided is believed to be correct as of the publication date, be advised that this is a developing area. The Association, AICPA and CIMA cannot accept responsibility for the consequences of its use for other purposes or other contexts.

The information and any opinions expressed in this material do not represent official pronouncements of or on behalf of the AICPA, CIMA or the Association of International Certified Professional Accountants. This material is offered with the understanding that it does not constitute legal, accounting or other professional services or advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

aicpa.org
aicpa-cima.com
cgma.org
cimaglobal.com

October 2020

The information contained herein is provided to assist the reader in developing a general understanding of the topics discussed but no attempt has been made to cover the subjects or issues exhaustively. While every attempt to verify the timeliness and accuracy of the information herein as of the date of issuance has been made, no guarantee is or can be given regarding the applicability of the information found within to any given set of facts and circumstances.

Brought to you by the Association of International Certified Professional Accountants, the global voice of the accounting and finance profession, founded by the American Institute of CPAs and The Chartered Institute of Management Accountants.

© 2020 Association of International Certified Professional Accountants. All rights reserved. CGMA and Chartered Global Management Accountant are trademarks of the Association of International Certified Professional Accountants and are registered in the United States and other countries. The Globe Design is a trademark owned by the Association of International Certified Professional Accountants. 2009-66665