A dramatic rise in geopolitical instability and persistent cyber-attacks are pushing organizations to be more vigilant about planning to guard against, and respond to, internal and external threat actors, says a report by EY Fraud Investigation and Dispute Services (FIDS).
“The geopolitical risk facing companies is manifesting itself with increased exposure to bribery, fraud, cyber breaches, and terrorist financing,” says Brian Loughman, EY Americas FIDS leader.
Loughman says that companies are being confronted with risks on all fronts at the same time that their ability to invest in the compliance function is under pressure.
“Companies will need to stay vigilant, work harder at providing the right training to their employees, and focus more on monitoring risks proactively,” says Loughman.
Factors you should be watching
EY FIDS identified the following top trends that companies should address in their 2016 planning:
1. Focusing on the individual.
As the U.S. Securities and Exchange Commission and the Department of Justice have continued to invest in specialized resources to combat fraud, bribery, and corruption, there is increased focus on the individual.
While statutory safeguards exist to protect and motivate whistleblowers, the DoJ Yates Memorandum of September 2015 advances expectations for companies to fully identify all individuals who took part in corporate wrongdoing if they are to secure credit for cooperation with the authorities.
2. Data privacy and information sharing.
The European Court of Justice recently invalidated the Safe Harbor Data Privacy regime between the U.S. and the European Union. That regime had enabled the movement of personal information across the Atlantic. In addition, the Cybersecurity Information Sharing Act provides for corporations to share information to help reduce cyber breaches and attacks, but requires protection of the data privacy of individuals using their systems.
The ongoing focus on how personal information is handled internationally and how commercial information is shared between companies and the government during a cyber-breach investigation will drive companies to revisit their information governance strategies.
3. Sanctions and their commercial implications.
As governments continue to enforce trade sanctions against individuals, companies, and other governments, companies are left navigating a difficult regulatory compliance environment. They need to be vigilant about understanding risks posed by third parties and individuals that are often masked by corporate structures, frequently involving illicit drug trade or terrorist financing. Companies will need to build more robust local compliance teams and increase oversight and training.
4. Compliance expectations will be expanded for broker-dealers and investment advisors.
Continued areas of focus will include protection of confidential customer information, potential Market Access Rule violations, and compliance with recordkeeping requirements. New and evolving areas of focus are likely to include broker-dealers’ anti-money laundering compliance programs, and how domestic broker-dealers address risk exposure to foreign wrongdoers.
5. Providers will see more oversight into retail asset management.
Regulators are bringing scrutiny to asset managers’ supervisory systems, fee disclosures, and marketing incentives relating to the sale of municipal bonds, mutual funds, and closed-end funds. Noted failures to adequately monitor customer account concentrations and leverage suitable customer risk tolerances resulted in censures and fines that will likely continue.
6. Increased controls and protection will be required for customer assets.
The U.K.’s Financial Conduct Authority has already fined financial institutions for failing to comply with rules that protect customer money and assets in the event of insolvency. This action has triggered inquiries by the SEC and similar enforcement for failures to comply with the Customer Protection Rule, which requires the safeguarding of customer money and fully-paid-for and excess-margin securities.
7. Preparing for the inevitable cyber breach.
Cyber breaches will continue, and recent destructive attack techniques will be adopted by hacktivists to drive their agenda.
More than one-third of global organizations still lack confidence in their ability to detect sophisticated cyber-attacks, according to EY’s Global Information Security Survey.
Companies are looking to technology to reduce cybersecurity risks associated with both insider and external threats. Cyber-savvy companies and their boards are demanding more information about the specific threats they face, evaluating their resources, bolstering protection for critical assets, and preparing for incursions by advanced threat actors.