Industry Perspectives

It Ain't What You Do (It’s The Way That You Do It)

Sep 15, 2020 | by Neira Jones

My, how the world has changed since I wrote my last post …

On the whole, it is undeniable that the pandemic has driven a massive adoption of digital services, and led to an even greater surge in popularity for fintech companies. The ability to access financial services without having to handle cash or other “unsafe” payment methods has been welcomed by businesses and consumers alike.

As digital services adoption surged, so did the dependency on the digital supply chain. We couldn’t help pondering what effects a failure in the supply chain would have on the various stakeholders, but we all hoped for the best. We weren’t left to wonder for very long.

As many watched in horror at the most epic governance failure leading to the Wirecard demise, we were reminded that whilst the pandemic brought its own environmental and economic challenges, and opportunities, now more than ever, organisations must continue to address the challenge of protecting consumers’ personal data and assets.

Rather than relax risk postures, businesses must continue to apply (or step up) the rigour and governance needed to manage risks associated with employees and supply chains, all the while trying to navigate the on-going unprecedented health crisis.

For Wirecard, the writing was on the wall…

In January 2019, a Financial Times investigation highlighted underlying problems with potentially false accounting and money laundering in the Asian operation of Wirecard. Surprisingly, the accounting executive in charge, Edo Kurniawan, remained in position after the investigation. Records show that Wirecard was plagued with less than optimal accounting and internal controls for more than a decade. Subsequent clean audits from EY gave it a semblance of respectability. Sadly, when contacted by the FT, Wirecard stated that it “took all compliance and regulatory obligations extremely seriously,” and that it had “stringent internal and external audits” and any concerns were “always thoroughly and appropriately investigated.” Does that verbiage remind you of something? Ah, yes, the famous PR trope when a company gets breached and states that they “take security seriously.”

Further unsavoury information emerged subsequently, such as the fact that Wirecard processed transactions for a Maltese Mafia-linked casino, known for moving cash out of Italy in a sophisticated money laundering operation. Investors, analysts and regulators, with few exceptions, largely ignored the warning signs.

To add insult to injury, the once darling of the fintech world was suspended by several regulators, leaving many of their fintech customers unable to process payments, and consumers unable to access their funds, a situation many could have done without given the current challenges of the pandemic.

In any instance, Wirecard’s ex-COO is now on Interpol’s most wanted list, and its assets are gradually being sold off.

Reading the signs…

Some industry commentators have ventured that this was perhaps a failure in regulatory frameworks. I would argue that external regulations are no substitute for proper behaviours and risk management processes. Examining the individual components of the Wirecard scandal, there are many lessons that can be learned and applied equally to cybersecurity management as they are to fraud prevention. After all, good governance is good governance, regardless of where you need to apply it.

Let’s draw some parallels and have a look at what “best practice” should look like:

  • Heed early warnings. An effective corporate risk and governance framework will spot irregularities. The technologies are there to help, but if appropriate processes are not in place to triage, report and action early warnings, it will be wasted technology investment. Going back to Wirecard, it took the action of a whistleblower to bring the matter to light. The cybersecurity community faces the very same problems. Don’t wait to be outed in this way.
  • Have an efficient governance framework. A governance framework needs to be objective, transparent and impartial. This means sticking to the rules. In Wirecard’s case, the complacency of auditors, who took senior executive reports as evidence without appropriate checks, led to continuous failings. Is it so different for cybersecurity? Transparency is always key, as the ex-Uber CISO learnt at his own expense.
  • Take regulatory compliance seriously. Regulations are there for a reason, and they ensure that any given ecosystem can operate effectively and safely by defining and enforcing appropriate controls. For cybersecurity, regulatory controls are there to prevent cybercrime in its many forms. For fraud prevention, they help to spot accounting irregularities and internal fraud. McKinsey warned Wirecard’s Board a year before that some “non-existent” controls had created a “significant risk” and concluded that Wirecard’s risk and compliance culture was in need of “substantial change.” They suggested hiring up to 50 additional staff (from the current 20, which is substantially below industry average), including a group compliance officer. Wirecard decided to hire PWC as their auditor instead, creating a potential conflict of interest as they were also the auditors for Wirecard Bank. Equally, for cybersecurity, oversight and culture are key. Lead from the top.
  • Focus on internal controls. Following on from the example above, we all know that threats are not always external. Either deliberate or through a lack of knowledge, insider threats have consistently been on the CISO agenda over the last few years. For example, some are very quick to blame cloud providers for the many media-worthy cloud data breaches of late, when in fact, cloud misconfiguration is generally the issue.
  • Focus on supply chain governance. Nowadays, with our increasingly stretched supply chains (e.g. cloud, everything-as-a-service, etc.), the impact of supply chain failures can be significant, leading to operational and reputational risks. The failure of Wirecard resulted in significant impact on their B2B customers, largely fintech firms. The more able of these clients had already put plans in place to distance themselves from Wirecard. Sadly, consumers relying on those services were left in the lurch and unable to access their funds, affecting vulnerable segments particularly hard. This dented consumer trust in those services. This is of course an issue that the cybersecurity community should be very familiar with.
  • Have a committed and accountable Board. It is obvious that Wirecard’s executive management were not leading by example with respect to risk management, which in turn led to cutting corners at the front line, in order to achieve the outcomes desired by the Board. As bad behaviour was rewarded (or at least overlooked), a toxic corporate culture took hold. Boards need to be educated, and accountable. To achieve this, whether in fraud prevention or cybersecurity, communication is key.

And that's what gets results…

There are many parallels that can be drawn between cybersecurity and fraud prevention. In fact, I would go as far as saying that cybersecurity and fraud prevention are two sides of the same coin. A multitude of cyber and information security failures lead to financial fraud. For example, what is a business email compromise (BEC) attack other than a lack of 1) security (e.g. email security, anti-phishing, security awareness), and 2) governance (e.g. disbursement of funds to a fraudster’s account without the appropriate checks)?

The two functions are so intrinsically linked that I fail to understand why they are generally not working together more closely. They are, after all, addressing the same (or similar) issues, from a slightly different angle. They will both invest in technology and processes to address these issues. These technologies and processes often overlap. Better communications would lead to better processes, but also substantial savings. In addition, we understand and sympathise with the usual CISO complaint regarding the lack of budget, but have you ever heard a corporate risk executive (who will generally be responsible for the fraud prevention function) complaining about lack of funds? No, nor me. That is because corporate risk is well understood. Cyber risk – which should be an inherent part of corporate risk – has not yet reached that level of maturity. Tip for my security friends: get closer to your fraud colleagues and understand what they do, they might just have the budget you need for the problem at hand. Again, that means communicating effectively.

Regulations are there to provide a “responsible” operating framework. But regulators also recognise that more stringent regulations are not effective by themselves, and that culture and behaviours are the main drivers for risk management to be effective.

Although unlikely to slow down the overall popularity of fintech, the Wirecard scandal has put more focus on transparency and trust. Admittedly, young businesses may consider themselves technology companies, and therefore subject only to technology-related risks. But losing sight of the need for effective processes, a conducive culture and appropriate governance frameworks (especially in financial services), only leads to more failure. Wirecard will be used as a case study of “what not to do” for years to come. Let’s make sure we learn from it and hope the convergence of cybersecurity and fraud prevention happens sooner rather than later.

Neira Jones is a global advisor and thought leader in the fraud, payments and cybersecurity industries. She is a partner for the international Global Cyber Alliance and an ambassador for the Emerging Payments Association. Follow her on Twitter at @neirajones.
