Compliance in the Age of Covid-19 – Professor Rob McCusker
London, United Kingdom, 9 September 2020
Covid-19 has impacted upon every aspect of our personal and business lives, and the criminal fraternity, which systematically targets individuals and organisations in ordinary times, has not been shy in exploiting this latest pandemic. The principal target of organised criminals has, perhaps not surprisingly, been healthcare. In one EU member state, a company transferred €6.6 million to a company in Singapore for the purchase of alcohol gels and FFP2 and FFP3 masks; the goods were never received. Organised crime groups have systematically placed operatives in key positions within hospital management and health departments, which gives them the ability to influence procurement processes and divert resources. Operation Pangea, coordinated by Interpol and involving 90 countries between 3 and 10 March 2020, discovered 34,000 counterfeit masks being sold online and 2,000 web links to products related to Covid-19. It also revealed an increase in unauthorised antiviral medicines and the anti-malarial chloroquine, with 4.4 million units of pharmaceuticals seized, valued at €3 million. Legitimate companies may unwittingly assist in the distribution of such products, or purchase them for their own staff, buyers and subsidiaries.
The Covid-19 outbreak has led to significant restrictions on business operations globally. Remote working is still largely the norm, and with international movement curtailed, face-to-face, day-to-day interaction with, and physical checking of, production within a global supply chain has become near impossible. With most businesses instructing the majority of their employees to work remotely, there is greater scope for financial crimes such as business e-mail compromise (BEC) scams, in which spoofed emails purporting to come from CEOs, suppliers or other trusted sources are sent to financial or administrative staff requesting large money transfers. With physical contact between staff curtailed, administrative personnel may be less inclined to check whether an order to pay a supplier, or a subsidiary of the company, is genuine. By way of example, the Financial Action Task Force (FATF) noted a case in which a company received spoofed emails resembling those sent by its business partner, redirecting payment transfers to bank accounts controlled by the scammers under the pretext of paying for large supplies of surgical masks and hand sanitiser. In terms of mounting a compliance response, cyber incident response has been rendered harder because organisations have struggled to marshal a team to tackle breaches and to coordinate an appropriate response. The danger is magnified by the fact that enforced remote working pushes most corporate traffic through VPN gateways and other remote-access services, which both strains those systems and widens the externally exposed attack surface, increasing the likelihood of systems failure and criminal incursion. The FATF also posits that criminals may find ways to bypass customer due diligence checks by exploiting the temporary weaknesses in internal controls caused by remote working, in order to conceal and launder funds, and that the misuse of online financial services and virtual assets to move and conceal illicit funds will increase.
The increasing pressure on organisations to shift their supply chains to alternative locations and suppliers, without necessarily being able to vet those suppliers effectively or to ensure that procurement processes are strictly adhered to, raises the dual spectres of procurement fraud and modern slavery within the lower tiers of the global supply chain, tiers whose risk is already under-assessed.
Compliance has therefore never been more critical, and there has been a flurry of output from advisory firms identifying how compliance might be achieved during Covid-19. In truth, many of the responses they propose have tended to fall along logical, if familiar, lines, focussing upon the need for organisations to convey to staff and suppliers their continued requirement for compliance and to reinforce their zero tolerance for any breach of the regulatory architecture, whatever market pressures Covid-19 might present. This typical ‘tone at the top’ messaging is standard practice. It is also important, however, to consider the ‘mood in the middle’ and the ‘action on the ground’, since there will often be a disconnect between and within each level of the organisation. Crucial, if elementary, though that message from senior management may be, it is far more important that the true state of compliance regimes within organisations is understood, that organisations’ real appreciation of their risk and threat landscape is gauged, and that their compliance models, policies and procedures are re-aligned to reflect both actual and prospective threat vectors.
Naturally, for organisations that operated a truly effective compliance regime (based on lateral anticipation rather than vertical reaction) before the pandemic, routinely locating and analysing both current and prospective threats, Covid-19 should not be posing any significant difficulty, since a pandemic is a risk whose type, if not magnitude, should already have been on their landscape of prospective threats. The reality, however, is that for many organisations the degree of risk they are prepared to recognise has come to be determined by the amount of money available for risk management, rather than the other way round. Thus the question has become not ‘how much spend is necessary to mitigate the risk?’ but rather ‘how much risk can be mitigated for the level of spend the organisation is prepared to commit to its management?’
In that context, it would be dangerous to speak about compliance in a Covid-19 age without recognising that the state of compliance within organisations before the pandemic was not perfect, and that any pre-existing imperfections will be exaggerated and exploited during it. Compliance has become a legally mandated requirement for most private sector organisations, but many of them have adopted a ‘tick box’ mentality in which compliance is demonstrated by the existence of policies and procedures rather than by their effectiveness and by staff and stakeholders’ adherence to them. Within most organisations, to a greater or lesser extent, there was before Covid-19 a range of risk factors on the part of individual employees in relation to achieving and maintaining compliance: their lack of knowledge, integrity and practical skills, the pressure created for them within the work environment, and inadequate supervision of them and review of their working practices and output. Moreover, many organisations displayed a number of internal risks, including poor strategic and operational policy guidelines; inadequate policies, procedures or systems; poor or inconsistent internal rules and regulations; weak managerial and administrative measures; inadequate or weak supervision, review, oversight or control of work; and an absence of rules and procedures that promote ethical behaviour and transparency.
These weaknesses undermine compliance efforts generally, but when they are placed in the context of the ‘three lines of defence’ model employed by many organisations the danger increases, because that model contains a number of potential choke points, some or all of which present very real challenges for managing risk in a Covid-19 and post-Covid-19 environment. First, there is the issue of ambiguous responsibilities: who owns responsibility for key activities? If this is unclear, responsibilities become blurred and control and monitoring weaker, particularly in a Covid-19 environment of remote working. Secondly, where ambiguity around roles and responsibilities exists, first line managers may tend to neglect their responsibilities and leave (advertently or otherwise) the second line of defence to take up the slack. Thirdly, the three lines must operate separately in terms of their contribution to effective management, monitoring and assurance, but they should not operate in silos: there must be a shared understanding of risks and controls so that there are no gaps in risk coverage. Fourthly, a lack of objectivity, authority and critical mindset, combined with poor business and communication skills, may leave professionals within the second line of defence without the stature, credibility or willingness to speak up when the situation demands that they do so. The role of the second line as a countervailing power cannot be overstated. Fifthly, risk governance and the organisational structure require alignment with the constantly changing nature of the business, such that new risks that emerge trigger the need for new expertise, processes and tools. Typically, the reaction to a major breakdown in controls is the introduction of yet more controls in the form of policies, procedures and the like, but these will not be effective unless soft controls, primarily risk governance principles and behaviour, are also inculcated into the organisation.
When all of the aforementioned factors are placed into the context of Covid-19, their actual and prospective impact resonates even more clearly, not least because new risks can appear quickly and existing risks can materialise into real problems as control structures no longer operate optimally. It is essential, therefore, that compliance teams, armed with a full understanding of the real threat environment, undertake regular, dynamic risk assessments rather than the cost-benefit analysis approach typical of many organisations. Covid-19 provides criminals with fast-moving opportunities to exploit pre-existing corporate vulnerabilities which have become more pronounced because the usual controls cannot operate as normal. Compliance teams have to adopt a mindset which looks at their organisations’ vulnerabilities from the perspective of those seeking to exploit them, and not regard risk simply as an easily quantifiable quantity which can be placed conveniently in a category of ‘high’, ‘medium’ or ‘low’. In the Covid-19 environment, risks should perhaps be set at a default position of ‘high’ until the evidence proves otherwise.
Professor Rob McCusker is a Senior Advisor for Compliance and member of the Global Advisory Board of Strategic Swiss Partners.
Rob is also the Transnational Crime Director at Global Risk Alliance Ltd in the UK.