Cyber Security: How to Maintain GDPR Compliance?

The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed by both hackers and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: Violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

Cybersecurity is a Priority for the Management

Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020, the overall increase of fraudulent activities has been detected, based on ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report”: 77% of survey participants have seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier we wrote how the COVID-19 crisis triggered fraudulent activities and what can businesses do to support anti-fraud movements in their organisations and to strengthen their immunity to fraud. However, cyber-attacks are on the rise – the survey by the gov.uk continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

The study suggests that the risk level is potentially higher than ever under COVID-19 and that businesses are finding it harder to administer cybersecurity measures during the pandemic: 35% of businesses compared to 40% last year are now deploying security monitoring tools. This reduction suggests that these organisations might simply be less aware than before of the breaches and attacks their staff are facing.

However, among those that have identified breaches or attacks, around 27% of businesses experience them at least once a week. The most common by far are phishing attacks (83%, and 79% in charities), followed by impersonation (for 27% and 23%). Based on a survey by the gov.uk, despite COVID-19 stretching many organisation’s cybersecurity teams to their limits, cybersecurity remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic. Three-quarters (77%) of businesses say cybersecurity is a high priority for their directors or senior managers, while seven in ten charities (68%) say this of their trustees.

The Most Notable Data Breaches

In the climate where organisations are putting more emphasis on strengthening their online security systems, there is no shortage of data breaches or GDPR violations. Our experts have noticed and shortlisted a few most notable cases in any order for you to be aware:

1. Booking.com

The very recent case, when travel booking website Booking.com has been hit with a  €475,000 ($560,000) fine after failing to report a data breach within the time period mandated by the GDPR. It happened back in 2018 when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). The hackers were able to get login creations for the booking system and to access the personal details of more than 4000 customers who booked hotel rooms via booking.com. The scammers exposed the credit card details of 283 customers, and in 97 cases the CVV code was also compromised. Based on GDPR, the data breach must be reported within 72 hours. Booking.com was late for 22 days (!) to report the breach to the Dutch Data Protection Authority and was issued a fine in April 2021, as reported by Forbes.

2. Twitter

Another company that was late to report the security flaw is Twitter – it was discovered in December 2018 but the social media giant did not report it to Ireland’s Data Protection Commission (DPC) until the following month. As a result, Twitter has been told to pay a €450,000 GDPR fine by Ireland’s data regulator for failing to report a 2018 data breach in the legally required timeframe. The DPC also determined that Twitter failed to adequately document the breach, another requirement under GDPR.

3. Vodafone

The firm that has been warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020, is in the news again: the Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures. The fine was issued as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third parties without user consent.

4. Facebook

And another social media giant – Facebook. Ireland’s data protection watchdog is demanding answers from Facebook over the release of records on 533 million people that appeared to stem from the social media site. As reported in April 2021, a spokesman for the Data Protection Commission (DPC) – which regulates Facebook in the European Union – said “a dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals.”

5. H&M

The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the internal monitoring of employees. After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. It has violated the GDPR’s principle of data minimisation — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

6. Google

The biggest penalty (€50 million) was issued to Google for its alleged failure to provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and obtain users’ valid consent to process their personal data for ad personalisation purposes. 

COMPLIANCE & ETHICS HOTLINES, REPORT NOW

How to Maintain GDPR Compliance

What can we learn from these case studies? Maintaining GDPR compliance is a complex process, and requires a lot of diligent work. At CRI Group, we recommend looking at it as a part of your risk management strategies, together with your compliance policies and procedures.

To help you with maintaining compliance with GDPR, our integrity due diligence experts created the following top 10 GDPR best practices for any business or entity that deals with collecting, storing or using personal information:

1. Employ a Data Protection Officer (DPO)

It is a GDPR requirement that entities who carry out regular and systematic monitoring of individuals on a large scale, or large-scale processing of certain special categories of data, have an assigned DPO. It is also recommended, however, for all other entities to help ensure data security. While the GDPR does not specifically list the necessary training or qualifications of a DPO, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Implement thorough background screening processes and make sure they are trained and qualified to be your DPO.

2. Train Your Employees

Ensure that all personnel are aware of the GDPR and your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under GDPR. Make date protection training a regular part of your employee curriculum.

3. Confirm the Legality of Your Data Collection

GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:

• The information is necessary to perform a contract between the organisation and the individual;
• You have a legal obligation to process the data (such as a court order);
• The organisation has a legitimate interest in collecting and processing the data – in other words, there needs to be a relationship and business reason to collect the date (it cannot be random);
• The individual has provided direct consent to the processing of the data.

4. Maintain thorough Records

For larger organisations (more than 250 employees), GDPR requires that records of data collection and processing be maintained. Again, this is also a best practice for smaller organisations, as well. It can help establish that the organisation is dutifully complying with the data protection principles in GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix to understand what types of data you are holding, where/how it is collected, how and where it is held, and whether it is still needed. Based on this information, you can also develop a data-retention policy to govern how long personal data is kept and stored. Keeping data on file longer than needed is a liability, and serves no business purpose.

5. Establish Consent Policies for Data

For some of your records, consent is your lawful basis for holding it. Under GDPR, it is no longer acceptable to assume consent in your collected data, or treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.

6. Perform Due Diligence on Third-Parties

Under GDPR, your organisation is responsible if third-party partners collect, store or manage data for your organisation. You must ensure their compliance with GDPR as if it is your own since they are responsible for your data. This is the time to update your contracts with them to include compliance measures, as needed. It is also important that you review their control systems and their data handling processes. They must be comprehensive and meet all of the GDPR requirements to keep data secure. CRI Group’s third-party risk management experts can help you conduct effective reviews of your partners and their processes.

7. Be Responsive

Under GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests are spelt out as individuals rights in regards to their personal data and they include the following:

• Right to be informed about what data is collected and why;
• Right of access to data that has been collected;
• Right to rectification/correction of inaccurate data;
• Right to erasure of data (“right to be forgotten”);
• Right to restrict processing of personal data;
• Right to data portability;
• Right to object to use of data; and
• Right not to be subject to automated decision making, including profiling.

Have a process in place to timely respond to requests and provide data when requested in order to stay in compliance.

8. Have Written Policies in Place

Develop your internal policies in regards to GDPR and how you protect personal data, and communicate them across your organisation. Take special note to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16, as GDPR has special requirements in regards to children’s data.

9. Conduct Risk Assessments

GDPR requires Data Protection Impact Assessments in certain cases. These assessments measure your organisation’s ability to protect personal data and risks associated with that protection. If your data processing is considered high-risk, uses new technology, or deals in large-scale processing of data in certain categories, the assessments are required – but for any organisation, they are recommended. Data protection experts at an outside firm like CRI Group™ can help you prepare robust risk assessments and follow-up plans to address their results.

10. Be Prepared for a Breach

A worst-case scenario in data security is a breach that exposes personal information. Under the steps above, your organisation should be well-positioned to prevent or limit any breach to your data security. However, you should always have a contingency plan in place to immediately respond to a breach should it occur. Understand that GDPR requires that the applicable EU data protection supervisory authority be notified within 72 hours of a breach. Gone are the days where a company can announce it weeks or even months after the fact. Be ready to notify the affected individuals that their data has been compromised, so that they can take the appropriate steps to respond.

Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance. If you have any further questions or interest in implementing compliance solutions, please contact us.

Stay Updated on the Go

Sign up for risk management, compliance, corporate and background investigations, business intelligence and due diligence related news, solutions, events and publications.

Filed under: All Industries, Compliance Solution, Industry Insights, Resources, United Kingdom, London by admin
No Comments »

What are the Stages of ISO 37001 Certification?

The ISO 37001:2016 Certification is an Anti-Bribery Management System Certification critical for organisations in the public, private and non-profit sectors. After all, consider the benefits: Certification adds a distinct level of credibility to the organisation’s management systems and ensures that the organisation implements a viable anti-bribery management program utilising widely accepted controls and systems. It assures management, investors, business associates, personnel and other stakeholders that the organisation is actively pursuing internationally recognised and accepted processes to prevent bribery and corruption. ISO 37001:2016 certification also protects the organisation, its assets, shareholders and directors from the effects of bribery. But what, exactly, is the process for getting ISO 37001:2016 certified by CRI Group? Once your organisation has submitted questionnaire information and completed the approval and contract stage, the certification cycle is ready to begin.

A Breakdown of the Stages of ISO 37001:2016 Certification

Step 1: Audit Confirmation

An audit plan will be developed with your organisation and confirmed to the Certification’s Body Assessment Team at least three months before the organisation’s first audit.

Step 2: Pre-assessment Audit (optional)

The organisation can opt to perform a pre-assessment audit to identify any possible gaps between its current management system and the standard requirements. This audit is optional and helps the organisation check its preparedness for the stage 1 and 2 assessments by identifying any major non-conformities that have not been addressed.

Step 3: Stage 1 Audit

Review the results of the audit, including:

• General observations
• Non-conformities (major or minor, see below)

Minor Non-conformities: 

These are not seen as serious. The organisation must complete an internal Corrective Action Plan (CAP) before Stage 2. CAP is not required to be sent to the Assessment Team at Stage 1.

Major Non-conformities: 

These are more serious. The organisation will need to submit a CAP within ten days of receiving the audit report, with all actions scheduled to be completed before Stage 2. The CAP should be sent to the Assessment Team. The major non-conformities raised during Stage 1 will be re-assessed during Stage 2 Audit.

Step 4: Stage 2 Audit

This is an on-site audit and takes place after the organisation has successfully completed Stage 1 and corrected any major non-conformities identified during the Stage 1 audit. Stage 2 confirms that the organisation’s management system is fully aligned to the standard. The evaluation is of management system implementation and its effectiveness.

Outcome: The audit report will detail the following:

• Any positive observations
• Opportunities for improvement – suggestions for improvement and any findings that could lead to potential non-conformities.
• Non-conformities (Major or Minor)
• Recommendation for Certification

Minor non-conformities: The organisation must complete an internal Corrective Action Plan (CAP) and submit this to the Assessment Team within 45 working days of receiving the audit report. The Assessment Team will review the CAP; it must detail the non-conformity, the cause, the proposed corrective action, who is responsible and the date the action will be implemented. Based on the evaluation of CAP, the recommendation for certification will be made.

For minor non-conformities, if an organisation has a corrective action procedure, this will not delay the certificate.

Major non-conformities: The organisation must complete an internal Corrective Action Plan (CAP) and submit it within 90 days (or 180 days depending on the number and risk of major non-conformities) of receiving the audit report be sent to the auditor.

What Comes Next?

Stay tuned for more on ISO 37001:2016: sign up for our newsletter HERE! ISO 37001:2016 Anti-Bribery Management System certification is offered under CRI Group’s ABAC™ Centre of Excellence, an independent certification body established for Anti-Bribery Management System training and certification, ISO 37301 Compliance Management Systems and Risk Management System certification. The program will be tailored to your organisation’s needs and requirements. For assistance in developing and implementing a fraud prevention strategy, contact ABAC™ today or get a FREE QUOTE now!

Who is CRI Group™?

Based in London, CRI Group™ works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group™ also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

Filed under: Anti-Bribery Anti-Corruption Solution, Industry Insights, ISO 37001, Resources by admin
No Comments »

Q&A: Corporate Fraud & Corruption in the UK 2021

The United Kingdom scores 77 out of 100 on Transparency International’s (TI)  2020 Corruption Perceptions Index (CPI), as is one of the 25 least corrupt countries across the globe. However, it all seems great on the surface as corporate fraud and corruption cases have been noticeable in various industries across the UK. TI reports that corrupt actors enjoy their illicit gains by “buying luxury property in the world’s most sought-after cities, like London”. Based on the article “CPI 2020: Trouble in the top 25 countries”, “While the UK (77) is the first G20 country to launch a public register of beneficial ownership, a loophole in the law allows foreign companies to purchase real estate anonymously. This is particularly problematic as research shows that over 75 per cent of properties subject to criminal investigations between 2004 and 2015 used offshore anonymous companies to hide their owners’ identities. The UK government committed to closing this loophole by introducing a register of beneficial ownership for property, but it has yet to be implemented. The necessary legislation has been subject to significant delays. In the meantime, rich businesspeople linked to autocratic regimes are allegedly purchasing property via shell companies, such as billionaire and daughter of former President of Angola, Isabel de Santos.”

To discuss the situation of corporate fraud and corruption, CRI Group™ and its ABAC™ Center of Excellence were invited to share the expert views in the special InDepth Feature by Financier Worldwide “Corporate fraud and corruption 2021”. In this edition, CRI Group’s CEO Zafar Anjum and ABAC®’s Scheme Manager Huma Khalid talk about how corporate fraud and corruption affect businesses not only in the UK, but across the globe, and provide solutions and insights for businesses to become better protected from corporate fraud, bribery and corruption. Read on the answers to the below questions:

• To what extent have you seen a notable rise in the level of corporate fraud, bribery and corruption uncovered in your country of focus?
• Have there been any legal and regulatory changes implemented in your country of focus designed to combat fraud and corruption? What penalties do companies face for failure to comply?
• In your opinion, do regulators in your region have sufficient resources to enforce the law in this area? Are they making inroads?
• If a company finds itself subject to a government investigation or dawn raid, how should it respond?
• What role are whistleblowers playing in the fight against corporate fraud and corruption? How important is it to train staff to identify and report potentially fraudulent activity?
• What advice can you offer to companies on conducting an internal investigation to follow up on suspicions of fraud or corruption?
• What general steps can companies take to proactively prevent corruption and fraud within their organisation?

Q: To what extent have you seen a notable rise in the level of corporate fraud, bribery and corruption uncovered in your country of focus?

A: The COVID-19 pandemic has created increased opportunities for fraud worldwide. The UK is not immune, unfortunately, and such a disruptive event as the pandemic increases the likelihood that normal safeguards and risk management controls can be bypassed and subverted. There has been an increase in reported fraud and corruption cases over the past year. A survey of fraud experts by the Association of Certified Fraud Examiners (ACFE) in August 2020 showed that 77 percent were seeing an increase in fraud. Perhaps not surprisingly, cyber fraud is the fastest-growing problem area, but there has also been an uptick in unemployment fraud. This is bad news in the UK, where fraud is our most common crime, costing the country £190bn annually, according to the Royal United Services Institute (RUSI).

Q: Have there been any legal and regulatory changes implemented in your country of focus designed to combat fraud and corruption? What penalties do companies face for failure to comply?

 A: There is proposed legislation, supported by the secretary of state of the UK’s Department of Business, Energy and Industrial Strategy, that would increase accountability for corporations that produce falsified financial statements. This includes a provision that would require company directors to personally sign off on their corporation’s financial statements, under penalty of fines and possible prison time. Under the Sarbanes-Oxley Act in the US, the penalty for falsely certifying such statements is steep: up to 20 years in prison and up to $5m in fines, and the UK is looking at similar measures to step up its fight against fraud and corruption. The UK also recently approved the formation of an audit, reporting and governance authority (ARGA) that should come into force within the next two or three years. Accordingly, the UK is taking a stronger stance against fraud going forward.

STAY UPDATED: Sign up for risk management, compliance, corporate and background investigations, business intelligence and due diligence related news, solutions, events and publications

 Q: In your opinion, do regulators in your region have sufficient resources to enforce the law in this area? Are they making inroads?

A: Combatting fraud is never straightforward. When looking at progress in detecting and preventing fraud, it sometimes feels like a question of whether the glass is half full or half empty. For example, the Serious Fraud Office (SFO) brought 13 fraud defendants to trial in 2019 and 2020, with a 95 percent four-year success rate by case. Many of these represent large frauds, and they are meaningful wins, but how many more fraudsters are out there undiscovered? Other bodies, including Her Majesty’s Revenue and Customs (HMRC), among others, also have key roles to play in investigating fraud, but a considerable amount of fraud is still investigated and prosecuted at the local level. It is important for leaders in the UK to know what resources law enforcement have and where they need training and support in the fight against fraud.

Q: If a company finds itself subject to a government investigation or dawn raid, how should it respond?

A: Any investigation, and especially a raid, can be an incredibly stressful time for a company and its employees. The important thing is to not panic – the investigators have a job to do, and the sooner they get to the truth of the situation, the better for everyone. Companies should direct their management and their employees to cooperate fully, while also engaging legal counsel to properly protect the corporation from future litigation. If fraud is detected, it is a criminal matter and the company should make a good faith effort to work with prosecutors and regulators, while making sure to document all control measures and prior steps taken to manage fraud risk. Having a track record of meeting compliance requirements and having proper internal controls in place at the time fraud occurs could have a mitigating effect in terms of potential prosecution and penalties down the road. View the reprint of the interview, covering not only the UK but also the United Arab Emirates.

Q: What role are whistleblowers playing in the fight against corporate fraud and corruption? How important is it to train staff to identify and report potentially fraudulent activity?

A: Employees are a company’s first line of defence against fraud and corruption. But training them to recognise the red flags of fraud is only half of the process. The company must also implement a reporting system that is anonymous and easy to use, so that employees are encouraged to report any suspicions. Then, the company must follow through and fully investigate any reports that do come in. If they do not, whistleblowers will believe that combatting fraud and corruption is not a corporate priority, and the tips will stop coming in. How important are those tips? According to the ACFE, they are by far the highest detection method for fraud, well above audits and other means. The company should communicate that a whistleblower hotline or online reporting system is available, and that there is a zero-tolerance policy for any type of retaliation against whistleblowers. Over time, the tips will come in.

Q: What advice can you offer to companies on conducting an internal investigation to follow up on suspicions of fraud or corruption? 

A: Investigations can be challenging, and they require expertise. For example, there are rules for collecting and handling evidence, including physical evidence and witness statements, that must be followed for such evidence to be admissible in court. There are also laws in the UK dealing with privacy and the rights of the accused. The bottom line is that a company already dealing with a potentially costly and damaging fraud scenario should not risk adding more legal trouble through a faulty investigation. Hire experts who deal with corporate crime and specialise in fraud and corruption cases. Like any other area of expertise, they will have the knowledge and resources to help proceed with an investigation and lead it to the most favourable outcome for your company. If you already have anti-fraud professionals on staff, let them take the lead, but provide outside resources as needed.

Q: What general steps can companies take to proactively prevent corruption and fraud within their organisation? 

A: A fraud prevention strategy has many different elements, and the sooner companies implement them, the sooner they can begin to work together in a proactive way to prevent fraud. Mandating employee training, such as ISO 37001 ABMS, having an ethical code of conduct signed by every member of staff, providing regular and surprise audits, and implementing a fraud reporting system are all effective ways to help prevent and detect fraud and corruption. None of these methods is strong enough on its own to properly protect organisations. But together, they can be very effective. It is also important to set a ‘tone at the top’, from ownership, directors and management on down, that fraud will not be tolerated. Anti-fraud controls only work if the company sees them through and thoroughly investigates every report. When fraud is confirmed, any perpetrators should be terminated and potentially prosecuted, sending a message of zero-tolerance.

Find out more about the ISO 37001 training

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI Group™ Chief Executive Officer
37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA United Kingdom
t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

Source & Credits

The original version of the Q&A was published on Financier Worldwide’s InDepth Feature: Corporate Fraud & Corruption 2021. Download the reprint here.

Filed under: Anti-Bribery Anti-Corruption Solution, Compliance Solution, Investigative Solution, Resources, Third-Party Risk Management by admin
No Comments »

The Consequences of Inadequate Due Diligence

Adequate Due Diligence

Running worldwide businesses requires effectively recognizing, analyzing and managing risks and ensuring compliance. We have identified that many organizations with third-party relationships conduct inadequate due diligence that might pose significant risks. In this article, we look at the possible risks and the best practices for conducting adequate due diligence and third-party risk management effectively, such as:

1. Planning
2. Documentation
3. Culture

Continuous Risk Management

Today’s global business requires efficiently managing a network of third-party partners that supply product components, run operations in foreign markets, operate call centers, or act as outside consultants or agents.

A well-maintained third-party network’s vast array of capabilities and specialized skill sets make operations easier for the organization and its customers. But many organizations, from small businesses to multi-national corporations, can rarely afford the time and effort required in-house to manage these often-complex third-party relationships.

Because of this, the risk of unethical business practices, bribery and other business corruption potentially increases if inadequate due diligence is conducted on third-party partners. The ramifications of a scandal related to a third-party partner can easily take down an organization, resulting in such risks as a damaged reputation and brand devaluation, regulatory violations, legal proceedings and possible fines and jail terms for directors. Therefore, a solid and viable third-party risk management program is the only way to protect the corporation’s assets fully.

Building a third-party risk management program is not a passive process. It continually requires time and effort as the risks associated with third-party partnerships evolve.

Explore Third-Party Risk Management Solutions

Consider the recent events during which the legislators of three separate nations signed new compliance regulations and standards into law. Suppose your organization’s third-party risk management program cannot quickly adjust to these new regulations (or is not designed to anticipate future legislative movements). In that case, your organization is genuinely at risk.

Cutting Corners Not Worth the Risk: Adequate Due Diligence

Indeed, building a solid risk management program requires a significant investment of time and resources (internally and from the outside). Still, the consequences of not doing it right could be dramatically severe. Still, far too many organizations are willing to tempt fate by cutting corners on developing and implementing their third-party risk management program.

Organizations attempt to cut corners by relying on outdated or stagnant tools to monitor, detect, and prevent risks. Hiring outside industry professionals with proven track records of successful due diligence experience is necessary.

Relying too heavily on “desktop” due diligence is another dangerous shortcut. Desktop due diligence is an essential initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. And while it is a vital component of any effective due diligence program, it’s not nearly enough to evaluate the third party thoroughly.

Truly understanding a potential partner’s business requires a considerable amount of time spent face-to-face with the outside organization’s leadership, operations management and even current customers. This “boots on the ground” process will detect potential risks, often hidden from a distance and undetectable via web-based discovery tools.

The “boots on the ground” approach also help to establish a relational dynamic required for ongoing negotiations and provides a clear insight into two of the fastest-growing issues in third-party risk management: Bribery and Labor Management.

Bribery As a Compliance Issue

Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being decreed worldwide at a relentless pace. Complicating matters further, many countries may have laws in place but cannot enforce them adequately. The responsibility falls to your organization’s adequate due diligence program to ensure detection and protection when this happens.

High profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those who engage in corruption and those who suffer. Any organization that finds itself mixed up in a scandal involving bribery has more than a legal mess. It has a long battle to win back the trust of its shareholders, employees, customers and the public.

Conducting adequate due diligence surrounded such varying factors is work that must be completed in person. Gaining insight into a potential partner’s company culture requires immersion with the organization’s leadership, management and staff. When evaluating bribery risk, some warning signs can only be discovered on-site.

This e-book explores some critical questions posed to business leaders today: Has your organization implemented reasonable and proportionate measures to prevent bribery? How will you know if your anti-bribery and anti-corruption controls are effective? Are you aware of the latest best practices in avoiding bribery? Download our eBook to find out! READ NOW

Labor Matters and Compliance

From overtime issues and under-age workers to unsafe working conditions and improperly documented accidents, labor compliance represents a significant component of any solid third-party risk management program.

Once again, inadequate attention to risks related to labor compliance can bring on considerable penalties. Understanding which industries, geographic regions, and management structures elevate the organization’s risk is vital to efficiently operate an adequate due diligence program. This understanding is nearly impossible to guarantee via ‘desktop’ due diligence. Spending the necessary time in person is the only way to ensure a potential supplier properly compensates and manages employees while providing a safe workplace environment.

Even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organization — as a joint employer — can still be held accountable in many countries. After all, the labor conducted at your partner’s facility benefits your organization’s bottom line.

What are the Best Practices?

The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organizations are alike in terms of risk profiles, several factors have become consistent in building a strong, effective and adequate due diligence program:

1. Planning: Without a well thought out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, measures to mitigate risk will be haphazard at best and dormant at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for continual revision, the organization will remain vigilant in its efforts to protect itself from liability.

2. Documentation: Due diligence efforts are only as good as the information and data gathered and secured. Meticulous documentation and reporting enable the organization to recognize trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.

3. Culture: An organization where leadership, management and workforce do not take the third-party risk seriously will never be adequately protected from risk. Successful organizations in this respect dedicate themselves to building a culture in which every employee feels personally invested in the operation’s risk management. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.

Done correctly, third-party risk management can effectively save the organization from risk, liability, and other perils often associated with outside entities wanting to engage and transact with your business.

A TPRM Customized Solution that Best Suits Your Needs

CRI Group™’s own exclusive, expert-developed 3PRM™ services help you proactively mitigate risks from third-party affiliations, protecting your organization from liability, brand damage and harm to the business. Whether your organization has a large, well-established third-party program, is in the early stages of development, or is anywhere in between, the 3PRM™ solution can improve the health of your program and future-proof your entire business in many forms.

Our 3PRM™ solution streamlines the third-party risk management process through scalability, and efficiencies – from third-party risk identification to assessment what sets us apart is that our 3PRM™ solution includes:

• Due Diligence
• Screening & Background Checks
• Regulatory Compliance
• Business Intelligence: Information Management
• Investigations: i.e. IP, Fraud, Conflict of Interest, etc.
• Anti-bribery & Anti-Corruption (ABAC) Compliance
• Employee auditing training & education
• Monitoring & reporting

Where Should TPRM Sit within an Organization?

TPRM can sit within various business units depending on your organization’s structure. Many organizations involve multiple departments such as procurement, information security, operational risk and compliance to provide input to manage the risks related to engaging third parties. Depending on your business’ internal structure, you may choose to apply a centralized, mixed or decentralized model when focus on TPRM. At CRI Group™ we observed a trend with many of our clients implementing a centralized model when managing their third-party relationships, given the required input from their multiple business lines. A centralized model allows you as an organization to track common risks across departments and identify emerging trends that may require a response from more than one department.

Risk Management Goes Beyond TPRM

CRI Group™ provides the knowledge required to navigate unfamiliar markets and mitigate third party risk by assessing the backgrounds, integrity and character of those with whom you do business. Our 3PRM-Certified™ program is therefore key for managing an organization’s third party risk levels. However, this is only one of the several vital steps towards a robust risk management strategy implementation.

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from various sources including your employees.

Getting Started with ISO 31000 Risk Management? Learn more with our “ISO 31000 Playbook”

At CRI Group™, we understand that managing compliance and risk activities might be a daunting task. That’s why we present you with the insights library where you can dive deep into these topics to make your job easier. If you can’t find what you are looking for, just get in touch – we would love to have a chat!

CONTACT INFORMATION

Zafar Anjum | CRI Group™ Chief Executive Officer
t: +44 207 8681415 | m: +44 7588 454959
e: zanjum@crigroup.com

Filed under: Due Diligence, Industry Insights, Resources, Third-Party Risk Management by admin
1 Comment »

Unemployment Insurance Fraud During COVID-19

The Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury that collects and analyses information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes launched an Advisory on Unemployment Insurance Fraud During the Coronavirus Disease 2019 (COVID-19) Pandemic.

This advisory is aimed “to alert financial institutions to unemployment insurance (UI) fraud observed during the COVID-19 pandemic. Many illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the pandemic. This advisory contains descriptions of COVID19-related UI fraud, associated financial red flag indicators, and information on reporting suspicious activity”.

We published recently that COVID-19 continues to affect businesses in a myriad of ways. Organisations are having to adapt quickly to the fast-changing climate of the pandemic, and unfortunately, we’ve recently noticed some business practices of cutting steps in a few internal processes, such as hiring, or lack of risk management controls. It’s a vulnerable time for organisations – earlier we wrote that a crisis can bring out the worst in some people. Fraudsters who prey on people’s fear and confusion tend to waste no time when a global pandemic strikes. COVID-19 is relatively new, yet fraud schemes are multiplied much like the virus itself as criminals look for vulnerabilities among a fearful population. This pandemic also creates risks for employee fraud – CRI Group’s survey revealed that nearly 77 percent of HR professionals accept that there is a risk that employees can initiate fraudulent activity because of the work-from-home arrangement.

But employee fraud might not be the only risk the organisations face today. Earlier this year, we published that some organisations commit fraud themselves and abuse the Coronavirus Job Retention Scheme by engaging in furlough fraud. They do this by accepting taxpayer money designed to help them pay salaries for furloughed workers, who are essentially “deactivated” due to loss of business and quarantine – yet they pressure them to work (or they accept furlough benefits without the employees’ knowledge).

As we can see, a fraudulent activity might happen in a myriad of ways. Let’s dive in what are the red flag indicators of unemployment insurance (UI) fraud as unemployment claims across the globe have surged due to the COVID-19 pandemic.[/vc_column_text][vc_hoverbox image=”8095″ primary_title=”> The Unseen Enemy: Explore Insurance Fraud in-depth with our eBook!” hover_title=”GET YOUR FREE COPY”]DOWNLOAD NOW[/vc_hoverbox]

What are the Red Flags of Unemployment Insurance Fraud?

In the advisory, FinCEN lists the financial red flag indicators to alert financial institutions to fraud schemes targeting UI programs, and to assist them in detecting, preventing, and reporting suspicious transactions related to such fraud. The illicit activity might include employer-employee fraud-related activities, such as creating a fake company with fictitious employees and providing fabricated details such as wages, or conspiracy between the two parties when an employee receives UI payments while the employer continues to pay reduced and/or officially undisclosed salaries. The fraud scheme might also be happening under the ‘misrepresentation of income fraud’ when the applicant fails to provide the correct income/wage details, or even submits an application with stolen or fake identity information.

A similar case happened when the COVID-19 was in a full swing last year: one for-sale ad was published in the black-market specialising in selling stolen accounts and data – it was for access of the stolen UI claim in California that had been approved and offered benefits worth $17,550. This is just one example of the fraudulent activities – “in California, fraud was so pervasive that officials have suspended processing jobless claims for two weeks to put new controls in place and reduce a bulging backlog”. It also resulted in The U.S. Labor Department making fraud detection a priority and allocating $100 million to combat the issue. To support this fight against illicit activities, FinCEN identifies the following red-flag indicators:

1. Account(s) held at the financial institution receive(s):

• UI payments from a state other than the state in which the customer reportedly resides or has previously worked;
• Multiple state UI payments within the same disbursement timeframe;
• UI payments in the name of a person other than the accountholder, or in the names of multiple unemployment payments recipients;
• UI payments and regular work-related earnings, via direct deposit or paper checks;
• Numerous deposits or electronic funds transfers (EFTs) that indicate they are UI payments from one or more states to persons other than the accountholder(s);
• A higher amount of UI payments in the same timeframe than similarly situated customers received.

2. The customer withdraws the disbursed UI funds in a lump sum by cashier’s checks, by purchasing a prepaid debit card, or by transferring the funds to out-of-state accounts.
3. The customer’s UI payments are quickly diverted via wire transfer to foreign accounts, particularly to accounts in countries with weak anti-money laundering controls.
4. The customer receives or sends UI payments to a peer-to-peer (P2P) application or app. The funds are then wired to an overseas account, or withdrawn using a debit card, in a manner that is inconsistent with the spending patterns of similarly situated customers.
5. Individuals quickly withdraw disbursed UI funds via online bill payments addressed to an individual(s), as opposed to businesses, as payee(s), with some individual payees receiving multiple online bill paychecks over a short time period.
6. The IP address associated with logins for an account conducting suspected UI-fraud activities does not map to the general location of stated address in identity documentation for the customer or where the UI payment originated.
7. Individuals direct UI-related EFTs, or deposit UI checks into suspected shell/front company accounts, which may be indicative of money mules transferring these funds in and out of the accounts.
8. Multiple accounts receiving UI payments at one or more financial institutions are associated with the same free, web-based email account that may appear in more than one UI application.
9. A newly opened account, or an account that has been inactive for more than thirty days, starts to receive numerous UI deposits.
10. After a financial institution suspects UI fraud and requests additional identification documentation to verify the identity(ies) of the customer(s), queried individuals provide documents that are incorrect or forged, which may be an indicator of an account takeover or identity theft. After a financial institution suspects UI fraud and conducts due diligence, it determines that the customer does not have a history of living at, or being associated with, the address to which the UI check or UI debit card is sent, or within the geographical area in which the registered debit card is being used.

Read the full advisory here.

Insurance fraud is something that no company can afford. It is a serious crime that can result in serious consequences for fraudsters who may find their future job prospects impacted, find it harder to obtain insurance and other vital financial services, obtain a criminal conviction and even face the prospect of imprisonment. CRI Group’s insurance fraud investigations cover the full range of insurance fraud cases, from healthcare fraud to disability and even fake death claims. Our experts are trained to look for the tell-tale signs of fraud: they can view claims, medical and hospital records, conduct interviews, examine statements and documents, as well as perform on-site inspections.[/vc_column_text][/vc_column][/vc_row]

Enhanced Risk Management

At CRI Group™, we suggest you consider looking at your overall risk management process, involving not only potential insurance fraud risks during the COVID-19 pandemic, but a broader range of employee, bribery and corruption, compliance risks your organisation might face.

The “Risk Management & ABMS Playbook” provides tools, checklists, case studies, FAQs and other resources to help you lead your organisation into better preparedness and compliance. Our experts share their own plays to help you reduce risk, thereby preventing and detecting more fraud. The first section addresses risk management directly: proper third-party due diligence and critical background screening take centre stage for this game plan. Section two tackles bribery and corruption, with tried-and-true measures you can implement to stay better protected and in compliance with strict laws and regulations.[/vc_column_text][vc_btn title=”GET YOUR FREE COPY NOW” link=”url:https%3A%2F%2Fcrigroup.com%2Fcase-study%2Frisk-management-abms-playbook%2F|target:_blank”][/vc_column][/vc_row]

Speak up – Report illegal and Unethical Behaviour

If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, and you feel uncomfortable reporting through normal channels of communication, or wish to raise the issue anonymously, use our Compliance Hotline. This hotline is available to all everyone in a business relationship with CRI Group and ABAC Group. It is an anonymous reporting mechanism that facilitates reporting of possible illegal, unethical, or improper conduct when the normal channels of communication have proven ineffective, or are impractical under the circumstances.[/vc_column_text][vc_btn title=”REPORT NOW” link=”url:https%3A%2F%2Fcrigroup.com%2Fcompliance-ethics-hotlines%2F|target:_blank”][/vc_column][/vc_row][accordion_father][accordion_son title=”Who is CRI Group?” clr=”#1e73be”]Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

Filed under: COVID-19 Insights, Insurance, Insurance Fraud Investigation, Resources by admin
No Comments »

Address Risk with Employee Background Checks

Employee Background Checks

We have all heard of the term “employee background checks”, but what is the exact function of this process? There are inherent risks in the hiring process, including fraudulent claims by candidates. These include everything from relatively minor transgressions, like stretching employment dates, to severe and concerning deceptions, such as claiming unearned degrees or credentials or hiding one’s criminal record. Being aware of these risks is only the first step, and companies that don’t take steps to address them, such as thorough, comprehensive background checks as part of their hiring policies, are putting themselves in peril. Several case studies have shown companies learning this lesson the hard way.

In one recent case, a semiconductor manufacturing company noticed that its finances weren’t adding up. Auditors traced the discrepancies to around the time when a company had hired a new CFO – and so the investigation began. When contacted, the CFO’s previous employers reported that the individual had been terminated due to cash embezzlement, harassment and workplace violence. In the end, the case proved costly to the semiconductor company. The CFO was terminated and prosecuted, but nearly $200,000 had been embezzled, and most of it could not be recovered (it was already spent, as the fraud had been taking place over four years).

Proper background checks and a thorough vetting of references would have exposed the fraudster before he had ever set foot in his office as a CFO. The proactive approach would have saved the company in lost revenues, human resources investment (extensive auditing and investigation) and damage to reputation.

When an organisation is ready to add a critical layer of security to its hiring process, Organisation should consider the following:

• Evaluate the current process: What is the company’s existing, written policy for hiring new employees? How does it address background checks, due diligence, and other issues? Is the process followed in every case?
• Risk areas: Some positions are more sensitive than others. For example, the CFO at the semiconductor company was well-placed to commit fraud. What are some other job positions and responsibilities that have a heightened risk factor?
• Ownership of the process: Ultimately, who has the responsibility of vetting new hires? Is it ownership? Human resources? Individual managers? It might be a collaborative process. All of those involved in hiring should also be involved in implementing a due diligence solution that includes background checks.
• The current workforce: Proper due diligence doesn’t just apply to prospective new hires. The organisation should also use it to evaluate your current workforce periodically. Examine the various roles and personnel at your organisation. Consider a policy that addresses risk areas with background checks to ensure that you don’t have any employees among your ranks that might have criminal backgrounds or other issues that your company is unaware of.

After performing a thorough evaluation of the organisation’s needs in terms of effective pre-and post-employment background checks, it’s time to consider whether to conduct such checks in-house or use an outside expert firm.

Some larger corporations might already have access to dynamic resources for background checks and a team of trained staff to conduct them. Most businesses, however, do not. In such cases, enlisting the services of a firm that conducts background checks as part of its main course of business makes sense. Investing in proper due diligence can save severe problems down the road.

Managing Your People through COVID-19

The COVID-19 pandemic is undeniable, affecting the world. And the situation is changing at an hourly rate as we go into a second global lockdown. Businesses have to adapt quickly to survive, i.e. cutting steps in their hiring process, and no one knows how this will play out. However, there are ways you can mitigate the impact, learn how with this FREE ebook. Taken as a whole, this ebook is the perfect primer for any HR professional, business leader and company looking to avoid employee background screening risks. It provides the tools and knowledge needed to stay ahead of COVID-19 effectively. Read the answers to the following questions:

• How to turn the tide’ on coronavirus crisis?;
• COVID-19 Action point checklist;
• Background Screening: Essential Checks;
• 6 steps for good practice in connection with COVID-19;
• 11 Steps to Reduce Personnel Costs;
• COVID-19 General advice;
• How to remove any danger to your business during COVID-19;

> Download your “Employee Screening during COVID-19: everything you need to know and more!” FREE ebook here!

Frequently Asked Questions about Background Checks.

Get answers to frequently asked questions about background checks/screening cost, guidelines, check references etc. This eBook is a compilation of all of the background screening related questions you ever needed answers to:

• Does a candidate have to give consent to process a background check/screening?

• How long does it take to conduct a background check?

• When should I conduct pre-employment checks?

• How often should I screen employees?

• How to collect references, and what to ask?

• How much does it cost to conduct background checks?

• What is the difference between employment history verification and employment reference?

• How do I check on entitlement to work?

• How to conduct identity checks?

• What will a financial regulatory check show?

• Is it possible to identify a conflict of interest during checks?

• What is a bankruptcy check?

• What about directorships and shareholding search?

• Can I have access to a criminal watch list?

• Anti-money laundering check?

• Can we conduct FACIS (fraud and abuse control information system) searches?

• … and MORE!

Taken as a whole, is the perfect primer for any HR professional, business leader and companies looking to avoid employee background screening risks. It provides the tools and knowledge needed to make the right decisions.

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI Group Chief Executive Officer

37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA United Kingdom

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

About CRI Group™

Based in London, CRI Group™ works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider.

We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS102000:2013, and BS7858:2019 Certifications is an HRO certified provider and partner with Oracle.

In 2016, CRI Group™ launched the Anti-Bribery Anti-Corruption (ABAC™) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification.

ABAC™ operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC™ for more on ISO Certification and training.

Filed under: Background Investigation, Employee Background Check, Resources by admin
No Comments »

CPI 2020 Overview: Middle East & Asia

The newly published Transparency International’s Corruption Perception Index (CPI 2020) has ranked 180 countries and territories by their perceived levels of public sector corruption. This index uses a scale of 0 to 100, where 0 is highly corrupt and 100 is very clean. CPI 2020 identified that despite progress, most countries still struggle to stop corruption effectively – more than 2/3 of countries score below 50 on CPI, with an average score of just 43. That proves the need to implement more stringent anti-bribery anti-corruption measures worldwide.

In this article, which was originally published on ABAC™ Center’s of Excellence website, we will look at how the Asia Pacific, the Middle East and Pakistan scored in the CPI 2020 and discuss solutions to tackle bribery in these regions.

Asia Pacific

Transparency International identified that with an average score of 45, the Asia Pacific region is still struggling to combat corruption despite continuous efforts. Region’s top leader New Zealand (88) is followed by Singapore (85), Australia (77) and Hong Kong (77). Conversely, Cambodia (21), Afghanistan (19) and North Korea (18) ranked lowest in the region. Malaysia, the country which introduced more stringent measures to fight bribery and corruption, proves that it takes time to see improvements. The country has moved down to 51 points compared to 53 points in 2019. Accordingly, the ranking also moved down to 57 in comparison with 51 in 2019. “Although a drop in the score appears statistically insignificant, the government must be cognizant that our rank falling 6 steps means that compared to other countries we are not improving as well as other countries in our efforts to fight corruption” – said Transparency International Malaysia in a statement. TI-M added: “The Government after coming into power in early 2020 committed to continue with the agenda to fight corruption and among them were to gazette the enforcement date of 1 June 2020 for the Corporate Liability and continue with the National Anti-Corruption Plan (NACP) initiated by the previous Government which is commendable. The NACP (National Anti-Corruption Plan) is a comprehensive plan but the government must ensure the implementation is effective and the Chief Secretary to the government should be empowered to lead the implementation and be made accountable”.

In our published whitepaper “South Asia grapples with anti-bribery compliance”, which overviews anti-bribery, anti-corruption and ISO 37001 solutions in Malaysia and entire in South Asia, we wrote that South Asia has a troubled record when it comes to preventing bribery and corruption, as well as enforcing compliance. Recent cases and statistics show that the problem persists in most countries in the region. Both government officials and private sector business leaders are struggling to adopt policies, control methods and best practices to help reduce bribery and corruption on their watch. High profile cases such as the 1MDB scandal in Malaysia and, more recently, the alleged Meikarta township case in Indonesia underscore this point. The investigations that were triggered by these cases demonstrate, however, that regulators are serious about addressing the threat of bribery and corruption as more than just a legal issue, but as a societal one, as well. In response, organizations that are committed to being in compliance are adopting the ISO 37001 – Anti-Bribery Management Systems standard as a comprehensive approach to mitigating risk and demonstrating ‘adequate procedures’ taken to prevent bribery and corruption.”

READ ARTICLE

Middle East

Transparency International identified that with an average score of 39, the Middle East and North Africa region is still perceived as highly corrupt, with little progress made towards controlling corruption. Even though the United Arab Emirates (71) and Qatar (63) are best performing in the region, UAE is still appearing in headlines with bribery and corruption scandals.

In the article “CPI 2020: Trouble in the top 25 countries” Transparency.org wrote: “The United Arab Emirates has been heavily criticised by the Financial Action Task Force (FATF) for its inadequate anti-money laundering framework. The country’s chaotic approach to registering companies makes it incredibly difficult for law enforcement to detect who is behind a suspicious company when thirty-nine different registries operate across the seven Emirates.

The UAE’s booming construction and real estate sector accounts for a fifth of the Emirates’ GDP, but remains vulnerable to money laundering because of complex and opaque ownership structures”.

Recently CRI® Group was featured in Financier Worldwide’s InDepth Feature: Anti-Money Laundering 2021 publication and shared the view about the unfortunate situation of money laundering in this region: “When it comes to money laundering, a recent report from Carnegie Endowment found that there is a steady stream of illicit funds from corruption and crime flowing into the UAE. This should be alarming to organisations and regulators alike. The perpetrators take advantage of ‘free trade zones’ and often the money is funnelled through real estate deals, especially in luxurious properties in Dubai, for instance. This might be facilitated by foreign mobsters, gold smugglers, and even warlords. These are high-level criminal operations that can pose a risk to any legitimate organisation operating in the UAE and the Middle East as a whole”. In this edition, CRI® Group’s CEO Zafar Anjum and ABAC®’s Scheme Manager Huma Khalid talked about the Anti-Money Laundering solutions and financial crime impact on businesses not only in UAE but across the globe: “Money laundering still represents a gap in enforcement, and organisations should not wait for government action to put their own AML frameworks in place. Like many countries around the world, the UAE is experiencing an uptick of fraud and financial crimes during the COVID-19 pandemic”. Read the full interview here.

Pakistan

As published in the press release, Pakistan’s CPI 2020 score “has lowered to 31/100 from 32/100 in 2019 and rank to 124/180 from 120/180 in 2019. This is despite NAB’s extraordinary efforts who claims to have recovered Rs363 billion in the last two years, and Public Accounts Committee claims to have recovered Rs. 300 billion over the previous two years”.

TI Pakistan recently reported that “A total of 95 corrupt persons were convicted and fined worth billion of rupees by various accountability courts during the last three years due to the vigorous persuasion of National Accountability Bureau, Rawalpindi“. The comment was made by the Director General NAB, Irfan Naeem Mangi Monday. These efforts, of course, plays a significant role in fighting bribery and corruption, however, Pakistan is still appearing in the headlines. Recently, Transparency International Pakistan has found the Federal Board of Revenue (FBR) involved in prima facia violating procurement rules for IT-based solutions and causing Rs13.5 billion losses to exchequer.

As the expert in AML and risk management solutions, CRI Group™ was interviewed in the Annual Review (2018): Pakistan Corporate Fraud & Corruption, published by Financier Worldwide Magazine and highlighted that Corporate fraud and corruption in Pakistan are widespread (Rose-Ackerman, 1997, p. 4), particularly in the government and police forces. There is a need to reform accountability and anti-corruption policies in Pakistan. 

Rising fraud risks have driven companies to establish the right steps to prevent fraud and corruption from surfacing. Following through with a focused trajectory ultimately also ensures failsafe protections are put in place, which will guard against scandals or negative publicity, while minimizing risk exposure. There is quite a notable empirical rise in the frequency of companies conducting background screenings to nip corruption in the bud. Though checks can vary in nature, enforcing internal controls by implementing ISO strategies can bring pivotal change to a company’s strategy. Risk management is an essential part of minimizing the costs that can arise in the long term due to losses and falling prey to fraudulent practices in the corporate realm. This can be implemented through a resilient management system that has been designed to specifically target any loopholes and any roadblocks, the impact of which can often be greater than anticipated, rattling the company and causing harm that could lead to lawsuits, unanticipated monetary and financial losses and hefty fines imposed by regulatory authorities, from which the company may never recover.

READ THE Q&A NOW

Demonstrating Adequate Procedures to Prevent Bribery and Corruption 

ISO has developed a standard – ISO 37001:2016 ABMS – to help organisations promote an ethical business culture. “Designed to help your organisation implement an anti-bribery management system (ABMS), and/or enhance the controls you currently have. It helps to reduce the risk of bribery [and corruption] occurring and can demonstrate to your stakeholders that you have put in place internationally recognised good-practice anti-bribery [and anti-corruption] controls”.

Consider ISO 37001:2016 ABMS as one of the invaluable tools of your Third-Party Risk Management Strategy. Combined with due diligence, background screening, business intelligence and compliance solutions, ISO 37001 certification and training can lift your risk management process and help your business mitigate risks from third-party affiliations, protecting your organisation from liability, brand damage and harm to the business. Learn more about 3PRM™ program as a flexible and responsive tool to the various risk domains that are most important to your business.

ABAC™ – Aiming for a Higher Standard

At CRI Group’s ABAC™ Center of Excellence Limited, we are affiliated with leading certification and accreditation bodies around the world. These affiliations and accreditations help demonstrate the high level of experience and knowledge we provide in anti-bribery, risk and compliance management to our clients on a daily basis.

That’s why ABAC™ has achieved essential accreditations from the United Kingdom Accreditation Service (UKAS), Emirates International Accreditation Center (EIAC) and membership in the Association of British Certification Bodies (ABCB). ABAC® is also a member of the “Partner in Corporate Governance” programme with the Malaysian Institute of Corporate Governance (MICG) and a Corporate Member of Transparency International Malaysia (TI-M).

ABAC™ was established in 2016 by CRI Group™, a global leader in risk, compliance and anti-bribery management systems. ABAC™ was launched to provide certification and online training in anti-bribery and anti-corruption risk management and compliance for organisations worldwide. CRI Group™ and ABAC™ CEO Zafar I. Anjum, CFE, said that ABAC™ is proud to be accredited by, and affiliated with, international accreditation bodies. “Our engagement with high-profile bodies like EIAC, ABCB and UKAS demonstrates the effectiveness of our ISO 37001:2016 Anti-Bribery Management System certification and training, along with our ISO 37302, ISO 31000 certifications and other programs,” Anjum said. Visit abacgroup.com to find out more about anti-bribery, anti-corruption, risk and compliance management solutions.

CRI Group™ invites you to schedule a quick appointment with us to discuss in more detail how conducting due diligence and compliance can help you and your organisation. 

Meet our CEO

Zafar I. Anjum is Group Chief Executive Officer of CRI Group™ (www.crigroup.com), a global supplier of investigative, forensic accounting, business due to diligence and employee background screening services for some of the world’s leading business organisations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center – QFC, and the Abu Dhabi Global Market-ADGM, CRI Group™ safeguard businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. Based in London, CRI Group™ maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, Turkey and the USA.

Filed under: Anti-Bribery Anti-Corruption Solution, Compliance Solution, Resources by admin
No Comments »

Protecting Your Company from the Global Corruption Pandemic

Who is CRI® Group?

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, TPRM, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body that provides education and certification services for individuals and organizations on a wide range of disciplines and ISO standards, including ISO 31000:2018 Risk Management- Guidelines; ISO 37000:2021 Governance of Organisations; ISO 37002:2021 Whistleblowing Management System; ISO 37301:2021 (formerly ISO 19600) Compliance Management system (CMS); Anti-Money Laundering (AML); and ISO 37001:2016 Anti-Bribery Management Systems ABMS. ABAC® offers a complete suite of solutions designed to help organizations mitigate the internal and external risks associated with operating in multi-jurisdiction and multi-cultural environments while assisting in developing frameworks for strategic compliance programs. Contact ABAC® for more on ISO Certification and training.

Filed under: Anti-Bribery Anti-Corruption Solution, Compliance Solution, Resources by admin
No Comments »

ESG: CRI Group™ Environmental Policy

Corporate Research and Investigations Limited “CRI Group™” is a certified member of GBB (Green Business Bureau), seeks excellence in every aspect of our business and is committed to minimising the environmental impacts of our business operations. After extensive new compliance requirements across the ESG (Environmental, social and governance) and working with Green Business Bureau, we are committed to strictly implementing the same commitments we agreed with GBB certification. 

The CRI Group™ and all directly employed sub-contractors, and agents, agree to comply with the below rules and will continue to ensure compliance. Here is our global Environmental Policy.

Our commitment is to:

• Continuously improve our environmental performance and integrate recognised environmental management best practices into CRI® Group operations.
• Reduce our consumption of resources and improve the efficient use of those resources.
• Measure and take action to reduce the carbon footprint of CRI Group™ activities to meet our published objectives and targets.
• Purchase qualified electronic equipment globally recognised as the most energy-efficient equipment available.
• Manage waste generated from our business operations incorporating reduction, re-use and recycling in accordance with the principles of the waste hierarchy
• Manage CRI® Group business operations to prevent pollution.
• Give due consideration to environmental issues and energy performance in the acquisition, design, refurbishment, location, and buildings use.
• Ensure environmental, including climate change, criteria are considered in the procurement of goods and services.
• Comply as a minimum with all relevant environmental legislation and other environmental requirements to which the firm subscribes.
• Maintain our certification to ISO 14001 program in 2022 implementation and rigorous.
• Monitoring and review.

To meet our commitments, we will:

• Provide CRI® Group’s Executive Board oversight and review of environmental policies and performance and allocate resources for effective direction and implementation.
• Monitor key objectives and targets for managing our environmental performance at least annually.
• Use a green web hosting service for our business websites with completely carbon neutral.
• Communicate internally and externally our environmental policy and performance regularly and encourage feedback.
• Communicate the importance of environmental issues to our people.
• Work together with our people, service partners, suppliers, landlords, and agents to promote improved environmental performance.
• Promote appropriate consideration of sustainability and environmental issues in the services we provide to our clients.
• Review our environmental policy regularly.

This environmental policy represents our general position on environmental issues and the policies and practices we will apply in conducting our business.

What is ESG?

ESG (Environmental, social and governance) criteria increase interest to companies, their investors and other stakeholders. With growing concern about the ethical status of quoted companies, these standards are the central factors that measure the ethical impact and sustainability of investment in a company. 

In less than 20 years, the ESG movement has grown from a corporate social responsibility initiative launched by the United Nations into a global phenomenon representing more than US$30 trillion in assets under management. According to Juliet Chung and Dave Michaels, “ESG Funds Draw SEC Scrutiny”, Wall Street Journal in the year 2019 alone, a surge of capital totaling US$17.67 billion flowed into ESG-linked products, an almost 525 per cent increase from 2015.

ESG factors cover a wide spectrum of issues that have traditionally been excluded from financial analysis:

Environmental:

• Climate change
• Resource depletion
• Waste and pollution
• Deforestation

Social:

• Working conditions, including the use of child labor
• Local communities
• Conflict
• Health and safety
• Employee relations and diversity

Governance:

• Executive pay
• Corruption
• Political affiliations and donations
• Board composition, diversity and structure
• Tax strategy

These factors have increasing financial relevance as global interest in ethical investment grows. 

Meeting the ESG Imperative

Increase your shareholder Engagement with Corporate Governance Solutions with our DueDiligence360™ service and our sister brand ABAC™ ISO certification.

Have confidence in your decisions when selecting your business partners, customers and workforce. Our due diligence reports provide research and insights from financial to legal and reputational standing.

Request a free report sample today!

or

Download our brochure now!

About CRI Group™

Corporate Research and Investigations Limited (CRI Group™) has been safeguarding businesses from fraud, bribery and corruption since 1990. Globally, we are a leading Compliance and Risk Management company licensed and incorporated entity of the Dubai International Financial Center (DIFC) and Qatar Financial Center (QFC). CRI™ protects businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. Based in London, United Kingdom, CRI™ is a global company with experts and resources located in key regional marketplaces across the Asia Pacific, South Asia, the Middle East, North Africa, Europe, North and South America. Our global team can support your organisation anywhere in the world.

In 2016, the company launched the Anti-Bribery Anti-Corruption (ABAC™) Center of Excellence – an independent certification body that helps organisations mitigate internal and external risks by providing a complete suite of Anti-Bribery, Compliance and Risk Management programs.

Filed under: All Industries, All Regions, CRI News by admin
Comments Off on ESG: CRI Group™ Environmental Policy

CRI®, the only company with BS102000 & BS7858 certifications in Middle East

What is BS7858 & BS102000? The BS7858:2019 standard, “Screening of Individuals Working in a Secure Environment – Code of Practice,” places emphasis on the risk assessment of secure environment workers. The code focuses on the need for tighter controls over the pre-employment screening – and periodic re-screening – of individuals, who in their positions could potentially benefit from illicit personal gain, become compromised, or take advantage of other opportunities for creating breaches of confidentiality, trust or safety. Read more here.

When it comes to providing information security, financial audits, risk assessments, background checks, due diligence and a wide range of anti-fraud related services, maintaining the highest levels of training and expertise is an absolute must. That’s why CRI® Group achieves critical certifications from the British Standards Institute (BSI), the National Association of Background Screeners (NAPBS) and other preeminent groups in the security and anti-fraud field as part of the company’s commitment to its clients. 

CRI® Group is the first and only investigative research company in the Middle East to receive the certifications BS102000:2013, Code of Practice for the Provision of Investigative Services, and BS7858:2019, screening of individuals working in a secure environment, from internationally recognised training and certification body BSI. CRI® Group also holds other BSI certifications (more on those within this article).

Founded in 1901, BSI is the UK national standards body that works with thousands of organisations in more than 150 countries. BSI is accredited by 20 local and international bodies. We sat down with CRI® Group President and CEO Zafar I Anjum, CFE, to discuss these certifications and what they mean:

CRI® Group is the only firm of its kind in the Middle East to hold the BS102000:2013 and BS7858:2019 certifications. What led you to embark on gaining these and other certifications from BSI?

Anjum: Just a few years ago, we announced that CRI® Group would be engaging BSI for training and certification on many levels, and these and other certifications are direct results of that initiative. Earning multiple certifications from a distinguished standards body like BSI is a mark of pride for us as it demonstrates expertise in our core services.

BS102000:2013 is the “Code of Practice for the Provision of Investigative Services.” What does this mean?

Anjum: This certifies CRI® Group’s proficiency in providing services regarding fraud risk assessment and investigations, forensic accounting, intellectual property (IP) investigations, due diligence and background investigations, debt collections, corporate security consulting and investigation, pre-and post-employment screening and fraud and crime investigations.

BS7858:2019 denotes “Security Screening of Individuals Employed in a Security Environment.” Please tell us more about this certification.

Anjum: This recognises CRI® Group’s expertise in screening services including identity checks, financial checks, employment checks and criminal records checks. CRI® Group implemented this standard with regular external audits conducted by BSI and adhered to recommendations specifically vetting and conducting employment background screening of security personnel seeking affiliations with security companies.

How does this relate to CRI® Group’s EmploySmart program?

Anjum: Background screening professionals must be on the cutting edge of industry technology and resources – while also staying educated on the changing laws and regulations that govern the field. At CRI® Group, we are proud to provide the most extensive and thorough background screening services as part of our EmploySmart program.

CRI® Group also holds the certifications ISO/IEC 27001:2013, Information Security Management System and you are a credentialed NAPBS (National Association of Professional Background Screeners) Research Provider. Congratulations on these distinguished credentials!

Anjum: Thank you. We are pleased to have our expertise in these areas recognized by BSI, NAPBS and other leading bodies, and we will continue to strive to provide the top level of service for businesses to help them prevent and detect fraud.

BS7858:2019, a new way to mitigate employee risk during COVID-19

The far-reaching impact of the COVID-19 outbreak has affected virtually every business and economic sector worldwide, and depending on the global region, has hampered (on various levels) the ability to conduct proper and thorough background screening investigations. In the United Kingdom and the United Arab Emirates, the countrywide lockdowns forced leaders to close sites and send their workforce home. Many are having to learn how to manged people working from home (WFH) or remotely for the first time. The previous concerns about productivity, privacy and protecting sensitive information only grew more with the practice of WFH. They highlighted the vital importance of pre-employment background screening and background investigations. BS7858:2019: the revised standard for screening individuals working in secure environments offers a complete solution.

Find out how you can mitigate employee risk during this pandemic with BS7858:2019 

The revised BS7858:2019 standard enables organisations to demonstrate a commitment to safeguarding their businesses, employees, customers and information utilising widely accepted methods that focus on risk assessment and top-down management involvement in the company’s employment policies and practices. In establishing policies and practices around the standard, organisations can show that they place a high value on hiring individuals who possess integrity. Organisations can then task them with responsibilities designed to keep their co-workers, customers and information safe from the negative forces that have become more prevalent in today’s ever-changing COVID-19 world.

BS7858:2019, everything you need to know and more!

The price of a bad hire has far-reaching consequences for any business, including productivity loss, decreased employee morale, risks to employee safety and increased exposure to costly negligent hiring claims and potentially devastating litigation. The premise behind the standard is to safeguard employers from bad or fraudulent hires. Cases of organisations that forego conducting due diligence on a new hire – especially a hire with high-risk exposure – often end badly for those organisations. At CRI Group we know how important is your background screening to your company’s success and to give you an idea of what is new we have produced this playbook detailing the differences between BS7858:2012 standard and the new BS7858:2019 standard.

Download your “BS7858:2019, everything you need to know and more!” playbook here…

Managing your people through COVID-19

The COVID-19 pandemic is undeniable affecting the world. And the situation is changing at an hourly rate as we go into a second global lockdown. Businesses are having to adapt quickly in order to survive, i.e. cutting steps in their hiring process, and no-one knows how this will play out. However, there are ways you can mitigate the impact, learn how with this FREE ebook. Taken as a whole, this ebook is the perfect primer for any HR professional, business leader and companies looking to avoid employee background screening risks. It provides the tools and knowledge needed to effectively stay ahead of COVID-19. Read the answers to the following questions:

• How to turn the tide’ on coronavirus crisis?;
• COVID-19 Action point checklist;
• Background Screening: Essential Checks;
• 6 steps for good practice in connection with COVID-19;
• 11 Steps to Reduce Personnel Costs;
• COVID-19 General advice;
• How to remove any danger to your business during COVID-19;
• … and more!

Download your “Employee Screening during COVID-19: everything you need to know and more!” FREE ebook here!

Frequently asked questions about background checks

Get answers to frequently asked questions about background checks/screening cost, guidelines, check references etc. This eBook is a compilation of all of the background screening related questions you ever needed answers to:

• Does a candidate have to give consent to process a background check/screening?
• How long does it take to conduct a background check?
• When should I conduct pre-employment checks?
• How often should I screen employees?
• How to collect references and what to ask?
• How much does it cost to conduct background checks?
• What is the difference between employment history verification and employment reference?
• How do I check on entitlement to work?
• How to conduct identity checks?
• What will a financial regulatory check show?
• Is it possible to identify a conflict of interest during checks?
• What is a bankruptcy check?
• What about directorships and shareholding search?
• Can I have access to a criminal watch list?
• Anti-money laundering check?
• Can we conduct FACIS (fraud and abuse control information system) searches?
• … and MORE!

Taken as a whole, is the perfect primer for any HR professional, business leader and companies looking to avoid employee background screening risks. It provides the tools and knowledge needed to make the right decisions.

About us…

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS102000:2013 and BS7858:2019 Certifications is an HRO certified provider and partner with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organizations. Contact ABAC® for more on ISO Certification and training.

MEET THE CEO

Zafar I. Anjum is Group Chief Executive Officer of CRI® Group (www.crigroup.com), a global supplier of investigative, forensic accounting, business due to diligence and employee background screening services for some of the world’s leading business organizations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center – QFC, and the Abu Dhabi Global Market-ADGM, CRI® Group safeguard businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI® Group maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, the USA, and the United Kingdom.

Contact CRI® Group to learn more about its 3PRM-Certified™ third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI® Group Chief Executive Officer

37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA United Kingdom

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

Filed under: Background Investigation, Employee Background Check, Middle East, Resources by admin
No Comments »