Terrorist financing involves the collection, movement, and disguising of money in order to finance terrorist operations.

Terrorist activities can be financed from both legal and illegal sources – from political donations, to trading digital currencies, to the proceeds of crime such as kidnapping for ransom and fraud – and terrorist financiers often exploit intermediaries in the legitimate economy to hide their illicit activities (think financial institutions, charities, religious organisations, and shell companies).

Because terrorist financing can be hard to detect, and because money can pass through many hands and several territories before reaching its final destination, it’s important that organisations train their employees to spot the signs of potential terrorist financing and to report any suspicious activity they come across.

Anti-terrorist financing procedures are usually considered alongside anti-money laundering practices, since the techniques terrorist financers use to disguise and move money are closely related to money laundering techniques and sometimes involve actual money laundering.

The signs and red flags for terrorist financing therefore overlap with money laundering red flags, so it’s important to offer training to employees in both subjects alongside your anti-money laundering modules.

What constitutes a terrorist financing offence?

Terrorist financing is any form of financial support for terrorism, terrorist organisations, or anyone encouraging acts of terrorism. This includes direct funding as well as the processing of funds intended to facilitate terrorist operations.

Regulations and legislation criminalise the direct funding of terrorism, as well as activities that can contribute to terrorist financing. While specific definitions of terrorist financing offences vary by jurisdiction, they generally include:

  1. Raising funds while knowing, or having reasonable cause to suspect, that the money or property may be used for terrorism. This includes making payments, giving loans, inviting others to make payments, or receiving payments that may be used to fund terrorism.
  2. Using or acquiring money or other property for terrorist purposes or with reasonable suspicion that it will be used for terrorist purposes.
  3. Entering into an agreement intended to make money or other property available to another person if it will or may be used for terrorist purposes.
  4. Facilitating retention or control of terrorist property in any way. This might be on behalf of another person, by concealment, through moving it out of the jurisdiction, or via transfer.
  5. Failing to report red flags, suspicions, or knowledge of terrorist financing activity.
  6. Alerting a person or organisation that they are under suspicion or investigation for terrorism-related activities. This is known as tipping off.

The importance of due diligence

Client/customer due diligence (CDD) is a key element of the anti-money laundering (AML) and counter-terrorist financing regime.

Performing proper due diligence should uncover any stakeholder who has a controlling influence on a customer or supplier and who benefits from that account or organisation. These stakeholders are known as ultimate beneficial owners (UBOs).

Those involved in terrorist financing may not be known to the authorities or openly belong to a terrorist organisation, and a UBO need not appear as a legal owner at all – they can sit behind several layers of corporate ownership. Terrorist financers exploit this by channelling money to hidden UBOs who turn out to be terrorists or other sanctioned entities.

This is exactly why the importance of customer and supplier due diligence checks is emphasised in the fight against terror.

The three component parts of customer/supplier due diligence are as follows:

  • Identifying the client or supplier (unless you have already identified and verified them)
  • Verifying that identity against independent, reliable documents or data
  • Assessing, and where appropriate gathering more information on, the purpose and intended nature of the business relationship or occasional transaction

Due diligence is required whenever a new business relationship is established and whenever an organisation carries out an occasional transaction outside an established relationship.

You must also carry out additional due diligence (and report) if you suspect money laundering or terrorist financing is taking place, or if you doubt the veracity or adequacy of documents or information previously obtained for identification or verification.


Red flags of potential terrorist financing activity

Being able to spot and report warning signs of potential terrorist financing activity is an essential component in stopping the flow of terrorist funds, protecting your organisation, and maintaining national security.

In order to remain compliant with anti-terrorist directives, employees should look out for the following red flags:

  • Unknown source of funds
  • Funds transferred from a jurisdiction subject to sanctions or increased monitoring
  • New accounts with more than one signatory, where the signatories are in different locations and have no apparent connection to one another
  • Address changes, particularly involving a sanctioned jurisdiction
  • Transactions do not match the wealth of the account holder
  • High volumes of low-value cash transactions or ATM withdrawals
  • Transfer destination in a jurisdiction subject to sanctions or increased monitoring
  • Evasiveness, e.g., reluctance to provide information when requested or provision of vague or unsatisfactory explanation for unusual account activity
  • Suspicious purchases, including purchase of weapons or materials that may be repurposed to build weapons, sudden trade in high-risk assets such as gems, precious metals, or high volumes of cash, or other uncharacteristic high-risk purchases
  • Inaccurate or incomplete information and documentation
  • Inconsistencies in information, including seemingly innocent typos
  • Inconsistent or insufficient due diligence on suppliers farther upstream in the supply chain
  • Negative media exposure that suggests links to terrorism
  • Negative media exposure that suggests links to money laundering or other financial crime
  • Customer or supplier screening result suggesting a link to terrorism or financial crime
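Several of the red flags above (funds from a high-risk jurisdiction, transactions out of line with the account holder's wealth, high volumes of low-value cash transactions) can be expressed as monitoring rules and run over transaction records. The following is an added example, not code from the original article or from any vendor's monitoring system; the country codes, thresholds and the transactions it checks are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: placeholder codes standing in for jurisdictions subject to
# sanctions or increased monitoring. A real deployment would load these from
# the organisation's consolidated list, not hard-code them.
HIGH_RISK_COUNTRIES = {"XX", "YY"}


@dataclass(frozen=True)
class Txn:
    account: str
    when: date
    amount: float                 # positive = credit, negative = debit
    kind: str                     # "cash", "atm", "wire" or "card"
    counterparty_country: Optional[str] = None


@dataclass
class Profile:
    account: str
    declared_annual_income: float
    home_country: str


def flag_transactions(profile: Profile, txns: List[Txn],
                      window_days: int = 7,
                      small_cash_limit: float = 1000.0,
                      small_cash_count: int = 5,
                      income_multiple: float = 2.0) -> Dict[str, List[Txn]]:
    """Return a mapping of rule name -> transactions that tripped it.

    Rules (all thresholds are illustrative assumptions):
      high_risk_jurisdiction: counterparty in a sanctioned / monitored country
      amount_vs_wealth:       single amount above income_multiple x monthly income
      structuring:            >= small_cash_count cash/ATM movements, each below
                              small_cash_limit, inside a rolling window_days window
    """
    flags: Dict[str, List[Txn]] = {}

    hr = [t for t in txns if t.counterparty_country in HIGH_RISK_COUNTRIES]
    if hr:
        flags["high_risk_jurisdiction"] = hr

    monthly_income = profile.declared_annual_income / 12.0
    big = [t for t in txns if abs(t.amount) > income_multiple * monthly_income]
    if big:
        flags["amount_vs_wealth"] = big

    # Structuring: sort sub-threshold cash movements by date and slide a window
    # over them with two pointers; any window holding enough of them is a hit.
    cash = sorted((t for t in txns
                   if t.kind in ("cash", "atm") and abs(t.amount) < small_cash_limit),
                  key=lambda t: t.when)
    hits = set()
    j = 0
    for i in range(len(cash)):
        while cash[i].when - cash[j].when > timedelta(days=window_days):
            j += 1
        if i - j + 1 >= small_cash_count:
            hits.update(range(j, i + 1))
    if hits:
        flags["structuring"] = [cash[k] for k in sorted(hits)]

    return flags


# Constructed sample data: a customer declaring GBP 30,000 a year who makes six
# cash deposits just under the limit on consecutive days and receives one large
# wire from a high-risk jurisdiction.
SAMPLE_PROFILE = Profile("ACC-1", declared_annual_income=30000.0, home_country="GB")
SAMPLE_TXNS = [Txn("ACC-1", date(2024, 3, 1) + timedelta(days=d), 900.0, "cash") for d in range(6)]
SAMPLE_TXNS += [
    Txn("ACC-1", date(2024, 3, 4), 12000.0, "wire", counterparty_country="XX"),
    Txn("ACC-1", date(2024, 3, 5), -45.0, "card", counterparty_country="GB"),
]


def sample_flags() -> Dict[str, List[Txn]]:
    return flag_transactions(SAMPLE_PROFILE, SAMPLE_TXNS)


if __name__ == "__main__":
    for rule, hits in sample_flags().items():
        print(rule, [(t.when.isoformat(), t.amount) for t in hits])
```

A rule hit is not a suspicion in itself; it is the prompt for a human to seek the "valid explanation" the article asks for, and the flagged transactions should be retained with the case file rather than printed and discarded.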

International sanctions

Terrorists and terrorist organisations are often subject to international sanctions. Sanctions are restrictions imposed on individuals or legal entities (otherwise known as targets) to restrict access to financial services, funds, or economic resources. For example, terrorist organisations such as Al-Qaeda as well as individual Al-Qaeda operatives appear on international sanctions lists.

Different jurisdictions maintain their own sanctions lists, and the same target may appear on several of them under slightly different names or spellings. It is therefore important to screen customers and suppliers – at onboarding and again whenever the lists are updated – against your organisation’s consolidated list, which should combine the sanctioned entities from every jurisdiction where you operate.
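Consolidating several regimes' lists and screening against them is where most practical errors happen: the same designation appears under different transliterations, with or without corporate suffixes, and with names in a different order. The example below is added here and is not code from the article or from any sanctions authority; the list entries are made-up placeholders (not real designations), and the fuzzy-match threshold is an assumption a compliance team would tune.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, List, Set

# Constructed extracts standing in for per-regime list exports. The names are
# deliberately fictional placeholders, not real designated persons.
SOURCE_LISTS = {
    "UN":   [{"name": "Example Person One", "aliases": ["Person One, Example"]}],
    "EU":   [{"name": "Example Person One", "aliases": []}],
    "OFAC": [{"name": "EXAMPLECO TRADING LIMITED", "aliases": ["Exampleco Trading Company"]}],
}

# Corporate suffixes that carry no identity information and differ between lists.
# Note that stripping short tokens like "co" is a deliberate trade-off.
SUFFIXES = {"ltd", "limited", "co", "company", "inc", "llc", "plc", "corp", "corporation"}


def normalise(name: str) -> str:
    """Fold accents, case and punctuation, drop suffixes, sort tokens.

    Sorting tokens makes 'Person One, Example' and 'Example Person One' equal,
    which is what we want for screening even though it loses word order.
    """
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch)).lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", s) if t and t not in SUFFIXES]
    return " ".join(sorted(tokens))


def build_consolidated(sources: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Merge every name and alias from every regime, keyed by normalised form."""
    consolidated: Dict[str, dict] = {}
    for regime, entries in sources.items():
        for entry in entries:
            for raw in [entry["name"], *entry["aliases"]]:
                key = normalise(raw)
                rec = consolidated.setdefault(key, {"display": entry["name"], "regimes": set()})
                rec["regimes"].add(regime)
    return consolidated


CONSOLIDATED = build_consolidated(SOURCE_LISTS)


def screen(name: str, threshold: float = 0.85) -> List[dict]:
    """Return consolidated-list entries whose normalised name is similar enough.

    Exact normalised matches score 1.0; otherwise a character-level similarity
    ratio is used so transliteration slips and typos still surface for review.
    """
    probe = normalise(name)
    results = []
    for key, rec in CONSOLIDATED.items():
        score = 1.0 if key == probe else SequenceMatcher(None, probe, key).ratio()
        if score >= threshold:
            results.append({"match": rec["display"], "score": round(score, 3),
                            "regimes": set(rec["regimes"])})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for candidate in ["Examplco Trading Ltd", "person one example", "Unrelated Bakery"]:
        print(candidate, "->", screen(candidate))
```

Two design points matter in practice. First, a hit on any regime is enough to stop and escalate, which is why the record keeps the set of regimes rather than the first one seen. Second, a threshold that is too high silently drops near-miss transliterations, so the threshold and every below-threshold near miss should be reviewed periodically rather than set once.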

How to report suspicious or unusual activity

Your organisation should have a procedure for internal reporting of red flags and other suspicious activity. These reports are commonly known as suspicious activity reports (SARs), suspicious transaction reports (STRs), or unusual activity reports (UARs).

It’s the Money Laundering Reporting Officer (MLRO)’s – or other nominated officer’s – responsibility to determine whether further action is required and whether the report is escalated to the authorities.

Some organisations have a special form to fill in for reporting suspicious activity, whilst others permit reports to take any form such as an email, a phone call, or a face-to-face meeting. Always use the method required by your organisation (and if more than one is offered, choose whichever you are most comfortable with).

Regardless of the format, reporting suspicious activity is a confidential process. Only share report details with colleagues who need the information to do their job, and never tip off a customer or supplier that a report has been submitted about them – tipping off is itself a criminal offence.

If you are ever unsure how to report a suspicion or whether an activity is suspicious, seek advice from your manager. Your organisation’s nominated officer or MLRO can also advise whether a report is needed.

The important thing to remember is that failing to report a red flag or other suspicious activity can itself be a criminal offence, so you must never ignore one. If something doesn’t seem right, seek additional information, get advice, or submit a report.

Need more information?

We hope this article has helped our readers understand what terrorist financing is and how to help prevent it taking place at your organisation. If you need help training your employees on anti-money laundering and anti-terrorist financing best practices, feel free to drop our friendly team a line via email or on 01509 611019. We’re a friendly bunch and would be more than happy to help!


All business interactions require thorough and effective due diligence in order to confirm that customers and suppliers are who they say they are.

This involves conducting checks at the initial onboarding stage, at ongoing regular intervals thereafter, and if any change in circumstance should trigger concern (e.g., if someone has lost their job but appears to have a lot of newly acquired funds – as this could be perceived as a red flag).

The aim of due diligence is to detect, deter, and prohibit money laundering and associated terrorist financing activity from taking place, and it’s important that everyone at your organisation understands the role they play in mitigating these risks.

It is estimated that money laundering activities in the UK equate to approximately 2-5% of GDP. This means that between £36-90 billion of criminal finances are laundered through the UK economy annually (and that’s a prudent estimate!).

People who commit financial crimes are not always easy to spot; they often distance themselves from suspicious activity by using third parties, moving money around different jurisdictions, or hiding behind shell (false) companies.

There are signs and risk factors that indicate that a link to money laundering could be likely, however – and this is exactly why knowing your customer and performing effective due diligence for each client, supplier, and transaction is an essential part of anti-money laundering compliance.

Put simply, due diligence helps organisations tackle financial crimes and ensures your assets and your customers’ assets stay safe.

Know your customer

Standard due diligence involves a process called ‘know your customer’ or ‘KYC’. This process is designed to protect organisations against types of fraud, corruption, money laundering, and terrorist financing and involves three steps:

  1. Establishing the customer’s or supplier’s identity (in the UK, for example, this commonly involves checking that the individual is on the electoral register and asking them to provide a current passport, driving licence, or birth certificate, as well as a utility bill, council tax bill, or mortgage statement as proof of address).
  2. Understanding the nature of the customer’s or supplier’s activities and checking that the source of their funds is legitimate (this also includes checking that the person is not politically exposed and does not appear on any sanctions list, such as those published by the UN Security Council, the EU, OFSI in the UK, or OFAC in the US).
  3. Performing continuous monitoring (this ensures that business relationships and transactions remain consistent with what you know about the customer, and that no unusual activity, or ‘red flags’, appear once the relationship is established).

Recently, banks and regulators have indicated that a move towards standardised KYC requirements would be beneficial. After all, having common processes across the board would remove ambiguity about KYC procedures and ensure everyone – no matter the size of their company or the industry in which they operate – performs these checks to a universally accepted, basic level.

Unfortunately, there is still a way to go before we achieve this, and a number of global and local initiatives to collaborate on this and set standardised KYC checks have failed to stick.

With this in mind, it’s more important than ever that each organisation takes responsibility for performing its own KYC to a high standard, training employees on its importance, and ensuring appropriate steps are in place to protect individuals and the company alike.

Enhanced due diligence

For some customers and suppliers understood to be ‘high risk’, standard due diligence is not enough.

In fact, in order to mitigate the risk of financial crime effectively, it’s imperative that organisations make additional, in-depth background checks on certain people. This is known as ‘enhanced due diligence’ or ‘EDD’.

EDD is essentially a risk-based approach; it doesn’t automatically suggest wrongdoing by anyone, rather it’s a way of ensuring protections against financial crime remain effective.

High risk clients or suppliers who necessitate EDD might include:

  • Politically exposed persons (PEPs), in other words people with high-profile political roles or who perform prominent public functions (this also includes the family members and close associates of PEPs).
  • Special interest persons (SIPs), in other words those who have a known history of involvement with financial crimes. Remember, a person doesn’t have to have been convicted to be considered an SIP. They could have been previously accused of financial crimes or be currently facing court proceedings.
  • Anyone with sanctions against them.
  • People who have had negative media reports made against them.
  • People with a high net worth.
  • Clients who are involved in unusual, complex, or seemingly purposeless transactions (these can be large amounts of money or very tiny transactions).

There are other geographical factors considered high-risk and that would necessitate EDD too, these include people with links to:

  • Countries that have sanctions or embargoes against them
  • Countries on the Financial Action Task Force’s (FATF) list of Jurisdictions under Increased Monitoring (the ‘grey list’)
  • Countries on the FATF list of High-Risk Jurisdictions subject to a Call for Action (the ‘black list’)
  • High-risk third countries
  • Countries in which proscribed terrorist organisations are known to operate (a list that includes the UK itself)

Additionally, any person using private, offshore, or correspondent banking may be considered high risk (particularly if they have no family or business ties to the place where their bank is located). The high levels of confidentiality that private banks offer make them more attractive to money launderers, so clients of these institutions are subject to additional EDD checks.

What does enhanced due diligence involve?

Enhanced due diligence involves requesting additional identity documents in order to verify that customers are who they say they are and often includes more in-depth background checks and additional investigations.

When performing enhanced due diligence it’s important to:

1. Establish the origin and ultimate beneficial ownership (UBO) of funds

This means obtaining proof to indicate the origin of wealth and ensure its legitimacy.

Organisations may also compare a person’s declared net worth with their known sources of wealth and earnings to ensure the numbers add up and seem viable. Inconsistencies between net worth, source of wealth, and earnings should be cause for suspicion and trigger further investigation.

If the person owns an organisation, it will also be important to establish who benefits financially from the ownership and to thoroughly verify this identity.
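Working out who benefits from an ownership structure means multiplying shareholdings down through each layer of holding companies and trusts until a natural person is reached, and being honest about any share that cannot be traced. The following is an added example, not code from the article; the ownership graph is constructed, and the 25% threshold is the one commonly used to define a beneficial owner but is treated here as a configurable assumption.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed ownership graph: entity -> list of (owner, fraction of that entity).
# "TargetCo" is the customer; the holding companies and trust are layers above it.
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "TargetCo": [("HoldCo A", 0.55), ("Ms X", 0.15), ("HoldCo B", 0.25), ("Nominee N", 0.05)],
    "HoldCo A": [("Trust T", 1.0)],
    "Trust T":  [("Mr Y", 1.0)],
    "HoldCo B": [("HoldCo A", 0.5), ("Ms X", 0.5)],
}

# Assumption: these are the identified natural persons; anything else that has
# no entry in OWNERSHIP (here "Nominee N") is an unresolved owner.
NATURAL_PERSONS = {"Ms X", "Mr Y"}


def effective_owners(entity: str, graph=OWNERSHIP, persons=NATURAL_PERSONS,
                     _path: Tuple[str, ...] = ()) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (natural_person -> effective fraction, unresolved_owner -> fraction).

    Walks the graph depth-first, multiplying fractions along each chain.
    A chain that loops back on itself (circular ownership) or reaches an owner
    with no ownership data is reported as unresolved rather than silently dropped.
    """
    owners: Dict[str, float] = defaultdict(float)
    unresolved: Dict[str, float] = defaultdict(float)
    for owner, frac in graph.get(entity, []):
        if owner in persons:
            owners[owner] += frac
        elif owner in _path or owner not in graph:
            unresolved[owner] += frac
        else:
            sub_owners, sub_unresolved = effective_owners(owner, graph, persons, _path + (entity,))
            for p, f in sub_owners.items():
                owners[p] += frac * f
            for u, f in sub_unresolved.items():
                unresolved[u] += frac * f
    return dict(owners), dict(unresolved)


def identify_ubos(entity: str, threshold: float = 0.25) -> Dict[str, object]:
    """Apply the beneficial-ownership threshold and summarise coverage."""
    owners, unresolved = effective_owners(entity)
    ubos = sorted(p for p, f in owners.items() if f >= threshold)
    traced = sum(owners.values())
    return {
        "owners": owners,
        "ubos": ubos,
        "unresolved": unresolved,
        "traced_fraction": round(traced, 6),
        "fully_resolved": not unresolved and abs(traced - 1.0) < 1e-9,
    }


if __name__ == "__main__":
    result = identify_ubos("TargetCo")
    for person, frac in sorted(result["owners"].items()):
        print(f"{person}: {frac:.1%}")
    print("UBOs:", result["ubos"])
    print("Unresolved:", result["unresolved"])
```

In the constructed graph Mr Y never appears as a direct shareholder of TargetCo yet controls over two thirds of it through HoldCo A and the trust, which is exactly the kind of hidden UBO the article warns about. The 5% held by the nominee stays visible as an unresolved gap, so the reviewer cannot mistake a partially traced structure for a fully verified one.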

2. Track ongoing transactions

Organisations will need to keep a close eye on the transaction history of their client or supplier, including that of any interested stakeholders, persons, or organisations, and analyse the purpose and nature of these transactions.

In particular, be on the lookout for inconsistencies between the projected value of goods and services and the amount paid or received. Again, any inconsistencies should trigger alarm bells and will require a valid explanation.

3. Check for adverse media coverage

Negative news reports about your client or supplier should be a red flag, as these speak to the track record and public reputation of the person or entity you’re about to enter into business with.

Any past accusations of financial crime – even if charges were dropped – will be cause for enhanced monitoring and investigation and, of course, established involvement with financial crime indicates a very high risk indeed.

4. Conduct an onsite visit

You may wish to visit your client or supplier at their physical business address to verify their place of work and to verify they are the person they claim to be.

This is also an opportunity to check that the operation address matches the address on any documentation they have provided (e.g., invoices). If these addresses do not match, or the organisation you find is not what you expected based on the information your customer presented to you, this is cause for concern.

An on-site visit may also be vital to obtain physical verification documents that cannot be sourced digitally.

5. Create a further investigation plan

After you’ve conducted all the above processes and determined that the client in question isn’t too high-risk for you to continue working with them, you’ll need to create a report outlining your EDD plans for monitoring your client in the future.

A timetable should be included in this report, detailing when certain monitoring actions will be carried out. Your report, along with all of the information you’ve acquired up to this point, should be kept in a secure location.

6. Develop an ongoing monitoring strategy

Make a plan to keep track of your client’s progress in the future. This should be done alongside a thorough review of the information they’ve already provided. Certain transactions may not appear suspicious in isolation, but they may be part of a larger pattern of activities that point to illegal activity.

Can we help?

Did you know, getting your employees up to speed on the latest AML regulations, including the importance of due diligence checks, is one of the most effective ways to protect your company and its assets from illegal activity?

We hope this article has helped our readers understand the importance of due diligence and what it means for your organisation. However, if there’s anything we can help you with, please do get in touch via email or on 01509 611019.

Check out our freshly updated, all new, anti money laundering collection including short courses on Due Diligence and Enhanced Due Diligence.

We have today announced the availability of our newly refreshed and expanded Anti-Money Laundering (AML) collection of online training courses. With a comprehensive offering of 16 courses, the AML collection provides everything an organisation needs to train employees about compliance with AML best practices and legislation, and in turn, ensure their business remains compliant and avoids financial penalties.

The updated collection of training solutions allows organisations to navigate recent changes to AML legislative requirements, and through a catalogue of courses, offers guidance on global best practices. Available in various course lengths and learning styles, the online training supports different learning preferences. This includes immersive training, detailed study, gamification and interactive courses, toolbox talks, adaptive courses, diagnostic assessments, and ‘take 5’ microlearning courses.

With organisations facing increasing scrutiny surrounding anti-money laundering legislation, educating employees on the importance of recognising red flags and reporting suspicious activity is fundamental to ensuring compliance. Using AI-powered technology and diagnostic assessments, the adaptive AML course saves employees valuable time by only recommending learning content they need to know – adapting learning pathways to each individual. Adaptive learning not only reduces costs but improves employee engagement with compliance training.

Leveraging the scenario-led immersive courses allows employees to use gamified scenarios to learn due diligence, understand global best practices for AML compliance and find out how regulated and non-regulated sector businesses have different responsibilities.

The new list of courses includes:

“Time and time again, financial and non-financial institutions fall victim to lack of compliance with anti-money laundering legislation, causing them to face extortionate sanctions. Mitigating this risk is key, and that can only happen with the right training,” highlights Darren Hockley, Managing Director at DeltaNet International. “With the global workforce dispersed across a mix of office, hybrid and remote teams, ensuring employees understand the latest AML regulations and how they each have the responsibility to their organisation to report suspicious activity is critical. We are thrilled to have extended our course offerings for AML compliance to provide a comprehensive overview, allowing organisations to provide more effective training.”

For more information on DeltaNet’s AML training courses collection, please visit: https://www.delta-net.com/anti-money-laundering.

Anti-money laundering regulations refer to procedures and processes that are put in place by organisations across every industry to discourage and prevent potential criminals from performing money laundering, either on or via their premises.

Through various standard controls and directives, compliance with anti-money laundering best practices empowers employees to identify, report, and terminate money laundering activities, helping to protect their business, their community, and the economy – as well as preserving national security (since money laundering is associated with terrorist financing).

Complying with money laundering regulations involves several areas of operation and it’s important that employees are given the information they need to understand and comply with these responsibilities as far as they could impact their job role.

Here’s what you need to consider:

Due Diligence

All business interactions require effective due diligence. These are thorough checks that – put simply – are designed to verify your customers are who they say they are.

Performing due diligence helps organisations calculate the risk-level of a customer or supplier and flag any areas for concern, such as if they are a politically exposed person, have residency in a high-risk location, or have links to organised crime.

In order to know who you’re dealing with, where their funds originate, and who benefits from the intended transactions, then, it’s good practice to conduct due diligence checks at onboarding stage (before you agree to work with a new customer) and also at ongoing, regular intervals – including if any change in circumstance triggers concern.

Whilst some customers and suppliers require additional checks (known as ‘enhanced due diligence’), performing standard checks should protect both your organisation’s and your client’s interests/assets and help reduce or eliminate exposure to financial crime, including money laundering, fraud, and terrorist financing.

Following good due diligence practices means that customers can rest assured that you take their data privacy seriously and helps mitigate the risk of bad publicity, loss of reputation and legal consequences for your organisation. Remember, corporations and individuals are increasingly being held accountable for their due diligence practices and both can face high fines and, in extreme cases, even imprisonment if found to be criminally complicit in this respect.

Terrorist Financing

Just like it sounds, terrorist financing involves the funding and movement of money in order to finance terrorist operations. Terrorist activity can be financed through legal and illegal funds – from political donations to proceeds of crime – and terrorist financiers often exploit intermediaries in the legitimate economy to hide their activities and transfer funds (think financial institutions, charities, religious organisations, and other shell companies).

Because terrorist financing can be hard to detect (money can pass through many hands before reaching its final destination, spanning several territories), it’s important for employees to be able to recognise signs of potential terrorist financing and how to report them.

The techniques used by terrorist financers to move money are closely related to money laundering techniques and sometimes involve actual money laundering. The signs and red flags for terrorist financing therefore overlap with money laundering red flags.

Regulations and legislation criminalise direct funding of terrorism, as well as activities that can contribute to terrorist financing. While specific definitions of terrorist financing offences vary by jurisdiction, they generally include:

  • Knowing or having a reasonable suspicion that fundraising money or property may be used for terrorism. This may include making payments, giving loans, inviting others to make payments, or receiving payments that may be used to fund terrorism.
  • Using or acquiring money or other property for terrorist purposes or with reasonable suspicion that it will be used for terrorist purposes.
  • Entering into an agreement intended to make money or other property available to another person if it will or may be used for terrorist purposes.
  • Facilitating retention or control of terrorist property in any way. This might be on behalf of another person, by concealment, through moving it out of the jurisdiction, or via transfer.
  • Failing to report red flags, suspicions, or knowledge of terrorist financing activity.
  • Alerting a person or organisation that they are under suspicion or investigation for terrorism-related activities. This is known as tipping off.


Accounting red flags

As professionals working in the financial sector, accountants and other finance administrators often stand in the way of criminals who want to use their place of business to launder money.

Due to this, it is important for all financial professionals to arm themselves with knowledge and understand what to look out for to spot money laundering and what anomalies ought to ring alarm bells about unlawful intent to investigate further.

Empowering your employees with this information will help your organisation to work in compliance with the law and combat financial crime.

Here are some accounting red flags your employees need to know about:

  • Unusual or uncharacteristic behaviours from a known/loyal customer, for example, requiring multiple reminders about documentation when ordinarily the client is very prompt.
  • Seeming reluctant or unable to provide the necessary paperwork.
  • Documents not matching up with previously given information.
  • Invoicing anomalies, e.g., misspelling of critical details, unexplained gaps, or invoice address and head office address being different.
  • Negative remarks in the media concerning the individual and/or organisation in question.
  • Associations with politically exposed persons (PEPs).
  • Use of offshore bank accounts, particularly if the customer/supplier has no presence in the country.
  • Unusual transactions, e.g., clearing an account of funds and/or making multiple small cash deposits.

Politically Exposed Persons

A politically exposed person (PEP) is someone who currently holds, or has held, a prominent public office. Due to the nature of the position, the immediate relatives or close associates of PEPs are also considered to be ‘politically exposed’ and are subject to enhanced due diligence checks for anti-money laundering.

PEPs are considered higher risk due to their position and influence, which increases their potential involvement in money laundering, bribery, fraud, and terrorist financing.

Politically exposed persons may have access to state assets, they may be able to put processes in place to prevent the detection of money laundering or terrorist financing, or they may own or control financial institutions, businesses, or other enterprises that could be used to launder money or generate illicit profits.

It’s worth mentioning that most PEPs do not abuse their position of power. However, these people are often targeted by those who wish to get close to them and abuse either them or their position of power. Therefore, PEPs are always considered to be high-risk clients and are often subject to a detailed background check and other enhanced due diligence.

Know Your Customer

Know Your Customer (KYC) standards are designed to protect financial institutions against fraud, corruption, money laundering, and terrorist financing. Indeed, for many organisations, KYC is the first and most crucial step of their AML compliance program and consists of the process used to verify a client’s identity, construct their risk-profile, and continuously monitor their account.

It’s important for organisations to carefully verify any customer’s identity, assess their risk, and understand their general financial habits as this makes it much more likely that any abnormalities and red flags will be identified. In turn, this allows organisations to act quickly and investigate any signs of money laundering (or other crimes) before the situation escalates.

There are three components of KYC:

  • Customer identification

This involves verifying a customer’s identity (i.e., that they are who they say they are) and usually calls for customers to share details such as name, date of birth, and address. In the UK, this commonly involves checking that the individual is on the electoral register and asking them to provide a current passport, full driving licence, or birth certificate, as well as a utility bill, council tax bill, or mortgage statement.

  • Customer due diligence

Due diligence aims to uncover any potential risk to the organisation should the company agree to do business with a specific individual. For this reason, organisations will use the above information to check that the customer in question is not on any sanctions list, such as those published by the UN Security Council, the EU, OFSI in the UK, or OFAC in the US. They will also want to check that the prospective customer is not politically exposed.

  • Continuous monitoring

It’s not enough to perform identity checks and customer due diligence just once. Rather, in order to gain a full understanding of how customers typically use their accounts – and to catch any irregularities and mitigate risks as they arise – financial institutions must complete continuous monitoring and checks across their clients’ accounts.

Financial Sanctions

Financial sanctions programmes operate across the world. Different countries and jurisdictions have their own financial sanctions and enforcement bodies, but they share a common aim: to deny sanctioned targets access to the financial system and so combat money laundering, terrorist financing, and other financial crime.

Financial sanctions also play an important role in national security, foreign policy and international peace. Common types of financial sanctions include asset freezes (to prevent access to funds), trade embargoes, restrictions on financial markets and services such as banking and investment, and restrictions on dealings with particular sectors of an economy.

Most financial sanctions programmes maintain lists of individuals and entities who are subject to financial sanctions. These individuals or entities are known as ‘targets’, ‘Specially Designated Nationals’ or ‘blocked persons’ by different sanctions regimes.

Financial sanctions enforcement bodies have international legal reach. Examples include the United Nations Security Council and the European Commission. Other bodies, such as the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury and the Office of Financial Sanctions Implementation (OFSI) of HM Treasury in the UK, enforce sanctions based on their own laws, national security and foreign policy.

EU Legislation updates

Following 4AMLD in 2017 and 5AMLD in 2020, the Sixth Anti-Money Laundering Directive (6AMLD) was transposed into EU law in December 2020, with firms having until June 2021 to implement the changes.

6AMLD was intended to improve clarity and harmonisation among EU member states, but it also increased member states’ reporting duties (since money laundering continues to go widely undetected and this must be addressed).

Why was 5AMLD important?

This directive was designed to bolster the barriers brought in by 4AMLD in the fight against money laundering and terrorist financing. It achieved this by:

  • Increasing ownership transparency to prevent money laundering and terrorist financing inside organisations that previously could conceal their ownership structures.
  • Creating centralised bank account registers to increase and improve the capabilities of Financial Intelligence Units (FIUs) across Europe.
  • Legally defining cryptocurrencies and reducing the anonymity and risk associated with them.
  • Improving the cooperation and exchange of information between AML authorities and the European Central Bank
  • Broadening the criteria for the assessment of high-risk countries and applying standardised checks and monitoring across the board for these locations.

Why was 6AMLD important?

Only six months had passed since 5AMLD came into force when the EU extended this legislation even further by introducing the Sixth Anti-Money Laundering Directive (6AMLD). Its main aim was to expand the list of criminalised predicate offences (those crimes which are committed as a component of a more serious criminal act) and to increase the penalties for money laundering offences, e.g., heavy fines and imprisonment.

Unlike 5AMLD, the UK did not transpose 6AMLD into its domestic AML framework following the country’s withdrawal from the EU in January 2020. The key reason for this decision was the government’s view that the UK’s anti-money laundering systems are already compliant with many of the 6AMLD rules – in fact, the government believes ‘the UK already goes much further’ in many respects.

UK AML rules, for instance, already impose longer sentences for certain money laundering offences (including imprisonment of up to 14 years in some cases), and UK law contains broader provisions on predicate offences than the specified list of crimes set out in 6AMLD.

Final Word

In an ever-changing regulatory landscape, getting your employees up to speed on the latest AML regulations and how to spot money laundering is one of the most effective ways to protect your company and its assets from illegal activity. We hope this article has helped our readers understand what AML means and why it is important for your business. However, if there’s anything we can help you with, please do get in touch via email or on 01509 611019.

Check out our freshly updated, all new, anti money laundering collection!

With the pandemic continuing and Covid-19 cases still on the rise with the latest variant, it may seem that January blues are underway. However, organisations must avoid letting this get employees down and instead use January as an opportunity to kick start and make way for a year of prioritising good mental health and wellbeing.

Here are five ways organisations can provide support to employees:

1 – Effective Management

Strong leadership skills and good line management are essential in supporting employee wellbeing. Don’t drop short deadlines on colleagues. Instead, work with them to solve problems so employees don’t feel completely stressed out but remain in control. While it’s clear the country is facing a significant skills shortage and employees across industries are making moves due to The Great Resignation, it’s vital organisations keep up with recruitment. Keep internal processes moving quickly, so teams aren’t severely understaffed and overstretched, putting additional pressure on employees. This will help to mitigate stress and burnout.

2 – Build awareness for self-awareness

One of the prime issues leaders face is not recognising when an employee is struggling with mental health. Educating employees to spot tell-tale signs in their colleagues, and also to recognise when they need help themselves, encourages them to communicate these worries to their manager or a colleague. Make it clear that it’s OK not to be OK. Organisations must build an open culture in the workplace where employees feel comfortable voicing their concerns to management, and have an open-door policy. This allows employees to talk to someone not just about their work – but also their wellbeing.

3 – Provide support mechanisms

Creating a solid network of support mechanisms is critical to building a wellbeing culture in the organisation. Employees should have access to the support they need internally or externally to improve their mental health. This not only includes being able to speak to managers, HR or colleagues but also access to mental health apps or possibly private healthcare. This will enable employees to speak to professionals and get the appropriate support or guidance they require when they need it most.

4 – Promote wellbeing training

Training business leaders and employees on how to look after their own and their colleagues’ mental health, spotting the signs of stress, and learning how to manage stress are fundamental to improving overall wellbeing. Line managers can only help improve their employees’ mental health if they recognise the red flags. Having good wellbeing isn’t just confined to mental health – it also involves having an overall healthy lifestyle, including exercise, sleep and diet – and avoiding harmful substances such as alcohol, drugs and cigarettes. Educating employees on the importance of going to sleep at a good time and not staying up until 2 am binging Netflix shows is also critical to supporting their health and wellbeing, ready for their work the next day.

5 – Foster a wellbeing culture

Building an organisational culture around wellbeing is vital to ensuring staff feel supported and recognise that they can reach out to someone in their team if they are struggling. Building a wellbeing charter, where employees understand that they can work flexibly, have support to deal with stress, get professional help, or just a helpful ear can make a world of difference. Whilst it’s not easy for anyone to admit they need extra help, fostering a culture where managers and colleagues regularly check in on each other will make employees feel more comfortable to voice their concerns.

To find out more about improving mental health and wellbeing training in your organisation, try a free demo of our wellbeing collection of courses.

Anti-money laundering (AML) is a blanket-term used to describe the constantly evolving laws and regulations put in place to prevent money laundering and other related financial crimes. However, in order to fully understand AML activities, it’s important first that we get to grips with what money laundering means and the true extent of this crime.

In short, money laundering is a type of financial crime; more specifically, it’s the process of taking illegally obtained funds (dirty money) and making them appear legitimate (i.e., clean or ‘laundered’).

Criminals involved in money laundering activities want to make it as difficult as possible for the authorities to trace the source of any ill-gotten money, so the more complex the ‘laundering’ process is, the less likely they are to be found out. This means that money is often moved around overseas, for example, or invested in companies, art, and offshore accounts.

It is estimated that money laundering activities in the UK equate to approximately 2-5% of GDP. This means that between £36-90 billion of criminal finances are laundered through the UK economy annually, and that’s a low estimate!

Criminal finances can be generated through organised crime, individual criminal activities, and high-end money laundering schemes – but all of these impact businesses, individuals, and communities in a negative way.

These activities also put national security at risk by financing terrorist activities, armaments, and nuclear weapons.

Anti-money laundering (AML)

AML consists of a series of laws, regulations, and policies designed to prevent money laundering from taking place.

In the UK, anti-money laundering legislation is dictated by the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000 (TA 2000), and the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (MLR 2019). Additionally, the UK is a member of the Financial Action Task Force (FATF), which means the UK’s anti-money laundering legislation meets FATF’s global standards.

It’s also worth noting that, whilst the UK left the EU on January 31, 2020 – and so did not transpose the EU’s sixth anti-money laundering directive (6AMLD) into its domestic AML framework – the government has stated that the UK’s anti-money laundering systems are already compliant with many of 6AMLD’s rules and, in fact, the government believes that ‘the UK already goes much further’ in many respects.

Know your customer standards

Know Your Customer (KYC) standards are designed to protect financial institutions against fraud, corruption, money laundering, and terrorist financing. Indeed, for many organisations, KYC is the first and most crucial step of their AML compliance program and consists of the process used to verify a client’s identity, construct their risk-profile, and continuously monitor their account.

It’s important for organisations to carefully verify any customer’s identity, assess their risk, and understand their general financial habits as this makes it much more likely that any abnormalities and red flags will be identified. In turn, this allows organisations to act quickly and investigate any signs of money laundering (or other crimes) before the situation escalates.

The 3 Components of KYC

KYC may seem like a simple concept, but the processes of customer identity verification and customer due diligence are critical to a successful AML program.

There are three stages to KYC compliance:

1. Customer identification

This involves verifying a customer’s identity (i.e., that they are who they say they are) and usually calls for customers to share credentials such as name, date of birth, and address. In The UK, this commonly involves checking that the individual is on the electoral register and asking them to provide a current passport, full driving license, or birth certificate, as well as a utility bill, council tax bill, or mortgage statement.

2. Customer due diligence

Due diligence aims to uncover any potential risk to the organisation should the company agree to do business with a specific individual. For this reason, organisations will use the above information to check that the customer in question is not on any sanctions lists, such as the one published by the International Criminal Police Organisation (Interpol).

They will also want to check that the prospective customer is not Politically Exposed, as it is deemed at international level that a PEP (Politically Exposed Person) is more susceptible to corruption (meaning this customer would be considered as high risk and subject to more rigorous and specific mitigation measures).

3. Continuous monitoring

Under AML directives, it’s not enough to perform identity checks and customer due diligence just once. Rather, in order to gain a full understanding of how customers typically use their accounts – and to catch any irregularities and mitigate risks as they arise – financial institutions must complete continuous monitoring and checks across their clients’ accounts.
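
The customer identification, due diligence and monitoring stages described in the three steps above (and in the earlier bullet-list version of the same three stages) can be made concrete with a small screening routine. The following is an added example, not the page’s code or any vendor’s product: it screens an applicant against a sanctions list and a PEP list using name normalisation and fuzzy matching, and corroborates name hits with the date of birth so that a mere name coincidence lands in manual review rather than an outright rejection. The list entries are fictional and constructed for the illustration, and the similarity threshold of 0.85 is an assumption.

```python
"""Added example (not from the page): screening a prospective customer
against sanctions and PEP lists, with date-of-birth corroboration."""
import re
import unicodedata
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

# Constructed, fictional list entries used only for this illustration;
# a real deployment would load the published consolidated lists instead.
SANCTIONS_LIST = [
    {"name": "Ivan Petrovich Example", "dob": date(1970, 3, 14), "ref": "EXAMPLE-SANC-001"},
    {"name": "Example Trading Ltd", "dob": None, "ref": "EXAMPLE-SANC-002"},
]
PEP_LIST = [
    {"name": "Maria Sample-Jones", "dob": date(1965, 9, 2), "ref": "EXAMPLE-PEP-001"},
]


def normalise_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, and sort the tokens so that
    'PETROVICH, Ivan' and 'Ivan Petrovich' compare as the same name."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_name.lower())))


def name_similarity(a: str, b: str) -> float:
    """Similarity in 0.0..1.0 of two normalised names; catches spelling variants."""
    return SequenceMatcher(None, normalise_name(a), normalise_name(b)).ratio()


def _hits(entries, list_name, name, dob, threshold):
    hits = []
    for entry in entries:
        score = name_similarity(name, entry["name"])
        if score < threshold:
            continue
        # A name-only match is the classic false positive: corroborate with the
        # date of birth when the list entry has one (entities such as companies do not).
        corroborated = entry["dob"] is None or (dob is not None and dob == entry["dob"])
        hits.append({"list": list_name, "ref": entry["ref"], "match": entry["name"],
                     "score": round(score, 3), "corroborated": corroborated})
    return hits


def screen_customer(name: str, dob: Optional[date], threshold: float = 0.85) -> dict:
    """Customer due diligence outcome for one applicant.

    REJECT                 corroborated sanctions match
    MANUAL_REVIEW          name-only match that a human must resolve
    ENHANCED_DUE_DILIGENCE corroborated PEP match (higher-risk customer)
    STANDARD_DUE_DILIGENCE no hits on either list
    """
    sanctions = _hits(SANCTIONS_LIST, "sanctions", name, dob, threshold)
    peps = _hits(PEP_LIST, "pep", name, dob, threshold)
    if any(h["corroborated"] for h in sanctions):
        decision = "REJECT"
    elif sanctions or any(not h["corroborated"] for h in peps):
        decision = "MANUAL_REVIEW"
    elif peps:
        decision = "ENHANCED_DUE_DILIGENCE"
    else:
        decision = "STANDARD_DUE_DILIGENCE"
    return {"decision": decision, "hits": sanctions + peps}


if __name__ == "__main__":
    applicants = [
        ("Ivan Petrovitch EXAMPLE", date(1970, 3, 14)),  # spelling variant, DOB matches
        ("Ivan Petrovich Example", date(1988, 1, 1)),    # same name, different DOB
        ("María Sample Jones", date(1965, 9, 2)),        # PEP, accent and hyphen differ
        ("Jane Doe", date(1990, 5, 5)),                  # no hits
    ]
    for applicant_name, applicant_dob in applicants:
        print(f"{applicant_name:25} -> {screen_customer(applicant_name, applicant_dob)['decision']}")
```

The design point is the corroboration step: fuzzy name matching is needed to catch transliteration and spelling variants, but on its own it produces many false positives, so a hit without a matching date of birth is routed to a human rather than silently rejected or silently passed. The continuous-monitoring stage would re-run this screen whenever the lists are updated, not only at onboarding.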

AML Authorities in the UK

  • The Financial Conduct Authority

The Financial Conduct Authority (FCA) is the UK’s primary financial services regulator, overseeing banks, building societies, credit unions, and other financial institutions. It was established in 2012 under the Financial Services Act to replace the Financial Services Authority (FSA) and to ensure the safety of the UK’s financial system and financial institutions.

The FCA is in charge of ensuring that AML requirements are followed in the UK, and it has the authority to investigate money laundering and terrorism funding offences in collaboration with other law enforcement agencies and authorities, such as the Crown Prosecution Service (CPS). The FCA requires all banks and financial institutions in the United Kingdom to be registered.

  • HMRC

Her Majesty’s Revenue and Customs (HMRC) shares the responsibility to investigate money laundering offences with the FCA. It also publishes guidance on anti-money laundering in the UK, including what due diligence and transaction monitoring financial organisations are required to carry out in order to be compliant with UK law.

  • National Crime Agency (NCA)

In addition to the FCA and HMRC, the National Crime Agency (NCA) and the Serious Fraud Office (SFO) also have the power to enforce money laundering regulations in the UK. Both these institutions have the power of arrest and may seek warrants and court orders.

UK anti-money laundering and counter financing of terrorism authorities (AML/CFT) also have the power to freeze and confiscate any assets they suspect are involved in money laundering, terrorism financing, and other criminal activities.

AML and non-compliance

Depending on the form and severity of the infraction, noncompliance with the UK’s AML/CFT legislation can result in monetary penalties or up to 14 years in prison. As above, the FCA has the power to close down or restrict the activities of companies proven to be guilty of wrongdoing, as well as to reclaim funds and assets implicated in money laundering violations through court or civil processes.

Additionally, non-compliance with AML/CFT directives in the UK is likely to result in considerable reputational damage for the companies concerned.

The importance of AML

We know that money laundering often funds criminal activities such as smuggling, illegal arms sales, embezzlement, insider trading, bribery, and cyber fraud schemes. It also has links with organised crime, such as human trafficking, drug trafficking, and prostitution rings.

As well as funding unlawful enterprises, money laundering diverts resources away from economically and socially productive uses. This negatively affects a country’s financial system by undermining its stability and erodes public trust. It’s also closely linked with terrorism, since money laundering is used to raise funds to sustain and camouflage terrorist activities.

AML in practice

It’s important for all types of organisations to offer AML awareness training to their employees – not just financial institutions (although these types of organisations will require more in-depth education on the subject).

The significance of effective internal controls and risk mitigation cannot be stressed enough, since the effects of money laundering – and, indeed, its increasing regulation – affect all industries.

At its core, AML awareness training is about empowering your employees and equipping them with the right skills to handle the requirements of AML regulation as these affect their daily work tasks. In doing so, the training helps members of staff to flourish and be productive at work because it helps clarify their responsibilities and the boundaries surrounding these.

As well as reducing liability and risks for everyone in the company, then, AML training is a gateway allowing employees to get on with work unsupervised which, in turn, builds trust and drives productivity.

Some good AML controls include:

  • Nominated compliance risk owners within the business that employees can report to, creating clarity throughout the process of reporting and responding.
  • Providing employees with regular information and refresher training on the risks and red flags of money laundering, so that employees are aware of their responsibilities and of the importance of AML activities.
  • Regularly updating AML policies, controls and procedures in line with new regulations, as well as completing a policy statement and sticking to it.

Final word

In an ever-changing regulatory landscape, getting your employees up to speed on the latest AML regulations and how to spot money laundering is one of the most effective ways to protect your company and its assets from illegal activity. We hope this article has helped our readers understand what AML means and why it is important for your business. However, if there’s anything we can help you with, please do get in touch via email or on 01509 611019. We’re a friendly bunch and would be more than happy to help!

More than 300 Spar convenience stores have been affected by a significant cyber-attack on the company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage caused to Spar’s till systems by the attack.

What caused the Spar cyber attack?

The exact details of how Spar’s systems were compromised are yet to be established. However, it has already been disclosed that the company fell victim to a ransomware attack. This usually indicates that there has been a successful phishing attack, or that someone on the network has downloaded a malicious file.

How does a Ransomware attack work?

Ransomware is a form of malware, and the key to its objective lies in the prefix ‘ransom’. Ransomware infects an organisation’s IT infrastructure in much the same way as most malware, e.g., through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard-to-trace cryptocurrency) in return for unlocking the device.

Once the ransomware has accessed an organisation’s system, it either encrypts the entire system or targets individual files, depending on the type of ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner is locked out of their data until they either pay the fee or recover it by other means. The standard advice is not to pay the ransom, since there is no guarantee the attacker will restore access to your system.
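
As an added example (not from the page, and not any product’s detection logic), the following Python shows one defender-side check for the in-place file encryption described above. It runs over a constructed sample of five files: a healthy PDF and a healthy text file beside three files that have been overwritten with ciphertext-like bytes, one of them also renamed with an extra extension. The magic-number table, the extension lists, the entropy threshold of 7.5 bits per byte and the 50% alert ratio are all assumptions chosen for the illustration.

```python
"""Added example (not from the page): a defender-side heuristic for spotting
files that have been encrypted in place, using constructed sample files."""
import math
from collections import Counter

# Extensions we expect to see on user documents (constructed subset).
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip"}
TEXT_EXTENSIONS = {".txt", ".csv"}
# Leading bytes ("magic numbers") a healthy file of each type starts with.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str, data: bytes, entropy_threshold: float = 7.5) -> list:
    """Indicators that this file has been encrypted by ransomware (empty = looks fine)."""
    indicators = []
    parts = path.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) >= 2 else ""
    # 1. A document extension with an extra, unknown extension appended (budget.xlsx.locked).
    if len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS and ext not in DOC_EXTENSIONS:
        indicators.append(f"document extension followed by unknown extension {ext}")
    # 2. A known file type whose header no longer matches its magic bytes.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        indicators.append(f"{ext} file no longer starts with its expected header")
    # 3. Ciphertext-like entropy where plain text is expected.
    entropy = shannon_entropy(data)
    if ext in TEXT_EXTENSIONS and entropy > entropy_threshold:
        indicators.append(f"text file has ciphertext-like entropy {entropy:.2f} bits/byte")
    return indicators


def scan_snapshot(snapshot: dict, alert_ratio: float = 0.5) -> dict:
    """Assess every file in {path: bytes}; alert when a large share looks encrypted,
    which is the mass-encryption burst that distinguishes ransomware from one odd file."""
    assessed = {p: assess_file(p, d) for p, d in snapshot.items()}
    flagged = {p: why for p, why in assessed.items() if why}
    ratio = len(flagged) / len(snapshot) if snapshot else 0.0
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= alert_ratio}


# Constructed sample "directory": three of five files have been encrypted.
CIPHERTEXT_LIKE = bytes(range(256)) * 16   # uniform bytes, entropy exactly 8.0
SAMPLE_SNAPSHOT = {
    "docs/report.pdf": b"%PDF-1.7\n% healthy document body\n",
    "docs/notes.txt": b"Meeting notes: review the budget on Monday and circulate minutes.\n",
    "docs/budget.xlsx.locked": CIPHERTEXT_LIKE,   # renamed and encrypted
    "docs/photo.jpg": CIPHERTEXT_LIKE,            # encrypted in place, name kept
    "docs/data.csv": CIPHERTEXT_LIKE,             # encrypted in place, name kept
}

if __name__ == "__main__":
    result = scan_snapshot(SAMPLE_SNAPSHOT)
    for path, why in result["flagged"].items():
        print(path, "->", "; ".join(why))
    print(f"{result['ratio']:.0%} of files flagged; alert={result['alert']}")
```

The share of files flagged matters more than any single file: one file with a strange header is noise, whereas a sudden burst of such files across a share is the pattern worth alerting on, and it is visible to a file-server monitor even before users notice they are locked out.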

What types of Ransomware are there?

The type of threat posed by ransomware depends entirely on the type of ransomware used to infect an IT system. The two main categories of ransomware are crypto ransomware and locker ransomware, both described below.

Within these categories sit the specific ransomware families used, for example Bad Rabbit and the aptly named WannaCry.

Crypto Ransomware – what is it?

It is a type of malicious programme that encrypts files on a device, such as a phone or laptop, with the goal of extorting money from the owner.

There are two ways in which crypto ransomware is usually delivered:

  1. Files and links sent via email, instant messaging services or other digital communication channels.
  2. Downloaded onto a device via fake alerts and threats, or by exploit kits and trojan downloaders.

Email, instant messaging, and digital communications

Emails and messages are sent to the target recipients containing links or attachments that appear to be documents. However, these are not documents but executable programmes that, once run, activate the crypto ransomware.

These malicious files can look like Word or Excel documents, ZIP archives, or any other popular email attachment. The email itself does not trigger the infection, but opening or downloading the attachments or links does.

Exploit Kits and Trojan Downloaders

Exploit kits can be thought of as digital toolboxes that cyber criminals plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If a vulnerability is found, the exploit kit automatically downloads and runs the crypto ransomware on the device.

Locker ransomware – what is it?

Locker ransomware is less dangerous, but only if you know how to deal with it. It attacks when an individual visits a compromised website, and it usually only attacks a single device.

A pop-up screen then appears, pretending to be from a well-known brand such as Apple, Microsoft or Norton, telling the user their system has a virus. It tells the user not to shut the device down and provides a telephone number to call for support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.

If a user falls for the pop-up and calls the service number, a cyber criminal posing as a service technician establishes a remote connection to the device and asks for payment to fix the issue. They may also load other software onto the device as well as try to sell anti-virus software to the user.

In some circumstances users that are not tech savvy may not realise they are being defrauded.

The solution is simple…

The solution is as simple as shutting down the device as soon you get hit by Locker ransomware. Do not make the phone call, and do not pay any fees. Simply shut the device down and reboot it.

How to detect ransomware

The first step to protecting your IT systems is to ensure adequate preventative methods are put in place.

Prevention is made up of two components: a watchful eye and market-leading security software.

How to build a watchful eye

While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is to combat them.

Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.

There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.

We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself against cyber criminals.

Common Ransomware methods once a system infection has started

Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.

  1. Illegal content claims: cybercriminals pose as law enforcement or a regulatory body. They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
  2. Unlicensed applications: much like the above, the cybercriminal will ask for a fee to be paid for an unlicensed programme.

Unfortunately, most of the time, once a system is infected, a cybercriminal will be less subtle about ransoming an IT system than in the above examples. As in Spar’s case, business systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a business’s first line of defence against cyber-attacks.

Ikea Targeted by a New Phishing Scam

A new type of phishing attack has been uncovered after flat-pack furniture giant, Ikea, launched an internal investigation after noticing several malicious emails circulating throughout the business. Email Chain Hijacking is a new type of phishing scam that takes advantage of a weakness found in Microsoft Exchange servers.

Ikea adequately protected against the attack by encrypting all personal data. However, many other businesses remain vulnerable to this new type of attack.

What is Email Chain Hijacking?

Email Chain Hijacking is a key identifier of the prevalent SquirrelWaffle malspam campaign, which takes advantage of a vulnerability in Microsoft Exchange servers. SquirrelWaffle malware enables cybercriminals to gain a foothold inside organisations’ IT systems, allowing them to deploy further infections such as Qakbot, a well-known banking trojan.

Usually, with phishing attacks, imposter emails attempt to mimic an organisation’s emails and domain. Once an individual clicks on the link, malware is downloaded and the systems are infected. With Email Chain Hijacking, emails are sent via the organisation’s actual servers. Cybercriminals reply to existing email chains and embed malicious links or attachments within them.

Once the hacker has access to an individual’s email account, they find an email chain to use and then reroute the replies to a separate folder, such as the trash folder. The owner of the account being used never sees the replies in the email chain, which means the attack can go undetected for a long time.

This method makes it incredibly difficult for individuals to spot the phishing attack and react, since the emails don’t just look like they are from their colleagues’ email addresses; they actually are.

How can Your Business Protect Against Email Chain Hijacking?

There are a number of things to do to guard against an email chain hack. These include:

  1. Ensure all email accounts use security best practices. This includes setting secure passwords and using multi-factor authentication.
  2. Regularly inspect email and inbox settings. Look out for rules that weren’t created by the user that intend to filter replies into a different inbox. If you spot this, contact your IT team immediately.
  3. Disable all Microsoft Office Macros where possible. Macros allow a user to personalise automatic and manual email replies and are a common vehicle of attack.
  4. Ensure your business has a quality and trusted Endpoint Detection and Response (EDR) security provider in place. If an email chain hack is successful, an EDR can stop the malicious code hidden in links and attachments from being executed.
  5. Increase your organisation’s knowledge with comprehensive training designed to increase their awareness of cyber-crime and their responsibilities to protect their organisation.
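
Item 2 in the list above (spotting rules that quietly divert replies) as an added, runnable example; this is not the page’s code or any vendor’s tooling. It works over a constructed export of mailbox rules in a simplified dictionary form (the keys are this example’s own, not any mail platform’s schema), assumes `example.org` is the organisation’s domain, and flags the traits that distinguish a hijack rule from an ordinary filter: replies moved to folders nobody reads, mail marked read or deleted, forwarding to external addresses, and one-character rule names.

```python
"""Added example (not from the page): audit exported mailbox rules for the
reply-hiding pattern used in email chain hijacking."""

ORG_DOMAIN = "example.org"   # assumed internal domain for this illustration

# Folders a user rarely opens; a rule filing replies here hides them from the owner.
SUSPICIOUS_FOLDERS = {
    "deleted items", "rss feeds", "rss subscriptions", "junk email",
    "archive", "conversation history",
}
REPLY_PREFIXES = {"re", "fw", "fwd"}

# Constructed sample export: four rules across three mailboxes.
SAMPLE_RULES = [
    {"mailbox": "alice@example.org", "name": "Newsletter filter", "enabled": True,
     "conditions": {"from_contains": ["news@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},                       # ordinary filter
    {"mailbox": "alice@example.org", "name": ".", "enabled": True,
     "conditions": {"subject_contains": ["RE:", "FW:"]},
     "actions": {"move_to": "RSS Feeds", "mark_as_read": True}},   # hides replies
    {"mailbox": "bob@example.org", "name": "Backup", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["bob.personal@freemail.example"]}},  # exfiltrates mail
    {"mailbox": "carol@example.org", "name": "Old rule", "enabled": False,
     "conditions": {"subject_contains": ["RE:"]},
     "actions": {"delete": True}},                                  # deletes replies
]


def audit_rule(rule: dict) -> list:
    """Reasons this rule looks like hijack tradecraft (empty list = looks benign)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    target = actions.get("move_to", "")
    if target.lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to '{target}'")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    if actions.get("mark_as_read"):
        reasons.append("marks matching mail as read")
    for addr in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            reasons.append(f"forwards or redirects to external address {addr}")
    prefixes = {s.lower().rstrip(":").strip() for s in conditions.get("subject_contains", [])}
    if prefixes & REPLY_PREFIXES:
        reasons.append("matches on reply/forward subject prefixes")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule has an empty or single-character name")
    return reasons


def audit_rules(rules: list) -> list:
    """Findings for every rule with at least one reason; disabled rules are kept
    because an attacker who planted one can re-enable it."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "enabled": rule["enabled"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"{finding['mailbox']} rule '{finding['rule']}' ({state}): "
              + "; ".join(finding["reasons"]))
```

Run the audit on a schedule across all mailboxes and treat any finding as a ticket for the IT team, as the list item suggests; the combination of a reply-prefix condition with a move-to-unread-folder action is the strongest signal, since legitimate users almost never file their own replies into RSS Feeds or Deleted Items.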

DeltaNet Cyber Security Collection

We provide a comprehensive collection of courses designed specifically to build awareness, knowledge, and capability to fight cyber-crime such as phishing. You can find out more here.

In addition to this, we have developed a revolutionary Phishing Simulation Tool. The tool allows organisations to test their employees’ resilience against phishing in the real world by staging simulated phishing attacks. You can send fake phishing emails to anyone and everyone in your organisation and report on performance. The Phishing Simulation Tool will make cyber risk owners aware of anyone who has failed the test, allowing for further training to be provided and increasing your organisation’s defences against phishing attacks and cybercrime.

The term ‘compliance culture’ isn’t new; for years we’ve heard about the need for organisations to create one in order to really get on top of and mitigate regulatory and reputational risk.

And whilst the phrase ‘compliance culture’ (or ‘culture of compliance’ if you prefer) is one we all recognise, like a lot of qualities pertaining to culture, it can be hard to define.

At DeltaNet International, we imagine ‘culture’ as it affects the organisation itself. That is, as the DNA that runs through the business colouring its everyday operations. After all, workplace culture – often called ‘corporate culture’ – refers to the beliefs and behaviours of the workforce.

It’s made up of the various values, attitudes, actions, and norms visible in those around us and regarding various factors in the workplace – one of these being, compliance.

Compliance, on the other hand, is all about doing the right thing, the right way. It’s about setting principles and standards and acting accordingly.

When we speak about a culture of compliance, then, these expectations are incorporated into the behaviours, beliefs, and actions of the entire workforce.

It’s not enough to have written policies and procedures (whilst these are important benchmarks that should be communicated clearly, they can also feel distant from the organisation).

True Culture of Compliance

A true culture of compliance will not only point to and promote such policies but will also bring them to life – it’s about doing what is right simply because it’s the right thing to do – regardless of who is watching.

In short, a compliance culture is a critical area that permeates every aspect of business. If it’s successful, it will influence our vocabulary, our values, our targets (and the way we achieve them), and our interactions/transactions with those we encounter.

A compliance culture is the filter through which we conduct ourselves and our business, it’s never an afterthought that ticks a box.

Beyond written rules: identify risks, manage expectations

It’s important to understand that the look and feel of one organisation’s compliance culture will be totally different to that of another. Cultures of compliance are never one size fits all, so it’s imperative to identify the specific compliance risks that your company faces and construct a compliance culture in and about these areas.

Risk factors

High-risk factors might include the physical (think construction or chemical work, for example) where health and safety will need to take precedence; or else they could be technological, requiring extra attention on cyber-security and data protection principles. Some organisations, let’s say financial institutions, might focus on strategic risks, raising awareness about anti-bribery, anti-money laundering or FCA regulation for example.

Compliance cultures are NEVER one size fits all

Whatever areas of compliance your message centres around, setting and communicating your expectations in these areas is paramount to establishing an effective compliance culture; one that’s relevant to you.

Communication is key

Remember, your expectations when it comes to compliance are communicated in more ways than one. It’s the sum of all this messaging – whether communicated purposively (think written policy, mandatory training, posters, and other learning materials) or as a by-product (visible consequences, management buy-in, risk tolerance, performance pressure, and so on) – that creates the culture guiding and framing employee behaviour.

Whilst some go unseen, these messages are nevertheless strong forces which reinforce and represent what the organisation expects from its employees, and what employees can expect from the organisation. As such, it’s important these voices are united when it comes to areas of compliance you want to manage.

Codes of conduct and ways of building trust

Whilst creating and maintaining a compliance culture goes above and beyond written policies, it’s nevertheless useful to begin here and build outwards.

What does a code of conduct look like?

A code of conduct is the most common policy for organisations to have. Essentially a self-regulating document, codes of conduct are designed to outline specific behaviours, either required or prohibited, as a condition of ongoing employment.

Indeed, many organisations also have supplier or third-party codes of conduct to ensure the entire supply chain is aligned with the minimum standards of behaviour they expect to see.

Recognising success – a tale of ownership and accountability

A culture of compliance is easily recognisable; it’s an environment where employees know what is expected of them and make good choices accordingly. In this compliant culture, leaders do more than communicate the rules to be obeyed: they model consistently good behaviour themselves.

They set the cultural tone by sharing their vision, reacting quickly (and fairly) to non-compliance, and by celebrating when employees act in a compliant manner.

Inside this successful compliance culture, strategies are delivered to monitor ongoing compliance (think inspections, investigations, regular risk-assessments and simulations to test knowledge).

Plans are also in place to manage and respond to any vulnerabilities or non-compliance uncovered by these actions – whether this is further education, increased awareness training, or other disciplinary action, the goal is to discover weak links and deal with them promptly.

This is an environment which fosters accountability. Here, designated risk owners are assigned to manage key risks on behalf of the organisation and, as custodians of compliance, these individuals have clear roles and responsibilities when it comes to the job.

They’re well-trained and committed to building trust via competency and consistency; the mindset here is not to ‘win at any cost’, but to be transparent, to do what’s right.

A successful compliance culture does not view training as a ‘once and done’ exercise, but as a continual process aimed at closing knowledge gaps and upskilling employees.

Employees are not forced to repeat training they don’t require either (this wastes time and fosters resentment about said wasted time).

Learning here is adaptive, tailored to the individual, and can be completed seamlessly, in the flow of work.

The drive to incentivise – what NOT to do when building a compliance culture

One of the biggest mistakes organisations make when it comes to building a compliance culture is to incentivise it. Yes, compliance and positive behaviour should always be positively reinforced, but it’s important to remember that compliance is about doing the right thing for the right reasons – not simply to get a reward.

Incentivising compliance is a risky business (pun intended) because it can erode the trust and commitment that’s necessary to cultivate a compliance culture in the first place. It doesn’t make sense to ask employees to self-regulate, to trust their instincts, and to do what’s right on the one hand, whilst simultaneously conditioning them that compliance can be bought and sold somehow.

Under-reporting and over-reporting – two sides of the wrong coin

Additionally, incentivising compliance can lead to two issues that a true compliance culture would always seek to eradicate. In fact, these enemies of any budding compliance culture happen to be two sides of the same coin: under-reporting and over-reporting.

For example, in an environment where going X number of days without a health and safety incident garners rewards:

  • How likely is it that real incidents (the type that require action to prevent them reoccurring) will be reported?
  • How long until under-reported small incidents build up into a larger problem – one that’s potentially devastating for the company?

Likewise, inside an organisation where whistleblowing is overly incentivised and compensated, how long before employees begin to over-report or nitpick just to appear on top of things?

Fostering this kind of over-vigilance is a slippery slope into bad office politics and corporate backstabbing, quite the opposite of the trust-filled accountability culture we want to nurture.

Remember… the appearance of compliance is not compliance

Compliance – and the way your compliance culture takes shape – is an ongoing journey. It’s never a destination or something that will one day be ‘complete’.

Perpetual stories of improvement

Rather, think of compliance as a spectrum of maturity involving people, processes, and other tools/technology.

Depending on factors such as the size or age of the organisation, your company’s position on the compliance maturity spectrum will adjust over time, as will the legislation and regulations that lay the groundwork for what compliance means.

For instance, younger companies may have cut corners in this respect. It’s not unusual for start-ups and SMEs to treat compliance as a series of boxes to check in line with what the law dictates they must do.

Larger, more established organisations, on the other hand, may have been working on their compliance culture for several years, approaching compliance as something that plays a positive role in driving business growth.

Tone from the top

Whilst touched upon throughout this document, we’ve deliberately avoided dedicating any single page to ‘setting the tone from the top’ – even though this element is incredibly important and often discussed when it comes to the topic of compliance cultures.

The reason for this is the true meaning of the phrase, which carries much more weight than any written theory or principle allows for. Instead, setting the right tone from the top is an integral part of the life-force enabling your company to strive for excellence in compliance.

The DNA that informs the ongoing growth, development, and success of your compliance culture begins here (and can end here too, if leaders are careless).

You must not underestimate it.

At the highest level, successful compliance management is continuous as well as sustainable.

Building a compliance culture means learning from past mistakes and cultivating an environment of continuous improvement that’s observable throughout every department, from the top down.

Around the Black Friday and Cyber Monday weekend, employees will undoubtedly be distracted by looking for the latest bargains offered by retail stores both online and in-store. However, due to the ongoing effects of the pandemic, many employees are most likely to be shopping online. This weekend is also an opportunity for many employees to do their Christmas shopping ahead of time.

Unfortunately, this shopping weekend is a lucrative opportunity for cybercriminals to target shoppers, who may fall into the trap of phishing and social engineering scams. According to Kaspersky, online payment fraud surged by 208% between September and October 2021, with 1,935,905 financial phishing attacks disguised as e-payment systems during October.

With many employees also using company devices for personal use, organisations must remind employees of best practices for staying safe and secure online.

Top tips to advise employees:

1) Remind employees of stringent IT policies

Employees must be reminded to follow the organisation’s IT and compliance policies, and to avoid using company-owned devices for personal purchases. While it can be tempting to keep an eye on bargains whilst working, employees should not be doing this on their work laptops or phones, even during break times.

2) Shop smartly

Tell employees to use only trusted websites to shop and use credit cards for payments over a secure connection – remember to check the website starts with “https://”. Don’t forget to monitor bank accounts for any suspicious activity, so banks can be alerted at once if scammers do manage to infiltrate bank accounts.

3) Be aware of phishing scams

Employees need to watch out for phishing and social engineering scams targeting shoppers with bargain prices – always triple check any URLs before clicking on them by hovering over the link. Support employees with phishing awareness training and check their alertness with our phishing simulation tool to truly understand if employees know how to spot a scam.
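The two checks in tips 2 and 3 (does the site use “https://”, and does the link you hover over really go where its text says?) can be written down as a small inspection routine. The example below is added here and is not code from the original page or from the training vendor; it treats a link the way a cautious employee would, taking the visible text and the real target address, and returns a list of plain-English warnings. The trusted retailer list and the sample links are constructed for illustration, and the “registrable domain” helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Link inspection helper for phishing awareness (added example, not the page's code).

Given the text a link shows and the real address behind it (what hovering reveals),
report the red flags a reader of tips 2 and 3 is told to look for.
"""
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed list of registrable domains the employee legitimately shops at (assumption).
TRUSTED_DOMAINS = {"example-store.com", "example.net"}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough to show the lookalike problem: 'example-store.com.deals-now.example'
    is owned by whoever controls 'deals-now.example', not by the retailer.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(visible_text: str, href: str) -> list[str]:
    """Return a list of warnings; an empty list means nothing looked wrong."""
    warnings: list[str] = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    # Tip 2: the address should start with https://
    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme or 'missing'!r})")

    if not host:
        warnings.append("no hostname in link")
        return warnings

    # 'user@host' in a URL: everything before '@' is ignored by the browser,
    # so the part that looks like the shop name is not where you end up.
    if parts.username is not None:
        warnings.append(f"text before '@' is not the site; the real host is {host!r}")

    if _is_ip_literal(host):
        warnings.append("host is a raw IP address, not a retailer name")

    # Punycode / non-ASCII hostnames can imitate a familiar brand name.
    if "xn--" in host or not host.isascii():
        warnings.append("internationalised hostname; may be a lookalike of a known site")

    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        warnings.append(f"domain {domain!r} is not on the trusted retailer list")

    # Tip 3: hover check. If the visible text names a site, it must match the target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", visible_text.lower())
    if shown and registrable_domain(shown.group(1)) != domain:
        warnings.append(
            f"visible text names {shown.group(1)!r} but the link goes to {host!r}"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a promotional e-mail.
    samples = [
        ("Black Friday deals", "https://example-store.com/black-friday"),
        ("https://example-store.com/deals", "http://example-store.com.deals-now.example/login"),
        ("shop.example.net", "https://shop.example.net@198.51.100.7/"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for w in inspect_link(text, href) or ["looks fine"]:
            print("   -", w)
```

Run it as a script to see the three constructed samples scored: the genuine link produces no warnings, the lookalike subdomain trips the https, trusted-domain and hover checks, and the `user@host` form is flagged on all four counts. The point for awareness training is that the hover check alone is not enough; the scheme, the owning domain and the shape of the host all need a glance.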

4) Remember good password hygiene

When logging into accounts for each online retail store, educate employees to use a solid, unique password for each one. Make sure the password contains a minimum of eight characters, a mix of upper- and lower-case letters, numbers and symbols. Good password hygiene will help reduce the likelihood of details being compromised in a data breach.

5) Use added security barriers such as 2FA & MFA

Where possible, teach employees to use two-factor or multi-factor authentication to log into accounts to prevent others from accessing them. If a password has been compromised or cracked by a cyber-criminal, multi-factor authentication requires the attacker to also bypass the one-time password, which is usually a code sent via email or text to the account holder’s number. This second barrier to entry makes it harder for attackers to get in and make purchases on the account.

6) Don’t fall for gimmicks

Employees must remain cautious of ads and prize contests (which are rife during this period) that look to harvest and sell consumer information to third parties. Remind them not to click on anything they don’t trust or that appears too good to be true. If in doubt, always check the URL domain.

7) Finally, don’t forget overall device security

It’s vital to keep security updated on all devices, including laptops, tablets and smartphones. Remind employees to use anti-virus software and to back up all files. With IT vulnerabilities constantly appearing, employees must continuously update their devices when prompted or told to by IT.

Get in touch today to talk to us about how our collection of Information Security Courses can help prevent your employees from being scammed around the holidays and further strengthen your organisation’s cybersecurity risk.