Recent incidents of fraud and theft across the Caribbean region have led to questions on how they happened and what can be done to prevent them. We examine some of the factors that have emerged, and a possible solution that organisations could consider.
Across the Caribbean region, and over the past several weeks, instances of theft and fraud seem to be increasingly prevalent, evidenced by the frequency with which they are making the local, regional and even international news, and the blow-by-blow coverage that has sometimes ensued. Although in recent times the focus has been on external threats, such as ransomware or other cyber intrusions through which criminals in far-flung jurisdictions have stolen data or money, or have used extortion to secure the latter, these days the greater threat seems much closer to home. Employees have been stealing from the organisation for which they work, or are stealing directly from the organisation’s customers.
In some cases, based on the information that was made publicly available, the theft was a recent occurrence and seemed to have been caught relatively quickly, especially if the incidents occurred at a commercial bank. However, in other cases, they seemed to have been longstanding situations, which in some instances, may have started at least a decade ago.
As expected, the public at large has become more concerned about the safety of their money and the organisations in which they place their trust. The recent revelation of the theft of over USD 12 million from an investment account of one of the greatest sprinters of all time, Usain Bolt, at a prominent brokerage and securities dealer in Jamaica has sent shockwaves across the country, with several questions being pointed both at the firm and at the regulator, the Financial Services Commission.
We also cannot forget about FTX, the crypto trading firm headquartered in The Bahamas, which collapsed in November, leaving reportedly at least a million creditors holding the bag, and several other crypto and fintech firms either bankrupt or on the verge of bankruptcy.
In these and many other instances, the question of trust has reared its head. Consumers are now second-guessing their choices, because although organisations seem to be reputable, and some due diligence is done, that no longer seems enough. On the flip side, organisations, and not just those in the fintech or financial services space, are finding themselves exposed thanks to unscrupulous employees, and may now be questioning their recruitment processes and how much more stringent their systems need to be to minimise the risk.
People cannot be trusted
In trying to wrap our heads around the recent incidents, there seems to be a growing consensus that we can no longer depend on the honesty and integrity of individuals: that someone working in a bank or handling money is honest and would not steal from customers or their employer.
To be fair, we are currently living in highly materialistic societies, where there is a lot of conspicuous consumption and emphasis on money. There is thus a lot of pressure to ‘keep up with the Joneses’ or to have the life and lifestyles we see on social media. Also, and very much so in the Caribbean region, there can be a wide disparity between the ‘haves’ and the ‘have-nots’, even in the workplace, which can also fuel the attitudes and behaviour we are currently seeing.
Well-established systems and processes are being circumvented
We also ought to keep in mind that even with the very best systems and processes, for them to operate successfully, they need to be properly implemented and managed. However, regardless of how robust the systems are, processes become vulnerable when there are ways to override or bypass them.
Senior executives who do not always want to follow the established process are often the reason why ways to override or bypass certain requirements are created in the first place. To be fair, there may be circumstances in which it is necessary to expedite certain processes, but those should be exigent situations and the exception, not the norm. More importantly, and in every instance, there should be a way to ensure that ALL transactions, and all steps in a transaction, are logged – regardless of whether they followed standard procedure or a special process was invoked.
Analog is the enemy
In some of the longstanding incidents of theft and fraud that have been reported, there was a sense that because processes were not fully digitalised, gaps were exploited. Some of the gaps included not having stringent controls over cash and cash transactions, allowing customers to telephone or email instructions that were subsequently altered, and employees being able to keep ‘two sets of books’, with customer accounts not showing correct balances.
Technology has reached a point where we ought to be questioning the extent to which intermediaries are needed to interface with clients and the number of employees that must participate to facilitate a transaction. Although we, as customers, may all still like to be able to pick up the phone and call someone in an organisation to help us with some business, increasingly, it is becoming necessary for organisations to give customers more control, to better manage risk.
The need for digital and trust-less systems
If there is anything you ought to have gleaned from the above paragraphs, it is that the trust you have placed in organisations and their employees may need to be revisited. As a customer or member of the public, you have no sight of the procedures and processes that organisations have established, whether they were properly implemented, or whether they are being vigorously monitored and updated. Moreover, even in organisations that are conscientious, it can be challenging to oversee all of the processes, ensure that they are being properly implemented and updated, and act with alacrity should any irregularities emerge.
To that end, and noting that there will most likely be some time lag between when an irregularity (including fraud or theft) occurs and when it is detected, having access to accurate records that would facilitate the necessary investigation and remediation (hopefully!) is critical. The use of technologies that are secure, transparent, and can maintain permanent and unalterable records of all transactions will be essential to regain trust. Luckily, such technologies already exist, the most prominent of which is blockchain technology, but they are not as widely used as they could be in the Caribbean region. However, with the loss of trust that has occurred both within and outside of organisations, the growing risk and endemic vulnerabilities can no longer be ignored.
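To make the two points above concrete (logging every step of a transaction, overrides included, and keeping records that cannot be quietly altered), here is an added example, not code from the original post: a minimal hash-chained, append-only ledger in Python. The field names, the sample account and the transaction entries are constructed for illustration; it shows that an after-the-fact edit to a recorded balance, the ‘two sets of books’ problem, is caught on verification.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Added example, not from the original post: a minimal hash-chained, append-only
# transaction ledger. Every step is recorded, override/bypass steps included, and
# each record commits to the previous one, so altering or deleting an earlier
# record is detected. Field names and sample entries are constructed.
GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

@dataclass
class Ledger:
    entries: list = field(default_factory=list)

    def append(self, account, step, amount, approver, override=False) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "account": account, "step": step,
                  "amount": amount, "approver": approver, "override": override}
        h = _digest(prev, record)
        self.entries.append({**record, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or _digest(prev, record) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def balance(self, account):
        return sum(e["amount"] for e in self.entries if e["account"] == account)

def demo():
    ledger = Ledger()
    ledger.append("ACC-001", "deposit", 100_000, "teller_a")
    ledger.append("ACC-001", "withdrawal_request", -25_000, "teller_a")
    ledger.append("ACC-001", "approval_bypass", 0, "exec_b", override=True)  # still logged
    ledger.append("ACC-001", "withdrawal_settled", 0, "ops_c")
    before = ledger.verify()
    ledger.entries[1]["amount"] = 0  # after-the-fact edit to hide the withdrawal
    return before, ledger.verify(), [e["seq"] for e in ledger.entries if e["override"]]
```

Verification reports the first record whose content or link to its predecessor no longer matches, and the override flag makes every invocation of a special process visible in the same record set as routine steps.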
Image credit: Gerd Altmann (Pixabay)
Quite a lot to digest in this post, Michelle. I can agree with you that the zero trust framework is the one that is optimal. But a practical solution – maybe the good enough – is the one where you trust but verify. Digital systems properly architected and configured will deliver that. To some extent.
Both of us have worked on regulatory systems heretofore. You have operated on the other side, as regulator. You know I am a proponent of the ‘light touch’ approach to regulation. The problem in my view is that while our regulators continue to say this is the framework to which they subscribe, the regulatory operating support systems they deploy in enabling the regulatory processes are not fit for purpose. Most simply ignore the basic premise of the philosophic position: what you know, and when you know it, are essentials.
The regulator may not prescribe the operating support systems, but if the regulator enjoins the regulated to record and keep the records of all material transactions, this requirement informs the kinds of operating support systems to be deployed. If the regulator insists on the right to sample evidence of transactions as indispensable to enforcement, and that samples could be collected with barge-in tools, then this requirement could serve as a prior restraint on wayward transactions.
I have argued and proposed that intelligence garnered from the public space, including anonymous sources, is axiomatic of regulatory oversight in the digital age. Regtech is at best, application of Web 2.0 tools and the processes usually evident in the way search is monetized by the data companies; collect a lot of public facing data to which algorithms are applied to discern patterns and connections. And from those patterns and connections, one knows, can even predict and stand a chance to get ahead of a detrimental action. Now that we have these Web 3.0 tools – like the LLMs! – to exploit, the regulator is in a stronger position to collect actionable intelligence at Internet speed.
[I recall from personal experience my utter surprise when hired to review regulatory processes and make recommendations for update, I suggested to staff the need to know what others are saying about them and even more importantly, what the regulated is saying to others. I suggested a document management system with RSS feeds as a baseline. They had never heard of RSS feeds! They thought it sounded too much like spying.]
All this aside, the SSL debacle was really about a failure to act. Because the evidence will show regulators were aware long before now that things were awry in that operation. You can access the regulations yourself and pass a critical eye. Check out the elements that speak to monitoring and evaluation and you can discern the gaps yourself.
Carlton