By Andrea Moundi Savvides, Head of Compliance, MLRO (Cyprus), at Harneys.
COVID-19 has changed the world in a lot more ways than one could imagine. An increase in the level of crime and changes in the type of criminal activity is just one of the many consequences of COVID-19 on global businesses. According to “COVID-19 related Money Laundering and Terrorist Financing, Risk and Policy Responses” (FATF COVID-19 paper), new Money Laundering (ML) and Terrorist Financing (TF) threats and vulnerabilities from the outbreak of COVID-19 related crimes have been created.
Before the outbreak, the first National Risk Assessment (NRA) with regards to Cyprus was completed. Following that, it was evident that Cyprus is a strong international financial centre with a significant and advanced professional services sector. The NRA acknowledges that the ML threat in Cyprus has increased due to international engagement. According to the NRA, the banking sector is the most fragile to an ML threat followed by TCSPs or lawyers or accountants offering company and trust services. The Cypriot NRA identified that TSCPs have a “medium-high” risk for ML/TF. The relative ease by which companies are set up may cause, the otherwise lawful activities they provide, to be used for criminal purposes. For instance, in Cyprus companies can be formed in less than two weeks and the actual cost does not exceed €700-800. If pre-approved names have been obtained, the service provider might be able to set up a company in just a few days. Cypriot companies have, in the past, been involved in recent laundromat instances, a fact which both justifies (i) the level of risk allocated to this sector and (ii) the risk that COVID-19 may pose if proper due diligence procedures cannot be followed.
In 2020, Moneyval, the Council of Europe’s expert committee on the evaluation of Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) measures, published a report summarising their findings on the Cyprus AML/CFT measures in place following the on-site visit which took place between 13-14 May 2019 for the period 2013-2018.
COVID-19 related crimes
Increased fraud is one of the consequences of the pandemic. In April, the FATF president stated that: “criminals are taking advantage of the COVID-19 pandemic to carry out financial fraud and exploitation scams, including advertising and trafficking in counterfeit medicines, offering fraudulent investment opportunities and engaging in phishing schemes that prey on virus-related fears. Malicious or fraudulent cybercrimes, fundraising for fake charities, and various medical scams targeting innocent victims are likely to increase”.
The European Commission has issued statements attempting to enlighten the public and prevent them from becoming victims of fraudsters. Interpol has also encouraged the public to exercise caution in general, including when buying medical supplies (including the immediate need to obtain face masks and antiseptic sprays) from “online providers” as there have been reports that the promised goods may never be delivered despite the payment having been made. Similar warnings have been issued by Europol as well as the local police in Cyprus. COVID-19 related crimes include fraud, cybercrime, misdirection or exploitation of government funds or international financial assistance.
With many places physically shutting down, working from home has become the new norm. This increases the use of online platforms for socialising, as well as purchasing goods and services which means that increased efforts need to be made both on a national level (for instance by regulators) and on a business level to ensure that adequate safeguards are appropriately used to guard against the further exploitation of the opportunities presented to criminals. Increased misuse of online financial services and virtual assets to move and conceal illicit funds is also on the rise.
The FATF COVID-19 paper highlights the increase in fundraising scams. As a jurisdiction, Cyprus should ensure that proper oversight is in order to ensure that criminals are not posing as charities by circulating emails and requesting donations for COVID-19 related fundraising campaigns. During the Moneyval inspection, Cyprus was rated as “partially compliant” in relation to Recommendation 8 of the FATF Recommendations pertaining to the standards required of non-profit organisations.
According to the Moneyval inspection, Cyprus is hugely exposed to receiving proceeds from criminal activities abroad due to its activity as a financial centre. Hence, one of the challenges that trust and company service providers based in Cyprus need to overcome as a result of COVID-19 is the collection and verification of client due diligence and the execution of documents. Arguably, the various financial crime compliance programmes are commensurate to the various risks that countries and businesses face on a daily basis, as a result of inter alia, the globalisation of crime.
Becoming commercial and pragmatic is perhaps the best way for businesses to manage the risks that have arisen because of COVID-19. For instance, when dealing with the need to comply with client due diligence and onboarding requirements, it is important for compliance officers to apply the Risk-Based Approach (RBA) to its full extent whilst acting with caution. For instance, the requirement to obtain identification documents in hard copy certified form is undoubtedly difficult, if not impossible, depending on the level of lockdown in each country. On the other hand, obtaining documents in certified format is not only a regulatory requirement in certain jurisdictions it is also a way of ensuring that the risk of impersonation is significantly minimised.
The COVID-19 pandemic has yet again highlighted the importance of shifting from traditional methods of identifying and verifying the identity of clients and using reliable digital ID verification methods. The further use of electronic platforms should also be encouraged to the extent that appropriate safeguards are in place. In scenarios where regulated institutions identify instances of lower risk, then the FATF Standards provide for simplified measures to be applied. More generally, supervisors are encouraging the full use of electronic and digital channels to continue payment services whilst maintaining social distancing.
According to the FAFT, the swift and effective implementation of measures will act as a shield against the rising risks. Such responses could include better domestic coordination and the strengthening of communication between governments and the private sector.
In Cyprus, the various regulators have issued guidance or policy papers as a response to COVID-19. For instance, the Cyprus Securities and Exchange Commission (CySEC) has issued several circulars and guidance notes informing regulated entities of the impact that COVID-19 might have on their operations. CySEC encourages regulated entities to consider their business continuity procedures and systems, proportionate to the size and complexity of a regulated entity’s activities. WFH requires a company’s systems to be just as robust and operational as on-premises. From a compliance with applicable AML/CFT procedure perspective, means providing the compliance team with unhindered access to the client files whilst at the same time ensuring that the use of those files remotely is not susceptible to external threats. It is also important to ensure communication channels between employees remain intact so criminals do not take advantage of a “broken phone” to facilitate their illegal aspirations.
Another example of the intervention by regulators in Cyprus includes the response that the Institute of Certified Public Accountants of Cyprus (ICPAC) has issued. This includes guidance as to what should be perceived as a red flag by its supervised entities during the pandemic. ICPAC urged its members to remain alert to any changes in the known business activities of their clients, or change in the behaviour of their clients, as well as new clients. With regards to the completion of client due diligence procedures, ICPAC has provided its members with general guidance notes to complete the CDD requirements such as using reliable online sources. Supervisors have also responded by extending submission deadlines to the various annual reports, which are due during the first quarter of each year.
In general, less supervision and less direct contact between supervised entities and regulatory authorities is also a risk which has arisen due to the COVID-19 pandemic. Onsite inspections have been postponed or substituted and most national and international policy departments have activated business continuity plans with most staff working from home. This development signifies yet again the importance of ensuring that robust IT infrastructure is in place to support workers, working from home and to ensure that all parties involved fulfil their obligations to the best extent possible.
It is also important to ensure that regulated entities have a central point of contact to reach out to in difficult times. Due to limited resources, it is also vital for regulators to focus their resources in the area where the risk is greater – this means that regulators may need to revisit their risk assessment on the various regulated entities in due time to ascertain whether the risk of each entity has changed.
Encouraging and enabling the use of technology to the fullest extent is also highlighted in the FATF COVID-19; it is advisable that regulators should issue guidance which would further assist companies to meet regulatory requirements in a digitalised and socially distant era. Areas where the regulator may intervene, is in instances where certified true copies and the maintenance of hard copy files are a legal requirement and CDD completion, as mentioned above. Further, within the EU it is a legal requirement to train employees to be able to identify and manage ML/TF risks in discharging their day-to-day duties. With face-to-face meetings becoming a privilege and any “mass” gatherings prohibited, businesses need to turn to e-learning, webinars and virtual workshops and other forms of distance learning. Digital payment solutions are also vital in helping social distancing rules be adhered to.
It is important to balance out the commercial needs of all types of regulated businesses with possible risks. To remain alive, companies need to be agile and take a proactive approach to address the various issues in order to come out of the crisis best.
Economic relief measures and monetary assistance to individuals and businesses is yet another area where regulated entities may need guidance on in order to detect suspicious financial transactions, particularly in the context of cross border flows from countries that are receiving emergency COVID-19 related funding from international organisations and other donors. The FATF COVID-19 paper includes a reference to the fact that measures may be implemented to prevent the misuse of economic relief packages for ML/TF purposes and manage risks including the risk of corruption. Regulated institutions should remain vigilant and ensure that AML/CFT procedures are applied correctly in such instances to avoid misuse of such economic relief, irrespective of whether it has been obtained locally or abroad.
Lastly, in the FATF COVID-19 Paper it is stated that agencies are considering pooling available resources, including repurposing assets confiscated or forfeited from criminals to assist in COVID-19 responses (eg using confiscated properties as temporary/emergency hospital facilities). The Moneyval inspection on Cyprus notes that the local competent authorities have not been proactive at freezing and confiscating foreign criminal proceeds, although they have been instrumental in assisting other countries. Unless the outbreak lasts for years, it is not likely that Cyprus will be in a position to utilize such confiscated assets for covering existing needs. According to Europol, only 1 per cent of criminal proceeds are confiscated in the EU. Nevertheless, this could be an area of development both locally as well as on an EU level.
 Cyprus National Assessment of Money Laundering and Terrorist Financing Risks, (2018), p.9.
 Trust and Company Service Providers.
 Cyprus National Assessment of Money Laundering and Terrorist Financing Risks, (2018), p.10,11.
 Cyprus National Assessment of Money Laundering and Terrorist Financing Risks, (2018).
 Transparency International UK, ‘Hiding in plain sight – how UK companies are used to launder corporate wealth’ UK, (November 2017).
 Council of Europe, ‘Committee on Legal Affairs and Human Rights Laundromats: responding to new challenges in the international fight against organised crime, corruption and money-laundering Report’, Rapporteur: Mr Mart van de VEN, Netherlands, Alliance of Liberals and Democrats for Europe (March 2019). Accessed October 20, 2019. http://website-pace.net/documents/19838/5636250/20190304-MoneyLaundering-EN.pdf/c69d9ea9-e583-4fd2-9cb2-65ed360a4b3e
 FATF, ‘COVID-19-related Money Laundering and Terrorist Financing Risks and Policy Responses’, May 2020 https://www.fatf-gafi.org/media/fatf/documents/COVID-19-AML-CFT.pdf
 https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-warns-of-financial-fraud-linked-to-COVID-19, https://www.interpol.int/en/Crimes/Financial-crime/Financial-crime-don-t-become-a-victim, https://www.interpol.int/en/News-and-Events/News/2020/Unmasked-International-COVID-19-fraud-exposed
 FATF, ‘International Standards on Combatting Money Laundering and the Financing of terrorist & proliferation’ The FATF Recommendations, Updated June 2019 https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf
 According to the Moneyval inspection, the GRECO evaluation report on Cyprus, Fourth evaluation round – Corruption prevention in respect of members of parliament, judges and prosecutors) adopted in June 2016, it is stated that that “…It would appear that general awareness about corruption in Cyprus has increased over the years but although Transparency International’s Corruption Perception Index has ranked Cyprus among countries less affected by corruption (32 out of 168), other surveys indicate that corruption is perceived to be widespread in the country;…”.
The Psychology Behind a Strong Security Culture in the Financial Sector
By Javvad Malik, Security Awareness Advocate at KnowBe4
Banks and financial industries are quite literally where the money is, positioning them as prominent targets for cybercriminals worldwide. Unfortunately, regardless of investments made in the latest technologies, the Achilles heel of these institutions is their employees. Often times, a human blunder is found to be a contributing factor of a security breach, if not the direct source. Indeed, in the 2020 Verizon Data Breach Investigations Report, miscellaneous errors were found vying closely with web application attacks for the top cause of breaches affecting the financial and insurance sector. A secretary may forward an email to the wrong recipient or a system administrator may misconfigure firewall settings. Perhaps, a user clicks on a malicious link. Whatever the case, the outcome is equally dire.
Having grown acutely aware of the role that people play in cybersecurity, business leaders are scrambling to establish a strong security culture within their own organisations. In fact, for many leaders across the globe, realising a strong security culture is of increasing importance, not solely for fear of a breach, but as fundamental to the overall success of their organisations – be it to create customer trust or enhance brand value. Yet, the term lacks a universal definition, and its interpretation varies depending on the individual. In one survey of 1,161 IT decision makers, 758 unique definitions were offered, falling into five distinct categories. While all important, these categories taken apart only feature one aspect of the wider notion of security culture.
With an incomplete understanding of the term, many organisations find themselves inadvertently overconfident in their actual capabilities to fend off cyberthreats. This speaks to the importance of building a single, clear and common definition from which organisations can learn from one another, benchmark their standing and construct a comprehensive security programme.
Defining Security Culture: The Seven Dimensions
In an effort to measure security culture through an objective, scientific method, the term can be broken down into seven key dimensions:
- Attitudes: Formed over time and through experiences, attitudes are learned opinions reflecting the preferences an individual has in favour or against security protocols and issues.
- Behaviours: The physical actions and decisions that employees make which impact the security of an organisation.
- Cognition: The understanding, knowledge and awareness of security threats and issues.
- Communication: Channels adopted to share relevant security-related information in a timely manner, while encouraging and supporting employees as they tackle security issues.
- Compliance: Written security policies and the extent that employees adhere to them.
- Norms: Unwritten rules of conduct in an organisation.
- Responsibilities: The extent to which employees recognise their role in sustaining or endangering their company’s security.
All of these dimensions are inextricably interlinked; should one falter so too would the others.
The Bearing of Banks and Financial Institutions
Collecting data from over 120,000 employees in 1,107 organisations across 24 countries, KnowBe4’s ‘Security Culture Report 2020’ found that the banking and financial sectors were among the best performers on the security culture front, with a score of 76 out of a 100. This comes as no surprise seeing as they manage highly confidential data and have thus adopted a long tradition of risk management as well as extensive regulatory oversight.
Indeed, the security culture posture is reflected in the sector’s well-oiled communication channels. As cyberthreats constantly and rapidly evolve, it is crucial that effective communication processes are implemented. This allows employees to receive accurate and relevant information with ease; having an impact on the organisation’s ability to prevent as well as respond to a security breach. In IBM’s 2020 Cost of a Data Breach study, the average reported response time to detect a data breach is 207 days with an additional 73 days to resolve the situation. This is in comparison to the financial industry’s 177 and 56 days.
Moreover, with better communication follows better attitude – both banking and financial services scored 80 and 79 in this department, respectively. Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort. It is also a means of boosting morale and inspiring greater employee engagement. As earlier mentioned, attitudes are evaluations, or learned opinions. Therefore, by keeping employees informed as well as motivated, they are more likely to view security best practices favourably, adopting them voluntarily.
Predictably, the industry ticks the box on compliance as well. The hefty fines issued by the Information Commissioner’s Office (ICO) in the past year alone, including Capital One’s $80 million penalty, probably play a part in keeping financial institutions on their toes.
Nevertheless, there continues to be room for improvement. As it stands, the overall score of 76 is within the ‘moderate’ classification, falling a long way short of the desired 90-100 range. So, what needs fixing?
Towards Achieving Excellence
There is often the misconception that banks and financial institutions are well-versed in security-related information due to their extensive exposure to the cyber domain. However, as the cognition score demonstrates, this is not the case – dawdling in the low 70s. This illustrates an urgent need for improved security awareness programmes within the sector. More importantly, employees should be trained to understand how this knowledge is applied. This can be achieved through practical exercises such as simulated phishing, for example. In addition, training should be tailored to the learning styles as well as the needs of each individual. In other words, a bank clerk would need a completely different curriculum to IT staff working on the backend of servers.
By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognise the impact that their behaviour might have on the company. In cybersecurity, success is achieved when breaches are avoided. In a way, this negative result removes the incentive that typically keeps employees engaged with an outcome. Training methods need to take this into consideration.
Then there are norms and behaviours, found to have strong correlations with one another. Norms are the compass from which individuals refer to when making decisions and negotiating everyday activities. The key is recognising that norms have two facets, one social and the other personal. The former is informed by social interactions, while the latter is grounded in the individual’s values. For instance, an accountant may connect to the VPN when working outside of the office to avoid disciplinary measures, as opposed to believing it is the right thing to do. Organisations should aim to internalise norms to generate consistent adherence to best practices irrespective of any immediate external pressures. When these norms improve, behavioural changes will reform in tandem.
Building a robust security culture is no easy task. However, the unrelenting efforts of cybercriminals to infiltrate our systems obliges us to press on. While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts -every improvement made in one dimension has a domino effect in others.
Has lockdown marked the end of cash as we know it?
By James Booth, VP of Payment Partnerships EMEA, PPRO
Since the start of the pandemic, businesses around the world have drastically changed their operations to protect employees and customers. One significant shift has been the discouragement of the use of cash in favour of digital and contactless payment methods. On the surface, moving away from cash seems like the safe, obvious thing to do to curb the spread of the virus. But, the idea of being propelled towards an innovative, digital-first, cashless society is also compelling.
Has cashless gone viral?
Recent months have forced the world online, leading to a surge in e-commerce with UK online sales seeing a rise of 168% in May and steady growth ever since. In fact, PPRO’s transaction engine, has seen online purchases across the globe increase dramatically in 2020: purchases of women’s clothing are up 311%, food and beverage by 285%, and healthcare and cosmetics by 160%.
Alongside a shift to online shopping, a recent report revealed 7.4 million in the UK are now living an almost cashless life – claiming changing payment habits has left Britons better prepared for life in lockdown. In fact, according to recent research from PPRO, 45% of UK consumers think cash will be a thing of the past in just five years. And this UK figure reflects a global trend. For example, 46% of Americans have turned to cashless payments in the wake of COVID-19. And in Italy, the volume of cashless transactions has skyrocketed by more than 80%.
More choice than ever before
Whilst the pandemic and restrictions surrounding cash have certainly accelerated the UK towards a cashless society, the proliferation of local payment methods (LPMs) in the UK, such as PayPal, Klarna and digital wallets, have also been a key driver. Today, 31% of UK consumers report they are confident using mobile wallets, such as Apple Pay. Those in Generation Z are particularly keen, with 68% expressing confidence using them.
As LPM usage continues to accelerate, the use of credit and debit cards are likely to decline in the coming years. Whilst older generations show an affinity with plastic, younger consumers feel less secure around its usage. 96% of Baby Boomers and Generation X confirmed they feel confident using credit/debit cards, compared to just 75% of Generation Z.
Does social distancing mean financial exclusion?
As we hurtle into a digital age, leaving cash in the rearview, there are ramifications of going completely cashless to consider. We must take into consideration how removing cash could disenfranchise over a quarter of our society; 26% of the global population doesn’t have a traditional bank account. Across Latin America, 38% of shoppers are unbanked, and nearly 1 in 5 online transactions are completed with cash. While in Africa and the Middle East, only 50% of consumers are banked in the traditional sense, and 12% have access to a credit card. Even here in the UK, approximately 1.3 million UK adults are classed as unbanked, exposing the large number of consumers affected by any ban on cash.
Even when shopping online – many consumers rely on cash-based payments. At the checkout page, consumers are provided with a barcode for their order. They take this barcode (either printed or on their mobile device) to a local convenience store or bank and pay in cash. At that point, the goods are shipped.
There are also older generations to consider. Following the closure of one in eight banks and cashpoints during Coronavirus, the government faced calls to act swiftly to protect access to cash, as pensioners struggled to access their savings. Despite the direction society is headed, there are a significant number of older people that still rely on cash – they have grown up using it. With an estimated two million people in the UK relying on cash for day to day spending, it is important that it does not disappear in its entirety.
Supporting the transition away from cash
Cashless protocols not only restrict access to goods and services for consumers but also limit revenue opportunity for merchants. While 2020 has provided the global economy with one great reason to reduce the acceptance of cash, the payments industry has billions of reasons to offer multiple options that cater to the needs of every kind of shopper around the world.
Whilst it seems younger generations are driving LPM adoption, it is important that older generations aren’t forgotten. If online shops fail to offer a variety of preferred payment methods, consumers will not hesitate to shop elsewhere. With 44% of consumers reporting they would stop a purchase online if their favourite payment method wasn’t available – this is something merchants need to address to attract and retain loyal customers.
UnionPay increases online acceptance across Europe and worldwide with Online Travel Agencies
- UnionPay International today announces that two of Europe’s leading travel companies, Logitravel and Destinia, have started accepting UnionPay.
- This acceptance will enable users of the groups’ travel websites to make purchases using UnionPay payment methods.
The acceptance partnerships between the OTAs and UnionPay began in July 2020 for customers across 13 European countries and another 90 countries and regions worldwide. The European countries covered by the agreements include the UK, Germany, France, Italy, Spain, Portugal, Norway, Denmark, Sweden, Austria, Switzerland, Hungary and Ireland. The brands covered by these acceptances include Logitravel.com and Destinia.com which together deliver more than 8.5 million worldwide travel bookings each year covering flights, hotels, holidays, car hire and other experiences.
With over 8.4 billion cards issued in 61 countries and regions worldwide, UnionPay has the world’s largest cardholder base and is the preferred payment brand for many Chinese and Asian expatriates and students based in Europe, as well as an increasing number of global customers. These cardholders are also particularly attractive to the two OTAs. Despite the impact of Covid-19, Logitravel and Destinia expect to see the demand for travel across the European continent as well as that between Europe and Asia return to growth in the coming years. They are now placing significant focus on offering more payment options and smoother payment services to meet this demand.
The partnerships incorporate UnionPay’s ExpressPay and SecurePlus technology, which will ensure seamless transactions for the customers, contained within a single process through the relevant websites. UnionPay’s technology also provides for the requirement to authenticate transactions under the EU regulation Payment Services Directive 2 (PSD2) ensuring that sites will be compliant as soon as the relevant countries apply the requirements.
Wei Zhihong, UnionPay International’s Market Director, said: “This is a major partnership with two of Europe’s leading online travel companies. Logitravel and Destinia are brands which have been at the forefront of e-commerce for many years and we are very excited to be working with them to extend their reach to new audiences. This highlights the work that we have carried out in ensuring that our technology provides effective solutions for the biggest e-commerce sites both in Europe and around the world. We look forward to announcing many more similar agreements in the near future.”
Jesús Pons, Chief Financial Officer at Logitravel Group said: “UnionPay has always been on our radar, and since travel has become a crucial part of its development, Logitravel felt it important to develop this important partnership. It really was an obvious decision for Logitravel since both companies share a passion for e-commerce and emphasising the payment experience for their customers.”
Ricardo Fernández, Managing Director at Destinia Group said: “We believe that this is the beginning of a really strong relationship. Our discussions with UnionPay in reaching this partnership have demonstrated their understanding of the needs of major online merchants and their ability to deliver the highest quality systems. We look forward to working together on further partnership as we move forward.”
The importance of app-based commerce to hospitality in the new normal
By Jeremy Nicholds CEO, Judopay As society adapts to the rapidly changing “new normal” of working and socialising, many businesses...
The Psychology Behind a Strong Security Culture in the Financial Sector
By Javvad Malik, Security Awareness Advocate at KnowBe4 Banks and financial industries are quite literally where the money is, positioning...
How open banking can drive innovation and growth in a post-COVID world
By Billel Ridelle, CEO at Sweep Times are pretty tough for businesses right now. For SMEs in particular, a global financial...
How to use data to protect and power your business
By Dave Parker, Group Head of Data Governance, Arrow Global Employees need to access data to do their jobs. But...
How business leaders can find the right balance between human and bot when investing in AI
By Andrew White is the ANZ Country Manager of business transformation solutions provider, Signavio The digital world moves quickly. From...
Has lockdown marked the end of cash as we know it?
By James Booth, VP of Payment Partnerships EMEA, PPRO Since the start of the pandemic, businesses around the world have...
Lockdown 2.0 – Here’s how to be the best-looking person in the virtual room
By Jeff Carlson, author of The Photographer’s Guide to Luminar 4 and Take Control of Your Digital Photos suggests “the product you’re creating is...
Banks take note: Customers want to pay with points
By Len Covello, Chief Technology Officer of Engage People ‘Pay with Points’ – that is, integrating the ability to pay...
Are you a fighter or a freezer? The 4 “F’s” of Surviving Danger
By Dr.Roger Firestien, Author of Create In a Flash. The fight, flight, freeze survival response – or FFF for short...
Why the FemTech sector might be the sustainability saviour we have been waiting for
By Kristy Chong, CEO & Founder Modibodi ® Taking single use plastics out of circulation is no easy feat, but...