Apple move highlights growing trend of commercial pressure to take enhanced responsibility for supply chain
On 13 February 2014, technology giant Apple published its Supplier Responsibility 2014 Progress Report. The report made public details of its progress in raising standards throughout its global supply chain, educating staff, improving working conditions and imposing higher standards of conduct on the businesses it relies on for the manufacture of products such as the iPad, iPhone and Mac.
Once upon a time, corporates managed their supply chains for value and efficient delivery. Management is no longer so simple: the challenges of supply chain management now include factors as varied as human rights, economic sanctions, export controls, corruption and local content laws. This deliberate focus on ethics by corporates means that national regulators and enforcement agencies can increasingly count on the corporate community itself to help tackle complex crimes such as fraud and corruption. This may represent the leading edge of corporate compliance, but market-leading corporations are already promoting sustainable, ethical practice by integrating it into supply chain evaluation and selection processes and by pushing obligations, certification and transparency down their supply chains.
Of particular interest is Apple’s decision to publish a list of smelters and refineries used by the company, indicating which of them may be using conflict minerals.
Conflict minerals are metals, typically tungsten, tantalum, tin and gold, which are mined in conditions of armed conflict and human rights abuses, mostly in the eastern provinces of the Democratic Republic of Congo and adjacent areas of neighbouring countries.
Under Section 1502 of the US Dodd-Frank Act, companies that report to the SEC are required to disclose in an annual report the steps they are taking to ensure their products do not contain conflict minerals, and to publish this information on their websites. The move is designed to encourage companies both to scrutinise more thoroughly the source of their products and to improve the transparency of their business operations.
Apple’s report contains a list split into three sections according to smelters’ compliance with the Conflict-Free Smelter Program (CFSP). Companies are placed in one of the following lists:
- CFSP Compliant Smelters;
- CFSP Participating Smelters (those that have agreed to participate in the CFSP audit); or
- No known or public CFSP participation (Apple has reached out but no participation is yet acknowledged).
This move ultimately casts doubt on the ethics of those with no known participation, at the same time as demonstrating the importance that Apple has placed on promoting transparency in its wider business operations.
The recent scandal surrounding the Kaloti Group refinery audit underlines the potential scale of the problem. According to a whistle-blower, a former partner of the accounting firm EY, an audit of the Kaloti refinery in Dubai revealed that Kaloti paid around US$5 billion in cash for gold purchases in 2012 alone (around 45% of its total 2012 business).
Expanding reach of legislation
The mechanism utilised by Dodd-Frank is not the only legislative measure designed to encourage corporates to more effectively police their supply chains. The ‘associated persons’ provisions contained in the UK Bribery Act 2010 also apply, as do other statutes such as the US Foreign Corrupt Practices Act. These legislative measures and substantial prosecution efforts have served to force companies to pay more attention to their supply chains and ensure that they police their own business partners.
Corporates regulating corporates
Major companies, from Coca-Cola to BP, now have stringent supplier codes of conduct that they require partners to sign up to in order to enter into business relationships. Apple’s report states that “to do business with Apple, our suppliers must live up to the toughest standards in the industry, and we make sure there’s no confusion over our expectations”. The standards that Apple and other leading multinationals impose upon their business partners frequently reflect international best practice rather than the minimum levels set by legislation.
Major companies are willing to take drastic steps to protect their reputations. There are numerous examples of companies terminating supplier contracts due to ethical failures. In January 2013 a number of companies, including Tesco and Burger King, dropped Silvercrest after it became embroiled in the European horsemeat scandal, costing the firm tens of millions of pounds in lost orders. Tesco claimed in a statement that “the breach of trust [was] simply too great”.
Increasingly, attention is expanding from management and vetting of the existing supply chain to evaluation and selection of new vendors. In higher-risk activities such as logistics and customs clearance for example, FTSE-100 corporates are increasingly evaluating the ethical policies and procedures of potential new vendors. Vendors with clear, detailed, and demonstrably active ethical programs open up clear blue water between themselves and their competition. Ironically, this means that suppliers with historic problems, and the enforced remediation that follows, find themselves in a much stronger position than their competition.
What this means for the supply chain
Reputation management is vital to the health of the world’s largest brands, and even conduct of suppliers that does not contravene laws may be enough to trigger termination clauses in contracts if it is so emphatically at odds with the principal corporate’s ethical values.
It is clear that companies at all levels of the product supply chain must think beyond compliance with the national laws they are subject to. With 70 per cent of global trade estimated to involve the world’s 500 largest companies, multinationals are crucial to the financial health of smaller corporates throughout the world. They are also the primary targets of prosecutors, NGOs and consumers owing to their high profile.
In the face of such scrutiny, multinationals are increasingly widening their compliance programmes to require business partners to comply with best practices from appointment onwards, and to monitor performance. Corporations which recognise this and incorporate these features into their businesses and into their customer management will become market leaders.
All corporates should take an interest in their supply chains, undertake appropriate due diligence of new business partners and implement robust compliance programmes which meet international best practice norms. Should they fail to do so, they increasingly risk losing out on lucrative contracts and suffering reputational damage in the increasingly public sphere of business ethics.
About the Authors
Toby Duthie Partner, Forensic Risk Alliance
Toby Duthie is one of FRA’s co-founders and heads its London office. With experience in cases involving government enforcement in the UK and the US, his expertise lies in internal and regulatory investigations, data protection and complex financial modeling, with particular experience in global, multi-jurisdictional cases. Toby was instrumental in the development of FRA’s service in the anti-corruption and white-collar defense arena across Europe. He spent more than five years in the US, gaining extensive experience advising on damages amounts in a number of complex civil and criminal litigations and in connection with a number of high-profile FCPA enforcement actions (e.g. Panalpina, Bonny Island LNG and Oil for Food). He has also worked on matters involving the UK, Swiss and French regulators.
Derek Patterson Principal, Forensic Risk Alliance (FRA)
Derek Patterson is a forensic accountant with over 20 years’ experience in reviewing multi-dimensional financial facts, fraud and corruption, evaluating financial losses and in matters requiring internal investigation. He is currently involved in a number of complex financial reconstructions, multi-jurisdictional corruption investigations and pre-emptive reviews under a variety of anti-corruption regimes, including the US FCPA, the Swiss federal prosecutor, and the UK SFO.
Derek has recently undertaken compliance reviews and internal investigations for US and European clients in the extractive, infrastructure and medical devices sectors. For example, as part of a compliance enhancement initiative for a US-listed Oil Services company, Derek was responsible for the transactional sampling, testing and review of certain higher-risk West African operations. This included an especially detailed review of customs and logistics controls and transactions.
Jason Hungerford Senior Associate, Norton Rose Fulbright
Jason Hungerford is a disputes resolution lawyer based in London. Jason specialises in corporate compliance and investigations under a range of anti-bribery, economic sanctions and trade control laws and regulations.
Previously based in Washington, DC, Jason’s engagements have included the design and implementation of global compliance and training programs, regulatory due diligence for corporate transactions, internal investigations, and representation of corporate clients before governmental agencies. Jason advises on the FCPA, UK Bribery Act, economic sanctions administered by OFAC and the European Union, and US and EU dual-use and military trade controls, including ITAR. Jason has also advised on proceedings before the Committee on Foreign Investment in the United States.
About Forensic Risk Alliance
Forensic Risk Alliance (FRA) is a consulting firm with offices in the US, UK, France and Switzerland. It helps businesses to resolve complex and high-risk financial, legal and regulatory challenges. Its people provide independent, conflict-free advice and litigation support services, often in the local language, as its team speaks virtually all of the world’s key business languages, including most European languages as well as Arabic, Russian, Mandarin and Cantonese Chinese, Malay and Bahasa Indonesia. FRA collects and analyzes data for use in legal disputes and investigations (often cross-border) in a number of areas, including litigation, fraud, bribery and corruption investigations. The company has extensive worldwide project experience in Latin America, Asia, Europe, Africa and the Middle East. FRA is one of only ten companies in the world approved to carry out validation audits for the EITI (Extractive Industries Transparency Initiative), which evaluate how well a country’s government conforms to the EITI’s standards of transparency in reporting revenue received from the extraction of natural resources. Members of the FRA team also provide expert witness testimony in court when required and have recently contributed two chapters to the Serious Fraud Office’s book ‘Serious Economic Crime – a boardroom guide to prevention and compliance’.
For more information, please visit www.forensicrisk.com or call +44 (0) 207 831 9110.
ISO 20022 migration: full speed ahead despite recent delays, says new Deutsche Bank paper
Today, Deutsche Bank has released the third installment in its “Guide to ISO 20022 migration” series, which offers a comprehensive update on the industry shift to the de facto global standard for financial messaging: ISO 20022. This paper comes at a critical time for the ISO 20022 migration, with a number of changes to existing timelines and strategies from SWIFT and the world’s major market infrastructures having been announced this year.
The paper explores the latest developments, including SWIFT’s year-long postponement of the migration in the correspondent banking space. The decision meets industry calls for a delay and also provides ample time to build the new central Transaction Management Platform (TMP) – a core feature of SWIFT’s new strategy that will allow the industry to move away from point-to-point messaging and towards central transaction processing.
It also details the wave of action that has been seen by market infrastructures around the world – with many, including the ECB, EBA CLEARING and the Bank of England, announcing revised migration approaches.
“Now more than ever, with shifting timelines and strained resources, it is vital that banks and corporates alike do not view the ISO 20022 migration as just another project that can be put on the back burner,” says Christian Westerhaus, Head of Cash Products, Cash Management, Deutsche Bank. “The delays in the correspondent banking space, and across several market infrastructures, should not be seen as an opportunity for banks to take their foot off the pedal. The journey to ISO 20022 is still moving ahead at speed – and internal projects need to reflect this.”
The Guide also highlights the implementation issues on the migration journey ahead – most notably surrounding interoperability between market infrastructures, usage guidelines and messaging formats. This is achieved through a series of deep dives, case studies, and points of attention drawn from Deutsche Bank’s internal analysis.
“As this year has proved, nothing is set in stone,” says Paula Roels, Head of Market Infrastructure & Industry Initiatives, Deutsche Bank. “The ISO 20022 migration involves a lot of moving parts and keeping abreast of the latest developments is critical for banks and corporates alike. As the deadlines near, and the ISO 20022 story develops, this series of guides will continue to highlight key points for consideration over the coming years.”
The Psychology Behind a Strong Security Culture in the Financial Sector
By Javvad Malik, Security Awareness Advocate at KnowBe4
Banks and financial institutions are quite literally where the money is, which makes them prominent targets for cybercriminals worldwide. Unfortunately, regardless of the investment made in the latest technologies, the Achilles heel of these institutions is their employees. Often, a human blunder is found to be a contributing factor in a security breach, if not its direct cause. Indeed, in the 2020 Verizon Data Breach Investigations Report, miscellaneous errors were found vying closely with web application attacks for the top cause of breaches affecting the financial and insurance sector. A secretary may forward an email to the wrong recipient, or a system administrator may misconfigure firewall settings. Perhaps a user clicks on a malicious link. Whatever the case, the outcome is equally dire.
Having grown acutely aware of the role that people play in cybersecurity, business leaders are scrambling to establish a strong security culture within their own organisations. In fact, for many leaders across the globe, realising a strong security culture is of increasing importance, not solely for fear of a breach, but as fundamental to the overall success of their organisations – be it to create customer trust or enhance brand value. Yet, the term lacks a universal definition, and its interpretation varies depending on the individual. In one survey of 1,161 IT decision makers, 758 unique definitions were offered, falling into five distinct categories. While all important, these categories taken apart only feature one aspect of the wider notion of security culture.
With an incomplete understanding of the term, many organisations find themselves inadvertently overconfident about their actual ability to fend off cyberthreats. This speaks to the importance of building a single, clear and common definition with which organisations can learn from one another, benchmark their standing and construct a comprehensive security programme.
Defining Security Culture: The Seven Dimensions
In an effort to measure security culture through an objective, scientific method, the term can be broken down into seven key dimensions:
- Attitudes: Formed over time and through experiences, attitudes are learned opinions reflecting the preferences an individual has in favour or against security protocols and issues.
- Behaviours: The physical actions and decisions that employees make which impact the security of an organisation.
- Cognition: The understanding, knowledge and awareness of security threats and issues.
- Communication: Channels adopted to share relevant security-related information in a timely manner, while encouraging and supporting employees as they tackle security issues.
- Compliance: Written security policies and the extent that employees adhere to them.
- Norms: Unwritten rules of conduct in an organisation.
- Responsibilities: The extent to which employees recognise their role in sustaining or endangering their company’s security.
All of these dimensions are inextricably interlinked; should one falter so too would the others.
The Bearing of Banks and Financial Institutions
Collecting data from over 120,000 employees in 1,107 organisations across 24 countries, KnowBe4’s ‘Security Culture Report 2020’ found that the banking and financial sectors were among the best performers on the security culture front, with a score of 76 out of 100. This comes as no surprise, seeing as they manage highly confidential data and have a long tradition of risk management as well as extensive regulatory oversight.
Indeed, this security culture posture is reflected in the sector’s well-oiled communication channels. As cyberthreats constantly and rapidly evolve, it is crucial that effective communication processes are in place. These allow employees to receive accurate and relevant information with ease, which in turn affects the organisation’s ability both to prevent and to respond to a security breach. In IBM’s 2020 Cost of a Data Breach study, the average time to identify a data breach was 207 days, with a further 73 days to contain it; for the financial industry the figures were 177 and 56 days.
Moreover, better communication brings better attitudes: banking and financial services scored 80 and 79 respectively in this dimension. Good communication is integral to facilitating collaboration between departments and offers a reminder that security is not achieved solely within the IT department; rather, it is a team effort. It is also a means of boosting morale and inspiring greater employee engagement. As mentioned earlier, attitudes are evaluations, or learned opinions. Therefore, by keeping employees informed as well as motivated, they are more likely to view security best practices favourably and adopt them voluntarily.
Predictably, the industry ticks the box on compliance as well. The hefty penalties imposed by regulators in the past year alone, including the US$80 million fine the US Office of the Comptroller of the Currency levied on Capital One over its 2019 data breach, probably play a part in keeping financial institutions on their toes.
Nevertheless, there continues to be room for improvement. As it stands, the overall score of 76 is within the ‘moderate’ classification, falling a long way short of the desired 90-100 range. So, what needs fixing?
Towards Achieving Excellence
There is often the misconception that banks and financial institutions are well-versed in security-related information due to their extensive exposure to the cyber domain. However, as the cognition score demonstrates, this is not the case – dawdling in the low 70s. This illustrates an urgent need for improved security awareness programmes within the sector. More importantly, employees should be trained to understand how this knowledge is applied. This can be achieved through practical exercises such as simulated phishing, for example. In addition, training should be tailored to the learning styles as well as the needs of each individual. In other words, a bank clerk would need a completely different curriculum to IT staff working on the backend of servers.
By building on cognition, financial institutions can instil a sense of responsibility among employees as they begin to recognise the impact that their behaviour might have on the company. In cybersecurity, success is the absence of an event: the breaches that did not happen. That absence offers none of the visible feedback that typically keeps employees engaged with an outcome, and training methods need to take this into consideration.
Then there are norms and behaviours, which are found to correlate strongly with one another. Norms are the compass individuals refer to when making decisions and negotiating everyday activities. The key is recognising that norms have two facets, one social and the other personal. The former is informed by social interactions, while the latter is grounded in the individual’s values. For instance, an accountant may connect to the VPN when working outside the office to avoid disciplinary measures, rather than because they believe it is the right thing to do. Organisations should aim to have employees internalise norms, so that adherence to best practice is consistent irrespective of any immediate external pressure. As norms improve, behaviour changes in tandem.
Building a robust security culture is no easy task. However, the unrelenting efforts of cybercriminals to infiltrate our systems oblige us to press on. While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts: every improvement made in one dimension has a domino effect in others.
Has lockdown marked the end of cash as we know it?
By James Booth, VP of Payment Partnerships EMEA, PPRO
Since the start of the pandemic, businesses around the world have drastically changed their operations to protect employees and customers. One significant shift has been the discouragement of the use of cash in favour of digital and contactless payment methods. On the surface, moving away from cash seems like the safe, obvious thing to do to curb the spread of the virus. But, the idea of being propelled towards an innovative, digital-first, cashless society is also compelling.
Has cashless gone viral?
Recent months have forced the world online, leading to a surge in e-commerce, with UK online sales rising 168% in May and growing steadily ever since. In fact, PPRO’s transaction engine has seen online purchases across the globe increase dramatically in 2020: purchases of women’s clothing are up 311%, food and beverage by 285%, and healthcare and cosmetics by 160%.
Alongside the shift to online shopping, a recent report revealed that 7.4 million people in the UK are now living an almost cashless life, and claimed that changing payment habits have left Britons better prepared for life in lockdown. In fact, according to recent research from PPRO, 45% of UK consumers think cash will be a thing of the past within just five years. This UK figure reflects a global trend. For example, 46% of Americans have turned to cashless payments in the wake of COVID-19, and in Italy the volume of cashless transactions has skyrocketed by more than 80%.
More choice than ever before
Whilst the pandemic and restrictions surrounding cash have certainly accelerated the UK towards a cashless society, the proliferation of local payment methods (LPMs) in the UK, such as PayPal, Klarna and digital wallets, have also been a key driver. Today, 31% of UK consumers report they are confident using mobile wallets, such as Apple Pay. Those in Generation Z are particularly keen, with 68% expressing confidence using them.
As LPM usage continues to accelerate, the use of credit and debit cards is likely to decline in the coming years. Whilst older generations show an affinity with plastic, younger consumers feel less secure using it: 96% of Baby Boomers and Generation X confirmed they feel confident using credit/debit cards, compared with just 75% of Generation Z.
Does social distancing mean financial exclusion?
As we hurtle into a digital age, leaving cash in the rearview, there are ramifications of going completely cashless to consider. We must take into consideration how removing cash could disenfranchise over a quarter of our society; 26% of the global population doesn’t have a traditional bank account. Across Latin America, 38% of shoppers are unbanked, and nearly 1 in 5 online transactions are completed with cash. While in Africa and the Middle East, only 50% of consumers are banked in the traditional sense, and 12% have access to a credit card. Even here in the UK, approximately 1.3 million UK adults are classed as unbanked, exposing the large number of consumers affected by any ban on cash.
Even when shopping online – many consumers rely on cash-based payments. At the checkout page, consumers are provided with a barcode for their order. They take this barcode (either printed or on their mobile device) to a local convenience store or bank and pay in cash. At that point, the goods are shipped.
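The cash-voucher checkout just described has one security-relevant invariant: the goods ship only once the cash has actually been taken at the store, so the “paid” notification from the collecting partner is the message an attacker would want to forge, alter or replay. The following is an added illustration of that flow written for this page, not PPRO’s code or any real provider’s API. Everything in it is an assumption made for the example: the order states, the random voucher code, the shared secret with the collecting partner, and the HMAC-signed notification format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Assumption for this example: the merchant and the cash-collection partner
# (the convenience stores/banks that take the cash) share a secret, provisioned
# out of band, with which the partner signs every "paid in store" notification.
COLLECTOR_SECRET = b"example-shared-secret-not-for-production"


class OrderState(Enum):
    AWAITING_CASH = "awaiting_cash"  # voucher issued, nothing paid yet
    PAID = "paid"                    # authentic, matching confirmation received
    SHIPPED = "shipped"              # goods released


@dataclass
class Order:
    order_ref: str
    amount_cents: int
    currency: str
    voucher_code: str
    expires_at: datetime
    state: OrderState = OrderState.AWAITING_CASH


def issue_voucher(order_ref: str, amount_cents: int, currency: str,
                  now: datetime, validity: timedelta = timedelta(days=3)) -> Order:
    """Checkout step: record the order and mint the code the shopper takes to
    the store (printed or on a phone). The code is random rather than derived
    from the order reference, so it cannot be guessed or enumerated."""
    return Order(order_ref, amount_cents, currency,
                 secrets.token_hex(8), now + validity)


def sign_confirmation(voucher_code: str, amount_cents: int, currency: str,
                      paid_at: datetime, key: bytes = COLLECTOR_SECRET) -> str:
    """HMAC-SHA256 over the fields of a 'paid' notification (assumed format)."""
    msg = f"{voucher_code}|{amount_cents}|{currency}|{paid_at.isoformat()}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def apply_confirmation(order: Order, voucher_code: str, amount_cents: int,
                       currency: str, paid_at: datetime, signature: str,
                       key: bytes = COLLECTOR_SECRET) -> bool:
    """Merchant side: move the order to PAID only if the notification is
    authentic and matches what was issued. Returns True when the state changed."""
    expected = sign_confirmation(voucher_code, amount_cents, currency, paid_at, key)
    if not hmac.compare_digest(expected, signature):
        return False  # forged or tampered notification
    if voucher_code != order.voucher_code:
        return False  # confirmation belongs to a different voucher
    if amount_cents != order.amount_cents or currency != order.currency:
        return False  # underpayment or currency mismatch
    if paid_at > order.expires_at:
        return False  # voucher was no longer valid when the cash was taken
    if order.state is not OrderState.AWAITING_CASH:
        return False  # replayed notification: already paid or shipped
    order.state = OrderState.PAID
    return True


def ship(order: Order) -> bool:
    """Fulfilment: goods leave only once a verified payment is on record."""
    if order.state is not OrderState.PAID:
        return False
    order.state = OrderState.SHIPPED
    return True


# Constructed walk-through: one order, a notification with a tampered amount,
# the genuine notification, a replay of it, then shipment.
DEMO_NOW = datetime(2020, 11, 1, 9, 0, tzinfo=timezone.utc)
DEMO_PAID_AT = DEMO_NOW + timedelta(hours=2)


def demo() -> dict:
    order = issue_voucher("ORD-1001", 4999, "GBP", DEMO_NOW)
    sig = sign_confirmation(order.voucher_code, 4999, "GBP", DEMO_PAID_AT)
    code = order.voucher_code
    return {
        "ship_before_payment": ship(order),
        "tampered_amount": apply_confirmation(order, code, 100, "GBP", DEMO_PAID_AT, sig),
        "genuine": apply_confirmation(order, code, 4999, "GBP", DEMO_PAID_AT, sig),
        "replay": apply_confirmation(order, code, 4999, "GBP", DEMO_PAID_AT, sig),
        "ship_after_payment": ship(order),
        "final_state": order.state.value,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature is checked first and with a constant-time comparison, the amount and currency are compared against the order rather than trusted from the message, and the state check rejects a second delivery of the same notification. In a real deployment the order state would live in a database and the state transition would need to be atomic, but the checks are the same.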
There are also older generations to consider. Following the closure of one in eight bank branches and cashpoints during the coronavirus lockdown, the government faced calls to act swiftly to protect access to cash, as pensioners struggled to access their savings. Despite the direction society is headed, a significant number of older people still rely on cash; they have grown up using it. With an estimated two million people in the UK relying on cash for day-to-day spending, it is important that it does not disappear entirely.
Supporting the transition away from cash
Cashless protocols not only restrict access to goods and services for consumers but also limit revenue opportunity for merchants. While 2020 has provided the global economy with one great reason to reduce the acceptance of cash, the payments industry has billions of reasons to offer multiple options that cater to the needs of every kind of shopper around the world.
Whilst it seems younger generations are driving LPM adoption, it is important that older generations aren’t forgotten. If online shops fail to offer a variety of preferred payment methods, consumers will not hesitate to shop elsewhere. With 44% of consumers reporting they would stop a purchase online if their favourite payment method wasn’t available – this is something merchants need to address to attract and retain loyal customers.