Understanding Regulatory Changes in Fraud Management


Summary

Understanding regulatory changes in fraud management means staying informed about evolving laws and policies aimed at reducing fraud, such as updates to compliance requirements, liability shifts, and enforcement strategies. Business leaders must adapt quickly to mitigate risks and maintain compliance in a constantly shifting regulatory landscape.

  • Assess your risks: Regularly evaluate how new regulations may impact your organization’s fraud exposure and adapt your strategies to address any emerging vulnerabilities.
  • Improve monitoring systems: Invest in advanced technologies like real-time risk monitoring, behavioral biometrics, and AI-driven tools to detect and prevent evolving fraud schemes.
  • Strengthen internal frameworks: Ensure your compliance and risk management processes are robust, transparent, and integrated into your overall governance structure to maintain trust and accountability.
Summarized by AI based on LinkedIn member posts
  • View profile for Andrew McBride

    Compliance Week 2024 Compliance Program of the Year | Former Chief Risk & Compliance Officer Albemarle | Compliance Tech Investor | Supporting Innovation & Mentoring in the Ethics & Compliance Community

    10,524 followers

    The recently announced changes in #FCPA enforcement strategy, and resulting uncertainty, have understandably generated anxiety within the #ethics & #compliance community. While this shift in risk impact/likelihood is closer to home, and your cheese may have been moved, it still requires a proactive and dispassionate assessment of the potential impacts on your ethics & compliance program and workplace culture. Here at Integrity Bridge LLC, we’ve been brainstorming with clients and business partners about the immediate questions to be considering:

    ➡️ Company Strategy & Risk: you might be worried that management is going to adversely react to the announced pause on FCPA enforcement. But they are likely distracted by other more pressing matters. Will new tariffs require a change in supply chains? Will it affect country entry/exit or M&A decisions? Has your risk of regulatory enforcement increased in other countries as a result of trade tension? As risk & compliance leader, are you part of those strategy and risk conversations?

    ➡️ Risk Assessment & Remediation: The change in FCPA enforcement policy represents a shift in your corruption risk profile. Are there company locations/third parties who might see this as an opportunity to engage in inappropriate behavior? Do you need to increase monitoring in those areas? Is there merit in management restating their commitment to compliance with corruption laws to employees and third parties? And reinforcing the importance of speaking up if someone does request a bribe?

    ➡️ Third Party Risk Management: What is going to be your response if third parties now refuse to answer questionnaires or accede to audits? Is this now the opportunity to align corruption due diligence with e.g. sanctions, forced labor and cyber-security due diligence?

    ➡️ Monitoring: irrespective of how you feel about the initiative, there are strong parallels between some of the work that DOGE is doing (identification of potential fraud/overspend) and what compliance functions do. Is that an opportunity to explain the transaction monitoring work your team does, and how it could do more with appropriate resourcing?

    ➡️ Investigations: as Hui Chen notes in her excellent article (link below), there is perhaps less need to involve outside counsel in the investigation of corruption allegations. But do you have robust investigation governance, expertise and appropriate access to communications/data to diligently investigate those allegations?

    ➡️ Budget: You’ve just had your 2025 budget approved based on a certain set of assumptions. Rather than waiting for the question from leadership, do you need to firm up your ROI business case? (Nick Gallo has incredible resources to support this). Or even proactively pause on a particular compliance program investment until things become clearer?

    I would love to hear from you on other practical measures you are adopting in response to this change. #ethics #compliance #cco #complianceofficer #fcpa

  • View profile for Igor Volovich

    Strategist · Founder · Ex-CISO Invensys, Schneider Electric · Security Shark Tank™ Winner

    22,513 followers

    The SEC's recent move to enforce new cybersecurity rules, effective December 18, 2023, is a significant development in the corporate world, particularly for public companies. These rules, mandating the disclosure of material cybersecurity incidents within four business days, signal a pivotal shift towards greater transparency and compliance integrity in the digital age.

    ➡ Emphasis on Transparency
    The requirement for rapid disclosure reflects a growing recognition of the importance of transparency in today's interconnected digital economy. In an era where cyber threats can significantly impact a company's operations and reputation, timely and transparent communication becomes crucial. This approach aligns with the broader trend of increasing investor and public demand for openness in corporate governance, particularly regarding how companies manage and respond to cyber risks.

    ➡ The Role of Compliance Integrity
    The new rules underscore the critical role of compliance integrity in cybersecurity. It's no longer sufficient for companies to have cybersecurity measures in place; these measures must be effectively integrated into their overall governance structures. This integration is vital for building investor and stakeholder confidence in a company's ability to manage cyber risks proactively and responsibly.

    ➡ Building Compliance Confidence and Executive Accountability
    In this new regulatory landscape, the focus shifts to building compliance confidence and ensuring executive accountability for material misrepresentations. The rules compel companies to not only implement robust cybersecurity measures but also to ensure that these measures are transparent and accountable. This shift highlights the need for a clear and accurate understanding of a company's cybersecurity posture, emphasizing the importance of having real confidence in the effectiveness of cybersecurity controls and the integrity of internal risk management strategies.

    ➡ Implications for Smaller Organizations
    While these rules specifically target publicly traded companies, smaller organizations can draw valuable lessons. The emphasis on timely disclosure of cybersecurity incidents underscores the importance of having robust incident detection and response mechanisms. Furthermore, organizations of all sizes must invest in continuous control monitoring and continuous compliance. This proactive approach to cybersecurity risk management, integrating it into the overall business strategy, is becoming increasingly crucial.

    The SEC's new cybersecurity rules represent a call to action for companies to elevate their cybersecurity practices, ensuring that they are transparent, compliant, and resilient in the face of evolving cyber threats. This development is a reminder of the ongoing need for companies to adapt and strengthen their cybersecurity and risk management strategies in an ever-changing digital landscape.

    #compliance #cybersecurity #security #SEC #regulatory #enforcement #governance

  • View profile for Michelle Prohaska, NCCO, NCRM, CRCM

    Chief Banking & Risk Officer, Corporate Secretary at Nymbus | Licensed Attorney

    3,787 followers

    A bill introduced August 2nd seeks to amend Regulation E’s liability framework by shifting the onus for fraud loss to #banks and #creditunions.

    “H.R. 9303/S. 4943 would define an unauthorized transfer as one that includes a fraudulently induced transfer, requiring credit unions and other financial institutions to reimburse consumers for this type of fraud. It would also define merchant charges for undelivered goods as errors, along with misdirected payments resulting from information a consumer initially provided and would change the current carveout for wire transfers, treating remittance transfers the same as other electronic fund transfers subject to the EFTA’s framework for error resolution and consumer reimbursement.”

    Given the widespread exploitation of consumers and existing Reg E error resolution process by fraudsters today, we can expect that this shift would create a massive incentive for bad actors to double down on fraud-related efforts. Consumers would also arguably have even less incentive to take precautionary measures themselves to prevent fraud with no liability.

    Financial institutions will quickly find real-time fraud detection solutions to be imperative to hedging losses, and #fraudprevention resources will be at a premium for #fintechs and #financialinstiutions alike. Wire transfer reimbursement alone could triple or quadruple entire year fraud loss totals with just a few transactions. If you haven’t already begun thinking about how to treat fraud like a strategic differentiator rather than a cost center, there’s no better time to start!

    This one will be a close one to follow, and I’m sure face significant opposition from more than America's Credit Unions. #riskmanagement #compliance #fraudstrstegy #frauddetection #lossmanagement

  • View profile for Tamas Kadar

    Co-Founder and CEO at SEON | Democratizing Fraud Prevention for Businesses Globally

    11,275 followers

    Less regulation doesn’t mean less risk. It means more losses.

    Recent headlines about the White House pulling back on crypto enforcement send a clear signal: The burden of defense is shifting and early trends point to new vulnerabilities. Already, we’re seeing a rise in memecoin-fueled crypto “gambling” schemes. No substance. No oversight. Just pyramid structures recycling value until they collapse. Crypto fraud and scams are on pace to become the largest source of financial losses this year.

    Here’s what happens when KYC and AML enforcement weakens:

    • Exchanges relax identity standards
    • Platforms are shielded from accountability
    • Market volatility spikes
    • Institutional trust erodes
    • Scams move faster, unchecked

    🎯 Baseline compliance is no longer enough.
    🎯 Waiting for regulators to intervene is not a strategy.
    🎯 The companies that win will be the ones who build trust at speed and protect it relentlessly.

    Stronger identity verification and real-time risk monitoring are no longer regulatory obligations. They are operational necessities. The future of fraud prevention is business-driven. If you move first, you will define the next chapter. Stay one step ahead.

  • View profile for Erin McCune

    Owner @ Forte Fintech | Former Bain & Glenbrook Partner | Expert in A2A, Wholesale, & B2B Payments | Strategic Advisor to Payment Providers, Fintechs, Entrepreneurs and Investors

    8,824 followers

    Payments are under increasing scrutiny as regulatory frameworks tighten and fraud risks evolve, particularly in the wake of advancements in Generative AI and deepfakes.

    👉 Interchange fees and surcharging regulations shift payment industry dynamics, with regions like the EU and Australia capping fees to protect merchants while the U.S. remains focused on debit interchange through the Durbin Amendment. Meanwhile, surcharging remains a contentious issue, with some countries allowing merchants to pass costs on to consumers, with strict transparency rules. As regulatory bodies seek to make transactions more equitable (with a mix of intended and unintended consequences) payment providers must continuously adapt.

    👉 Open banking regulation is also reshaping payments, particularly in the UK, EU, and Australia. By mandating that banks share customer data securely via APIs with third-party providers, these regulations aim to foster innovation and competition. Open banking opens doors for fintechs to build new services, but it also comes with higher expectations for data security, customer consent, and fraud prevention.

    👉 Governments are devising digital ID frameworks to streamline identity verification (e.g. the EU’s eIDAS, India’s Aadhaar, NIST draft guidelines in the U.S.). These frameworks ensure secure access to financial services, yet they must now confront the rise of GenAI and deepfakes. Fraudsters can manipulate facial recognition, voice biometrics, and even digital ID systems using AI-generated identities, which means banks and fintechs must evolve their fraud detection techniques.

    ✔️ Opportunity: Payment providers have a long history of adaptive pricing in response to regulatory shifts. Banks and fintechs that invest in advanced verification technologies, such as multi-factor authentication, behavioral biometrics, and AI-powered fraud detection will not only protect themselves and their customers, but be able to use risk mitigation as a source of differentiation. Fraud and risk providers that offer advanced biometric and behavioral verification methods, leveraging voice characteristics, environment detection, and liveness checks will gain share in this new risk environment.

    ❌ Threat: Traditional payment processors, legacy banks, credit card issuers, and e-commerce platforms must recalibrate pricing strategies and their data access posture in response to evolving regulation: interchange fee caps, surcharging restrictions, and open banking mandates. Less sophisticated fintechs and banks that rely on outdated fraud protection systems will find themselves targeted by fraudsters, and risk losing the trust of merchants and consumer customers.

    My colleagues Michael Cashman, Roger Zhu and I recently updated our perspective on global payment trends… this is 5️⃣ of 6️⃣ in a series of posts. Are you attending #money2020usa? Reach out to the Bain & Company team if you want to discuss implications for your business.

  • View profile for Kayne McGladrey

    CISO in residence at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker

    12,629 followers

    SEC's Cybersecurity Rule: Prioritizing Action Over Avoidance

    The Harvard Law School Forum on Corporate Governance recently offered actionable advice for companies navigating the new SEC requirements. This proactive stance contrasts with the Chamber of Commerce's efforts to sidestep or challenge the new regulations. It's vital for organizations to understand their roles and responsibilities to comply effectively with these regulations. By taking tangible steps, rather than merely avoiding the issue, businesses can cultivate a robust cybersecurity environment that holds up to scrutiny and maintains investor trust.

    Roles and Their Associated Questions to Consider:

    - CEO/CFO:
      - Are the integrity and completeness of the disclosed information reliable?
      - Is the organization ready for the broader disclosures required by the new rule?
    - Boards:
      - How can consistent, effective reporting provide insights into key cyber risks?
      - Should the board actively engage with cybersecurity experts for better knowledge and understanding?
      - How can they have productive discussions with the Chief Information Security Officers (CISO) and relevant teams?
    - CIO/CISO and team:
      - Does the cyber risk management program meet the disclosure standards?
      - How can the team determine the significance of an incident promptly?
      - How can the cybersecurity program be assessed and improved continuously?
    - Legal:
      - How can disclosures be drafted to remain compliant without revealing sensitive details?
      - How will the team establish criteria for determining the significance of an incident?
      - In case of potential risks to public safety or national security, how will coordination with federal law enforcement be managed?
    - Internal Audit:
      - How will the team ensure that disclosures are complete and accurate?
      - What processes are in place to ensure the organization's internal measures are efficient and consistent?

    By taking a proactive approach, businesses can position themselves for success. Understanding change, its effects, and implementing strategic actions can turn challenges into growth and resilience opportunities. #cybersecurity #regulation #governance

  • View profile for Robert Prigge

    Jumio Corp's Indefatigable CEO & Co-Founder | Largest Identity Company in the World with $1B in Sales

    11,345 followers

    Europe is MILES ahead of the US in regulating fraud and ATO (account takeover). While the gap won't hold for long, they are doing something different across the pond. A significant new regulation in the European Union requires financial institutions to reimburse customers who lose money due to certain types of fraud, including account takeover (ATO) and authorized push payment (APP) scams. This marks a major liability shift, placing more responsibility on banks and payment service providers to protect consumers from digital payment fraud. The center of these changes? Payment Services Regulation (PSR) and the upcoming Payment Services Directive 3 (PSD3). The regulation specifically addresses reimbursement obligations for fraud losses, including ATO and APP fraud, and introduces a "shared liability model" in some cases. → Scary even for the double agents who've been playing both sides of the security game. Meanwhile, many U.S. businesses are still in a “wait and see” posture. Keeping spending slim while there's no real legal downside. But there is another kind of cost they’re not thinking about: Reputational risk. It only takes one person losing their life savings through a compromised account. One customer who realizes your platform was the easiest target. One public story that reveals you weren’t prepared. What happens when the pace shifts from one attack per day to hundreds? What happens when you go from a 3% fraud rate to 30% or more? Wait, and you may be too late. Ask yourself, what is your reputation worth? Or for those who err on the side of risk: How much can you afford to lose before the math stops working in your favor?
