在数字时代应对经济犯罪（英文版）.pdf

Economic crime in a digital age 2020 Association of Chartered Certified Accountants January 2020 About ACCA ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants, offering business- relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management. ACCA supports its 219,000 members and 527,000 students (including affiliates) in 179 countries, helping them to develop successful careers in accounting and business, with the skills required by employers. ACCA works through a network of 110 offices and centres and 7,571 Approved Employers worldwide, and 328 approved learning providers who provide high standards of learning and development. Through its public interest remit, ACCA promotes appropriate regulation of accounting and conducts relevant research to ensure accountancy continues to grow in reputation and influence. ACCA has introduced major innovations to its flagship qualification to ensure its members and future members continue to be the most valued, up to date and sought-after accountancy professionals globally. Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity, innovation, integrity and accountability. More information is here: About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst Applying similar machine learning techniques to phishing emails can improve their criminal efficiency, while the use of AI to create deep fake videos has raised concerns about the risk of identity theft. 11 Economic crime in a digital age | 2. The evolving digital environment the device and user are the key elements in any digitally enabled economic crime cyber attack. The routes may have changed, but the fundamentals of breaching personal trust remain central to the commission of the crime. The ease with which criminals can compromise email domains and create convincing communications shifts the burden of detection back onto the individual. As well as the simple proliferation of existing crimes, technological developments have introduced new vectors for crime. The development of cryptocurrencies and their availability as mechanisms for storing or transmitting value in an anonymous or pseudonymous fashion have transformed some aspects of economic crime. Nonetheless, conventional business fraud seems, for the time being, likely to continue to be carried out using fiat currency. As Claire Jenkins, Forensic Accountant, puts it, I think then the question is: how comfortable would someone be doing businesses with an individual who wants you to pay him entirely by cryptocurrency? Is it likely, even now that people will accept the payment? I have my doubts. While the majority of respondents to the EY Global Fraud Survey 2018 stated that their organisations would soon be regularly using digital payment systems, just 4% expected to be conducting business using cryptocurrencies (EY, 2018a). But in situations where trust is already compromised, the picture is very different. The ability to transfer value anonymously has huge implications for both money laundering and the broader fields of economic crime, such as people trafficking. The initial assumption of many people that early blockchain-based cryptocurrencies were impossible to track is widely recognised as no longer being true (Emerging Technology from the arXiv, 2017). While bitcoin, Ethereum and the like remain popular for many criminal transactions, they have been superseded by purpose-built anonymous currencies for those who are determined to remain untraceable. The use of tumblers, which mix dirty and clean cryptocurrency funds to hide the traces of the source and destination of funds, is a recognised threat to accountability. The ability to purchase goods on the dark web via genuinely untraceable funds has clear implications for terrorist financing. There are further issues when dealing with cross-border criminal activity. The use or ownership of cryptocurrencies in China has been outlawed, in part as a response to their use as a mechanism for evading exchange controls. In addition, there is a clear risk of breaches of sanctions regimes. In addition to the attraction of making anonymous transfers to those subject to sanctions, financial institutions with regulatory responsibilities under those regimes now face the threat of inadvertent breach if they operate using such cryptoassets. The instant a transfer is made, receipt of the funds could trigger liability, yet it is inherent in the nature of the asset that the recipient entity cannot undertake due diligence in the conventional sense. The difficulty of tracing cryptocurrency transactions, allied with the ease of accessing them, has fuelled secondary markets for criminal activity, warns Narayanan Vaidyanathan, Head of Business Insights ACCA. And the reason theyve been able to fuel that is because they have this inability to directly track and trace the beneficial owner of the funds. And thats a challenge that we did not have in the same way previously. The implications of that challenge can be immense. In one instance, a teenager took advantage of the ease of access to online tools to purchase a distributed denial of service (DDoS) attack, which he targeted at his schools website so as to create a plausible excuse for playing football with friends instead of completing and submitting online homework. In fact, the prank backfired: the schools site was hosted by the internet service provider (ISP) that supported the transport provider for the UKs organ donor network, and the attack disrupted vital surgery across the country. The ability to transfer value anonymously has huge implications for both money laundering and the broader fields of economic crime, such as people trafficking. 12 Economic crime in a digital age | 2. The evolving digital environment NEW HORIZONS That incident also relates to the evolution of existing economic crimes. Technological advances are creating entirely new forms of attack on the value inherent in businesses. Denying a business access to its markets would have been historically uneconomic for criminals to consider, yet the disruption caused by a DDoS attack on an online seller can now be generated for minimal cost, and at low risk. The modern-day protection racket is more likely to arrive via email than in an anonymous car full of heavyset men with baseball bats. Keeping records and managing data have always been fundamental to successful business decision-making. Auditing, and the trust that it creates for stakeholders, relies on manageable and trustworthy data. But the digital era has brought more data than ever, in both volume and variety. There is an opportunity here for accountants to derive an even greater advantage from the increasing data by generating better insights and extracting the maximum value from the resource. To this end, accountants can work with compliance and risk departments to identify risk areas and can help assess the effectiveness of the controls in place. On the other hand, this opportunity for legitimate business has a mirror in the criminal world. The usefulness of customer lists to direct competitors has long been recognised, but increasingly it is simply the personal information held by a business that motivates criminals to attack. In addition, for the newer-platform business models, the value of network effects 3 is an essential element in their attractiveness to partners and criminals. Working out where in the matrix of economic crime such activities fit will be a challenge which informs the regulatory response. Arguably, in a spectrum that ranges from fraud through money laundering and even possibly encompassing human trafficking, there is a place for the deliberate targeting of a businesss revenue-generating machinery as a means of generating revenue for thieves. Facing the increasing complexity of fraud patterns, there are many technology tools that have been more widely adopted by forensic accountants to identify risks and investigate criminal activities more effectively and efficiently. At the same time, some jurisdictions have been seen as effective in encouraging the private sector to explore new technological methods of creating value and combating economic crime. For example, Jack Jia, Partner, Ernst supporting a culture of cooperation between institutions and companies was seen as more effective than merely applying penalties. As Anne McCormick, EMEIA Public Policy and Network Engagement Leader, Ernst instead of thinking, I do not want that to happen to me, they think that is not going to happen to me. In the words of Matthew Stephenson, professor of law at Harvard Law School, Effective enforcement of anticorruption rules, including criminal law enforcement, against individual wrongdoers is necessary but not sufficient to combat systemic corruption. (Stephenson, 2019) Equally, the changing technological landscape could disrupt the effect of countermeasures against economic crime. The usefulness of new detection tools in the corporate environment should be recognised by management, regulators and law enforcement alike and their use encouraged within legal frameworks adapted to give weight to evidence generated and curated by AI tools. Criminals are more likely to refrain from illegal activities if they judge that the risk of detection is too great. Integrity is key to the organisational hostile environment for economic crime. Building on the core elements of governance, culture, controls and insights, the business can blend human factors with enhanced tools using innovative techniques to bridge the gap between organisational intentions and actions (Gordon, 2019). As the information gathered from enhanced monitoring and analysis in the control environment feeds into a better understanding of the human decisions that characterise the business, so the governance mechanisms can adapt to create and enhance a culture of compliance, in which doing the right thing, and avoiding the opportunity cost of dealing with the aftermath of doing the wrong thing, becomes the default position. These updated and evolved structures will demand changes in the skills and approaches of employees and management, as well as in policies and processes. Companies will need to invest in their staff so that they will understand the implications of the effective use of AI, and to appreciate the legal and reputational consequences of failure to understand the risks that AI presents. The step change in data management heralds a transformation in compliance departments as ethical values come to the fore. Above all, humans need to supervise and control the process. In the age of AI, this is a big ask of a companys senior executives, but this is what is required and demanded of them (EY, 2019). The use of tools such as AI to identify criminal behaviours has an important role to play in fraud detection, but prevention is better than cure, and deterrence should trump detection as a policy outcome to pursue. 24 Economic crime in a digital age | 3. Policy and practice: responses to economic crime in a digital age One intrinsically human element of the fight against crime is the whistle-blower. A number of the interviewees we consulted pointed to the importance of effective whistle-blowing mechanisms that support both the prevention and detection of economic crime. For example, Harbinson saw the development of whistle-blowing programmes within your own organisation as a critical step in the defence against economic crime. He went on to note that this protection must be accessible to your suppliers and your customers. A series of surveys into the awareness of, and impact on, smaller businesses of bribery and corruption found that respondents ranked high-profile prosecutions as only the fourth most effective option of the five offered, with whistle-blowing laws and mechanisms rising from third place in 2007 and second in 2013 to being ranked the most effective of the options by 2019 (ACCA, 2007; Davies and Mirkovic, 2013a, 2013b; ACCA, 2007, 2019a, 2019b). In the resource-constrained SME sector, access to stakeholder programmes, whether provided by government or supply-chain partners, will be essential. In practice, the challenges of effectively implementing whistle-blower programmes must not be underestimated. Creation of regulation and process is less than half the battle, with cultural factors both in business and society at large often compromising the effectiveness of such initiatives. A number of the interviewees we consulted pointed to the importance of effective whistle- blowing mechanisms that support both the prevention and detection of economic crime. THE ROLE OF AUDITING PROFESSIONALS In addition to the internal controls used by business, the scope for impact on the audit profession should be explored. Survey work by ACCA measuring perceptions among the general public uncovered a widespread belief in respondents that auditors should be responsible for uncovering fraud at every level (notwithstanding materiality considerations and current regulatory frameworks). Globally, just 30% of respondents recognised that there might be some limitations to auditors ability to detect fraud, while in the UK, 69% of the public respondents expected auditors to detect fraud that would affect financial statements or detect and report all fraud, regardless of size or impact (ACCA, 2019c). Historically, the response to this from the profession might well have been that, however attractive such an aspiration might be, and regardless of the conceptual role of the auditor, 100% analysis would require such intensive resource deployment as to be economically impossible. But the techniques being used to detect and predict anomalous behaviour in real time could potentially be deployed in a historic audit to uncover patterns apparent only in hindsight. Of course, detecting all economic crime will remain impossible in the face of determined criminals “Business technology is no longer an administrative tool; its fundamental component of the compliance environment, and an integral part of the defences as it becomes a vector of attack. Making the right decisions, at both strategic and tactical levels, will depend on the right talent having the right skills and the right information to tackle the rapidly changing digital world.” Mike Suffield Director Profe