The Commission remains conscious of the operational issues being experienced by firms as they continue in their transition to an environment in which the majority, if not all, staff will be working from home. The Commission also acknowledges, and appreciates, the steps taken by these firms to continue to provide uninterrupted services to their customers and clients, albeit sometimes through differing media, and their commitment to helping the Bailiwick.
With the measures being taken by the States of Guernsey, and other governments around the world, to mitigate the health, social and economic impact of the COVID-19 pandemic, there is an increased risk that fraudsters will try to take advantage of the disruption to the normal operation of firms in the Bailiwick.
The Commission would ask all licensees and registered businesses to stay attuned to the heightened risk of fraud facing each of their businesses.
The sophistication of fraud schemes is likely to evolve as the COVID-19 pandemic deepens with the imminent threats being:
- Third party impersonation fraud (i.e. the risk that a third party may impersonate an individual or business to extract payment)
- First party application fraud (i.e. the risk that an applicant may misrepresent their circumstances to qualify for a payment or loan)
- Increased risk of phishing and other cyber crimes
The Commission recognises that firms may have had to amend their processes and procedures, not only to facilitate staff working from home but also to accommodate consumer and client circumstances, for example, for those customers who are self-isolating or sick or where firms are operating on reduced staffing levels. Whilst these changes are necessary in these unprecedented circumstances, firms should ensure that potential weaknesses in amended processes are fully assessed, addressed and documented and that all relevant staff are made aware of the increased risk.
The Commission would expect licensees to continue to apply effective fraud controls. These measures could include, although are not limited to:
- Undertaking or updating the licensee’s fraud risk assessment;
- Ongoing scanning for new threats and risks, including through the increased use of remote working;
- Integrated fraud control as part of the licensee’s policies and procedures, including continuing efforts to prevent cybercrime;
- Continuing upfront controls to identify and verify individuals and businesses, including the beneficiary’s account details as a means to prevent fraud taking place;
- Using upfront fraud prevention clauses in application forms and processes (including call scripts) to make applicants aware of how their data will be used and their legal obligations.