Post-pandemic: focus on evolving fraud and cyber strategies – learning from the Wirecard scandal

As consumer behaviours drove the need for access to financial services without having to handle cash or other ‘unsafe’ payment methods, financial services companies were only too happy to oblige, and fintech popularity increased as a result. The demand for digital services led to even more dependencies on the digital supply chain, leading many to wonder what effect a massive supply chain failure would have on the payments industry. We didn’t have to ponder for very long. 

Reading the signs 

In January 2019, a Financial Times investigation highlighted underlying problems with potentially false accounting and money laundering in the Asian operation of Wirecard. Questionably, Edo Kurniawan, the accountable executive, remained in position after the investigation showed numerous accounting and internal controls failures for more than a decade. Subsequent clean audits from EY gave Wirecard a semblance of respectability. As expected, Wirecard played the deflection card when the FT contacted them, affirming that it ‘took all compliance and regulatory obligations extremely seriously’, and that it had ‘stringent internal and external audits’, and that any concerns were ‘always thoroughly and appropriately investigated’. It then became apparent that Wirecard processed transactions for a Maltese Mafia-linked casino, known for its money laundering activities. Analysts, investors, and regulators, with few exceptions, largely turned a blind eye. Wirecard ex COO is now on Interpol’s most wanted list and its assets are being sold off.

The consequences were stark: this fintech success story turned into a nightmare and Wirecard was suspended by several regulators, leaving many of their fintech customers unable to process payments. This left consumers, some in vulnerable segments, unable to access their fund.

As this most epic governance failure unfolded, it was a clear reminder that even in times of crisis, businesses must not relax their governance and risk postures in order to continue protecting consumers’ data and assets. 

Don’t pass the buck 

Some blamed the regulators, arguing that existing frameworks were not adequate. It is my firm belief that regulations are no substitute for accountability, transparency, governance, and risk management. Let’s not repeat the Wirecard mistakes:

• Failure to heed early warnings – This denotes the absence of an effective corporate risk and governance framework that would have spotted irregularities. It took the intervention of a whistleblower to bring the matter to light. 

• Lack of appropriate governance – The complacency of auditors, who took senior executive reports as evidence, without appropriate checks, led to continuous failings. 

• Failure to take regulatory compliance seriously and to spot accounting irregularities and internal fraud – McKinsey warned Wirecard’s Board a year before of ‘significant risk’ and advised ‘substantial change’ in risk and compliance management. Wirecard decided to hire PWC instead, creating a potential conflict of interest as PWC were also the auditors for Wirecard Bank.

• Supply chain impact, leading to operational and reputational risk, as well as societal impact – Wirecard’s failure resulted in a significant impact on their B2B customers, largely fintech firms, the more able of which had already been preparing to distance themselves. But consumers were still directly affected, denting trust in digital payment services. 

• Lack of Board commitment and accountability – Whatever the Wirecard Board’s objectives were, it is clear that executive management were not leading by example. As bad behaviour was rewarded (or at least overlooked), and corners were cut, a toxic corporate culture took hold. 

Getting results 

Now more than ever, rather than relax risk postures, businesses must continue to apply (or step up) the rigour and governance needed to manage risks associated not only with supply chains but also with employees. 

The increasing technological and regulatory complexity, as well as the increase in cybercrime and fraud, suggests the need for some form of technology automation, as I suggested in my earlier post, but any amount of technology, in and of itself, will not solve these challenges. Nor will regulations on their own, as they only provide ‘responsible’ operating frameworks. A combination of technology, regulatory compliance, culture, and behaviours are the key success factors for risk management to be effective. Losing sight of this can only lead to failure.

This Expert Opinion was published in our Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Neira Jones

Neira advises organisations on many topics, including payments, fintech, regulations, and cybersecurity. She is also a professional speaker, regularly addressing global audiences, and is a recognised trainer (see her on-demand e-learning courses here). 

About EPA

The EPA is a thriving community of payments professionals aiming to strengthen and expand the payments industry. Since 2004, they have been instrumental in helping to connect the ecosystem, encourage innovation and profitable business growth. Over 130 member companies benefit from a comprehensive programme of activities, which addresses key issues impacting the industry.