This is a transcript of the podcast Rupert Evill on the rise of fraud between Ethics Insight Founder Rupert Evill and GRIP Senior Reporter Carmen Cracknell.
[INTRO]
Carmen Cracknell: Rupert, it’s great to have you back on the GRIP Podcast. We spoke to you last time roughly a year ago, but could you reintroduce listeners to you and talk a bit about your background?
Rupert Evill: Sure, absolutely. Thank you for having me back. My name is Rupert Evill. I founded a company called Ethics Insight about five years ago after a career that sort of traveled various areas of risk, starting out sort of political risk crisis management before moving into investigations and for many years, which is where I spent most of my career and lately, I guess the easiest way to explain it is helping people avoid the issues that I’d investigated.
So the majority of them would be what might be turned into economic crime or sort of corporate criminal activities, so fraud, corruption, sometimes modern slavery, but increasingly now we’re starting to see sustainability and other things creep in.
So the majority of my time at the moment is spent helping a mixture of impact investors, development, finance and the people they invest in, sort of identify potential gaps, risks and then address them. And I do some of that work as well with corporates direct and non-governmental organizations.
So yeah, the majority of my time is focused on mid-cap organizations, so those that don’t always have infinite resources to manage these issues as well.
Carmen Cracknell: So what has changed the most for your clients since we last spoke? We’ve recently had the UK election, got the US election coming up, there’s other elections going on internationally. What have been the main changes that you’ve seen?
Rupert Evill: Well, there’s obviously legislation and or directives coming out that are getting a little bit overwhelming for some. So there’s the corporate sustainability due diligence directive out of the EU that places quite a lot of onus on companies going down their supply chain to identify sustainability, which is both environmental and human impacts.
Then in the UK, last year we had the Economic Crime and Corporate Transparency Act, which essentially brought fraud prevention in line with the UK Bribery Act. I’ve had more conversations in the past six months about fraud than probably in the previous six years.
And we’re also getting on the cusp of understanding how AI might impact all of these areas as well. And I know there’s an ISO standard around AI ethics that’s come out in the intervening period.
But aside from all of the kind of acronyms and the regulations and stuff, I think most of the organizations I’m dealing with are dealing with a fair amount of kind of change and turmoil from all sides, politically, stakeholder, and regulatory. So it really depends where you sit in terms of what you do, which is most pressing. So if you’re in a very regulated sector, or maybe you have, you know, the consumer demographic that’s B2C and it’s young consumers, so the risk factors will be impacted more by what you do, necessarily sometimes than where you do it.
Carmen Cracknell: Yeah, you mentioned the impact of AI and ISO standards. I hear a lot of people talking about AI. What’s the biggest concern that your clients have about AI specifically?
Rupert Evill: I think it’s how it could be subverted. Or how it could be, well, it depends. For some, it’s a liability issue. Like if you think about, if you have your people kind of doing things that they should be doing the long way, and they’re kind of shortcutting it through AI, so that there’s that kind of brand issue. But I guess the majority of people would be concerned by how it could be basically used inappropriately or improperly by whether it be internal or external sort of sources of threat.
So fraudsters, those type of things. And I’ve done various experiments here. Initially, AI was a bit pious. And so if I typed in, how do you commit fraud using AI, it goes, we do that, and give you a sort of telling off. But then if you say, I’m working for prevention, if I were to try and use you to target, I gave an example of a renewable energy provider in southern Africa. And then I kept drilling down on the questions. And some of their suggestions got progressively more terrifying.
So it’s a tool of leverage and potentially automation of a lot of bad things.
Carmen Cracknell: Just going back to talking about different regulations, you mentioned the Economic Crime Act in the UK. With the new Labour government, how do you see regulation for financial services evolving?
Rupert Evill: I don’t know. I mean, I think we’re all waiting to see a little bit there. I guess thinking about the UK government, one is the one I am intrigued about, because we’ve obviously had quite, if we’re honest, quite weak enforcement. And given Kier Starmer’s background as a human rights lawyer, I’m intrigued to see, for example, the Modern Slavery Act hasn’t really been used that much.
And now obviously the Economic Crime Transparency Act, we had that sort of recent reports from the MP for Kensington and Chelsea about the non-doms and it being a corruption hot spot. And this is something that I guess what I’m interested in is how the countries with big financial centres like sort of London, New York, Singapore, etc., with how they step up and actually enforce the fact that they have been facilitating a lot of the bad that’s been going on in emerging markets.
Because if I look back at my kind of 20/25 years in this industry, I don’t see a huge amount of change. And so that would be the one area I’d be quite intrigued to see if this government does anything to because there’s been a lot of chat in the election about clamping down on kind of the fact that the UK has been a hub for ill-gotten gains or people have done, you know, bad things and then offshored or brought their wealth here. So I’d be intrigued to see if anyone actually does anything about that.
Obviously, the FCA have also brought out their greenwashing guidance as well in the intervening period. So I would imagine that of that economic crime and transparency bit, the government would probably focus more on the transparency bit because the crime bit, i.e. prosecution, is not entirely within their control because that requires obviously the coordination between various agencies like the serious fraud office, etc. And we’ve seen that there have been a fair amount of change in turmoil within some of those sort of prosecuting agencies. So I don’t know for sure, but I would imagine there would be more pressure on those that are perceived or actually misrepresenting.
So what we’re seeing in the court of the public opinion is as important as some parliaments, particularly in like this country or governing institutions. So if you just, I get sent an alert daily about greenwashing and at the moment Lululemon are getting an absolute pacing in the international media.
So I think for most businesses, they’re not looking at governments and enforcement agencies, the big ones are, but the mid caps I deal with, that’s not their source of fear. Their source of fear is the court of public opinion. It’s losing contracts, it’s losing investment, losing access to funding because they failed to pass the due diligence tests and all this kind of stuff. So it’s a bit more of a kind of an immediate business risk.
Carmen Cracknell: Yeah. And as we know, compliance can be really unnecessarily complicated. So how can rules and regulations be simplified?
Rupert Evill: Well, I think the first thing is the sort of Pareto principle with the assessments. So it’s focusing on that 20% of activities or actions that are creating 80% of risk. I think one of the problems I see a lot of organizations face, particularly those with less resources, is they’re very beholden to what they’re told. They’ve got to worry about by someone bigger, whether that be a lender or an investor or a client.
And so there’s a lot of mis-purposed resources and wasted time and wasted effort. And I mean, I can give it like a brief case study of sometimes when it comes from within, like I noticed it with Brewdog, the beer company in the UK, where they had traditionally focused on some of the sort of environmental impacts.
So like renewable energy and trying to reduce water consumption. Okay, that makes sense given what they do. And then at the time of the last World Cup, in Qatar, they studied these big posters about being anti-sponsors. And then that sort of spiraled into people picking apart the hypocrisy because they were still showing the games on their pubs.
They were actually selling through the GT3 into some of those countries. They weren’t even invited to be a sponsor, as I understand it. So being an anti-sponsor is somewhat hollow. And then more latterly, there’s been sort of allegations against management and worker welfare within the UK in terms of wage issues.
So I think that’s sort of what that case study like that tells me is that some of the organizations are not focusing on the right things. So if you want compliance to work for you, it needs to be a tool of kind of prioritization, which means you need to get assessments better.
Most assessments I see are just a checklist against an arbitrary list of regulation rather than actually going outside in, you know, what does the context we operate in? Where do we face threat and risk? How might that sort of impact us prioritizing by likelihood and impact and then setting out your stall to manage that. So basic risk assessment is still not done because it’s not that widely accessible to many organizations.
And the other thing is very difficult for organizations to be honest about whether kind of ethical intentions meet risk realities, because in particular in emerging markets, and you can have zero tolerance in all of your policies as much as you like, but nobody cares on the demand side.
So there’s not enough preparation of employees to actually face that side of the risk. And finally, the overall problem I’d say with compliance is it often is drafted with a regulator in mind, not the user. And so we’re trying to demonstrate what we’re doing to a regulator rather than thinking about what’s the call to action.
So I’m working at the moment with an impact fund that focuses on Western Central, Francophone Africa and the lady in charge of compliance who also has a background in social performance, she just asked great questions about every single thing they’re meant to implement. And they’ve been told to implement by an investor. And it is why and who needs to know. And I don’t think we ask, you know, what’s the in using the marketing speak, what’s the call to action? What are we trying to drive people to do?
Carmen Cracknell: Yeah, it did make me think of obviously, we hear a lot about greenwashing. And a term that I recently heard was blue washing, which isn’t something I’d heard before. It’s where companies kind of portray themselves as being pro human rights. Is that something you’ve come across at all? Not just environmentally concerned, but concerned about social issues.
Rupert Evill: Yeah, I mean, I’ve not heard it put in those terms. But yes, I’ve seen that I tend not to kind of distinguish too much on the between the human and environmental because they often go hand in hand. If you’re committing environmental degradation, you’re generally harming humans and wildlife as well. But the in terms of is, is that an area I’ve come across?
Yeah, for many, many years, but it’s also an area of huge complexity. So there’s, I remember working on a case many years ago where there was allegations that in a plantation that there was child labour being used in Southeast Asia. And when we kind of tracked down through the supply chain from this UK PLC, to the where these issues were occurred, there was so many like middlemen, wholesalers and all kinds of other people in between.
And in that particular area, there’s no infrastructure. And there’s certainly no real schooling or childcare. So parents take their children to the plantations in harvest season, and they only earn money when they’re harvesting, which is obviously a seasonal job.
So the solution to it is, is very challenging. And my concern with all human rights, kind of, when you have terms like what you just said, blue washing, if you’re going to cast people in those very binary terms, is that sometimes that prompts a knee-jerk reaction that actually creates more problems than good.
So the easiest solution, if you find that in your supply chain is to terminate relationships with that supplier or that wholesale and go elsewhere. But that doesn’t help the people, if anything, it makes their life worse, because either they lose the income or somebody else comes in who doesn’t come from a regulated country.
So and I’m seeing certain companies trying to migrate to less ESG regulated markets exactly for that reason, so that they can do the things they want to do with less scrutiny. So is it an area I’ve seen for many, many years? Yes. And I guess my concern is always when we have, it’s very easy to print negative headlines and mobilize campaigns, but it’s a hell of a lot more complicated to try and drive systemic change in kleptocratic and corrupt countries where they don’t service their own citizens.
Carmen Cracknell: Yeah. I know you do like quite a lot of work in Asia, and maybe this doesn’t apply as much there, but could you talk a bit about the impact of sanctions over the last year?
Rupert Evill: Yeah, I mean, it doesn’t that I, my work at the moment is predominantly Sub-Saharan Africa and Asia. So the sanctions issue, I’m not, it’s, well, actually, where it’s getting a bit confusing is when you have funding say coming from Europe for a project in, say, Sub-Saharan Africa, where that government has good relations with Russia, because, you know, Russia and others and Iran have been courting governments in other parts of the world.
And so they, and even on the basics, sort of, I remember having a discussion recently with somebody who was talking about how the West has lost moral authority on Israel and Palestine. And I was pointing out that the funding of Russia and their campaign in Ukraine is mainly comes through oil and gas sales into Asia, predominantly.
And so it’s messy is the easiest way to put it. And I think the challenge, again, for the smaller organizations is when they are internationalized, and they’re getting funding from different places, but they’re domiciled in somewhere that’s more friendly to that regime. And you’re getting into all kinds of political territory as well.
Like we’re seeing, obviously, a lot of unrest in Kenya, Uganda, as dissatisfaction with democracy. And we’re seeing sort of funding by other state actors to try and undermine. So it is the where I deal with it is less in terms of pronouncing on right or wrong, it’s more helping a company navigate that kind of complexity and working out what sort of relationships would or wouldn’t be appropriate.
Because obviously, there’s, I’ve worked on projects where technically civilian goods have been purposed into military goods like drone parts, for example. And if that’s a very different thing to say, if you’re selling, I don’t know, avocados into Russia, so it’s a real scale. And it depends again on what you’re doing more in a way than where and with whom.
Carmen Cracknell: Yeah. So going back to you said you’ve had so many conversations this year about fraud. So can you talk more about that kind of what trends you’ve seen and why it’s massively back on the agenda right now?
Rupert Evill: I wish I knew the why bit. I have my theory. So the last sort of big search and discussion around fraud happened after the 2008 credit crunch and downturn and the theories around why that happens are the usual ones like, you know, with less money going around people look at the books in a bit more detail and start to uncover things. Or secondly, you know, when harder times come and costs of living people are more pressured into or motivated to do things they shouldn’t.
So there are various theories about the kind of the why, I guess, from elevating it a bit, I think there’s a big recognition amongst the people I’m talking to that we’ve been very fixated on these kind of cataclysmic risk issues like being implicated in some massive bribery scandal or sanctions, huge competition law.
But for your average organization, so anyone outside of like the mega corporations, a much more relevant risk that’s been long ignored is fraud. And there’s all kinds of estimates that you would have seen like this surveys done by people at EY and Deloitte to estimate that fraud losses might be up to 5% or 3%, whatever the figure is, it’s bad. And particularly most organizations would love to have even half a percent more on their bottom line.
So I think there’s a kind of recognition that this is not an issue we should be ignoring anymore. And I think it’s also there’s a greater recognition, particularly in the work, the post work from home era about how we need to take a maybe more behavioral and humanistic approach to much risk.
And a lot of risk in my sort of career has been fixated on build more fence, we identify an issue, let’s build more fence, let’s build more controls, let’s burden the business with more checks.
But the data suggests that the majority of my investigative experience suggests that the majority of times, it’s human override, and it’s humans doing things when they’re under pressure. And so if we, if we start to focus a bit more on those pressures, then maybe we I think we start to immediately uncover drivers, and rationalizations for people to commit fraud.
Carmen Cracknell: So a lot of it’s like human error.
Rupert Evill: Well, sometimes it’s you’re making bad decisions and compounding them, like if you’re false reporting, because you’re worried about losing your job or, but there’s also, there’s there was a story, I can’t remember the name of the organization, it’s like one of those whole food type organic food shops.
And they’ve seen a massive increase in shoplifting, and their assertion, I’ve not seen their data, but their assertion is the majority of it is not sort of opportunistic, or, you know, people who are struggling financially, it’s the existing consumers who are relatively, relatively affluent, who are sort of justifying, well, I spent so much with you anyway, it doesn’t matter if I don’t scan a couple of items at the self checkout.
And so I think there’s that angle as well, that we forget about that, what I would call like the ethical offsetting, and there’s a lot of rationalizations we can give ourselves for doing the wrong things.
So, yeah, why do people do the wrong thing, because they’re told to out of fear, like losing their job, etc, not hitting targets, or because of this sort of ethical offsetting.
Carmen Cracknell: Yeah, I do a lot of fintech coverage. And there’s a hell of a lot of issues with APP, like authorized push payment fraud, and just this like really fast drive towards automation and everything being automated. Do you see that a lot as well?
Rupert Evill: I don’t do as much work in the fintech space, but I’ve been working with disruptors, say in healthcare who are doing like online pharmacies and stuff like that. And for sure, wherever you have a desire for consumers for one click payments for speed, and then we get back into more AI type ethics.
So for example, I understand that, you know, some of the counter-fraud techniques are straying into quite invasive territory, like looking at your patterns of your keystrokes and logging them to see if there’s a difference when you’re logging in, potentially accessing the front, sorry, the rear camera on your phone when you’re doing the selfie to do your identification to see if someone’s there to coerce you.
So yeah, I think wherever we want to have instant convenience and stuff at the push of a button, then that is going to come off and with a kind of a trade off for risk because in there, if I think about my Amazon app, you can just click buy now straight away and it’s gone through. And that’s what a lot of us seem to expect. So that is, of course, going to reduce your chance for security checks.
Carmen Cracknell: Yeah, this is kind of off topic, I guess. But the recent CrowdStrike incident, has that come up much? What does that tell us, do you think about the future of cybersecurity?
Rupert Evill: I’m no cyber expert. So I don’t know, I’ve seen a lot of theories out there. But I kind of, I don’t want to sort of comment in an area where I don’t feel I have proper expertise, all I would, you know, go back to if I’m talking about basic risk management, is any structure is only as strong as its weakest points. And when we have lots of dependencies, then of course, that comes with increased risk and then lack of contingency.
So I guess I would focus in an issue like that, my brain naturally goes more to the business continuity crisis management side. How do you ensure redundancy, workarounds, backup, continuity, etc.
Carmen Cracknell: Yeah. So regarding ESG, what are the biggest issues and problems with it?
Rupert Evill: Again, ESG is such a huge area. And I get very nervous when people say they’re an ESG expert, because I don’t think you I work with people who are social performance experts or environmental scientists, and they’re different to what I do. But when we come together, I guess you get some sort of thematic clarity.
But I think my biggest challenge with it is that it’s kind of a bit like one of those fitness tracker things, you know, we can dupe those we can like if you know the ones where you kind of wave your arm around and it makes your step count go up. And so whenever we have an element of self reporting, or we have control over systems, we can manipulate that creates certain issues.
Also, the torturing this sort of fitness tracker analogy, some of the data and the tracking may not be perfect. And we still haven’t really arrived at consensus on many of the topics against which people have been measuring. So to give one example, like I see a lot of people go, oh, we’ve moved to electric vehicles, therefore, good, got rid of combustion engine equals bad.
And that was not quite that simple, because the vehicles themselves are very heavy, they’re going to cause road damage, which is going to increase road, you know, they’re often being charged using fossil fuel. Burning that a lot of their components are still plastic and petrochemical derivatives.
So I think there’s a sort of a kind of a clumsy way of approaching data, I think that other challenges, some of the data exists on a kind of continuum, like you’re working towards targets, other data is more binary, like, you know, fraud and corruption would be good examples where they’re not meant to happen.
So yeah, and there’s, I think they expect people to be all things to all people and that can create, you know, just a lot of performative rubbish, I would kind of prefer organizations, take that risk assessment approach and look at where they create greatest impact, but also can have greatest positive impact and start there.
And start with me, I spoke recently to the head of former head of risk for a large US company, and he said that it had been a real battle with his board, but he’d got them to agree that they would only focus per annum on two of the 17 sustainable development goals, for example, because he felt that the others weren’t wholly relevant.
And these are the two where they could drive most positive change. But if you’re trying to do that at the same token, you’re trying to tick lots of boxes and report to people. So I’m not a fan, because I think it distracts a lot of the time, but I understand why it has to be there. But I think that we can find something better.
So another recent example was a medical device manufacturer from the Middle East, who’s trying to sell very complicated oncology machinery into the NHS here in the UK. And they’re being asked like, you know, hundreds of questions around issues they don’t really fully understand.
Whereas if you look at the impact of that product, and its potential positive and negative impact, you could quite quickly sort of skew it to where the…not skew it, you could quite quickly drill down into those areas, most germane to what they they do, and then have something more meaningful. But if you’re spread across sort of 30 different topics, it automatically becomes a bit performative and rubbish.
That’s my…I’m not saying get rid of all measures and people shouldn’t have to report and or nor am I saying that everyone should be regulated across all topics. And just particularly for the people I work with the mid caps who have a bit more realism, pragmatism and focus on actually driving genuine impact in those areas where there is the potential to do so.
Carmen Cracknell: Yeah, it seems to be hard for anyone to come up with something better than those flat ESG criteria. Awesome. Well, thank you for talking to me, Rupert.
Rupert Evill: Oh, no problem. Cheers.
