
Everything Compliance-Episode 24, the Looking Back to Look Forward Edition

FCPA Compliance & Ethics -

In this episode, the top compliance roundtable podcast returns with a look back at some of the top FCPA, compliance and data privacy/data security issues from 2017 and how they inform what will be the top such issues in 2018 by looking forward.  Jay Rosen considers the new Justice Department FCPA Corporate Enforcement Policy and [...]

The post Everything Compliance-Episode 24, the Looking Back to Look Forward Edition appeared first on Compliance Report.

Getting Practical With Emerging Risks

BRINK News -

Yesterday’s BRINK article on the outlook for global risks depicted a fractured and fractious world, characterized by the confluence of far-reaching technological disruptions and seismic shifts in political and geopolitical imperatives. The extraordinary velocity of change that is spurring many companies to question not just their basic resilience, but also their fitness for purpose in the new world order is also influencing expectations of risk management.

If robust finances were the major corporate concern during and after the financial crisis, the key issue these days is market positioning. If back then the risk management buzzwords were prudence and controls, now they are business case support and responsive agility. Staying out of—or exiting—certain markets for fear of an unwelcome shift in the political climate might prove expensive, not least if competitors are more bullish. Likewise, the pressure for adopting new technologies is intense, even where near-term performance benefits are uncertain and longer-term ecosystem effects unclear.

As our new report contends, risk leaders should devote more resources to grappling with emerging threats. While this doesn’t mean tasking teams with predicting the future, it does call for a stronger role in challenging prevailing assumptions and giving shape to key uncertainties in a way that illuminates the impact of plausible scenarios and informs senior management decisions. It involves recognizing not just that new risks are appearing on the horizon, but that operational risks may become strategic risks, known risks may become unknown, controllable risks may become uncontrollable, and risks assumed to be acceptable may acquire “fat tails.”

From Identification to Action

Three things are essential if work on emerging risks is to remain true to the messiness of these issues and also be truly integrated into corporate decision processes. These are: creatively exploring the sources of risk; embedding a thorough risk characterization in impact analyses; and being able to justify potential responses.

The search for emerging threats requires looking beyond the issues that can immediately and easily be anchored to business performance. Unpack hot risk topics and trends to see how different—often non-market—forces might surge or collide in problematic ways. Tease out pockets of volatility or uncertainty in the firm’s commercial ecosystem. Apply a fresh lens to the firm’s strategic and institutional vulnerabilities.

It’s often unwise to dismiss possible risk topics too early—they may combine with other ideas and be useful later. And don’t worry at the outset whether something is a risk, a driver or a consequence—that can be resolved in due course. A preparedness to challenge “house truths” is vital, as is not constraining discussions by views on probability (“the chances of that happening are tiny”).

A thorough characterization of the top emerging risks involves assessing what is shaping each risk, its likely trajectory and its potential consequences, with a view to determining where it might touch the firm, the types of impact and the time profile of the damage. This helps clarify the materiality of each risk and provides an initial steer for response planning.

Quantified scenarios that give shape to plausible alternative futures are useful for exposing hidden tensions between commercial ambitions and corporate risk appetite. They can be used not just for stress-testing finances, but also for challenging strategic goals and rehearsing crisis management preparedness. Although scenario narratives and quantification exercises for emerging risks shouldn’t be constrained by historic data and risk relationships, acceptance of the results will depend on the degree to which key stakeholders have appreciated the validity of the inputs.


Management levers that address a range of top-tier emerging risk concerns may present a more compelling business case than multiple action plans targeting individual issues. However, overly generic recommendations will encounter pushback from company leaders as they will be unable to articulate what they will deliver and the (opportunity) cost of doing so. The threshold for mandating action is that much higher than for familiar risks, given the high levels of uncertainty, especially with regard to preemptive responses.

Investment decisions regarding solutions for emerging risks should also take into account residual risk exposures (“are they acceptable?”), any significant knock-on consequences, the lead-in time required to implement the measures, and the speed with which precautionary measures can be unwound should they no longer be needed. Sometimes, aggressive market plays and investment in research and development are more appropriate than defensive mitigation measures. Contingency planning may strengthen resilience against fast-onset risks, where precautionary action has been deemed unviable.


A New Boldness for Risk Teams

With new risks swinging into view, senior-level demands changing, and new technological capabilities emerging, this is an exciting time for risk leaders to reframe their function for the new era.

Taking advantage of the new opportunities requires a shift of emphasis in three areas:

  1. Better alignment with business priorities: Risk teams need to demonstrate strong business or commercial acumen and engage more intensely with the company’s strategic ambitions and major investments. This will sharpen their ability to develop valuable insights into emerging concerns and help scope innovative risk mitigation solutions.
  2. More flexible deployment of resources: Revised analytical methodologies, including the introduction of new data science and automation techniques, should free up capacity in risk teams for more project-based (as opposed to routine) risk work and the provision of advice to business and functional leaders.
  3. Greater dynamism in stakeholder engagement: A more creative lens with regard to emerging risks will enable risk teams to engage with institutional and individual biases and blind spots and help build an appreciation of threats for which evidence may be limited or conflicting.

To take this forward, some risk leaders may need to expand their comfort zone. But those who can mesh strategic vision, influencing skills, and technological fluency on top of their core risk-management expertise will be best positioned to help their firms negotiate dynamic risk environments laden with potential shocks and disruption.

Financial Institutions Are Playing Catch-Up in AML and Sanctions Compliance

Corruption, Crime & Compliance Blog -

Compliance officers are a much more collaborative group of professionals than lawyers.  Compliance officers share information with colleagues about compliance experiences, best practices and strategies.  The compliance industry benefits from this sharing of information.

On occasion, however, sharing a company’s performance in one area can lead to unfair judgments by the recipient of the information.  For example, one company may conduct in-depth due diligence on every third party, while another may target in-depth reviews based on risk ranking, excluding some candidates and conducting only basic due diligence on lower-risk ones.  Compliance officers who share information have to be careful to distinguish between their respective companies’ risk profiles and not use such a comparison as a means to judge their performance.

On the other hand, there are some basic requirements where such a comparison is warranted.  A board of directors should receive compliance training every year – no ifs, ands or buts.  If one company conducts such training, the other company should be doing so.  To take an even more basic example, every company has to have a code of conduct – and if a company does not, they should remedy that omission.

The same analysis applies to surveys.  A recent survey of financial institutions conducted by Alix Partners on AML and sanctions compliance contains informative results that support some of my general concerns about ethics and compliance programs: board members do not receive adequate training, and compliance officers continue to struggle with a lack of adequate resources.

The key findings from a global survey of a variety of financial institutions found that:

  • 20 percent of the respondents do not train their boards on AML and sanctions compliance;
  • 54 percent of the respondents identify automated transaction monitoring and filtering programs as their top priority investment;
  • 55 percent of the respondents identify sanctions screening as a top priority investment;
  • 8 percent of the respondents do not have a formal AML or sanctions compliance program;
  • 32 percent of the respondents consider their AML and sanctions compliance program budget inadequate or severely inadequate;
  • 35 percent of the respondents do not conduct annual independent reviews of their AML and sanctions compliance program.

Considering that financial institutions are heavily regulated and face significant risks, these results are surprising and raise serious concerns about the industry’s commitment to compliance.

The failure to train a board on compliance is inexplicable and sends the wrong message to managers and employees in a company that does not conduct training for its board.  While I know that board members are busy there is no excuse and CCOs have to push this issue when reporting to the board.  Very few boards are familiar with strategies and practices for conducting oversight and monitoring a compliance program.  A CCO needs to explain to the board the legal and code risks, mitigation strategies, and how the board should conduct oversight and monitoring of the company’s compliance program.

Despite claims that companies are committed to their compliance program, the failure to allocate adequate resources is a continuing trend in the financial industry and will eventually become the focus of enforcement and regulatory actions.  It is surprising to say the least that one-third of the respondents noted that they operate compliance with inadequate or severely inadequate resources.

The post Financial Institutions Are Playing Catch-Up in AML and Sanctions Compliance appeared first on Corruption, Crime & Compliance.

Tribute to Keith Jackson and Breakthrough Strategies in Compliance

FCPA Compliance & Ethics -

Keith Jackson died last week. He was universally recognized as the Voice of College Football and announced college football games for over 40 years. According to his obituary in the New York Times (NYT), Robert A. Iger, the chief executive of the Walt Disney Company, said of Jackson “For generations of fans, Keith was college [...]

The post Tribute to Keith Jackson and Breakthrough Strategies in Compliance appeared first on Compliance Report.

Experimental Design and Loss Prevention Programs

Loss Prevention Media -

The purpose of many loss prevention programs is to reduce shrink, reduce returns, and reduce other activities that hurt sales. When designing an experiment and measuring its results, it is important to take a holistic approach and track a wide range of positive and negative indicators of success or failure. While we want to see the loss-related metrics improve after a loss prevention program is implemented, we should be equally focused on not harming core sales. See Figures 1 and 2 for lists of LP initiatives and of metrics related to shrink.

Figure 1. Common Loss Prevention Solutions


Figure 2. Loss Reduction Metrics

Experimental Design

Figure 3 illustrates the normal flow in the scientific method’s process. First, the researcher asks a question. An example question is, “Why do the iPads in the display area of the store continue to get stolen?”

Next, the loss prevention professional researches the question. For example, an inspection of the display area in the store may reveal that the iPads are only secured to the table with a very weak device that can be easily bypassed.

Next, the loss prevention professional would form a hypothesis: “iPads that are secured to the table with a more secure device will not get stolen as often.” At this point in the scientific method, an experiment should be conducted to determine whether the hypothesis is correct.

Figure 3. The Scientific Method

Many factors can hinder or ensure a complete and accurate experiment. For example, how many records (sample size) you have in the experiment can influence your results and how you can interpret them. For an ideal experiment, it is recommended to have a large number of experimental records, and that the test subjects (can be employees or stores, for example) are representative of the entire population you are trying to investigate. The best way to ensure “representation” is using a random selection of subjects.

For the ideal experiment, it is important to have a control group (those not receiving the test factor – or the thing you are trying to test). It is essential that the test factor is applied as it is planned to be deployed, and that the test factor is the only difference between the test subjects and the control subjects. Again, the assignment of the subjects into “test” versus “control” is best done randomly. Once the subjects are assigned, it is important that the subjects do not know to which group they have been assigned.

Once the subjects have been selected and assigned, it is the time to collect data. Again, the data collection process is also guided by principles that ensure experimental validity. Proper analytical techniques are then required to correctly analyze the data and interpret the results.

Loss Prevention Experiments: Issues to Consider

When conducting an experiment, the primary goal is to answer the research hypothesis without any doubt as to the validity of your experiment. Figure 4 shows some common threats to experimental validity. Each of these items can interfere with an experiment and make the results and conclusions unreliable.

Figure 4. Threats to Validity

When testing loss prevention programs, it is important that only one factor in the store is changed at a time. Additionally, whenever possible, the stores should be assigned to test and control groups randomly so that all other potential confounding variables will be distributed equally in both the test and the control groups.

Suppose that you were attempting to measure the effect of a more secure device on the loss of iPads. If, at the same time as your experiment, a separate initiative placed a guard in the area with the iPads, that guard would be a confounding factor, making it impossible to measure the effect of the more secure device. Since both prevention factors are present at the same time in the same stores, the effect of the guard cannot be separated from the effect of the more secure devices.

A further threat to an experiment’s validity, and to the conclusions drawn from it, is improper or incomplete analysis. If the wrong statistical tests are used, if confounding variables that should have been considered are ignored, or if an alternative explanation for the effect is never examined, the results may be invalid. To avoid these problems, the analysis should account for confounding variables, seasonality, store openings and closings, and the control stores, and should use the proper statistical tests.

Even if a proposed hypothesis is true, without an adequate sample size we may not be able to demonstrate it (that is, to reject the null hypothesis in the statistical test). The null hypothesis is the statement that the program had no effect; rejecting it is how the test supports what you are trying to prove. Sample size matters more as the size of the effect gets smaller. For example, suppose we are trying to detect whether shrink has decreased. With only ten stores in the sample and the natural variation of shrink, we will probably be unable to distinguish a small change from ordinary fluctuation in the data. With 100 stores, that variation averages out enough that the same change can probably be detected.

The goal of an experiment and an analysis is to determine whether the loss prevention initiative creates value beyond the cost of the program. To measure return on investment, we first need to analyze the data in a manner that accounts for seasonality and normal data fluctuations. For this reason, we would measure the shrink rate in the test stores and control stores before the test, during the test, and during the same two periods in the previous year. Let’s assume, for this test, that we can obtain shrink within a specific time window using a manual method of measurement.

Once the experiment is completed, an analysis should be conducted to measure the impact of the new loss prevention program on the key metrics. A few key factors should be addressed in the analysis, which are unique to retail:
1) Seasonality – a key reason to use a control sample is seasonality. Most retailers have very different sales and loss patterns depending on the time of the year. There are a few techniques that we can use in the analysis to protect against seasonal fluctuations falsely influencing results.

2) Year-over-year trends – if stores are trending higher or lower on a key metric year over year just before the test, those trends may need to be considered in the analysis. A way to deal with both year-over-year trends and seasonality is to use the following metric for each store. Converting each store in the test and control samples to this measurement captures the net change in the key metric, considering trends before and during the test compared with the prior year.
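The readout described above (test and control stores, shrink measured before and during the test and in the same two periods of the prior year, then a sample-size sanity check) can be carried out with nothing beyond the Python standard library. The block below is an added example written for this page; it is not the authors’ code, and the page does not reproduce its own per-store metric, so the year-over-year adjusted change used here is one common formulation and is labelled as an assumption in the code. The store figures are constructed: last year shrink rose 0.10 points in every store between the two periods (a seasonal pattern), and this year the control stores rose by about the same amount while the test stores fell, so a naive before/after comparison and a naive test-minus-control comparison give different pictures.

```python
"""Test-versus-control readout for a store-level loss prevention pilot."""
import math
import random
from statistics import mean

# Constructed per-store shrink rates (% of sales) for four periods:
# (pre-test, during-test, same pre-period last year, same test-period last year)
TEST_STORES = [
    (1.60, 1.40, 1.55, 1.65),
    (2.10, 1.95, 2.00, 2.10),
    (1.30, 1.05, 1.25, 1.35),
    (1.80, 1.62, 1.70, 1.80),
]
CONTROL_STORES = [
    (1.70, 1.80, 1.65, 1.75),
    (1.50, 1.65, 1.40, 1.50),
    (2.00, 2.08, 1.90, 2.00),
    (1.20, 1.33, 1.15, 1.25),
]


def yoy_adjusted_change(pre, during, pre_ly, during_ly):
    """Change in shrink from the pre-period to the test period, net of the
    change the same store showed across the same two periods last year.
    Assumption: this is one common formulation; the page does not reproduce
    its own metric. A seasonal rise that also happened last year nets to zero."""
    return (during - pre) - (during_ly - pre_ly)


def store_effects(stores):
    return [yoy_adjusted_change(*s) for s in stores]


def permutation_p(test_eff, control_eff, shuffles=5000, seed=7):
    """Two-sided permutation test on the test-minus-control gap. Randomly
    relabelling stores as test/control is the null of 'the program did
    nothing'; the p-value is the share of relabellings whose gap is at least
    as large as the one observed. Needs no distributional assumption."""
    observed = mean(test_eff) - mean(control_eff)
    pooled = list(test_eff) + list(control_eff)
    k = len(test_eff)
    rng = random.Random(seed)
    extreme = 0
    for _ in range(shuffles):
        rng.shuffle(pooled)
        gap = mean(pooled[:k]) - mean(pooled[k:])
        if abs(gap) >= abs(observed) - 1e-12:  # ties count as extreme
            extreme += 1
    return extreme / shuffles


def analyze(test_stores, control_stores):
    """Raw before/after changes, the adjusted lift, and its permutation p."""
    t, c = store_effects(test_stores), store_effects(control_stores)
    return {
        "raw_change_test": mean(d - p for p, d, _, _ in test_stores),
        "raw_change_control": mean(d - p for p, d, _, _ in control_stores),
        "lift": mean(t) - mean(c),  # negative = shrink fell relative to control
        "p_value": permutation_p(t, c),
        "n_test": len(t),
        "n_control": len(c),
    }


def stores_per_arm(effect, sd, alpha_z=1.96, power_z=0.8416):
    """Stores needed in each arm to detect `effect` (points of shrink) when the
    per-store adjusted metric has standard deviation `sd`, at 5% two-sided
    significance and 80% power (standard two-sample normal approximation)."""
    return math.ceil(2 * (alpha_z + power_z) ** 2 * sd ** 2 / effect ** 2)


if __name__ == "__main__":
    r = analyze(TEST_STORES, CONTROL_STORES)
    print(f"raw change: test {r['raw_change_test']:+.3f}, "
          f"control {r['raw_change_control']:+.3f}")
    print(f"adjusted lift {r['lift']:+.2f} points, permutation p = {r['p_value']:.3f}")
    print("stores per arm for a 0.10-point effect, sd 0.20:", stores_per_arm(0.10, 0.20))
```

On the constructed data the raw change in the test stores (about -0.20) understates the program, because the control stores rose about 0.12 over the same weeks; the adjusted lift is -0.31 points. With only four stores per arm the permutation test has just 70 possible relabellings, which is the sample-size problem from the previous section in concrete form: even a clean separation yields a p-value near 0.03, and a smaller effect could not be distinguished at all. `stores_per_arm(0.10, 0.20)` returns 63, so a 0.10-point effect against store-to-store noise of 0.20 needs on the order of sixty stores in each group, consistent with the ten-versus-one-hundred contrast above.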

If the results of the experiment are good and the program is to be rolled out to all of a retailer’s stores, there are some rollout considerations. The program should be executed the same way it was executed in the test. It is also important to establish execution reports to determine whether the program is still being executed properly as it matures. If ongoing measurement is required, it may be useful to maintain a control group of stores that never get the program and can serve as a baseline for comparison. Alternatively, removal of the program can be tested at some point. This means that, for some period, the program is removed from a random sample of stores, and the removal becomes the test treatment. Such a test is conducted like the original test, but in reverse.

In conclusion, the processes for conducting experiments in this article should help the loss prevention professional test and evaluate which programs will have the greatest effect in controlling losses.

EDITOR’S NOTE: This post has been excerpted/adapted from the authors’ text, Essentials of Modeling and Analytics: Retail Risk Management and Asset Protection. Learn more.

The post Experimental Design and Loss Prevention Programs appeared first on LPM.

Prioritizing Social Responsibility in Companies: A coming firestorm?

Ethical Systems Blog -

In a development that Andrew Ross Sorkin of The New York Times believes will cause “a firestorm” in boardrooms across the country, Larry Fink, the CEO of BlackRock has sent a letter to the chief executives of the world’s largest public companies urging them to prioritize their company’s social responsibilities.

Sorkin writes that this is likely to be a watershed moment for American companies, given BlackRock’s position as one of the largest investors in the world with more than $6 trillion under management through 401(k) plans, exchange-traded funds and mutual funds.

In Fink’s appeal, BlackRock recognizes that most of the public has a long-term investing perspective, often saving for retirement or a rainy day.  Most companies, however, manage their business with short-term interests in mind despite the interests of their owners and shareholders.  This emphasis on the short-term, as Fink says in his full letter, “sacrifice[s] investments in employee development, innovation, and capital expenditures that are necessary for long-term growth.”   This skewed dynamic has become even more pronounced given the shift towards greater use of index funds.  As a fiduciary to the long-term investing public, BlackRock believes that “[their] responsibility to engage and vote is more important than ever.”

Fink’s letter also emphasizes the role of public companies in growing economic inequality. He writes, “Since the financial crisis, those with capital have reaped enormous benefits. At the same time, many individuals across the world are facing a combination of low rates, low wage growth, and inadequate retirement systems.”  Ethical companies are ones that tend to these dynamics, by providing good jobs to employees, recognizing ethical behavior and fostering an ethical and speak-up organizational culture. 

This emphasis on long-term value creation is consistent with academic research that shows that more ethical companies have better financial performance in the long run. Furthermore, Just Capital has also shown through its research that more ethical and “just” companies are more profitable. 

Profits aside, Fink makes an even stronger point – it’s the right thing to do.  “The time has come for a new model of shareholder engagement – one that strengthens and deepens communication between shareholders and the companies that they own.”

Tags: Andrew Ross Sorkin, Larry Fink, BlackRock, ethics pays, Azish Filabi

Compliance into the Weeds-Episode 66, the Salary Penalty for Misconduct

FCPA Compliance & Ethics -

In this episode Matt Kelly and I take a deep dive into a fascinating paper from Harvard Business School. Boris Groysberg and George Serafeim, worked with a global recruitment firm, to study more than 2,000 executive-level job placements from 2004 to 2011, examining a wide range of job placements and pay data since 2004. They [...]

The post Compliance into the Weeds-Episode 66, the Salary Penalty for Misconduct appeared first on Compliance Report.

A Sense of Purpose

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Larry Fink, BlackRock, Inc., on Wednesday, January 17, 2018 Editor's Note: Larry Fink is Founder, Chairman and CEO of BlackRock, Inc. This post is based on Mr. Fink’s annual letter to CEOs.

Dear CEO,

As BlackRock approaches its 30th anniversary this year, I have had the opportunity to reflect on the most pressing issues facing investors today and how BlackRock must adapt to serve our clients more effectively. It is a great privilege and responsibility to manage the assets clients have entrusted to us, most of which are invested for long-term goals such as retirement. As a fiduciary, BlackRock engages with companies to drive the sustainable, long-term growth that our clients need to meet their goals.


Webinar: How to Implement an Effective Internal Investigation Program

Corruption, Crime & Compliance Blog -

Webinar: How to Implement an Effective Internal Investigation Program

Tuesday, February 6, 2018, 12 noon EST


An effective ethics and compliance program depends on an efficient internal investigation function. Corporations have to design and implement an internal investigation system that is fair, timely and reliable. To do so, companies need to identify risks, assign resources, monitor investigations and mete out disciplinary actions. A company has to maintain a system that adheres to organizational justice in order to make sure that employees trust the company’s commitment to respond to employee concerns.

Join Michael Volkov, CEO of The Volkov Law Group, as he discusses how companies should implement effective internal investigation programs.

The post Webinar: How to Implement an Effective Internal Investigation Program appeared first on Corruption, Crime & Compliance.

Breaking News in the Industry: January 17, 2018

Loss Prevention Media -

NY man attacked LP while trying to rob store

A man from Farmingville, New York, was arrested on Sunday after police say he attacked a store employee while trying to steal merchandise. According to police, Daniel Charbonnier, 30, tried to steal goods from Bloomingdale’s, in East Garden City, on Sunday afternoon. When associates from the store’s Loss Prevention stopped him, police say Charbonnier became physical and injured both associates. However, he was still detained. Both of the Loss Prevention associates were treated at the scene. Charbonnier was transported to a hospital for evaluation. During a search of his person, police say they found cocaine. Police say that Charbonnier also robbed the same Bloomingdale’s on Dec. 1. Charbonnier is charged with two counts of second-degree robbery, two counts of second-degree assault, petty larceny and seventh-degree criminal possession of a controlled substance. Police say he will be arraigned when medically practical. [Source: Garden City Patch]

Colorado man wanted for allegedly shoplifting; hitting police cruiser

Police say a man hit an officer’s cruiser and a second vehicle while trying to flee a Walmart after shoplifting. The officer had just pulled into the parking lot as the suspect was jumping into a white car. The suspect peeled out and reportedly struck the cruiser first, then the other car. Both cars were parked and no injuries were reported. The man kept driving and was last seen heading eastbound on Pueblo Boulevard and then northbound on Acero Avenue, in Colorado Springs. The incident happened at the Walmart Neighborhood Market at 2732 S. Prairie Ave. The suspect vehicle is described as a white 1990s-model Toyota Camry. Anyone with information is asked to call Cpl. Kenneth Matic at 719-553-3292.  [Source: KKTV11 News]

New Netflix email scam asks users for credit card information

Stay away from unexpected Netflix emails: they may be tricking you into handing over your credit card information. Netflix is warning customers about what may be the most sophisticated phishing scam yet. First discovered by Australian email security company MailGuard, the newly identified scam uses Netflix branding and web page styling to coax users into giving away credit card details. The email shows “Netflix” as the sender, and the subject line tells recipients that their card was declined. “Hi, We have attempted to authorize the Amex card you have on file but were unable to do so,” the email reads. “We will automatically attempt to recharge your card again in 24-48 hours. Update the expiry date and CVV (card verification value) of your Amex card as soon as possible so you can continue using it with your account. We’re here to help if you need it. Visit the Help Centre for more info or contact us. – Your Friends at Netflix.”

An image of the phony email was posted to Twitter by the New South Wales Police Force in Australia. The deceptively pleasant message includes an “update payment” button that directs users to a credit card information portal with blanks for email address, card number, expiration date, and CVV number. Once a user submits their information, the scam redirects them to Netflix’s homepage to ease any potential concerns. The longer users are unaware of the theft, the longer scammers can continue taking advantage of any ill-gotten personal information, so keeping people in the dark is just as important as gaining access to their info in the first place. Reports say “thousands” of users have been affected so far. The scam has reached people in Australia and the U.K., but it’s not clear if any U.S. customers have received any of these emails.  [Source: The Daily Dot]
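The lure described above has three properties a mail filter can check without any network lookup: a brand name in the sender’s display name, a sending domain that does not belong to that brand, and an “update payment” link whose host is not the brand’s either, all wrapped in card-update wording. The block below is an added example written for this page, not code from the article, MailGuard or Netflix. The brand domain allow-list is an assumption for illustration, the two messages are constructed (the lure reuses the wording quoted above with a made-up link), and the domain logic only looks at the last two labels of a hostname, which is enough for this example but not for `co.uk`-style suffixes.

```python
"""Score an email for brand impersonation of the kind used in the Netflix lure."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains a brand legitimately sends from and links to.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}
# Wording typical of card-update lures; three or more hits is a finding.
LURE_PHRASES = ("unable to", "declined", "update the expiry", "cvv", "card")


class _Links(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], " ".join(self._cur[1].split())))
            self._cur = None


def registrable(host):
    """Last two labels of a hostname (example.com). A production filter
    should use the public suffix list so that co.uk-style names work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mentioned(*texts):
    for text in texts:
        for brand in BRAND_DOMAINS:
            if brand in text.lower():
                return brand
    return None


def analyze(raw):
    """Return a list of findings for one RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    brand = brand_mentioned(display, subject)
    if brand:
        sender_dom = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
        if sender_dom not in BRAND_DOMAINS[brand]:
            findings.append(f"display name {display!r} but sender domain {sender_dom!r}")
        extractor = _Links()
        extractor.feed(html)
        for href, text in extractor.links:
            host = urlparse(href).hostname or ""
            if host and registrable(host) not in BRAND_DOMAINS[brand]:
                findings.append(f"{text!r} link goes to {host}, not a {brand} domain")
    hits = [p for p in LURE_PHRASES if p in html.lower()]
    if len(hits) >= 3:
        findings.append("card-update lure wording: " + ", ".join(hits))
    return findings


# Constructed lure: the quoted wording, a spoofed display name, a lookalike link.
PHISH = """\
From: "Netflix" <billing@account-notices.example>
To: customer@example.com
Subject: We were unable to authorize your card
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, We have attempted to authorize the Amex card you have on file but were
unable to do so. Update the expiry date and CVV of your Amex card as soon as
possible so you can continue using it with your account.</p>
<p><a href="https://netflix-payment-portal.example/update">Update payment</a></p>
</body></html>
"""

# Constructed benign message from the assumed legitimate domain.
LEGIT = """\
From: "Netflix" <info@netflix.com>
To: customer@example.com
Subject: New on Netflix this week
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See what is new.</p>
<p><a href="https://www.netflix.com/browse">Browse</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "no findings")
```

The sender-domain check is the one SPF and DMARC already cover when the attacker forges the brand’s real domain; this lure does not need to, because a display name of “Netflix” over an unrelated domain passes both. That is why the link-target and wording checks are the ones that matter here, and why the redirect to the real Netflix home page after the form is submitted (noted above) is invisible to any check that only looks at the first hop.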

Thieves steal roughly 50 handbags worth over $100K from retailer

An estimated seven to 10 suspects on Monday swiped about 50 high-end handbags believed to be worth over $100,000 from the Nordstrom at the Stanford Shopping Center in Palo Alto, according to police. The thieves slipped into the store just before closing and cut the metal security cables that keep the Gucci handbags secured to display counters, police said. The suspects then dashed out of the store and hopped into two getaway cars. Specific suspect or vehicle descriptions were not immediately available, other than that one of the getaway vehicles was described as a Nissan Sentra and the other as either a Honda or Accord without a license plate, according to police. No arrests have been made in the case. One of the suspects tried to punch a loss prevention associate during the heist, according to police, and an investigation is ongoing. Surveillance footage has yet to be released because of the investigation. Further information was not available. [Source: Peninsula]

Five charged in retail theft ring

A month-long investigation of an organized retail theft ring by the Walton County Sheriff’s Office has led to charges against five people. According to a press release from the Sheriff’s Office, just before 9 p.m. deputies responded to the Tommy Hilfiger store at Silver Sands Premium Outlets on U.S. Highway 98 regarding people seen shoplifting. Deputies located four of the five suspects. Hernando James, 19, was seen carrying a Tommy Hilfiger bag with several items inside. Surveillance video showed James entering the store without a shopping bag and purchasing two items; however, more than two pieces of clothing were found in the bag, the press release said. James was arrested for grand theft along with Stevonda O’Neal, who was an out-of-state fugitive. Also during the investigation, Rameshia Hatcher provided a false name to deputies. Her mother, Ophelia Hatcher, knew Rameshia was giving a false name while they spoke to deputies, according to the press release. A car was located in the parking lot beside a large pile of clothes. Inside the vehicle were several garbage bags and store alarm tags. The vehicle was seized and searched at a later date. Investigators found more than $6,000 worth of stolen merchandise in the car from several stores, including Victoria’s Secret, Bath and Body Works, Justice, Michael Kors and Tommy Hilfiger, the Sheriff’s Office said. Investigators later learned the names of all those involved, including the identity of Rameshia Hatcher. James was charged with coordinating in theft of more than $3,000. O’Neal was arrested that day on an out-of-state fugitive charge and then released. O’Neal, Shakina Letressa Hall, 32, Rebecca Hatcher, 25, and Ophelia Hatcher, 45, have all been charged with coordinating in theft of more than $3,000. Rameshia and Ophelia Hatcher have also been charged with providing false information to a law enforcement officer. All four have active warrants for their arrests.  [Source: NWF Daily News]

Mattress Firm to close 200 stores

Mattress Firm has entered into a credit agreement up to $225 million, to be available for “working capital needs and other general corporate purposes.” The ABL Facility has an initial aggregate principal availability amount of $75 million, but the company intends to upsize that via an incremental availability feature to a total aggregate principal amount of up to $225 million, according to a company press release. Last week, Mattress Firm executives told lenders that the company, as of last year a unit of financially struggling South African conglomerate Steinhoff, would close 200 stores as part of an ongoing restructuring effort, the Houston Business Journal reports. Before being acquired by Steinhoff last year, Mattress Firm in 2014 had itself bought rival The Sleep Train, which operated 310 stores, for $425 million, a move that increased its costs over sales.[Source: RetailDIVE]

The post Breaking News in the Industry: January 17, 2018 appeared first on LPM.

IDG Contributor Network: Of clouds and compliance: DLP + UEBA are back in the spotlight

CSO Online -

As CTO and co-founder of a company that specializes in user and entity behavior analytics, it’s no surprise that I’m bullish on the prospects of this technology; but this optimism is increasingly substantiated by a pair of accelerating trends.

The continued and overwhelming momentum of cloud adoption, along with related evolution of compliance requirements in the form of the EU General Data Protection Regulation (GDPR), have elevated user and entity behavior analytics back into the spotlight, particularly related to the use of data loss prevention (DLP) technology.

Behavior analytics has existed in some form for over a decade, first developed in the digital advertising domain, then adapted to serve the needs of a context-hungry IT security audience. However, the overwhelming sentiment related to its use has often been one of skepticism; specifically, that deployment of behavior analytics tools represented a complex science project that created more work than results.


Credit Card Fraud News: 2018 Update

Loss Prevention Media -

We cover a lot of credit card fraud news in the LPM Insider. It’s a natural topic for a readership heavily concentrated in retail and retail loss prevention. But the statistics keep changing, as do some of the suggestions to help protect yourself. So, an update and review every so often is beneficial.

The continually evolving credit card fraud news:

  • The latest Nilson report estimates that in 2016, worldwide credit card losses topped $24.71 billion.
  • Barclays reports that 47 percent of all credit card fraud occurs in the United States.
  • Fifty-six percent of Mexico residents reported being a victim in 2016.
  • Only 8 percent of Hungarians reported being victims in the past 5 years. In general, European countries have the lowest fraud rates due to the early adoption of EMV (chip) cards.
  • Javelin Strategy reports that there is an identity theft incident every 2 seconds, many involving credit card fraud.
  • ACI Worldwide estimates that 47 percent of Americans have been a victim of credit card fraud in the past 5 years.
  • Florida topped all states with over 300,000 fraud complaints reported to the Federal Trade Commission (FTC) in 2015, while North Dakota had the fewest.
  • Older Americans are more likely to become victims of credit card fraud. According to the FTC, 65 percent of all complaints in 2015 involved victims over 40 years old.
  • Women topped men as victims in 2014, but only by 11 percent.
  • Approximately 65 percent of credit card fraud victims suffer a real or indirect financial loss resulting from an incident.
  • The vast majority of credit card fraud occurs for purchases online or over the phone.
  • Approximately 37 percent of all credit card fraud in the United States is related to counterfeit cards.

Eliminating Signature Requirements?

Given these disquieting credit card fraud news updates, it’s ironic that Mastercard, Discover, American Express and Visa have recently announced that they will no longer require signatures for most credit card transactions. Austen Jensen, the vice president for government affairs for the Retail Industry Leaders Association (RILA), pointed out that retailers have long argued that signatures are “a costly yet feeble means of securing transactions.”

Further, industry leaders don’t think no-signature policies will endanger cardholder data. Jaromir Divilek, executive vice president of global network business at American Express, notes that “our fraud capabilities have evolved to the point that we can now eliminate this pain point for our merchants.” As we all know, merchants don’t typically check a cardholder’s signature against the signature on the back of the card anyway.

We Still Need to Protect Ourselves

OK, so fraud detection tools have advanced and even signatures are no longer needed. But every consumer needs to be cautious and know how to protect themselves from becoming a victim. Here are some tips:

  • Protect your privacy; shred pre-approved credit card offers. Keep your purse or wallet in a safe place at work, at the gym, or while in your car. Use passwords for all devices and use a password-keeper program or app. Never write them down.
  • Use zero-liability credit cards. It’s becoming more common for credit card issuers to provide fraud protection or zero liability for the cardholder when it comes to unauthorized purchases. Make sure your cards have these features.
  • Monitor your accounts often. Federal liability protection requires that you report any fraudulent charges within sixty days. Check on your accounts at least every few days.
  • Use common sense when shopping online. Be sure your wireless network is secure. When paying online, make sure that website is secure. Look for the “https” at the beginning of the website address indicating that data sent between your browser and that site are encrypted.
  • Choose credit, not debit. Use credit cards whenever possible. Protection against fraud on credit cards is more secure. If fraudsters access your bank account from a debit card, they can clean it out quickly.
  • Protect your mail. Stop service through the post office when you leave town. It’s easy and free, but be sure you do it in person or on the official USPS site. Don’t post vacation plans on social media. And mail items using a postal box, not with the flag up on your mailbox.

And, as we’ve always said, a healthy dose of paranoia goes a long way to keep you safe. Be careful out there.

The post Credit Card Fraud News: 2018 Update appeared first on LPM.

How to Fix Your Company Policies for GDPR

The Compliance & Ethics Blog -

By Patrick O’Kane, Data Protection Officer Do you ever sit at a desk trying to read a company policy and find that the words are just not going in? Often company policies are written in the most turgid, dull and unintelligible language.  The consequence is that employees never read them, much less remember what they […]

Full Speed Ahead for the SEC

Compliance Building -

Commissioners Hester M. Peirce and Robert J. Jackson, Jr. are, according to Jay Clayton’s math, the 96th and 97th Commissioners of the Securities and Exchange Commission after being sworn in last week.

It’s been two years since the SEC has been at full strength. Perhaps this means that rule-making will proceed ahead. Based on the SEC’s regulatory agenda, Chair Clayton is planning to have the commissioners focus on a much smaller set of rules in the near term.
Day 17 of 31 Days to a More Effective Compliance Program-Managing Your Third Parties

FCPA Compliance & Ethics -

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, [...]

The post Day 17 of 31 Days to a More Effective Compliance Program-Managing Your Third Parties appeared first on Compliance Report.

Customer Privacy at Risk When Companies Become Complacent Regarding Data Security

Loss Prevention Media -

As new estimates predict cyber crime costs will exceed $2 trillion by 2019, many consumers are wary of letting companies handle their personal data. Lack of diligence in the business world has dominated headlines, leading to serious mistrust on the part of consumers. Currently, 68 percent of consumers don’t trust companies to handle their personal data securely and keep it protected from hackers. (1)

Companies need consumer data for invoicing and other legitimate business purposes. This means that methods must be developed for effectively securing data to prevent personal information from falling into the wrong hands. Cyber criminals quickly devise strategies to overcome older data security measures, and it’s a sure bet that they’ll continue to exploit any possible vulnerabilities in new security patches, etc.

However, there are some basic practices one can implement which can help protect most consumer data. It’s also important to keep customers in the loop regarding how the company handles and protects personal consumer information. Spohn Security Solutions has a few suggestions in this regard: (1)

1) Use multiple authentication layers, and follow this up by letting customers know who will have use of customer data and how it’s secured from unauthorized use.

2) Make sure your company is focused on security, not compliance. This means following a list of best practices to ensure that your customers’ information stays safe. PCI, HIPAA, SOC compliance cover the MINIMUM acceptable level for many aspects of data security, ranging from employee procedures to data encryption. Compliance will come with security. Compliance is great to advertise on your website and in many cases, required by law, but a secure network lets you sleep at night.

3) Make your consumers’ privacy a competitive advantage for your company. Destroy customer data once it’s no longer needed or required to be kept by law. Let customers know that you won’t keep any credit information or personally identifiable information on file longer than legally required. Communicate your assured cloud destruction and data retention agreements; explain this is why they must enter their data repeatedly on your site. Most will appreciate your attention to maintaining their privacy, even if it is inconvenient. (2)

However, even with these and other measures in place, employees sometimes forget to implement them, or new employees who haven’t yet been fully trained on current security practices can commit errors. Spohn Security Solutions has been in the cyber security business for 20 years and has observed that not all companies maintain an appropriate level of vigilance regarding employee security training.

“It’s vital that companies continue to provide security training for their employees. When they train but then forget to regularly update and check on their employees’ practices, it’s as if they were never trained at all,” said Timothy Crosby, senior security consultant for Spohn Security Solutions.

When these gaps occur and new threats hit, serious risks can be propagated throughout the system, leaving vulnerabilities for hackers to exploit. One example was the WannaCry ransomware attack in May 2017. That attack, termed “next-gen ransomware,” was the largest computer virus/ransomware infection in history. As opposed to regular ransomware, which encrypts only the local machine it lands on, this type spreads throughout the organization’s network from within, without having users open emails or malicious attachments (which is why it’s called a “ransomworm”). (3)

“A big risk is companies becoming complacent with their security watchfulness,” said Crosby. “Windows had released an updated security patch prior to the WannaCry attack, but not everyone updated their system. There’s a risk of companies providing employee training and information but then forgetting to provide continuity.”

1. Gerber, Scott. “9 Ways to Protect Your Customers’ Data and Keep Them in the Loop.” The Next Web, 2 June 2017.

2. “Customer Privacy Is An Important Part Of Business Strategy.” ReputationDefender, 30 Sept. 2011, updated 3 Oct. 2017.

3. Zeichick, Alan. “Self-Propagating Ransomware: What the WannaCry Ransomworm Means for You.” Network World, 16 May 2017.

The post Customer Privacy at Risk When Companies Become Complacent Regarding Data Security appeared first on LPM.