
Data-protection problems faced by compliance officers who work from home

James Castro-Edwards, Wedlake Bell, Partner, London, 6 October 2020


'Remote working' is at its riskiest when the workers in question have to grapple with thorny compliance-related questions online, for want of face-to-face contact with their subordinates. This article explores the many conundrums that compliance officers began to face during 'lockdown', many of which persist.

Since March of this year, the British workforce has faced an unprecedented change in working conditions, with the lockdown requiring people to work at home as far as possible. Proponents of flexible working claim that it brings a wealth of benefits, such as greater productivity, more family-friendly work patterns and no commuting costs. Critics, however, point to isolation, mental health problems and weaker information security as the negative consequences of remote working. More and more cyber-attacks have been reported in the news over the last six months, and this has made the threat to information security more apparent.

Remote working is inherently riskier from a data-protection perspective than working from an office. Organisations are less able to take technical and organisational measures in relation to employees' home workstations than they are on the company premises. Furthermore, home working increases the worker's reliance on such information technology as video-conferencing. Remote working tools such as Zoom introduce a number of potential risks, for example the recent phenomenon of 'Zoom bombing,' where intruders hijack Zoom calls.   

The security risk is even greater when a job involves the handling of sensitive information, and compliance officers in financial institutions are a prime example. Compliance officers frequently have to handle sensitive information when carrying out client due diligence (CDD): checking clients' backgrounds, monitoring them and obtaining other information about them. For instance, they may be required to obtain copies of sensitive documents such as a prospective client's passport, driving licence and bank statements in order to verify his identity. Criminals could use such documents to commit identity fraud or to open false bank accounts with which to launder money or finance terrorism.

The lockdown has seen an increase in phishing attacks, such as emails that attempt to persuade people to click on links that expose their computers to downloads of malware (malicious software). More sophisticated schemes have seen the deployment of ransomware, a type of malware that encrypts the computer's files and allows the user to access them again only with a decryption key that he must buy from the attacker, hence the reference to ransom. Phishing emails often convey a sense of urgency, pressurising the recipient into clicking on malicious links. Although compliance officers may not be the only workers who face this type of attack, the nature of the information that they handle as part of their job clearly accentuates the risk.

Cyber-criminals have capitalised on the global lockdown by sending emails whose headings or subject matter purportedly relate to the Coronavirus pandemic in a way that appears genuine. Although many phishing emails are easy to spot, some may be sophisticated enough to convince even the most seasoned members of staff. Phishing attacks are not limited to email and may also be carried out by text message ('smishing') or telephone call ('vishing'). Cyber-criminals are liable to prey on any unwary employee, so firms should ensure that all of their staff, not just the compliance team, are trained to spot and avoid phishing attacks.

Misdirected payment fraud occurs when attackers are able to alter the account details given for a bank transfer so that the funds are directed to an account that they control. This type of fraud has become more common because financial institutions have relied more heavily on email for communication between colleagues who cannot meet face-to-face. A fraudster may, for instance, send an email that purports to be from a senior member of staff, such as the managing director or compliance officer, to a more junior member of staff, asking him to make an urgent payment to an account that appears legitimate but in fact belongs to the fraudster. Criminal groups have also been known to infiltrate organisations and change the payment details held for existing suppliers. In this case the victimised firm believes that it is paying a supplier, but the payment is instead diverted to a fraudulent account. It is worrying to note that this type of fraud can be committed remotely by email or telephone, or even by way of a rogue employee.

To offset the risk of payment fraud, it is imperative for firms to alert their staff to the risks involved in performing financial transactions. Staff must remain extra-vigilant, particularly in relation to transactions involving substantial sums, or to requests from an existing contact to change his bank-account details. Any such change should be confirmed with the contact by an independent channel, for example by telephoning a number already held on file rather than one supplied in the request itself. Staff must not assume that every transaction is legitimate and should apply particular scrutiny to any detail that appears unusual.

The lockdown has seen a sharp increase in compliance officers unintentionally sharing confidential or work-related information with unintended recipients, simply because of the volume of information now in circulation outside the workplace and the opportunities for sharing it without the usual checks and balances in place. The more sensitive the information, the greater the risk, and CDD documents held by compliance teams are a prime example. The workplace affords protections such as private meeting rooms, restrictions on the use of personal devices and privacy for telephone conversations. These safeguards may be eroded in the home working environment, potentially leading to complacency and a relaxation of the usual rules.

Firms can mitigate these risks by reviewing their policies on confidentiality and data protection and providing refresher training to staff where appropriate. Home workers should observe organisational security measures such as not sharing work devices with members of their families, maintaining a 'clear desk' policy for their home workstations, locking their devices whenever they step away from them and turning them off when not in use, and putting papers away when the day is done. Managers should also arrange regular contact with staff, both to give them a sense of involvement in the business and to spot gaps in security.

The lockdown has presented unprecedented challenges for compliance departments, and the depredations of cyber-criminals are among the most serious. Compliance officers must be mindful not only of the risks that their organisations face, but also of those that their own departments face.

* James Castro-Edwards can be reached on +44 (0)20 7395 3108 or at jcastro-edwards@wedlakebell.com
