On 26 Jun 2024, Nicholas McTaggart and I wrote an article for The Strategist, a publication of the Australian Strategic Policy Institute). We explored how scams have evolved from being a nuisance to becoming a critical national security issue. These sophisticated operations exploit technology and human vulnerabilities, targeting individuals and organisations alike. From phishing schemes to supply chain compromises, the impacts are far-reaching, undermining trust in systems and draining economies.
In our view, governments and businesses must treat scams as more than a financial issue; they are a threat to resilience and security. A multi-pronged approach involving education, regulation, and technology is essential to combat this escalating challenge.
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
As a startup, IP is your asset, along with your people. Once your IP is gone, you have nothing but financial liabilities to keep you company. Humans have this “she’ll be right” attitude, nothing will happen to me, I’m bulletproof… but, the startup graveyard shows otherwise. If you’re running a startup, here’s five things to do before you become a victim.
Did you ever hear the one about the founder who didn’t take their IP seriously?
I’ve ceased to get frustrated talking to startup founders and inventors who have a great idea, only to have it stolen or compromised through a data breach. All that time, effort, money, blood, sweat and tears – and occasionally the family home – gone. Forever gone. Not coming back.
Disclosing your IP before you have legal protection (e.g. patent) or when you are vulnerable to competitors is to investors what the smoke of a campfire is to mosquitos.
Unfortunately, IP is like a dirty secret – once the world knows your secret, you’re gone.
Compromised IP = lost competitive advantage
Once gone, those investors are too. You become that kid everyone ignores in the playground.
Get the message? Unfortunately, most humans don’t (until it’s too late)
Hopefully I’ve got you worried enough to spur you into action. Perhaps you can’t even sleep? But don’t fret, there are 5 things you can do to protect it:
Uplift your cybersecurity – understand your risks, and put in place protections for your computers, networks, and digital data like passwords, firewalls, and data encryption. Easy.
Have a complete information security program – ever written something sensitive on a piece of paper because you thought it was more secure than a computer? Think Colonel Sanders. Or Coca-Cola. Paper, prototypes, designs, specimens, samples, laboratory notebooks can be a weak link. Protect non-computer information as well.
Insider Threats – heard the story of the co-inventor who went rogue? Well, history is littered with them. Just like marriage, a business partnership or employee-employer relationship can sour if people feel disadvantaged. Have the right legal, data loss prevention, behavioural analytics, and security programs to manage those charged with keeping your secrets secret.
Data breach & dark web monitoring – when bad stuff happens online, most of the time its the dark web. Trusted employees and business partners are right now selling IP stolen from their employers without them ever knowing. This could be the first indication your IP is compromised. Whilst the horse might have bolted, you may just be able to coax it back behind the starting line before the race starts, otherwise those investors are gone faster than Phar Lap.
Market Surveillance – keep an eye on your competitors and your industry. After ~20 years in fraud and security, I don’t believe in coincidences. If a competitor starts selling something that looks like your invention, its probably because it is. Causes could include a data breach, former employee, or accidentally presenting your IP at a conference. The list goes on. Market surveillance aims to put the genie back in the bottle.
So, if you’ve got this far, hopefully you’ve got the message. Lots of startup founders don’t protect their IP and it gets disclosed or compromised. And they don’t realise until its too late. Founders and inventors – protecting your IP is not limited to patents and copyright – you need to do more, and doing more is easy. Don’t be lazy – you’ve come too far to throw it all away.
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
I’ve been in this space for about 20 years. Not quite sure how or why—maybe it’s the influence of James Bond, Star Wars, and detective shows from my childhood—but every time I’ve ventured into other roles, I always find myself back in corporate security. It’s like a bad habit I can’t quit, but hey, at least it’s a productive one.
I often get asked why I work in corporate security?
People often ask me, “Why corporate security?” Well, I’m a big picture kind of person who thrives on problem-solving. I love seeing how all the puzzle pieces fit together, even when some are hidden under the surface, manipulated by some puppet master. Once you uncover the full picture, you can implement a robust response. It’s like playing a real-life game of Cluedo, but with higher stakes and fewer butlers.
Security is a constantly evolving field—business, technology, people, and threats are always changing. If you crave constant challenges, this might just be your calling. Each day brings something new, which keeps things interesting.
Reflecting on my weeks, I feel like I’ve made a difference more often than not. Sure, no job is perfect, but for me, it’s about leaving things better than I found them.
My goal is to contribute to the profession and coach the next generation
I’ve always enjoyed coaching my team, and in 2022, I started teaching as a side hustle alongside my consulting job. If you’ve been following my posts, you know I started the Ship30for30 course to sharpen my digital writing skills. My aim? To write articles that truly resonate with my audience. Here’s to constant improvement and leaving a lasting impact.
Who isn’t, right? It’s time to get smart about security risk assessments.
Yes, those pesky assessments that sound boring but are actually your best friend in dodging scams.
Step one: map out your company’s email flow. Who’s sending what to whom? Knowing this helps you spot anomalies. If Bob from accounting suddenly asks for a wire transfer, you’ll know something’s up—especially since Bob’s been on vacation for two weeks.
Next, scrutinize your email security settings. Is your spam filter set to “catch-all-the-junk” mode? Great! But is it also catching important emails? Not so great. Adjust those settings to filter effectively without blocking legitimate business.
Oh, and let’s not forget about multi-factor authentication (MFA). Yes, it’s an extra step, but it’s a step that can save your bacon. MFA ensures that even if a scammer gets your password, they still need a second form of verification. It’s like having a bouncer for your email.
Train your staff. Regularly. If your employees can’t spot a phishing email from a mile away, you’re in trouble.
So, there you have it. Conducting a security risk assessment isn’t just a good idea—it’s essential. Keep those scammers at bay and protect your hard-earned money.
For over 20 years, the convergence of fraud and security functions has been often discussed, rarely achieved. I think we are at a tipping point, with data and technology facilitating this convergence, while the accelerating pace and complexity of threats make it a business necessity.
In security, Convergence refers to uniting cyber, physical, personnel, supply chain security with fraud and integrity risk functions to enable timely threat detection and response.
In my view, the convergence challenge is three-fold: (1) Culture, (2) Operating Model, and (3) Data and tech. Each element poses distinct challenges. Culturally, convergence necessitates a shift for traditionally isolated departments that, despite facing common issues, often operate independently.
Operationally, leadership of converged functions may need a different skillset, as well as the ability to engage, motivate, inspire and unite very different team cultures and viewpoints.
Data and technology can overcome some of these barriers, but success requires integrating data from various sources in the right sequence to identify the patterns, behaviours and indicators threat actors exhibit for timely detection and response.
There are still a lot of unknowns about convergence and its value. Whilst the ability to see threats ‘end to end’ facilitates early and accurate detection, I haven’t seen reliable data on ROI, operational metrics or cost savings from repurposing existing infrastructure, likely because few organizations have achieved true convergence thus far.
To conclude, I’ve long been a proponent of convergence and its potential value for business. Getting the right data to the right person at the right time has posed an ongoing challenge – I think we’ve nearly cracked that nut, but there’s a way to go yet to demonstrate a compelling business case.
After finishing business school, I worked for a biotechnology company based at The University of Queensland. As part of my work on campus, I interacted with many companies and came across a case which would become commonplace throughout my career – theft of IP by departing employees.
The company concerned had employed a number of scientists to perform research, with the intent of commercialising that research to generate a Return on Investment (ROI) when it was ready to take to market. Unfortunately, once the research was effectively complete a number of researchers resigned and went to a competitor, where they were offered higher pay and more senior positions.
A short time after the former employees left that business, their new employer started pursuing patents and other IP Rights for the same research. Ultimately, the former employees were taken to court and their new employer found to have acted inappropriately. Whilst this insider threat case ultimately had a positive outcome, it was at the expense of considerable time, effort and legal fees.
Could this situation have been avoidable?
An IP breach will cost your business big time
Entrepreneurs and business leaders of startups get really invested in their business, and can sometimes develop ‘tunnel vision’ where a small number of issues consume their focus and energy.
Unfortunately, in my experience leaders who are not familiar with legal issues often fail to fully grasp what is involved in remediating any data breach and are often overwhelmed when faced with managing incident response.
To illustrate the true costs of a security incident, the 2016 Deloitte report entitled ‘The hidden costs of an IP breach’ places remediation costs in two categories:
Category
Costs
Above the surface (better known cyber incident costs)
a) Customer Breach Notification b) Post-breach customer protection c) Regulatory compliance remediation d) Media and public relations campaign e) Legal and litigation fees f) Technical investigation g) Cybersecurity program uplift
Below the surface (hidden or less visible costs)
a) Insurance premium increases b) Increased costs to raise debt c) Impact of operational disruption or destruction d) Lost value of customer relationships e) Value of lost contracts f) Devaluation of trade name g) Loss of Intellectual Property
Mossburg et al (2016). The hidden costs of an IP breach
Like everything in life, timing is important. If your IP leaks before you are ready to commercialise or have formalised your IP rights, it can have disastrous effects, often resulting in a small or medium-sized businesses (SMB) being shut down. Surely more can be done?
Protecting your IP through legal mechanisms – such as patents, copyright, trademarks, plant breeders rights, circuit layout rights and ‘trade secrets’ – are very important, as is use of Non-Disclosure Agreements. But you also need to consider Information Security as part of your toolbox to protect IP.
Just because you have legal protections in place doesn’t mean your IP can’t be compromised. A worst case scenario for many organisations is that their research is leaked before they have successfully obtained a patent, or that their trade secret is published. In these situations, competitors and other actors can exploit your hard work to:
Quickly replicate your work and bring it to market before you have obtained full IP Rights (i.e. they beat you to the patent)
Bring a competing product to market, perhaps in jurisdications where you have not applied for IP Rights (most organisations cannot afford to lodge patents in every country worldwide, and do so selectively) which competes for market share – these products are often cheaper as R&D costs do not need to be recovered, but over time may cannibalise your market share and revenue
Engage in successive rounds of litigation and legal red tape, aiming to exhaust your legal defence funds and bankrupt your business so as to obtain the rights for free or cheaply under licence.
Thinking “it will never happen to me” and placing your investment and hard work in the hands of blind faith is an avenue walked by many entrepreneurs and researchers, many of whom learn the hard way.
Starting early to properly protect your IP through BOTH legal and information security approaches is essential. Doing only one or the other is not suifficient.
How do VCs and Angel Investors view IP?
Whilst you may be comfortable with your current IP protection arrangements, as your business starts to grow and you need capital to scale leaders need to turn their minds to what investors will think. Investors have a scarce commodity – money – and there are a lot of companies vying to help them spend it.
Investment attraction in innovative industries requires protecting your IP. In 2015, Forbes wrote an article entitled ‘Do Venture Capitalists Care About Intellectual Property?’. The answer, as you might imagine, was a resounding yes.
The article identifies two types of Business Angels – those who invest on blind faith (perhaps a friend or family member), and those who do solid due diligence. The article quotes Brian Cohen, author of ‘What Every Angel Investor Wants You To Know‘, as saying “for many startups, the IP is the sole basis for the valuation of the company, so investors need to be confident that it is real”.
Venture Capitalists and Private Equity investors get even more serious about their IP assets:
“ Many founders make mistakes in the first 12 months of business that cost them dearly as they build their companies. These mistakes revolve around intellectual property, founding team members, initial product that is built and market validation.”
Quoting Entrepreneur-turned-VC Mark Suster in Jutten (2015)
To be positioned as an attractive investment, you need to do everything reasonable to ensure the business is as attractive as possible.
One of the mistakes I see is that founders or company management often fail to pay sufficient attention to security. Information Security – which is broader than the more technical cyber security – is focused on your organisation’s most important information assets (that is, your research or technology), understanding who has access to them, and how they could be compromised.
Many innovative or technology companies pay attention to legal protections for their IP early, but information security and insider risk management is left until later. Some start-ups are founded by groups of friends who never consider they may fall out or have a falling out or rogue employee in the future.
The most critical elements of protecting your IP and trade secrets from an information security perspective include:
Identifying your critical information assets
Identify who has access to them
Performing a risk assessment to understand how these assets could be compromised and identifying controls and control gaps in your current processes
Implementing auditing and logging tools to facilitate detection, investigation and response to potential incidents
Implementing a fit-for-purpose information security program to properly manage your cybersecurity, workforce (people), supply chain and business partner risks in relation to your IP
Building an organisational culture which appreciates the importance of a positive security culture and high levels of security awareness
What can Small Medium Businesses do to mitigate these risks?
ISO27001:2022 Information Security Management System and ISO27002:2022 Information security, cybersecurity and privacy protection — Information security controls provide an excellent foundation for any business seeking to implement IP and proprietary information protection, in addition to legal avenues.
As a small organisation, it may be overkill for you to develop the complete ISMS required under 27001, but applying 27001 selectively in a measured way will help you mitigate security risks whilst at the same time providing a strong foundation to seek external investment.
This approach means your ISMS can be progressively uplifted or enhanced as your business grows and risk profiles change – in time, you will have an ISO27001 ready ISMS to seek ISO/IEC Certification should you chose or it becomes a condition of your investment.
Further Reading
Cohen, B. (2013). What Every Angel Investor Wants You To Know, McGrawHill Education
Jutten, M. (2015). Do Venture Capitalists Care About Intellectual Property?, www.forbes.com
Mossburg, E., Fancher, J.D., Gelinne, J. (2016). The hidden costs of an IP breach, Deloitte Review, Issue 19, www.deloitte.com
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
When was the last time you bought diverted product?
Illicit Trade and diversion is a problem which keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?
If you’re a regular online shopper the chancers are good that you’ve come across illicit product, possibly without knowing it.
I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.
Only the logo and product name was in english – everything else was in Indonesian.
My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.
To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.
Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.
Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.
Serialisation can help improve supply chain integrity and counterdiversion
When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – to individual items or products in the supply chain.
In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.
Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”
European Union Agency for Network and information security (2015)
Serialisation offers benefits to Supply Chain Integrity:
Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
Provenance – Serialisation itself will not establish provenance (unless serialisation is uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs
Given the safety risks associated with illicit product, its no wonder the pharmaceutical industry is a leading adopter of serialisation:
The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
The 2019 European Union Falsified Medicines Directive (FMD) applies only to presciption medicines produced, imported or distributed in the EU.
The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).
Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.
How does serialisation work?
Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:
Pallet
Consignment
Packaging (item and carton levels)
Labelling
Item
To maximise efficiency, Serialisation markings must be machine-readable and are typically applied via three techniques:
Barcodes
QR codes
Data Matrices
According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:
A large data carrying capacity
Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.
How can small-medium businesses access the benefits of serialisation?
It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.
As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.
European Union Agency For Network And Information Security [ENISA], (2015). Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward, Version 1.1, August, https://www.enisa.europa.eu/publications/sci-2015
Therapeutic Goods Administration (2021). Serialisation and data matrix codes on medicines, www.tga.gov.au
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
Global competition for science and technology is heating up
Unless you have been sleeping under a rock these past five years or so, you will be aware that the world is again in an era of great power competition. One key area in which this geostrategic competition is playing out is in science and technology. In addition to the omnipresent competition between businesses, nations are now trying to gain the upper hand for economic and national security reasons in a way we haven’t seen since the end of the Cold War.
Developing a high level of scientific and technological capability maturity takes decades and requires substantial infrastructure, starting with basic education systems all the way to post-doctoral research. The research needs to be supported by a legal, regulatory and financial environment conducive to commercialisation, such as Intellectual Property law, sources of capital investment, and the right government policy settings. Lastly, countries need to have companies capable of converting consumer-ready ideas into products, and the ability to take these products to market.
Where countries or companies cannot or do not wish to take a product to market, they use Technology Transfer mechanisms to assign ownership or control. If you can’t or won’t build these capabilities organically, the alternative offers a fast-track option: Steal it. If you want to take the illicit path, you have three main options: Theft, patent infringement and counterfeiting, or diversion.
What is Diversion in the context of Technology Transfer?
To understand the diversion of critical technology we need to establish some definitions, starting with Technology Transfer. I spent quite a bit of time learning about Technology Transfer at university, but it seems the inherent complexity hasn’t changed in many years. According to a 2011 World Health Organisation (WHO) report, the term “technology transfer has been notoriously difficult to define precisely”.
WHO have chosen to go with a World Intellectual Property Organization (WIPO) definition which defines technology transfer as “a series of processes for sharing ideas, knowledge, technology and skills with another individual or institution (e.g. a company, a university or a governmental body) and of acquisition by the other of such ideas, knowledge, technologies and skills”.
“Diversion” refers to the unauthorised or unintended redirection of technology, confidential information, or components / materiel from its intended (authorised) receipient or use to a different party or for use in a different purpose.
Diversion is different to Theft (although they often arise simultaneously): Theft is effectively taking something that isn’t yours without permission (and often without paying for it). For example, going on a laboratory visit, picking up a laboratory notebook and discreetly putting it in your bag for later is theft, not diversion. Although I cannot find evidence of it being discussed in this way in the literature, I consider Diversion a type of Fraud as it typically involves obtaining a benefit (the confidential information or technology) by deception.
Why should we care about the Diversion of critical technology?
The impact of diverted technology depends on the what the technology actually is and the identity of the perpetrator. Diversion is commonly perpetrated by nation states, competitors, private intelligence collectors, non-state actors (e.g. terrorist groups), and trusted insiders (e.g., employees, supplier’s workforce). Diverted technology can have a number of national security and market competitiveness impacts, which over time erode competitive advantage and can expose companies and countries to undue risk, including:
Military Superiority: Critical technologies often underpin a national defence capabilities. If adversaries or third parties access these technologies, your competitive edge can be eroded.
Economic Competitiveness: Advanced technologies drive economic growth and national competitiveness. At the start of this 4th Industrial Revolution, science and technology goes hand in hand with economic prosperity.
Critical Infrastructure Vulnerabilities: Critical technologies are often used to support critical national infrastructure like energy, transportation, and communication. Diverted technology could be used to identify novel vulnerabilities in systems (including zero-day cybersecurity vulnerabilities), which could be exploited by adversaries leading to widespread disruptions.
Proliferation of Weapons of Mass Disruption and Dual-Use Technologies: Defence and dual-use technologies (those with both military and civil applications) can be diverted to sanctioned groups or nation states, destabilising global security.
Diminished Strategic Autonomy: In this new ere of geostrategic competition, being reliant on another country is a strategic vulnerability (we saw this from the effects of the COVID-19 pandemic). Diversion can lead to increased dependence, potentially compromising a nation’s independence.
Foreign Interference and Espionage: Diverted technology can provide adversaries with insights into a nation’s capabilities, strategies, and operations, potentially undermining its diplomatic and security efforts.
There are many ways in which technology can be diverted, such as False End Users, front companies, use of brokers or intermediaries to obtain information, joint ventures or mergers and acquisitions, IP Licensing agreements, insider threats, foreign student arrangements, and many more. In some cases, once the diverted technology is obtained by the adversary, it will be copied or reverse engineered before going into production (manufacturing). The benefit here means that companies can build a competing product (or military capability) at a cheaper price. without the overheads of having to recover the costs of research and development.
Further Reading
Gaida, J., Wong Leung, J., Robin, S., Cave, D., Pilgrim, D. (2023). ASPI’s Critical Technology Tracker – Sensors & Biotech updates, Australian Strategic Policy Institute, https://www.aspi.org.au/
Hannas, W., Chang, HM (2021). Unwanted Foreign Transfers of U.S. Technology: Proposed Prevention Strategies, Centre for Security and Emerging Technology, https://cset.georgetown.edu/
McBride, J. and Chatzky, A. (2019). Is ‘Made in China 2025’ a Threat to Global Trade?, Council on Foreign Relations, https://www.cfr.org/
Toman, D., Famfollet, J. (2022). Protecting Universities and Research from Foreign Interference and Illicit Technology Transfer, European Values Centre for Security Policy, https://europeanvalues.cz/
WHO (2011). Pharmaceutical Production and Related Technology Transfer, www.who.int
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.
Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.
To make it more attractive to sourcing and procurement teams in the retailer, the sales person attemping Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:
Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.
Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:
Consumer Electronics
Tobacco
Automotive Industry
Pharmaceuticals
Fast Moving Consumer Goods (FMCG)
Technology, including software providers
Fashion and apparel
Industrial equipment
Alcohol and Distilled Spirits
As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!
There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.
Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.
The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.
Impacts of Channel Stuffing include:
Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, if not detected material cases of Channel Stuffing could be misleading to investors and have regulatory impacts.
Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rivals, retailers may even stop offering a product and switch to selling other brands.
Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
Misrpresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A|B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.
How can you identify Channel Stuffing and what are the indicators?
Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that captures how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.
If you read Forewarnedblog.com regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.
Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data includes:
Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
Rising inventory: setting aside seasonable flutuations and sales trends, can inventory increases be reliably explained?
Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?
By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.
Four things businesses can do to minimise Channel Stuffing risk
With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:
Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
Implement transparent, detailed reporting that ensures visibilty of emerging trends and issues that allows early management intervention
Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics
As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom lime is that proactively looking for Channel Stuffing can avoid significant downstream pain!
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
What is third party screening and why is it important?
Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.
Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:
Modern Slavery and Environmental Social Governance (ESG)
Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.
Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:
Stage 1 – Screening Design
Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship annually ), who will perform the work and where the results will be stored.
Stage 2 – Screening Delivery
Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
Qualify potential matches and escalate matters of concern: Have a mechanism to perform further view (investigation) of likely matches
Perform Quality Assurance (QA) to validate search parameters, providing assurance that your proceses achieve their intended objectives.
Keeping detailed and accurate records of what you search for, when, where, and what results were achieved is essential in any compliance or due diligence process. You never know when you may be required to produce these records as part of your legal defence, when seeking external investment, or a similar activity.
It is also essential to keep records of how and why you designed the screening process, any inherent risks in the screening process and how these are mitigated.
Third Party Screening processes employing ‘name matching’ algorithms are inherently risky
If you are unfamilar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:
Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned giving a erroneous result.
Fuzzy Name Matching: Fuzzy matching is used to compare to search strings which may be similar but are not identical based on critieria determine either by the user (when performing the search) or by the algorithm.
Common problems encountered when designing your screening process (Stage 1 above) include:
Spelling errors
Truncated words
Names containing multiple languages (e.g. Arabic + English)
Names that have been incorrectly translated to English (either in a database record or in the search parameter)
Dealing with initials and titles / honorifics
Words that are out of order (e.g. surname -> first name or first name -> surname)
Spaces and hyphens
Nicknames or unofficial names
When performing screening for compliance purposes, it is common to determine how your screening procesess (including selected search parameters) complies with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.
What should businesses screen third parties for?
Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:
Commercial and Sanctions Watchlists – e.g. WorldCheck, World Compliance
Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and may require an audit or use of investigative techniques for detection. Show and Shadow Factories are one such example.
There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.
What about emerging markets where there is no third party data?
Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.
Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:
Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. A country which provides 3 months for company secretaries to register a change of director is not going to show up in a database just because the company has made a press announcement
Understand whether the database vendor collects the records themselves, or if they are an agregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source the greater the likely the record will be accurate and timely
Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details
When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
