Channel stuffing fraud – a distribution problem

8 minutes

What is Channel Stuffing?

Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

To make it more attractive to sourcing and procurement teams in the retailer, the sales person attemping Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.

man operating silver machine for silver steel kegs
Photo by ELEVATE on

What industries are most exposed?

Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

  • Consumer Electronics
  • Tobacco
  • Automotive Industry
  • Pharmaceuticals
  • Fast Moving Consumer Goods (FMCG)
  • Technology, including software providers
  • Fashion and apparel
  • Industrial equipment
  • Alcohol and Distilled Spirits

As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!

people riding on inflatable raft
Photo by Hilmi Işılak on

Who are the victims in Channel Stuffing?

There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

Impacts of Channel Stuffing include:

  • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, if not detected material cases of Channel Stuffing could be misleading to investors and have regulatory impacts.
  • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rivals, retailers may even stop offering a product and switch to selling other brands.
  • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
  • Misrpresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A|B testing is underway, this may give a wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
  • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.
man falling carton boxes with negative words

How can you identify Channel Stuffing and what are the indicators?

Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that captures how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

If you read regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data includes:

  1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
  2. Rising inventory: setting aside seasonable flutuations and sales trends, can inventory increases be reliably explained?
  3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
  4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
  5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
  6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
  7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
  8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?

By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

Four things businesses can do to minimise Channel Stuffing risk

With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

  • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
  • Implement transparent, detailed reporting that ensures visibilty of emerging trends and issues that allows early management intervention
  • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
  • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom lime is that proactively looking for Channel Stuffing can avoid significant downstream pain!

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

An introduction to third party screening processes

7 minutes

What is screening and why is it important?

Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.

white jigsaw puzzle illustration
Photo by Pixabay on

Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

Overview of the screening process

Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

Stage 1 – Screening Design

  • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
  • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship annually ), who will perform the work and where the results will be stored.

Stage 2 – Screening Delivery

  • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
  • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further view (investigation) of likely matches
  • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your proceses achieve their intended objectives.

Screening processes employing ‘name matching’ algorithms are inherently risky

If you are unfamilar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

  • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned giving a erroneous result.
  • Fuzzy Name Matching: Fuzzy matching is used to compare to search strings which may be similar but are not identical based on critieria determine either by the user (when performing the search) or by the algorithm.
google search engine on macbook pro
Photo by Pixabay on

Common problems encountered when designing your screening process (Stage 1 above) include:

  • Spelling errors
  • Truncated words
  • Names containing multiple languages (e.g. Arabic + English)
  • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
  • Dealing with initials and titles / honorifics
  • Words that are out of order (e.g. surname -> first name or first name -> surname)
  • Spaces and hyphens
  • Nicknames or unofficial names

When performing screening for compliance purposes, it is common to determine how your screening procesess (including selected search parameters) complies with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

What should businesses screen for?

Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and may require an audit or use of investigative techniques for detection. Show and Shadow Factories are one such example.

There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

What about emerging markets where there is no data?

Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

  • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. A country which provides 3 months for company secretaries to register a change of director is not going to show up in a database just because the company has made a press announcement
  • Understand whether the database vendor collects the records themselves, or if they are an agregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source the greater the likely the record will be accurate and timely
  • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Business Email Compromise – persistent threat or consistently mismanaged?

5 minutes

What is Business Email Compromise (BEC)?

I remember working in banking when BEC first happened – according to Google, this was around 2013. In our bank security department, we worked out how the fraud scheme worked, quickly developed internal controls and process improvements to reduce our vulnerabilities, and effectively treated the risk. So why in 2023, ten years later, are business owners still falling victim to BEC and other scams? More concerning, some executives only hear about BEC when they have become a victim – so what is BEC and how does it happen?

BEC is a type of fraudulent email scheme (scam) – more specifically a cybercrime – where fraudsters attack a company’s internal processes or functions. Most commonly, I come across BEC in relation to invoicing scams or banking transactions, but there are also other less common variations. Criminals use phishing techniques, which involve well crafted or deceptive emails, and in some cases other social engineering tactics as well, to convince an employee or manager that they are legitimate.

an exhausted woman reading documents
Photo by Mikhail Nilov on

At times, these emails may even be combined with other channels such as phone calls to reinforce the sense of urgency, build trust and rapport with the victim. A simple ‘BEC attack example’ involves 4 phases – research & reconnaisance, targeting, attack, escape – as illustrated below:

Here’s an example how BEC could play out:

BEC is still happening – why?

As a cybercrime / online fraud, the simple TTP (Tactics, Techniques, Procedures) employed by criminals mean and the ensuing response by workers means BEC is still going strong. According to the Australian Competition & Consumer Commission (ACCC) ‘Targeting scams 2022‘ report:

  • In 2022, Australian’s reported $569million in losses to ScamWatch, a 76% increase on the previous year
  • The volume of incidents has decreased – but the value of incidents has increased (average losses have increased by 224% since 2020)
  • Losses from False Billing scams totalled $24million in 2022

These statistics demonstrate the size of this problem. Clearly, businesses need to do more to manage fraud, cybersecurity and scam risks.

Why is BEC still this prominent? Simple – because it works.
For criminals, fraudsters and scammers, it’s quick, cheap and profitable.

People are too busy to stop and think about what they are doing or take process shortcuts, to trusting of what happens online due to poor security awareness or inadequate fraud awareness training, or because the way the scammer delivers their ‘attack’ email is so well crafted it gets the recipient on the hook easily and convinces them it’s legitimate.

For managers, its important to realise that BEC has a strong nexus to your Insider Risk Management program – BEC scams cannot succeed without a wilful, complacent or ignorant insider.

A strong Trusted Insider program should be mutually reinforced and supported by a strong security culture, where all staff (including contractors and casuals, not just employees) understand and embrace the importance of security to your business. If security awareness is low and you have a poor security culture, employees and contractors can be complacent or even ignorant of the risk.

How to prevent BEC and other scams?

Who typically gets targeted? Because BEC frauds primarily target the invoicing process, staff in accounts and procurement are most likely to be targeted, as well as potential line managers, executives and their assistants.

1. Up your game – improve culture and awareness

Whilst all staff in your organisation should have some level of fraud and security awareness, staff in these roles should have a high level of understanding about BEC, it’s various forms, and how prolific it is.

2. Identify, assess and manage the risk

Too often, I find organisations which haven’t stopped to think about how fraud and security issues can materialise in their business. Business need to perform a detailed security risk assessment to understand how and where they may be vulnerable to cybersecurity or fraud compromise. Any security or fraud risk assessments should be regularly updated to reflect changes in the business and its operations.

3. Review your business processes and internal controls

Frauds and scams differ from violent crimes in that they exploit a business process. To succeed, criminals must complete a particular task, often in a specific order. For a business, each of these tasks is a vulnerability unless you have sufficient internal control coverage to mitigate these risks.

In practice, I find overlaying a process map of the scam or fraud from the criminals (external) perspective onto the internal business process helps identify gaps (vulnerabilities). This is often done in Red Teaming and other Security Assurance activities.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Returns Fraud – a risk for eCommerce companies

7 minutes

What is Returns Fraud?

Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

  • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
  • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
  • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
  • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
  • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

elegant male outfits on dummies in modern boutique
Photo by Andrea Piacquadio on

How does Returns Fraud impact retailers?

If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

  • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
  • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
  • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
  • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
  • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.

The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

Three simple steps to mitigating Returns Fraud risk

Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

  • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
  • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
  • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.

As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Graph or Social Network Analysis – what’s the difference?

Common terminology sows the seeds of confusion

If you’re someone who has been involved in fraud protection, Anti-Money Laundering, Counter-Proliferation, Sanctions Evasion, anticounterfeiting (the list goes on) – basically any sort of investigation of networks, you will likely have come across concepts such as graph, link analysis, and network analysis. However, when you start to write use cases for your organisation and develop your functional requirements for technology, this starts to get messy. For those new to this area, the figure below provides an illustration of what social network analysis is:

Illustration of a social network in analyst notebook
Social Network Analysis illustration, US Dept. of Justice (2016)

Unfortunately, the terminology we use every day is the source of much confusion amongst business users (investigators, intelligence analysts, security & fraud professionals), data scientists and technologists alike, making it hard to understand the actual problem which needs to be solved by technology. To understand this space, there are three main concepts to get your head around:

  • Network Analytics: Is a term that has its origins in computer science and ICT, and is used to help model, monitor and assess the health and performance of computer networks
  • Graph Analytics: Also known as ‘Graph Technology’, this term actually refers to a type of database – the Graph Database – which stores data in the form of a ‘graph’ or network. Graph is heavily used today in the newly emerged field of Data Science.
  • Social Network Analysis: Also known as ‘link analysis’, ‘network analysis’, and a variety of other names, this methodology has been around since the 1970’s and stems from the social sciences. It uses algorithms and other methods to model and depict the behaviours of groups of entities (e.g. people, objects), attributes (e.g. the characteristics of objects, such as a person’s name), and the relationships (connections) between them. This is important as Entities typically exist as ‘networks’ in society.

The three concepts outlined above, each a distinct academic discipline, can be applied to three simple User Personas, as outlined below:

UserUse Case
IT DepartmentsUse network analytics to assess and manage the health of your IT and OT (operational technology – such as SCADA systems) networks
Data Scientists, Data EngineersUse Graph Databases to facilitate complex modelling, analysis, and other data management related tasks
Intelligence Analytsts, Investigators, Risk & Compliance OfficersPerform social network analysis to understand threat networks, such as criminal networks, organised fraud syndicates, or illicit corporate structures to assist in their identification, targeting and disruption
Three illustrative user personas for graph and social network analysis

Despite often using terminology interachangeably, we are actually referring to three distinct concepts which cause confusion when co-mingled.

What is a graph exactly?

A basic graph – whether we are talking about the way data is visualised within a graph database or as part of social network analysis – is depicted by nodes (entities) and edges (links or relationships). Fraud teams use enhanced depictions of ‘graphs’ to enrich a data with more information. Graphs (social networks) can be queried to return matching results, such as showing all individuals who are connected to a specific address in some way (e.g. home, work, family connections).

For data scientists, one attractiveness of a graph database is that large networks can be more efficiently searched or analysed compared to a Relational Database (RDBM) such as SQL Server or Teradata. There are numerous use cases for graph databases, including:

  • Entity Resolution – to determine whether two entities are actually the same based on various attributes
  • Knowledge Graphs – to help answer questions or find the answer to something
  • Product Recommendation Engines – for customers of eCommerce stores to suggest other products purchased by similar customers
  • Master Data Management
  • ICT network infrastructure monitoring
  • Fraud detection

Examples of graph databases on the market today include those produced by Neo4j, TigerGraph, AWS Neptune, Microsoft Cosmos, and many others.

Why is Social Network Analysis important for countering threat networks?

The term “Threat Network” is used by the U.S. Government when discussing any type of hostile actor (even lone actors are typically part of some social network). Examples include organised crime, nation states, organised fraud syndicates, counterfeiting syndicates, and industrial espionage networks. Without going into too much detail here, every threat network has a number of common roles which are required to achieve its objective.

Let’s say a consumer fraud ring is running a boilerroom scam to defraud elderly investors. The network needs people to manage its finances, communications, recruitment, targeting to spot vulnerable investors, scammers to actually defraud them, and managers and leaders to coordinate the scheme. This concept is illustrated below in relation to drug production and trafficking:

Organisational structure showing roles within a typical organised crime network
Illustration of various roles within a threat network (JP 3-25)

Social Network Analysis allows for visualisation of relationships and structures of all parties involved in the network, providing the ability to overlay additional information such as functions in the network. Social Science algorithms, such as Betweenness and Centrality, can be applied to social network data to identify key players or connections. These threat network vulnerabilities can then be targeted, such as through arrests or new internal controls, to disrupt threat actor activites. This concept is illustrated below:

Illustration of how a network can be disbanded (disrupted) with effective targeting
Illustration of how disrupting a network can render it ineffective (JP 3-25)

How can I perform Social Network Analysis?

Interestingly, you do not need a ‘graph database’ to perform Social Network Analysis. What you do need though is a suitable user interface for business users (e.g. investigators) which allows them to query, analyse, and interact with their data to achieve an outcome – such as identifying key players in a fraud ring. Without a suitable interface, business users will be unable to exploit the data effectively rendering it useless.

Fraud and law enforcement teams have used Social Network Analysis for decades. You can do simple Social Network Analysis on paper or a whiteboard without the use of software – this is where the term ‘link analysis’ originated from. Whilst pinboards are useful for Hollywood movies and simple networks, analysts today are swamped in data making software essential.

man in gray long sleeve suit holding a pen - social network analysis with paper and a pinboard
Photo by cottonbro studio on

In the late 1990’s or early 2000’s, the popular software known as Analyst Notebook was developed and is still in use today. These days, there is a proliferation of thick client and browser based software which performs this function, including Maltego, Linkurious, Palantir, Quantexa, and RipJar.

As outlined here, there is a distinct difference between the concepts of network analysis, graph and social network analysis. Each has its own use cases, methodologies, user groups and supporting software. Understanding this landscape, and how all the pieces fit together, is essential to building any sort of threat intelligence or detection analytics capability.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What are the main e-Commerce frauds targeting online stores?

Three challenges in eCommerce Fraud Protection

One of my side hustles is lecturing postgraduate university students on financial crime intelligence – this is all about how to identify and detect fraud and illicit activity in your data. I regularly tell my students (and clients) that fraud is really a ‘process-based crime’ – it arises because of internal control gaps in your business processes which equate to vulnerabilities for your business, and opportunities for fraudsters and criminals.

shoes in boxes on shelf
Photo by Stanislav Kondratiev on

Different types of fraud arise at different points in the eCommerce process. Every fraud scheme has its own unique characteristics, which means we can prevent and detect it! From my perspective, there are three challenges in eCommerce fraud protection:

  1. Detecting customer profiles or transactions which are highly likely to be fraudulent with a low false positive rate (see here for explanation); and,
  2. Detecting the fraud in time to avoid incurring a loss (this is particularly hard with realtime payments, outourced and / or automated fulfilment); and,
  3. Striking the right balance between enough loss prevention measures to mitigate the risk (your ‘risk appetite’) and too many controls (which makes for a bad customer experience, impacting sales conversions and customer retention).

To illustrate this for eCommerce, I have used the four-phased eCommerce marketing lifecycle promoted by and overlaid where different fraud schemes can arise:

Three categories of eCommerce fraud schemes

Let’s deep dive into the three main eCommerce fraud schemes:

Account related frauds

Some eCommerce fraud schemes revolve around a users identity or account. Examples of ways in which this may happen, either at account creation or account login include:

  • Phishing – social engineering attempts to compromise users and their accounts
  • Credential stuffing – attempts to use credentials stolen from another breach to login
  • Account takeover – where a user’s account credentials or browser session is hijacked
  • Identity theft – a victim’s identity is stolen and used to obtain loans, goods, etc.

Payment Frauds

The second category of eCommerce frauds revolves around the payment or transaction itself, including:

  • Use of stolen / purchased credit card details
  • Card testing – where criminals place small charges on a card to see if it is valid which could be disputed by the cardholder
  • Chargeback fraud – shopper makes a purchase on their own card, then requests a chargeback after receiving the goods
  • Refund Scams – shopper purchases something and ask for a refund before the product is delivered
  • Payment frauds – including card present and card not present transactions
black payment terminal
Photo by on

Loss Prevention

The final category of eCommerce frauds is perpetrated by a user post-payment. Common fraud typologies include:

  • Change of address scams – delivery address is changed after payment but before shipping so goods are not sent to cardholders residence
  • Returns fraud – consumer receives goods, uses it, and sends it back (effectively ‘renting’)
  • Product diversion – where goods are basically stolen by trusted insiders (employers, contractors, suppliers)

Did you know that organised fraud, product diverters and shoplifting rings typically target specific products over others?

Products that are CRAVED are at greatest risk.

I have provided more information on which products are most likely to be targeted by organised fraud, product diversion and shoplifting rings in my article “product security risk assessments for tangible goods”.

Identifying your core business activities, systems and processes is key to understanding and managing your risk profile. I will review how to do this in a future article, but if you are looking for somewhere to start try and this article on ‘risk appetite and risk tolerance‘.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

6 steps to improving security and integrity culture in the workplace

Workplace Culture – a curious concept

Culture is a funny concept: It is neither tangible nor permanent, but rather develops and evolves over time and is a reflection of the members of that ‘tribe’. Organisations, groups and communities can all develop unique intrinsic cultures as a results of the collective actions, behaviours, norms and values of that organisation.

The fact that culture is not a tangible thing makes nurturing a ‘good’ culture hard for leaders to achieve, and very easy to destroy. Good workplace cultures can become self-perpetuating, attracting others of similar visions and values and contributing to a highly engaged workforce. In his 2013 article in the Harvard Business Review, Michael Watkins provides a great discussion on organisational culture, outlining different perspectives on what it is and how it permeates the modern workplace.

Culture is recognised as being one of the most important components of successful companies. According to James L. Heskett, culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors”, making understanding it essential for all leaders (HBR, 2013).

people sitting on chair
Photo by Rene Asmussen on

Seven dimensions of security culture

When applied to security, the concept of organisational culture is no different. According to Perry Carpenter in Forbes Magazine (2021), there are seven dimensions to security culture. I have taken Carpenter’s seven dimensions and adapted it to provide more context for risk leaders:

  1. Attitudes: Employees have a positive view of security and understand why it exists. A positive culture of reporting security incidents is established
  2. Behaviours: Employees conduct themselves in a manner that positively impacts overall security. Innocent, unintentional security breaches or accidents are not punished or perpetrators ostracised
  3. Cognition: Employees know about security and have a high level of awareness of threats and security programs
  4. Communication: Security is communicated clearly and regularly, with key messages being enforced in ways which are easily understood by all and which resonate with the workforce
  5. Compliance: Employees comply with security policies voluntarily, not because they have to
  6. Norms: Being conscious of security and the need for it, as well as the expected behaviours, becomes part of the organisation’s fabric. Employees who go against these norms are counselled by peers, not security, compliance or management
  7. Responsibilities: Employees understand their security obligations and take them seriously. They know what to do and when, and comply with these rules and expectations

How does your organisation compare in relation to these seven dimensions? What about your previous employers? Reflecting and thinking critically about what we do and how we behave as leaders makes us think what else can we do better, and potentially enhance our culture in the process.

people sitting on green grass waving their hands
Photo by RDNE Stock project on

Six things leaders can do to improve security and integrity culture

Despite achieving a good security culture being hard to achieve, leaders need not despair. There are things we can do to improve security culture, it just takes time and effort. Listed below are six things I would encourage leaders to do to build or improve your security and integrity culture:

  • ‘Tone from the top’ – what senior leaders say and do matters as just like pets or children, behaviours will be replicated. Leaders should continually demonstrate the importance of security and integrity within the business, and not just pay lip service.
  • Awareness training – regular training on security and integrity is important in the workplace. People need to know how they are expected to behave, and to understand the organisations policies and accepted practices. Ideally, not all training would be computer-based as people need time to talk through scenarios and learn from peers such as via interactive, discussion based forums.
  • Risk is part of the organisation’s DNA – thinking about risk does not mean being discouraging staff from taking risks. Taking risks is an important element of creativity and innovation, but ideally risk taking would be measured to avoid taking risks from which organisations or staff cannot recover. Thinking about what could go wrong (or right) and ways in which adverse consequences or likelihoods can be mitigated or proactively managed should ideally be part of the organisation’s cultural fabric.
  • Penalties are not applied for accidents, near misses or unintentional incidents – rather, a constructive approach that focuses on continuous improvement and lessons learned should be taken. Inquiries into organisations with poor risk culture found that poor organisational cultures are those where blame is apportioned, messengers are blamed, and where subordinates are too scared to tell the truth to senior management for fear of repecussions. Leaders cannot fix problems they know nothing about.
  • Staff feel comfortable speaking up about their peers – in my previous post on the critical path method and insider risk management, I spoke about the need for organisations to identify workers who are struggling (and may pose a security or integrity risk to the organisation by virtue of their situation). Peers who have a concern about a co-worker should ideally be able to confidentially raise these concerns without worry that the struggling co-worker will be fired or penalised, but rather supported.
  • Treating people fairly – where problems or allegations do arise, the workforce must know they will be treated fairly and that the principles of natural justice will be applied to the investigation and resolution of incidents.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Developing a Service Catalogue for fraud, security and integrity teams

Author: Paul Curwell

What is a Service Catalogue and why is it important?

Service Catalogues are receiving increased attention from Chief Operating Officers and business managers as organisations continue the digital transformation journey for internally-facing shared services teams. A Service Catalogue comprises the list of the service offerings (the ‘services menu’) for a functional team, making it easy for internal customers (stakeholders) to understand and access the team’s services.

Service Catalogues also create boundaries that define what a functional team will and will not do, particularly when developed in consultation with, and approved by, senior management. Optional or ‘nice to have’ services may simply not be feasible or affordable at a point in time – the service catalogue process provides a mechanism to agree these offerings and then align them with performance scorecards, resource availability, corporate strategy and internal policies.

Illustrative Service Catalogue
Illustrative Service Catalogue (Curwell, 2003)

How do you build one?

Building a Service Catalogue is a relatively straight forward process involving data collection and interviews or workshops. I typically use Microsoft Excel as my tool of choice for building the initial service catalogue. Once built, I may move this to Microsoft Sharepoint, JIRA or other solutions (see below) depending on the client’s strategy. There are six main steps involved in building a Service Catalogue:

  • Step 1 – Review the organisational chart and position descriptions: Organisational charts usually show the functions within a Business Unit (BU) or team which typically align to the main categories of service offering.
  • Step 2 – identify the main service offerings within each service category: this typically involves interviews or workshops with people in the respective team. The aim here is to understand everything team members do on a day to day basis, and to try and categorise these into distinct services.
  • Step 3 – populate the Service Catalogue template: based on responses gathered from Step 2.
  • Step 4 – remove duplications and deconflict services: sometimes there is a tendancy for team members to view a service as being completely distinct, when it is actually a variation of another service. Ideally, variation should be avoided where possible as this generates waste and errors (in lean six sigma language). If variations are required,
  • Step 5 – process map each service and prepare SOPs: Once each service has been identified, the business process should be mapped and any opportunities to streamline or increase process efficiency implemented. Standard Operating Procedures (SOPs) should be prepared for each service offering which align to the process map.
  • Step 6 – align the Service Catalogue with performance metrics, team resourcing and HR position profiles: Once developed, it is important to assign performance metrics to the team, such as the turnaround time (SLA) which an internal customer has to wait for a process to be completed (e.g. building passes for new hires will be issued within 24 business hours of lodging a request form). Team metrics, tracked through tools like Kanban boards, allow team leaders to implement daily standups with their team to focus effort on the highest priority tasks and remediate delayed or overdue tasks.
An example of a Service Catalogue template
An example of a Service Catalogue template (Curwell, 2023)

As illustrated by the six step methodology above, building a Service Catalogue is a relatively straightforward process that helps focus the attention of internal teams on core business.

A basis for improving governance, performance and team resourcing

Service Catalogues contribute to better governance and performance outcomes, enabling functional team leaders to clearly define what they do, how they do it, and the value it contributes to the business. Non-customer facing support functions are always under cost and resource pressure in any business: Service Catalogues should also align with performance scorecards to track service delivery against agreed KPIs.

white shirt sitting behind counter under television
Photo by PhotoMIX Company on

Employee position descriptions should align with the Service Catalogue, ensuring staff holding those roles are able to effectively perform the required functions without being over or under qualified. Capturing service delivery performance metrics, including time taken to execute each service and the number of requests for that service over a defined period of time also provides the data required to ‘right size’ the team headcount to suit business requirements, required service levels, and risk appetite.

Service Catalogues – an enabler of digital transformation

Every manager knows that resources are always limited – there is always more you should, could, or would like to be doing but time, cost and quality is a handbrake. Digital transformation is increasingly being adopted by internally facing services teams such as security, fraud, HR, finance, legal and others. The adoption of digital transformation tools, such as case management solutions, workflow management tools and process automation offers the chance to minimise manual handling and allow users to self-service, reducing demands on support staff.

lens display business market
Photo by RODNAE Productions on

Having done a few of these activities before, I often find that the Office of the CIO has procured an IT Service Management tool which can be easily adapted and redeployed for other non-IT Service Management tasks with an incremental increase in spend (typically licensing and configuration). Once developed, Service Catalogues are increasingly being implemented in online tools such as:

  • Atlassian JIRA – extremely popular and easy to use, Australian company Atlassian’s web-based JIRA solution makes it easy to track tasks and integrate workflows and decisioning for service requests.
  • ServiceNow IT Service Management – An increasingly popular and common option, ServiceNow is being rolled out as part of enterprise implementations to transform internal operations.
  • Microsoft SharePoint – One of the more enduring and common corporate intranet solutions, SharePoint can help streamline processes and workflows using a combination of SharePoint lists and tools such as Power Automate and Power Apps from a web browser.

These solutions provide simple opportunities to streamline and enhance service delivery and performance of internal services teams, and can form the basis for digital transformation across all shared services teams in any business. In a future article, I will provide a guide on implementing your Service Catalogue in JIRA.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Developing an compliance obligation register for your business

Author: Paul Curwell

What are compliance obilgations?

The importance of business integrity has increased over the past 10 – 15 years. Increased enforcement action by international regulators, culminating in hefty fines and prosecution, has occured in areas such as trade sanctions, bribery and corruption, modern slavery and anti-money laundering. Additionally, the ‘social licence to operate‘ for every business is gaining increased importance amongst communities globally, with businesses who behave unethically or inappropriately incuring the wrath of consumers.

man sitting in front of keyboard
Photo by Jopwell on

Compliance management, including complying with regulatory and policy obligations, is a fundamental component of business integrity (what the OECD refers to as ‘responsible business conduct‘). Understanding your compliance obligations and having actions in place to ensure your business complies with them is expected by regulators and consumers alike.

Illustrative example of a compliance obligation
Illustrative example of a compliance obligation (Curwell, 2023)

For business, managing compliance obligations has always been a challenge – they are not something which can be produced once and never refreshed. Legislation is constantly changing, international standards are being updated, and organisations regularly revising internal policies. The first step in managing your compliance obligations starts with building an obligation register customised for your business.

How do you build an obligation register?

The time and effort required to conduct this work depends on your business, your industry (highly regulated industries will have more obligations), and the jurisdictions you operate in. There are six main steps to building a obligation register for compliance management:

  1. Identify and map your compliance landscape – this step involves identifying all the regulation (legislation), international standards (e.g. ISO27001), and internal policies which create obligations that dictate the way your business, suppliers or employees / contractors need to operate. This may be most efficiently done using a combination of research, interviews and / or workshops or brainstorming – it is also a task you may wish to outsource.
  2. Build your obligation register template – this is the document that will utlimately become your Business Obligation Register. You may wish to do this in something like Microsoft Excel, Microsoft Sharepoint, Microsoft Word or in a database, such as a Governance Risk Compliance (GRC) system (see ‘the importance of regular updates’ for more detail). An example of a Business Obligation Register is illustrated below.
  3. Review the source documentation – for each compliance obligation (e.g. ISO27001, or your jurisdiction’s companies legislation), extract the relevant information, and populate the register. In some cases, you may need a lawyer to provide an interpretation on a specific obligation, or to help convert the interpretation of that obligation to the actual things you need to do to comply (i.e. the ‘plain english’ obligation).
  4. Map the populated obligations to your business’ internal control environment – identify what controls do you have in place to ensure compliance or mitigate the risk of non-compliance. Note this step does not consider the effectiveness or coverage of each control, which are related but separate concepts. I will write about this in a subsequent article.
  5. Review the final draft – this step should involve stakeholders involved in the previous steps, as well as a legal review to ensure nothing has been overlooked or misreprented prior to implementation.
  6. Publish your Business Obligation Register in a central location which can be accessed by line managers (you may want to make this version read only to avoid any unauthorised updates or accidental modifications). You should also implement a process to periodically update the register.
Illustrative Obligations Register in Microsoft Excel.
Illustrative Obligations Register in Microsoft Excel (Curwell, 2023).

What sort of data is captured in an obligation register?

There is no mandatory structure for an obligation register – the fields you wish to capture in your obligation register depend on your organisation. Common examples of data captured include:

  • Document type – such as legislation, policies, international standards etc.
  • Document reference – this might be an identification number (e.g. ISO9001). Typically you will have obligations from multiple sources in the same register.
  • Document name – e.g. “Consumer Act”
  • Version or date of last update – to allow for comparision of the Obligations Register to the source to determine whether current
  • Obligation wording – the original wording contained in the source document, word for word
  • Simple english obligation – some legislation is gibberish to non-lawyers, and requires a simple explanation of what the organisation needs to do to comply which can be understood by all staff
  • Priority or importance – this might be reflected by including penalty information, or showing how critical compliance with an obligation is to the business, to help inform management decisions. An example might be where a company states it will ‘endeavour to comply’ with ISO23001 (business continuity management), but is not actually ISO certified making compliance optional.
  • Applicable business unit / team – not every obligation is relevant to every team on the organisational chart, so capturing this makes compliance easier for line managers
  • Internal control name – what is the name of the control which mitigates non-compilance with the obligation?
  • Internal control identifier – many organisations have numbers for controls, such as where a control is part of a mapped business process
  • Internal control owner – sometimes, the owner of the control resides in a different team to the owner of the compliance obligation, meaning both parties need to communicate to ensure compliance.

As you can see, obligations registers vary in relation to content and structure, but the key element is to ensure executives know what their obligations are, and what steps (in the form of controls) the business has implemented to ensure compliance.

man standing on a rock
Photo by Andrei Tanase on

The importance of regular updates

As we have seen in previous paragraphs, it is important that an Obligation Register is up to date and reflects the organisation’s internal and external compliance obligations at that point in time. Building an obligations register from nothing takes substantial time and effort, but it can also get out of control if periodic updates are not made.

Modern tools and technology help make period updates comparatively easy, particularly whe n it comes to monitoring obligation sources for updates. Ways businesses can monitor for updates to compliance obligations include:

  • Subscribing to legislative update alerts on government websites in the juridsidiction(s) concerned.
  • Alternatively, businesses without internal resources to do this may seek to outsource this to lawyers or consultants, or purchase updates from commercial information vendors.
  • Monitor the relevant International Standards Organisation webpage to get updates on when standards are being refreshed that relate to your business
  • Ensure the Business Obligation Register owner is informed of any internal policy refreshes or updates, such as when they are tabled at management committees or the board for endorsement, to trigger the refresh process.

Better practice involves assigning responsibility for oversight of the overall obligations register to one person (ideally a senior executive) to ensure it is properly managed and updated, however there will typically be teams from across the organisation who manage the actual updates.

Example of free subscription to receive legislative updates (Australia)

Can a Governance, Risk and Compliance (GRC) system help?

Many organisations are increasingly using Governance, Risk and Compliance (GRC) systems to help manage compliance obligations, policy versions and refreshes, risk registers, control libraries and assurance tasks. GRC systems are a great idea, however they require considerable forethought in terms of design to ensure the way they work will accomodate business requirements.

As someone who has implemented a few different GRC systems for clients in the Financial Services and Mining industries, a number of vendors on the market haven’t really thought through the ‘GRC architecture’ and design, or have designed their systems by someone who doesn’t understand the complex relationships inherent in risk architecture, meaning some systems are more difficult to implement and operate than others. More on this in a future article.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Searching court records in Australia

A subject’s legal history says a lot about their integrity and suitability

Performing any sort of counterparty due diligence requires an understanding of the “whole person” (this applies to both individuals and legal entities). In financial sector or service delivery organisations, this is referred to as a “single view of customer” and is used to manage fraud risk, credit risk and regulatory compliance.

A subject’s legal history is an important element of the ‘whole person’; without it, managers may make decisions based on incomplete or inaccurate information only to regret it later. Performing legal checks requires an understanding of Australia’s courts to develop an informed search strategy.

grey concrete court-like building
Photo by Brett Sayles on

Australia’s court structure

In Australia, legal matters can be brought under State / Territory or Commonwealth law, as well as other mechanisms (such as professional standards schemes which are expected to regulate their members). Some dispute mechanisms are industry based.

State or Territory courts:

  • Local Court, County Court, Magistrates Court – hears most criminal and summary prosecutions and minor civil matters (e.g. <100,000). 95% of criminal cases commence at this level.
  • District Court (excluding TAS, NT and the ACT) – hears appeals from Local Court, serious criminal cases (excluding murder, treason), civil matters typically <$750,000.
  • Supreme Court – hears serious civil cases >$750,000 and serious criminal cases (including murder, treason and piracy).

Commonwealth (federal) courts:

  • Federal Court – has jurisdiction over 120 plus federal Acts of Parliament.
  • Family Court – jurisdiction over all divorces and maintainence over children and spouses.
  • High Court – primary role is to interpret and enforce the Constitution, amongst functions.

The State Library of NSW provides a useful overview of Australia’s courts and tribunals.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Where to search court records

Most Australian jurisdictions have consolidated their legal records, making the task of searching for a record relatively easy once you know what you are looking for:

JurisdictionCivil or CriminalSourceComments
NSWBothCaseLawGenerally within 24 hours
QLDBothCaseLawGenerally within 24 hours
VICBothMultiple WebsitesVaries
TASBothDecisionsPublished on AustLII*
NTBothMultiple Websites
Federal Court
Family Court
Federal Circuit
BothFederal Law Search
Federal CourtBothJudgementsReleased within 24 hours
@ForewarnedBlog (2022). Research.

* The Australian Legal Information Institute (AustLII) is jointly operated by the UTS and UNSW law faculties and aims to pubish public legal information, including primary and secondary legal materials. AustLII is not a primary source.

NSW Caselaw advanced search interface
NSW CaseLaw – advanced search interface

Criminal Records are considered ‘sensitive information’ under the Privacy Act

Note that searching court records is different to a National Police Check (‘criminal history check’). Under the Privacy Act 1988 (Cth), an individual’s criminal record is considered a category of sensitive information.

A National Police Check is the appropriate mechanism to understand whether an individual has a criminal record (such as for workforce screening purposes or before contracting with the management team of a prospective business partner). The National Police Check process considers important factors such as Spent Convictions.

Importantly, performing a National Police Check in Australia requires the individual’s informed consent.

How do you search court records?

Public Record checks are typically performed at the early stages of any due diligence or vetting process, once you have a clear understanding of the scope and parties involved. A typical process for searching court records is as follows:

1. Identify the full legal name of all entities and individuals, including close associates and related parties.

2. Determine which databases to query and over what timeframe. The scope and your professional judgement will set the timeframe, whilst jurisdiction is dependent on what you know (or need to know) about the subject. In some cases, a negative search result (i.e. no results returned for a party name) may be all need to know. If you have no idea where they have lived or operated, search every database (you may also need to search overseas).

3. Perform the search(es) and review the results. On the first pass, I use a spreadsheet to manage my searches and put all results in one of three categories: no match, possible match, match. Matches mean there is a record involving your subject (i.e. not another party with the same name). Possible match means you need to spend more time working out whether it’s your subject or not.

4. Assess the implications of your results

Vetting or due diligence is not simply about database checks – anyone can do this. Done properly, background investigations involve identifying potential risks based on what is and is not present (but should be), before determining the implications and what to do about them.

This is where diligence becomes an art. There is nothing in a database to tell you what is missing – this comes down to professional experience, judgement and skill.

Paul Curwell (2022). REfer Chapter 8 in ‘Terrorist Diversion’

5. Identify any other leads which need to be followed up.

6. Update your working papers or case notes, including what you did, when, where and the outcome. Databases and the internet change all the time, so a record that was there five minutes ago may be different when the same search is re-performed.

person working on black laptop
Photo by EVG Kowalievska on

Primary versus Secondary Sources

Wherever possible, primary (original) sources should be used. Secondary source vendors are often more expensive, yet serve two main purposes:

  • For companies that are willing to accept the risk of a record being inaccurate, incomplete, missing or out of date, secondary sources may offer an efficient alternative which enables multiple types of searches to be performed from a single location (e.g. court records, credit ratings, company ownership, land titles) as well as the ability to automating record search and retrieval to your case management system via API.
  • For investigators, secondary sources provide a handy way of quickly identifying potential relationships, transactions or other records which can the be verified via the primary source. Some vendors offer the ability to search all fields in a record, unlike the limited search functionality often offered by primary vendors.

When it comes to secondary, sources, Caveat Emptor: (1) they are not a primary source (hence they could be incomplete or out of date), and (2) they are often a ‘black box’ in terms of search parameters, so you may not actually know what is or is not being searched (some vendors have a nasty habit of changing search functionality without informing their customers, so what worked when you undertook your diligence one week may be completely different the next).

Court Lists

Court lists are published online in most Australian jurisdictions to inform parties to a case when and where they need to be. Often, court lists are published temporarily and subsequently removed. They are not an authoritative source.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.