Product Serialisation – a tool to help counter diversion and illicit trade

When was the last time you bought diverted product?

Illicit trade and diversion are a problem that keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?

If you’re a regular online shopper, the chances are good that you’ve come across illicit product, possibly without knowing it.

I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.

Only the logo and product name were in English – everything else was in Indonesian.

My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.

To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.

Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.

Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.

Serialisation can help improve supply chain integrity and counterdiversion

When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – is assigned to individual items or products in the supply chain.

In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.

Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”

European Union Agency for Network and Information Security (2015)

Serialisation offers benefits to Supply Chain Integrity:

  • Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
  • Provenance – Serialisation itself will not establish provenance (unless serialisation uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
  • Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs
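
The traceability and authenticity checks above can be sketched as a lookup of test-purchase scans against the manufacturer's serial registry. This is an added example, not code from the original article; the registry layout, serial numbers, product code, market codes and distributor names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data (hypothetical serials, product code and distributors).
# The registry records, for every serial issued, which product it was applied
# to, the market it was authorised for and the distributor it was shipped to.
REGISTRY = {
    "SN-0001": {"product": "TALC-200G", "market": "ID", "shipped_to": "Distributor A"},
    "SN-0002": {"product": "TALC-200G", "market": "ID", "shipped_to": "Distributor A"},
    "SN-0003": {"product": "TALC-200G", "market": "AU", "shipped_to": "Distributor B"},
    "SN-0004": {"product": "TALC-200G", "market": "ID", "shipped_to": "Distributor C"},
}

# Units scanned during test purchases ('mystery shopping') in one market.
SCANS = [
    {"serial": "SN-0001", "product": "TALC-200G", "bought_in": "AU", "seller": "online-shop-1"},
    {"serial": "SN-0002", "product": "TALC-200G", "bought_in": "AU", "seller": "online-shop-1"},
    {"serial": "SN-0003", "product": "TALC-200G", "bought_in": "AU", "seller": "pharmacy-7"},
    {"serial": "SN-9999", "product": "TALC-200G", "bought_in": "AU", "seller": "online-shop-2"},
    {"serial": "SN-0004", "product": "TALC-200G", "bought_in": "AU", "seller": "online-shop-2"},
    {"serial": "SN-0004", "product": "TALC-200G", "bought_in": "AU", "seller": "online-shop-3"},
]


def classify_scans(registry, scans):
    """Return one (serial, seller, status) tuple per scanned unit."""
    seen = Counter(scan["serial"] for scan in scans)
    results = []
    for scan in scans:
        record = registry.get(scan["serial"])
        if record is None:
            status = "UNKNOWN_SERIAL"      # never issued: possible counterfeit
        elif record["product"] != scan["product"]:
            status = "PRODUCT_MISMATCH"    # serial belongs to a different product
        elif seen[scan["serial"]] > 1:
            status = "DUPLICATE_SERIAL"    # a unique serial seen twice: possible copy
        elif record["market"] != scan["bought_in"]:
            status = "OUT_OF_MARKET"       # authentic unit, wrong market: possible diversion
        else:
            status = "OK"
        results.append((scan["serial"], scan["seller"], status))
    return results


def leak_points(registry, results):
    """Count out-of-market units by the distributor they were originally shipped to."""
    return Counter(
        registry[serial]["shipped_to"]
        for serial, _seller, status in results
        if status == "OUT_OF_MARKET"
    )


if __name__ == "__main__":
    findings = classify_scans(REGISTRY, SCANS)
    for row in findings:
        print(row)
    print(dict(leak_points(REGISTRY, findings)))
```

The second function is where traceability pays off: an out-of-market unit is traced back to the distributor that originally received it, which gives an investigation a starting point.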

Given the safety risks associated with illicit product, it’s no wonder the pharmaceutical industry is a leading adopter of serialisation:

  • The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
  • The 2019 European Union Falsified Medicines Directive (FMD) applies only to prescription medicines produced, imported or distributed in the EU.
  • The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
  • India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).

Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.

How does serialisation work?

Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:

  • Pallet
  • Consignment
  • Packaging (item and carton levels)
  • Labelling
  • Item

To maximise efficiency, serialisation markings must be machine-readable and are typically applied via three techniques:

  • Barcodes
  • QR codes
  • Data Matrices

According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:

  • A large data carrying capacity
  • Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
  • The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.

How can small-medium businesses access the benefits of serialisation?

It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.

As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Towards a taxonomy for product diversion

    What is product diversion?

    Those who follow my blog will know that diversion is something I wrote about reasonably often. The reason for this is simple – diversion has a multiplier effect on the business supply chain. It doesn’t just result in a financial loss like theft does, but it also impacts the profitability and engagement of your distributors, the integrity of your channels (in terms of being able to control who sells your product, the quality and integrity of that product, and at what price), and consumer satisfaction in terms of brand perception, warranty coverage and customer service.

    How does product diversion occur?

    I started researching diversion more generally before Oliver May and I wrote our book ‘Terrorist Diversion’ for the non-profit sector. Unfortunately diversion happens everywhere in business, but the way it happens differs by industry and product. One challenge with diversion is that it can be hard to grasp how it actually happens – diversion is part theft, part fraud, and part breach of contract. To illustrate, when I discuss product diversion with clients, there are six main risks I start with, as follows:

    1. Expired, defective or out-of-specification (non-conforming) product is diverted from destruction or reverse supply chains and sold as conforming (on-specification) product
    2. Product authorised for sale in one market (e.g. Country X) is actually sold in another, unauthorised market (e.g. Country Y) in breach of contractual obligations between distributors / end users and the manufacturer
    3. Product is stolen from the distribution or supply chain and diverted (sold)
    4. Product is acquired, repackaged and on-sold by a third party or unrelated party
    5. Product sold by a manufacturer for non-domestic use is subsequently sold or re-imported for sale / use domestically in that country
    6. On-specification (conforming) product is produced by an authorised manufacturer (i.e. a third party) without permission from the Intellectual Property Rights Holder, through practices such as overproduction (see my previous article on Shadow Manufacturing), with that excess conforming product being sold without approval

    In my previous article on Typologies, I mentioned the importance of getting to what I typically call “level 3 risks” – effectively drilling down to three levels of detail that describe how and where each diversion risk may arise in relation to factors such as your business’s organisational structure, channels and products.

    Whilst I won’t be publishing them here due to length, I’ve identified over 25 different ‘Level 3 diversion risks’ at the time of writing. Each of these risks materialises in a different place in the supply chain and has different actors, demonstrating the breadth and complexity of this issue. If your business is experiencing product diversion issues, only focusing on a discrete element of diversion may not solve your broader problem.

    If you are concerned about product diversion in your supply chain, you may want to start with my risk taxonomy and customise it to your business. Remember not every risk will apply in your situation, but it is important to understand how and where diversion can occur in your business.

    Who perpetrates product diversion?

    Product Diversion is predominately a ‘trusted insider risk‘ perpetrated by someone within your organisation or supply chain who has privileged access to your products, processes and information. There are two exceptions to this, one being the involvement of buyers (end users) who purchase conforming product in bulk for unauthorised resale, and the second being criminals who perpetrate cargo or warehouse theft to resell stolen product on the commercial market. Perpetrators of product diversion typically include:

    • Employees
    • Contractors
    • Business Partners
    • Suppliers and Service Providers (e.g. reverse logistics, repackaging companies)
    • Organised Crime (warehouse and cargo theft)
    • Unauthorised End Users (see my previous article on the importance of End User Verification)
    • Contract Manufacturers

    In some cases, collusion between one or more groups will occur, as well as criminal infiltration between external organised crime and trusted insiders. Trying to perpetrate larger scale or ongoing product diversion as an individual may be challenging and lead to early discovery. In this case, networks such as organised fraud syndicates tend to emerge.

    Where does product diversion arise in your supply chain?

    As with any crime, we always talk about means, motive and opportunity as three legs of the crime triangle. Without all three elements, crime is unlikely to occur. From my work, I have identified four main ‘motives’ which should be considered alongside the product diversion risk taxonomy I presented above:

    • Steal for self: where a trusted insider diverts the product for their personal use (this is typically small-scale or opportunistic, and commonly falls under the definition of ‘theft’ or ‘occupational fraud’ as opposed to product diversion, which is generally larger in scale and more organised)
    • Steal for sale: where a trusted insider with legitimate access to the product (including employees of third parties such as suppliers) diverts the product in higher quantities for commercial sale
    • Buy for resale: where a fake end user purchases product, potentially at a discount, for resale in one or more Territories (countries / regions)
    • Buy then dispose: where a legitimate end user purchases product then resells / disposes of product to a liquidation firm (such as a retailer who purchases stock but is unable to sell that stock within an acceptable period)

    If you are responsible for managing these risks in your organisation, remember that some positions in your organisation will provide greater access and / or opportunity to perpetrate diversion than others. For the purposes of your security or insider threat management program, you need to consider these High Risk Roles.

    High Risk Roles are those positions in your organisation (or in your supplier or business partners’ organisation) that confer privileged or unsupervised access to your critical assets – in the case of diversion, this could be a warehouse manager or team managing reverse logistics and destruction of expired or non-conforming product. My article on High Risk Roles provides more information here.

    Key areas where product diversion can occur include:

    • Warehouses
    • Distributors
    • Wholesalers
    • Retailers
    • Factories
    • Contract Manufacturing Organisations
    • Third Party Logistics companies
    • Liquidation companies
    • Repackaging companies
    • Product returns companies
    • End Users (e.g. for resale)
    • Other resellers

    As you can see, product diversion can happen anywhere in the supply chain. However, some of the product diversion risks presented in my taxonomy will only manifest in specific parts of the supply chain and / or involve specific actors. This needs to be considered in any risk assessment and treatment plans.


    As you can see, product diversion is a complex type of fraud which requires considered thought and planning in order to mitigate. Understanding how and where risk events may materialise is important, as is understanding the perpetrator and their motives. Access to data, and use of data analytics and intelligence is critical to mitigating your organisation’s risk to within your risk appetite.

    What’s the problem with conflicts of interest?

    What are conflicts of interest?

    At their core, conflicts of interest are about integrity. ‘Conflicts of interest’ arise in situations where employees or third party legal entities such as vendors or business partners (including employees of those third parties) could be influenced, or where it could be perceived that they are influenced, by a ‘personal’ interest in carrying out their duty (Commonwealth Ombudsman 2017).

    In this sense, ‘personal’ interest refers to perceived or actual benefits being derived, ranging from money to relationships or reputation. There are three forms of conflicts of interest (Commonwealth Ombudsman 2017):

    • Actual conflict – where a direct conflict arises between an individual or entity’s personal interest and their fiduciary duties
    • Perceived conflict – situations where others might perceive a conflict (even if an actual conflict does not exist)
    • Potential conflict – situations which in the future could give rise to an actual or perceived conflict of interest but have not yet happened

    Are conflicts of interest fraud?

    Conflicts of interest are considered one of four ‘corruption schemes‘ by the Association of Certified Fraud Examiners (ACFE), the other three being bribery, illegal gratuities, and economic extortion. However, unlike some types of fraud, an actual conflict of interest only becomes fraudulent if it is not declared.

    Declaring a conflict of interest (whether actual, perceived or potential) provides an opportunity for it to be managed, which could include the conflicted party recusing themselves from the conflicting situation or decision, or declaring this conflict to peers (such as where a board member is conflicted through multiple interests).

    How do conflicts of interest arise?

    Conflicts of interest can arise either intentionally or unintentionally (Commonwealth Ombudsman 2017):

    • Intentional conflicts occur where an individual or legal entity knowingly puts itself in a conflicting situation. This could arise where a potential conflict is entered into with the full knowledge of all affected parties (and appropriately managed), or where the party gaining a personal benefit attempts to conceal the conflict (fraud)
    • Unintentional conflicts arise from poor management or awareness by affected parties, such as where employees do not receive conflicts of interest awareness training, or employers do not have conflicts of interest policies or require attestations.

    Declarations – a key part of conflicts management

    Conflicts of interest are all about transparency, or the lack thereof. Declarations are a key component of managing conflicts. Irrespective of whether an employee, contractor, supplier or potential business associate, businesses need to understand what (if any) potential conflicts they may have and work through a process to evaluate them.

    Typically, the easiest way of managing conflicts of interest is avoiding them, but this is not always possible. Where a conflict does or may arise, it must be evaluated – sometimes this process can be quite onerous.

    The U.S. National Academies of Sciences (NAS) notes that “conflicts are not binary (present or absent)”, and that they “can be more or less severe”. The NAS identifies two factors to assist decision makers when evaluating a conflict of interest declaration, being (a) the likelihood of undue influence by the secondary interest, and (b) the seriousness of the outcome. The NAS presents this useful rubric for assessing conflicts of interest:

    Likelihood of undue interest | Severity of potential harm
    What is the value of the secondary interest? | What is the value of the primary interest?
    What is the scope of the relationship? | What is the scope of the consequences?
    What is the extent of discretion? | What is the extent of accountability?
    NAS (2009) – Chapter 2 Principles for Identifying and Assessing Conflicts of Interest

    Depending on severity or perceived harm, treating a conflict of interest may require removing the conflicted individual / entity from the decision making process, or in other cases severing the business relationship entirely. Exactly how you need to manage a conflict depends on the situation (noting that in some cases there may be applicable legislation which will also govern this).

    Good practice requires organisations to collect information on conflicted individuals or entities regularly – there is no set timeframe for this, but an annual declaration coupled with voluntary event-based disclosures by the affected party if they arise, makes sense for most organisations. Any more frequent and the program can be difficult to manage, whilst a longer gap between declarations can give employees the impression that conflicts aren’t important, as well as meaning the organisation is working on out of date information.

    Once conflicts are identified and confirmed, managers of those employees or affected contracts (e.g. vendor managers) must be made aware of the conflict and charged with managing the risk in accordance with the organisation’s agreed treatment plan.

    The challenge of detecting undeclared conflicts

    Managing declared conflicts can be challenging enough for large organisations, however detecting them is something different altogether. Without a properly structured approach it is possible to spend a lot of time, effort and money without identifying anything conclusive.

    In the absence of an allegation, such as a tip-off from a whistleblower or competing vendor, organisations seeking to be proactive in detecting potential undeclared conflicts should focus their resources on the business units, processes, people or vendors of highest risk. The ACFE identifies three main types of conflict of interest scheme (Wells, 2007):

    • Purchasing Schemes – where a conflicted party manipulates the victim’s purchasing process to the benefit of the entity to which they are conflicted
    • Sales Schemes – where the conflicted party negotiates discounts or processes write-offs to benefit the entity to which they are conflicted
    • Other schemes – where the conflicted party diverts funds, clients / sales leads, and / or resources such as equipment from their employer to the entity to which they are conflicted for the conflicted entity’s benefit

    Each of these categories of scheme is comprised of a number of typologies (perhaps best thought of as variations), some of which are more easily detected than others.

    As you can see, conflicts of interest schemes can arise amongst employees in sourcing and procurement or sales and marketing roles; however, this is not exclusively the case. Conflicts of interest are generally quite complex to both detect and investigate. Typical methods of detecting conflicts include fraud data analytics (fraud detection) and investigative techniques including (Wells, 2007):

    • Supplier vetting or due diligence (and comparison of ownership data with employee and contractor names and other indicators, such as phone numbers)
    • Matching of supplier / vendor and employee identifiers (e.g. address, phone number data)
    • Identification of employees who take up employment with a vendor after termination
    • Tipoffs and complaints, including from other disaffected vendors who are losing work as a result of the corruption scheme as well as employees who notice inconsistencies or favouritism
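
    The identifier-matching technique in the list above, as an added example that is not part of the original article. All employee and vendor records are constructed, the field names are assumptions, and the phone normalisation assumes Australian numbering (+61 replaced by a leading 0).

```python
import re

# Constructed sample records; names, numbers and addresses are fictitious.
EMPLOYEES = [
    {"id": "E100", "name": "Jordan Avery", "phone": "+61 412 345 678",
     "address": "12 Example Street, Springfield"},
    {"id": "E101", "name": "Sam Patel", "phone": "0400 111 222",
     "address": "Unit 3, 9 Sample Rd, Shelbyville"},
]
VENDORS = [
    {"id": "V900", "name": "Acme Supplies", "phone": "0412345678",
     "address": "PO Box 5, Capital City", "directors": ["Lee Wong"]},
    {"id": "V901", "name": "Northwind Pty Ltd", "phone": "02 5550 0000",
     "address": "3/9 Sample Road Shelbyville", "directors": ["S. Patel"]},
    {"id": "V902", "name": "Globex Trading", "phone": "03 5550 0199",
     "address": "88 Placeholder Ave, Ogdenville", "directors": ["Alex Chen"]},
]

ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive"}
NOISE = {"unit", "apt", "apartment", "level"}


def norm_phone(phone):
    """Digits only; +61 international prefix folded to the national leading 0."""
    digits = re.sub(r"\D", "", phone or "")
    if digits.startswith("61") and len(digits) == 11:
        digits = "0" + digits[2:]
    return digits


def norm_address(address):
    """Lower-case, strip punctuation, expand abbreviations, drop unit labels."""
    tokens = re.sub(r"[^a-z0-9]+", " ", (address or "").lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens if t not in NOISE)


def name_key(name):
    """(first initial, surname): a deliberately loose key, so a weak indicator."""
    tokens = re.sub(r"[^a-z ]+", " ", (name or "").lower()).split()
    return (tokens[0][0], tokens[-1]) if tokens else None


def find_links(employees, vendors):
    """Return {(employee_id, vendor_id): [reasons]} for every shared identifier."""
    links = {}
    for emp in employees:
        e_phone, e_addr = norm_phone(emp["phone"]), norm_address(emp["address"])
        e_name = name_key(emp["name"])
        for ven in vendors:
            reasons = []
            # Empty values never match each other: blank fields are not a link.
            if e_phone and e_phone == norm_phone(ven["phone"]):
                reasons.append("phone")
            if e_addr and e_addr == norm_address(ven["address"]):
                reasons.append("address")
            if e_name and e_name in {name_key(d) for d in ven.get("directors", [])}:
                reasons.append("director_name")
            if reasons:
                links[(emp["id"], ven["id"])] = reasons
    return links


if __name__ == "__main__":
    for pair, reasons in find_links(EMPLOYEES, VENDORS).items():
        print(pair, reasons)
```

    A match is a lead for review against the declarations register, not a finding: shared surnames and serviced-office addresses produce false positives.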

    A well designed integrity program, inclusive of appropriate internal controls in key areas (such as purchasing), awareness programs and annual attestations can help mitigate the risk of these insider threats. Perhaps most importantly though, these same practices must extend to third parties, whether a vendor, business partner or other classification. A third party’s employees or contractors in positions which place the contracting entity at risk must be managed and monitored closely, sometimes with even more scrutiny than may be applied to the contracting entity’s staff – this decision is dependent on where the risk lies, and the inherent and residual rating of that risk.

    Theft of fuel from HMS Bulwark – a diversion case study

    What happened?

    This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, the diesel was siphoned from a tanker in a heist that reportedly “ran for weeks”, with most of it having been “flogged on the black market”. Some articles claim the fuel was being used to run diesel generators on HMS Bulwark whilst it is alongside and undergoing refit.

    HMS Bulwark, Albion-class assault ship, Royal Navy, United Kingdom

    Further details on the case are limited, other than the fact that the case is under investigation by the UK Ministry of Defence and that the alarm was raised when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurrence – as a perishable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternately consumed for personal use.

    A case of diversion or shrinkage? Motive is key

    The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

    Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

    To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,000 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.

    So does this activity equate to shrinkage or diversion?

    • Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
    • Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

    In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain“.

    How can these types of product diversion events be detected generally?

    Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

    • 42% of business frauds globally are detected via tip offs,
    • 16% through internal audit, and,
    • 12% through management review.

    Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

    When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.

    From my understanding of the situation, there are at least four primary records that, when ‘joined‘ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

    • Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
    • Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
    • Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
    • Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery including fuel quality records through onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel received.

    These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.
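
    The four-way join described above, sketched as an added example that is not part of the original article. The records are constructed, the field names and the shared delivery_id key are assumptions, and the 0.5% tolerance for metering error is an illustrative figure, not a standard.

```python
# Constructed sample records for four deliveries; all values are illustrative.
ORDERS = [
    {"delivery_id": "D001", "date": "2022-03-01", "litres_ordered": 40000},
    {"delivery_id": "D002", "date": "2022-03-02", "litres_ordered": 40000},
    {"delivery_id": "D003", "date": "2022-03-03", "litres_ordered": 40000},
]
GATE_LOG = [  # tanker truck records captured at the security gate
    {"delivery_id": "D001", "tanker_capacity": 43900},
    {"delivery_id": "D002", "tanker_capacity": 43900},
    {"delivery_id": "D003", "tanker_capacity": 43900},
    {"delivery_id": "D004", "tanker_capacity": 43900},  # no order on file
]
TRANSFERS = [  # fuel transfer records kept by the supplier or driver
    {"delivery_id": "D001", "litres_transferred": 40000},
    {"delivery_id": "D002", "litres_transferred": 40000},
    {"delivery_id": "D003", "litres_transferred": 39950},
]
RECEIPTS = [  # fuel receipt records kept by the customer
    {"delivery_id": "D001", "litres_received": 39980},
    {"delivery_id": "D002", "litres_received": 39120},
    {"delivery_id": "D003", "litres_received": 39940},
]


def by_id(rows):
    return {row["delivery_id"]: row for row in rows}


def reconcile(orders, gate_log, transfers, receipts, tolerance=0.005):
    """Join the four record sets on delivery_id and return (id, rule, detail) findings."""
    o, g, t, r = (by_id(x) for x in (orders, gate_log, transfers, receipts))
    findings = []
    for did in sorted(set(o) | set(g) | set(t) | set(r)):
        if did not in o:
            findings.append((did, "NO_ORDER", "activity recorded with no matching order"))
            continue
        ordered = o[did]["litres_ordered"]
        if did not in g:
            findings.append((did, "NO_GATE_ENTRY", "order has no tanker entry at the gate"))
        if did not in r:
            findings.append((did, "NO_RECEIPT", "order has no customer receipt record"))
            continue
        received = r[did]["litres_received"]
        if ordered - received > tolerance * ordered:
            findings.append((did, "SHORT_VS_ORDER", f"{ordered - received} L below order"))
        if did not in t:
            findings.append((did, "NO_TRANSFER_RECORD", "supplier supplied no transfer record"))
            continue
        moved = t[did]["litres_transferred"]
        if moved - received > tolerance * moved:
            findings.append((did, "SHORT_VS_TRANSFER", f"{moved - received} L lost in transfer"))
        if did in g and moved > g[did]["tanker_capacity"]:
            findings.append((did, "OVER_CAPACITY", "claimed transfer exceeds tanker capacity"))
    return findings


def shortfall_litres(orders, receipts):
    """Total ordered-minus-received volume across deliveries that have both records."""
    o, r = by_id(orders), by_id(receipts)
    return sum(o[d]["litres_ordered"] - r[d]["litres_received"] for d in o if d in r)


if __name__ == "__main__":
    for finding in reconcile(ORDERS, GATE_LOG, TRANSFERS, RECEIPTS):
        print(finding)
    print("cumulative shortfall (L):", shortfall_litres(ORDERS, RECEIPTS))
```

    Small per-delivery differences stay inside the tolerance, which is why the cumulative shortfall is worth tracking alongside the per-delivery findings.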

    What other preventative and detective controls might be relevant in this scenario?

    In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

    • Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over- deliver. There may be two such devices in this example – (1) the tanker truck and (2) HMS Bulwark.
    • Quality checks should be performed by the customer to ensure the diesel is appropriate quality and that product substitution has not occurred (e.g. fuel diluted with another substance, fuel sitting on top of a heavier substance to give the appearance of conformance).
    • GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
    • IOT sensors may also be attached to fuel lines or gauges, to confirm quality and volume of product in real-time as it is decanted from the tanker to the fuel storage tank.
    • High-value or sensitive facilities should be subject to a range of physical security measures.
    • Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occurred in this case)

    As you can see, the Internet of Things (IOT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real-time.

    Lessons learned – what to do about it?

    Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss, is the foundation of a proactive approach to managing diversion risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.


    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Understanding the risk of organised crime infiltration in your business

    What is Serious Organised Crime anyway?

    The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or their employees’ positions, to facilitate their own or others’ criminal activity. Before we get carried away with the idea that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

    • Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
    • Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportunities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
    • Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
    • Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
    • Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)

    It’s important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).


    Common activities of serious organised crime – is there a nexus with your business?

    Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. I have compiled the following list of offences based on information published by the FBI and ACIC:

    • Bribery
    • Currency Counterfeiting
    • Embezzlement
    • Fraud schemes
    • Cybercrime
    • Investment and financial market fraud
    • Revenue and tax fraud
    • Credit card fraud
    • Superannuation fraud
    • Money Laundering
    • Murder for Hire
    • Drug Trafficking
    • Prostitution
    • Exploitation of Children
    • Organised retail crime
    • Human Trafficking and Slavery
    • Intellectual Property Crime – including Counterfeit Goods
    • Illegal Sports Betting
    • Cargo Theft
    • Sale and distribution of stolen property
    • Murder
    • Kidnapping
    • Gambling
    • Arson
    • Robbery
    • Extortion
    • Tobacco and firearms smuggling
    • Vehicle theft


    What we know about Serious Organised Crime in Australia today

    Detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

    | Illicit Commodities | Serious Financial Crime | Specific Crime Markets | Crimes Against the Person |
    |---|---|---|---|
    | Narcotics | Cybercrime | Visa & Migration Fraud | Exploitation of Children |
    | Illicit Pharmaceuticals & Anaesthetics | Investment & Financial Market Fraud | Environmental Crime | Human Trafficking & Slavery |
    | Performance Enhancing Drugs (e.g. steroids) | Revenue & Taxation Fraud | Intellectual Property Crime | |
    | Illicit Tobacco | Superannuation Fraud | | |
    | Illicit Firearms | Credit Card Fraud | | |

    Source: ACIC (2017). Serious Organised Crime in Australia, Canberra

    Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

    The role of criminal enablers

    Some organisations may not be directly of interest to organised crime groups (OCG), but they may be recognised as having something or someone who can enable or facilitate the group’s objectives. Examples here include access to information, professional facilitators (e.g. lawyers, accountants, trust & company service providers), systems (e.g. being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

    The Australian Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

    • Money laundering
    • Technology
    • Professional facilitators
    • Identity crime
    • Public Sector corruption
    • Violence and intimidation

    Enablers can be targeted by organised crime either directly (e.g. a group leases warehouse space for its own activities) or through employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.


    What can be done about the risk of organised criminal infiltration?

    So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowingly) support them. The next question is what to do about it.

    The starting point for any business leader concerned about potential organised criminal infiltration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

    With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

    1. Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
    2. Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risks such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
    3. Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give access to your critical assets, and the types of employment screening (background investigation) and continuous insider threat detection programs that may be required to mitigate the risk.
    4. Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks identified in your Security Risk Assessment and Personnel Security Risk Assessment.
    5. Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

    Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licensed by the State Police to give security advice in the relevant Australian jurisdiction. You can also read this advice from ASIAL, the Australian Security Industry Association.


    Los Angeles rail hijackings – a form of cargo theft

    What is going on?

    Recently, there has been substantial coverage of the hijacking of goods trains by thieves on Los Angeles (LA) goods lines (McFarland & Mossburg 2022). Images of damaged or discarded shipments from distributors to consumers (end users) strewn across the train tracks are common, as are photos of railway police trying to apprehend individuals and small groups running along the tracks.


    Reportedly, these criminals force entry to either stationary or slow-moving goods trains, ransacking any items which appear to be of value. Since they have been doing this for a while now, one must presume they have learned what more expensive packages look like (e.g. branded shipping boxes, specific logos) and that these are likely selected over lower value items (see my previous article here). Additionally, media reporting also stated that larger, harder to move goods are discarded on the train tracks in favour of smaller items easily transported by a single human trying to flee the scene quickly. This activity is a form of Cargo Theft.

    What is cargo theft?

    The prevention of cargo theft is a core pillar of any supply chain security program, ensuring goods are not stolen in transit either from the factory to a distributor (for larger or bulk shipments), or distribution centre to end user (as appears to be seen in this example).


    How does cargo theft impact brand integrity?

    When cargo theft occurs in bulk, there is a real risk the diverted product is moved into grey markets (gray markets) or alternatively that stolen product is infiltrated into legitimate supply chains, and then on-sold to end users (see Sugden 2009). An example of the scenario that occurs here is where an authorised distributor is approached by a purported ‘wholesaler’ to purchase legitimate (non-counterfeit) stock at a discount to prices set by the manufacturer or standard wholesale prices.

    In this scenario, distributors may knowingly or unknowingly purchase stolen but non-counterfeit product and then sell this to end users, with three potential business impacts:

    • The manufacturer is disadvantaged through erosion of their profit margins,
    • A ‘legitimate market’ is created for the stolen goods through poor purchasing controls by the distributor, and,
    • Potential future revenue leakage and brand damage to the manufacturer through services and warranty fraud, if a customer who purchased the non-counterfeit good from an authorised distributor makes a claim.

    Cargo Theft Typologies

    According to the latest BSI Survey on Supply Chain Risks (2020), there are four primary cargo theft typologies (note the report does not define each typology; I have added my own definitions here):

    1. Hijacking – where the vehicle (truck, train, plane, ship) carrying the goods is stopped and control is taken of the entire vehicle. Typically, vehicles are taken to a third location controlled by the hijackers for unloading and disposal. Hijackers may be working in collusion with trusted insiders (e.g. drivers or warehouse staff).
    2. Theft from a vehicle – whereas hijacking involves the whole vehicle, this typology involves stealing selected goods from the vehicle (e.g. specific boxes), and is what we see in the LAX examples.
    3. ‘Slash and grab’ – when cargo is transported in soft skinned trucks, the vinyl or canvas covers can be slashed and any items to hand quickly stolen.
    4. Other – undefined typologies, presumably including theft by employees or third parties as well as fraud (e.g. claims of shipments being damaged as cover for theft).

    According to BSI, cargo theft primarily occurs in six geographical locations:

    • In-transit – whilst the vehicle is moving (e.g. slowed due to traffic congestion, stopped at traffic lights or an accident)
    • Rest areas – trucks carrying high value cargo without two drivers are at risk when the driver stops for a break or sleep
    • Warehouse – there are at least two risks here:
      • Theft from warehouse by criminals (e.g. breaking & entering) with no insider involvement
      • Inventory theft or fraud by trusted insiders (e.g. employees)
    • Unsecure roadside parking – where a loaded vehicle is parked either at the point of origin or destination
    • Freight facility – where multiple trucks / trains are unloaded in a single location
    • Other locations – these are not defined

    How do the proceeds of cargo thefts end up in grey markets?

    We sometimes see high value goods, such as stolen motor vehicles, being exported from the jurisdiction where the theft occurred (e.g. the USA) to an overseas jurisdiction where the product is in high demand and where criminals can obtain substantial profit margin on the sale of the stolen goods.

    It might also be common to see consumer products being sold online (either individually or in bulk) by either a business or individual seller, or sold to authorised or unauthorised distributors [an ‘authorised distributor’ is defined as one which has a signed distribution agreement with the manufacturer or Intellectual Property Rights (IPR) owner and is conducting their business operations in the geographic area(s) stated in the agreement].

    In the case of the LA activity, the stolen goods seem to be packages shipped from distributors which are stolen before delivery to the consumer (end user), rather than bulk shipments (e.g. multiple copies of the same product). These stolen goods can also be sold online, in person through social networks or street corners, or local flea markets.


    What can be done to help mitigate this type of cargo theft?

    There are three main strategies that can be employed to mitigate the types of risks seen in Los Angeles, as follows:

    • Physical Security (including use of tamper evident seals) – appropriate (i.e. risk-based) physical security should be part of any Supply Chain Security program. This may be the responsibility of the logistics provider (i.e. a third party) or the manufacturer. Most shipments are covered by insurance against theft or damage, but this may be subject to exclusions.
    • Market Surveillance – a robust market surveillance program is essential for the protection of your products, IPRs and ongoing brand integrity. This involves using Open Source Intelligence (OSINT) techniques to monitor physical and online markets (e.g. flea markets, online market places like eBay and Gumtree) as well as social media for sales of your products, monitoring pricing (pricing surveillance), conducting test purchases (to determine the origin of the product for diversion and grey market purposes), and identification of sellers to determine whether they are authorised or unauthorised.
      • This data should be added to a Graph database to facilitate Social Network Analysis and other intelligence analysis and investigative methods which might help to identify the criminal value chain and map organised crime groups involved in this activity.
    • Collection and analysis of incident data – in my previous post on product fraud and security risk assessments, I discussed the importance of capturing current and historical incident data for analysis. The sorts of questions you need to ask of your data here include whether there are any common themes or trends and whether any specific products are at higher risk than others (e.g. those which are more valuable or CRAVED by thieves).
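
    To illustrate the market surveillance point above about loading seller data into a graph for Social Network Analysis, the following Python sketch links sellers that share a phone number, payout account or return address and reports the resulting clusters. It is an added example, not from the original post: the field names, the in-memory graph (standing in for a graph database) and every listing are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed attributes captured per listing or test purchase.
LINK_FIELDS = ("phone", "payout_account", "return_address")


def normalise(value):
    """Strip spacing, punctuation and case so '0400 000 001' matches '0400000001'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def build_graph(listings):
    """Bipartite graph: seller nodes on one side, identifier nodes on the other."""
    graph = defaultdict(set)
    for row in listings:
        seller = ("seller", row["seller"])
        graph[seller]  # make sure sellers with no identifiers still appear
        for field in LINK_FIELDS:
            value = row.get(field)
            if value:
                node = (field, normalise(value))
                graph[seller].add(node)
                graph[node].add(seller)
    return graph


def seller_clusters(listings):
    """Connected components containing more than one seller, with the shared identifiers."""
    graph = build_graph(listings)
    seen, clusters = set(), []
    for start in sorted(graph):
        if start in seen or start[0] != "seller":
            continue
        queue, members, shared = deque([start]), set(), set()
        seen.add(start)
        while queue:
            node = queue.popleft()
            if node[0] == "seller":
                members.add(node[1])
            elif len(graph[node]) > 1:      # identifier used by two or more sellers
                shared.add(node)
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        if len(members) > 1:
            clusters.append({"sellers": sorted(members), "shared": sorted(shared)})
    return clusters


def flag_clusters(listings, authorised):
    """Mark clusters that tie an authorised distributor to unauthorised sellers."""
    flagged = []
    for cluster in seller_clusters(listings):
        known = [s for s in cluster["sellers"] if s in authorised]
        cluster["links_authorised_to_unauthorised"] = bool(known) and len(known) < len(cluster["sellers"])
        flagged.append(cluster)
    return flagged


# Constructed sample data; none of these sellers or identifiers are real.
SAMPLE_AUTHORISED = {"northside_wholesale"}
SAMPLE_LISTINGS = [
    {"seller": "bargain_hub", "phone": "0400 000 001", "payout_account": "ACCT-111",
     "return_address": "Unit 4, 10 Example St"},
    {"seller": "cheap-deals-au", "phone": "0400000001", "payout_account": "ACCT-222"},
    {"seller": "northside_wholesale", "payout_account": "acct 222",
     "return_address": "1 Sample Rd"},
    {"seller": "fleamarket_joe", "phone": "0400 000 099"},
]

if __name__ == "__main__":
    for cluster in flag_clusters(SAMPLE_LISTINGS, SAMPLE_AUTHORISED):
        print(cluster)
```

    A cluster that connects an authorised distributor to unauthorised sellers is a lead for test purchases and further enquiry, not proof of diversion.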


    Whilst cargo theft is a risk, there are controls and other measures which can be implemented to mitigate it. Proper planning is essential, as is the use of security risk analysis to identify where effort (and budget) should be allocated, and the use of intelligence methods to continuously monitor the market and those actors (individuals, legal entities) involved in it. Ideally, any incidents are either prevented, detected or disrupted before a loss is incurred, but in some cases formal investigation may be required.


    Defining your ‘Threat Universe’ as a building block of your intelligence capability

    Author: Paul Curwell

    The role of a threat universe in your intelligence capability

    The focus of intelligence is generally on what is happening (and likely to happen in the future) external to your organisation. In the commercial world, risk and compliance teams are often inwardly focused, looking at who is doing what and identifying potential implications, rather than focusing on the external source of the risk (i.e., the threat).

    Identifying and categorising your actual and potential threats is a first step in building a new intelligence capability. The threat universe is a taxonomy of all possible threats and their associated vectors which could target your organisation, products or supply chain. Defining your universe of threats creates the boundaries for what your intel function does and does not need to focus on, including any strategic intelligence programs such as horizon scanning.


    The dangers of intelligence ‘silos’ across your organisation

    Depending on your role, you may only be interested in threats associated with a specific functional area, such as fraud, cyber-crime or physical security, as opposed to having an enterprise wide focus. However, silos create problems when threats overlap (e.g. criminals who started with opportunistic theft of physical goods move on to defrauding your organisation through its services).

    If you don’t have the right mechanisms in place, your organisation will be blind to these overlaps and you will not realise you are being targeted. An example here is fraud in banks – teams working on credit card fraud might not share their data with teams working on motor vehicle insurance fraud, yet the actual criminal targeting them might be the same person.

    The first step in building a threat universe is identifying your most important assets, as this helps inform both a threat actor’s motive and any threat vectors they are likely to use (how a threat actor might successfully defraud or attack you).

    Work out what is valuable to your business

    A basic rule of security is that you can’t protect your assets if you don’t know what you’re supposed to protect. There are many ways of doing this, but I start with a simple taxonomy and then get into further levels of detail with my clients. When I think of assets, I start with five main categories:

    | Asset Category | Description |
    |---|---|
    | People | Includes your employees and customers |
    | Facilities | Buildings such as offices, plants, warehouses, laboratories |
    | Information | Includes Intellectual Property (IP) such as patents and copyright, personal or private information (generally covered under privacy legislation), and confidential business information (proprietary information) such as marketing plans, strategies, pricing models |
    | Systems | Comprises the computer networks, servers and related technology that keeps the business functional |
    | Brand & Reputation | Represents the premium the market places on your products and services as a result of how you do business |

    Your products & services are assets too!

    Products are all too often overlooked by many security and fraud professionals. There are two things you need to consider. Some threat actors make money by abusing your products or services. Pharmaceutical counterfeiting and loan fraud syndicates are two examples, both of which profit by directly targeting a company’s products or services.

    Perhaps more pernicious are those who use your products or services as a criminal enabler. This means that your company may not lose money by having criminals use your products or services (indeed, some companies might even make money in the form of sales revenue), but your products or services are used to facilitate criminal business operations. Money laundering and identity crime are two common examples. A less obvious one is drug trafficking rings that smuggle their illicit product inside a legitimate shipment.


    Identifying the threat actors likely to target your assets

    Once you have identified what is likely to be targeted in your business, the next step is to understand who is likely to target you. You will likely not have all the information you need to complete this step without some research, but you will probably be able to complete a high level summary quite quickly. Remember that criminals might be considered to lie on a spectrum, from opportunistic through to serious organised crime.

    Use this simple taxonomy for threat actors to get you started:

    | Threat Actor | Description |
    |---|---|
    | Opportunistic Criminals | Opportunistic criminals are only engaging in crime because they think they won’t get caught. For example, perhaps you are a retailer who sells expensive clothing, and your products can easily be slipped into a bag without paying? |
    | Unsophisticated Criminals | I use this category to describe people who might be engaging in crime more than just opportunistically, but are either just starting out or really aren’t any good. History has plenty of examples here, and this category (particularly those that aren’t any good) are probably the ones most likely to get caught. |
    | Organised criminals | Organised criminals are just that – organised. That implies some level of competence, which likely translates into them being harder to find and catch. This is particularly the case with fraud syndicates. If you have something which is attractive to criminal groups, or can provide them with access to something that is valuable which they couldn’t get any other way (e.g. a way to launder their money or use someone else’s identity), you may be a target. Fraud syndicates and cyber-crime rings are frequently encountered examples here, although there are overlaps between these examples and all other categories. |
    | Organised Crime Groups | We need to make a distinction between ‘organised criminals’, basically sophisticated groups of people engaged in criminal activity, and true ‘organised crime groups’ like the Mafia and Yakuza. Successful criminals are all organised, but not all organised criminals are members of transnational organised crime groups. Organised crime groups these days are generally transnational, and involved in a broad spectrum of legitimate and illegitimate enterprises. |
    | Nation States & their associates | Nation states and their associates (such as front companies and intermediaries) can be involved in a range of activities including Intellectual Property Theft, technology transfer, weapons proliferation, economic espionage, foreign interference, information operations (e.g. cyber attacks, misinformation / disinformation campaigns), supply chain attacks and sabotage (physical and cyber). |
    | Terrorism & Politically Motivated Groups | An unfortunate reality of life is that some crimes are politically motivated – Terrorism is one example. Companies and their assets (including employees) may be directly targeted for some reason – perhaps they are high profile and an easier target than say a police station or government building – or they may just be in the wrong place at the wrong time. If your office is in the same building as a government agency or other high profile business, you would be wise to ensure this is on your threat universe. |
    | Issue Motivated Groups | Issue Motivated Groups might sound a bit strange, but these are effectively groups of people who are willing to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important. Examples include environmental activists, anti-abortion activists, religious motivations, animal rights activists and others. They range from peaceful and benign (e.g. peaceful protests) through to very serious – such as the bombing of anti-abortion clinics or the murder of staff associated with them. You need to know if your company operates in an industry that is targeted by IMGs. |
    | Street criminals / gangs | This might seem a strange addition to the list depending on where you live or operate, but it is important to remember the threats facing corporate travelers as companies have a duty of care towards their employees. Theft (including cargo theft), robbery, random acts of violence, and even opportunistic kidnappings perpetrated by common criminals or organised groups may need to feature on your risk register if you send employees to high risk locations. |
    | Insider Threats | Refers to any person who has the potential to harm an organisation for which they have inside knowledge or access, including employees, contractors, consultants, and employees / contractors of suppliers and business partners. An insider threat can have a negative impact on any aspect of an organisation. Insiders can also collude or collaborate with external threats such as organised crime groups. |

    As you start to define your threat universe, you can develop sub-categories which will help you further identify and manage the threat. For example, if your organisation is exposed to organised crime, start to categorise the groups involved. Add sub-categories such as Middle East organised crime, outlaw motorcycle gangs etc. Then you can undertake research to find out what sort of activities they typically engage in, and whether your business, products or supply chain are typically targeted by each group in your region. Having done this exercise once, you can keep it up to date by building a media monitoring capability to identify emerging trends.

    Applying your threat universe in practice

    A threat universe could comprise something similar to an organisational chart, and be supplemented with profiles and information you gather on each group. Advanced versions will be in a database or similar system. Your threat universe should be a living document, which develops as both your business evolves and the external environment in which your business operates changes.

    Once complete, you can start to focus your intelligence resources. Not everything on your threat universe is going to be a problem right now (i.e. be a ‘current threat’) – indeed, there may not be any threats targeting you within a specific category right now, but this can change without warning. When something strange happens or the beginnings of a new trend start to emerge, you can easily look to your threat universe and assess whether this is something you need to be worried about.


    Magazine article – “Supply Chain Integrity: Detecting Product Diversion”

    Author: Paul Curwell


    In June 2021, I was privileged to have an article I wrote on Detecting Product Diversion published in the quarterly edition of Michigan State University’s Brand Protection Professional (BPP) magazine. BPP is part of the outreach program for the Center for Anti-Counterfeiting and Product Protection at the University.


    Curwell, P. (2021). Emerging Supply Chain Integrity Practices: What this means for detecting product diversion, Brand Protection Professional, June 2021, Centre for Anti-Counterfeiting and Product Protection, Michigan State University.

    The Centre for Anti-Counterfeiting and Product Protection (A-CAPP) is a non-profit, interdisciplinary research focused centre which is recognised worldwide as a leader in anti-counterfeiting and brand protection. A-CAPP operates a range of research, outreach and education initiatives including a Professional Certificate in Anti-Counterfeiting and Brand Protection which provides foundational knowledge for professionals new to this area. Reasonably priced, I have taken a few of their short courses which are informative and delivered 100% online at your own pace.

    So what is product diversion anyway?

    Also known as “illicit diversion”, product diversion “refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel” (Trent and Moyer, 2013). This terminology is often used interchangeably with the term “grey market”, despite one term referring to a fraudulent act and the other to the market where the proceeds of that fraudulent act are sold.

    The impact of diversion is that legitimate product may be sold into grey markets, in breach of a manufacturer’s sales contracts for that geographical location. This causes margin erosion for manufacturers, erodes legitimate distributors’ market share and deprives them of sales revenue, and can damage the brand through invalid warranties and returns policies for consumers.

    End User Verification

    Author: Paul Curwell


    In a product development context, an ‘end user’ is defined as the person who ultimately uses, or is intended to use, a product. However, ‘end users’ are also captured under various laws, including Export Control Regulations, where they are defined as “the person that receives and ultimately uses a good, service or technology”. End Users pose a particular challenge for all IP Rights Owners and Manufacturers in that once a product has been sold in the global market, it is very hard to control what happens to it. Depending on the product and its attractiveness to an end user, a product could ultimately end up with criminal counterfeiters, gray marketers, and sanctioned parties.

    Where sanctioned parties are concerned, if a proscribed end user obtains as little as one unit of a product, this event may constitute a criminal offence (for example, the supply of materiel to North Korea) and could result in enforcement action and reputation damage. In contrast, selling a substantially discounted bulk shipment of product to an Original Equipment Manufacturer (OEM) which then resells the consignment onto an unauthorised distributor has the effect of “flooding the market with cheap product, eroding profit margins and disrupting the distribution channel” (Post & Post, 2008). Whilst the potential impacts of regulatory and business risks associated with sales to unauthorised end users are materially different, the nature of any due diligence program to mitigate these risks is the same.

    This post provides an overview of the concept of ‘End User Verification’, starting with a review of the regulatory and business risk drivers, before examining the process, identifying applicable red flags / data sources and threat patterns, before concluding with a discussion on what a good ‘End User Verification’ process looks like to enable the risks to be effectively managed.

    Regulatory Drivers for End User Verification

    Globalisation presents risks and opportunities

    A number of global regulations have a specific bearing on End Users, placing regulatory obligations on manufacturers and IP Rights Owners to understand who they are actually doing business with prior to closing a sale. Key regulations with an ‘end user verification’ obligation include:

    • Export Control Regulations (aka ‘trade compliance’) – which require parties involved in the sale of military or ‘dual use goods’ (those with both military and civilian applications) to obtain licenses or permits prior to a sale. Often, additional steps must also be taken from a supply chain integrity and security perspective to ensure such goods are not diverted before or after delivery.
    • Economic and Trade Sanctions – can be applied by supranational bodies such as the United Nations Security Council, or individual countries (such as the United States Office of Foreign Asset Control). Very simply, sanctions laws can be breached if a product, financial transaction, or service (amongst other things) is provided to a sanctioned individual, entity, jurisdiction, or industry in a specified jurisdiction.
    • Bribery & Corruption – the most far-reaching anti-bribery and corruption laws are the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. The risk here for IP Rights Owners or Manufacturers is that one of their distributors may be paying bribes to public officials, for example, to purchase their products, for which they are liable. Associated red flags might include orders from commercial enterprises where the purchaser should actually be a government agency.

    Business Drivers for End User Verification

    Gray Markets & Parallel Imports arise where a company purchases product in bulk in a low cost jurisdiction, and ships it to a high cost jurisdiction for resale. Gray market operators can work in global syndicates and quickly cause harm to consumer trust in your brand, frustrate authorised distributors by eroding their market, and impact sales. The second business driver for End User Verification is Brand Protection and Anti-Counterfeiting. In some markets, it is not uncommon for unscrupulous competitors or criminal counterfeiters to purchase products for reverse engineering.

    A simple example might be where a buyer based in a country where you do not currently have a distribution arrangement purchases samples of your product for counterfeiting and subsequent sale. Where products are in high demand from consumers in a given market, and that environment is conducive to counterfeiting, particular care should be taken to evaluate purchasers. Whilst it may be possible for counterfeiters to acquire your product from another market or a secondary market, this doesn’t mean you need to make life easy for them.

    The End User Verification process

    There are two elements of the End User Verification process which can be undertaken simultaneously or separately, being (1) due diligence on the customer (i.e. ‘know your customer’ steps), and (2) due diligence on the transaction. Knowing your customer involves understanding who they are and whether they are in your target demographic, as well as other factors such as their credit rating. Performing due diligence on the transaction involves understanding what the customer intends to do with your product, the viability of these claims, and the risks inherent in the transaction.

    To give an example, a regional government education department purchases 100,000 computers, at a steep discount because of the volume. On the face of it, the government education department makes a good customer – they can afford to pay, they are not associated with any sort of illegal activity (e.g. named on a sanctions list) and they are the sort of customer a computer manufacturer might want to sell to, so they pass step 1, the ‘know your customer’ test. As you review the transaction, you find that the region only has the need for 50,000 computers based on student numbers. So why purchase 50,000 computers more than they could legitimately need? You reflect further and consider that bribery and corruption in that country is high – could the procurement officer be purchasing 50,000 more computers than the school requires so they can be sold to a reseller in the region at a steep discount, minus a kickback for their efforts? Clearly further investigation (End User Verification) is required.

    With the ability to make or break a sale, it is essential that the End User Verification process be independent of the sales department. For a start, doing due diligence on your own deals, which you want desperately to succeed so you can earn your sales bonus, is a clear conflict of interest. Secondly, this is not the core job of a sales team – they are unlikely to have the specialist skills required to perform the work and perhaps worse, could even engineer the End User Verification process so that any red flags remain hidden until long after they have left the company.

    Data Sources, Red Flags and Threat ‘Patterns’

    In the context of a transaction involving a large purchase of product, End User Verification involves understanding who the customer is, why they want to purchase that volume of product and what they intend to do with it. This involves a number of steps such as:

    • Determining whether the company is a going concern, and whether it has adequate financial, sales and distribution capabilities to actually execute against its stated intent
    • Understanding whether the company’s characteristics, such as its date of registration, beneficial ownership, shareholders, market presence, business licensing, and other factors align with the seller’s expectations
    • Understanding the track record of the business’ management team – can they execute against their stated intentions?
    • Identifying what controls, if any, should be or are in place to prevent the buyer (End User) reselling the product to an unauthorised third party

    Due diligence teams typically compile their own lists of red flags as well as threat ‘patterns’ (aka ‘typologies’ or ‘fraud schemes’) as they relate to their respective organisations. These can be used to inform the basis of questionnaires sent to a prospective new customer or asked by the sales or compliance teams whilst reviewing and approving any sale or discount.

    Managing the risks – what does a good End User Verification program look like?

    Key elements of an EUV program

    A robust due diligence program is essential to minimise the risk that a product shipment will be diverted to an unapproved end user. End User Verification typically forms part of a broader program that encompasses Supply Chain Integrity and Market Surveillance (Post & Post, 2008) which comprises elements such as:

    • Knowing who your customer actually is
    • Evaluating the transaction and its legitimacy
    • Performing market surveillance to monitor the market for your product and the quality of any products being sold (i.e. authentic versus counterfeit)
    • Identifying the risks in supply and distribution chains and implementing effective internal controls, and,
    • Implementing appropriate supply chain integrity mechanisms, including track and trace programs, to identify the source of any diverted product on the market

    Who should perform the due diligence?

    Some organisations make performing due diligence the responsibility of the Sales & Distribution teams, whilst in others this work may be performed by Risk & Compliance, Audit or Finance, or alternately it may be outsourced to a specialist service provider. When deciding who will undertake the due diligence, it is important to avoid any conflicts of interest. It goes without saying that the person making the sale is almost always incentivised to make sure a deal goes ahead. They are therefore conflicted when it comes to performing any due diligence, and should not be considered independent. A good End User Verification program involves someone else in the organisation, divested from the Sales process, performing the due diligence.

    Hot Tip: Throughout my career, I have worked with Sales & Distribution or Corporate Strategy / Mergers & Acquisitions teams to perform due diligence on prospective business partners, customers or investments. I know there is nothing more frustrating for someone than to spend months, or even years, converting a deal only to have it killed at the last minute because the customer was not who they claimed to be.

    To avoid this situation, I try to be proactive and conduct at least basic screening at the first available opportunity (i.e. as soon as the prospective client list is drawn up). There might be 100 prospects on a list, but performing some initial due diligence quickly identifies unsuitable opportunities which can be eliminated, leaving front-line teams to focus their efforts on deals likely to succeed. As a customer moves along the sales funnel, additional due diligence checkpoints can be added so that progressively more in-depth screening is performed (commensurate to the risk of the transaction, product, customer or jurisdiction), until the deal is done.

    Knowledge & Training

    In order to be effective in their role, employees performing End User Verification must understand what a legitimate business looks like when reviewing its footprint in the market. These employees must be able to identify red flags and indicators in a variety of jurisdictions and business types (e.g. distributors, OEMs), understand public and financial records, be competent at performing internet investigations, and have good general investigative and analytical skills.

    The task of End User Verification and other ‘know your customer’ activities is not always straightforward: It is quite easy for a ‘dodgy’ company to be made to look legitimate to outsiders. The news and proceedings of regulators around the world are full of examples of businesses (including those with professional Anti-Money Laundering and Sanctions Compliance staff in companies such as banks and government agencies) which have failed to identify such businesses through their diligence process. As such, it is essential that those performing the task possess the requisite knowledge and skills to effectively perform the role.

    Access to Resources

    Performing effective End User due diligence requires access to the right resources to identify red flags and other risk indicators. Depending on the extent of diligence performed, this can require access to a variety of free and paid information sources, including:

    • Company, Director and Beneficial Owner records for the relevant jurisdiction
    • Sanctions and other commercial watchlists, such as RDC or Refinitiv’s WorldCheck
    • News sources, including general media (e.g. Factiva) and specialised industry publications
    • Biographical sources, such as LinkedIn and other business journals, which provide the ability to assess management’s track record in the industry
    • Investment databases, such as Crunchbase, which can show cases where new funding sources have been obtained for growth, new market entry or innovation

    Performing this sort of work requires a budget. If you are performing the due diligence yourself, you typically need to review multiple independent sources (many of which typically require an annual license subscription which doesn’t work for one-off purchases) to build the picture required to make your assessment on the End User’s validity – there is no such thing as a ‘universal database’ that will answer this for you. Further, for many sorts of due diligence inquiries, databases and desktop research are only the first step in the process. You will often need access to specialist resources for tasks such as interviewing customers and competitors, which cannot be automated or replaced by a database.
