Luxembourg, with its banks, financial services companies and data centres, is a prime target for financial criminals, whose reported priorities are asset misappropriation, followed by cybercrime and money laundering. Nearly half of the 7,200 companies participating in PwC’s 2018 Global Economic Crime and Fraud Survey self-reported as having been victims of economic crime.

Luxembourg companies, despite building up their defences, have continued to report a 42% crime rate since the 2016 survey.

Gregory Coleman, ex-FBI agent and cybercrime expert, suspects that the number is being under-reported to safeguard against reputational damage, as many companies are not aware of the fraud risks they face and are not prepared to handle them.

When it comes to screening and meeting regulatory requirements, companies in Luxembourg are good at AML/KYC but, because they place their trust in off-the-shelf tools, less good at transaction monitoring. Deficiencies in calibration often result in a distractingly high reporting rate of false positives, as confirmed by 43% of our survey respondents.

According to Michael Weis, partner and Forensic Services and Financial Crime Leader at PwC Luxembourg, structural mechanisms, in addition to protective software for detecting fraud, include a corporate awareness culture that is sensitised to suspicious activity monitoring and escalation. Michael Weis cautioned that “although external actors account for 82% of the fraud committed, it is the internal, often senior, members of staff whose misconduct is the most damaging and difficult to detect.”

Beyond the cost of the actual crimes, additional costs accrue as a result of remediation and fines from increasingly vigilant regulatory agencies, to say nothing of inestimable reputational damage! 18% of Luxembourgish companies estimated that losses due to economic crime ranged from €100,000 to €5 million.

The advice for companies in this climate of cybercrime is to become more fraud-aware and recognise the kinds of issues they can face, including disruption of business processes, extortion and IP theft. Companies need to adopt a continually adaptive approach, maintain a realistic response plan, and test how they would respond in order to ensure business continuity. Most importantly, “as it is people who commit crimes”, they should invest in people and sensitise them to recognise suspicious activities and report them to the right people for quick resolution, and not assume that technology is the sole answer.