The US has done well in its ongoing attempts to unravel the goings-on at FIFA over the years. However, a question that remains to be answered is: "what compliance and information security controls were in place to prevent, detect and identify the bribery, corruption and money-laundering taking place through the organisation's systems?"
Global organisations such as FIFA, particularly where a number of Politically Exposed Persons (PEPs) are at the helm of affairs, should have a strong compliance function in place, supported by an operational risk and information security team that maintains appropriate checks and balances. FIFA is an unregulated organisation, which may explain why it had no proactive compliance function.
It is the responsibility of the Chief Compliance Officer (CCO), Chief Information Security Officer (CISO) and Chief Information Officer (CIO) of an organisation to implement internal controls and to work together to prevent regulatory breaches (including financial or information systems breaches) from taking place within the organisation or through its IT systems. The same trio also have a responsibility to detect and identify such incidents when they do occur, and to flag them to the appropriate people for action.
To work effectively, the compliance function should be backed by IT security and operational risk management processes, systems and staff, so that a robust and proactive approach is taken to protecting the organisation's reputation by preventing fraud, bribery, corruption or any other crime, including cyber crime, from taking place within or against it.
Given the persistent allegations raised against FIFA over the years, risk management systems should have been deployed to maintain a register of FIFA officers deemed at risk of financial misconduct, and the Chief Compliance Officer should have been charged with proactively owning and managing that risk, working within the organisation to reduce the probability of financial crime taking place.
The CISO should also have been charged with monitoring and reducing the risk of the organisation's systems being used to facilitate illegal transactions. This could have been done by setting up alerts, alarms and KPIs to flag large or unusual payments before they were transmitted to banks: single transfers above a reporting threshold, series of smaller payments to the same beneficiary that together exceed it (a simple threshold alert on its own misses these), and any payment approved by or routed to an officer on the compliance risk register. The register kept by compliance is only useful to the CISO's monitoring if it actually feeds those rules.
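As an added illustration of the kind of payment monitoring described above, here is a small rule set run over a handful of outgoing transfers. This is example code written for this page, not anything FIFA ran or a product's own logic; the reporting threshold, the 30-day look-back window, the minimum run length, the field names, the risk register entry and the sample transfers are all constructed assumptions.

```python
"""Transaction-monitoring rules of the kind a CCO/CISO could run over outgoing transfers.
Added example: thresholds, windows, the risk register and the sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical compliance risk register (the "register of officers deemed at risk"):
# internal person id -> reason for inclusion. Constructed for this example.
RISK_REGISTER = {
    "P-0042": "PEP, subject of prior allegations",
}

SINGLE_PAYMENT_THRESHOLD = 100_000          # assumed per-transfer reporting threshold
STRUCTURING_WINDOW = timedelta(days=30)     # assumed look-back for split payments
STRUCTURING_MIN_COUNT = 3                   # assumed minimum run of sub-threshold payments


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    when: date
    approver: str        # internal id of the officer who approved the payment
    beneficiary: str     # counterparty account identifier
    amount: float        # single currency assumed, for simplicity
    purpose: str


def rule_large_payment(transfers):
    """Single transfer at or above the reporting threshold."""
    return [(t.tx_id, "LARGE_PAYMENT", f"{t.amount:.2f} >= {SINGLE_PAYMENT_THRESHOLD}")
            for t in transfers if t.amount >= SINGLE_PAYMENT_THRESHOLD]


def rule_risk_register(transfers):
    """Any payment approved by an officer on the compliance risk register."""
    return [(t.tx_id, "REGISTERED_OFFICER", RISK_REGISTER[t.approver])
            for t in transfers if t.approver in RISK_REGISTER]


def rule_structuring(transfers):
    """Runs of sub-threshold payments to one beneficiary that together exceed the threshold.
    A plain threshold alert never fires on these; this rule is what catches them."""
    alerts = []
    by_beneficiary = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.when):
        if t.amount < SINGLE_PAYMENT_THRESHOLD:
            by_beneficiary[t.beneficiary].append(t)
    for beneficiary, ts in by_beneficiary.items():
        start = 0
        for end in range(len(ts)):
            # slide the window start forward until it fits inside the look-back period
            while ts[end].when - ts[start].when > STRUCTURING_WINDOW:
                start += 1
            window = ts[start:end + 1]
            total = sum(t.amount for t in window)
            if len(window) >= STRUCTURING_MIN_COUNT and total >= SINGLE_PAYMENT_THRESHOLD:
                alerts.append((ts[end].tx_id, "STRUCTURING",
                               f"{len(window)} payments to {beneficiary} totalling "
                               f"{total:.2f} within {STRUCTURING_WINDOW.days} days"))
                break  # one alert per beneficiary is enough to open a case
    return alerts


def run_monitoring(transfers):
    """Run every rule and return (tx_id, alert_type, detail) tuples, sorted for stable output."""
    alerts = []
    for rule in (rule_large_payment, rule_risk_register, rule_structuring):
        alerts.extend(rule(transfers))
    return sorted(alerts)


# Constructed sample transfers (not real data). T2..T4 are three sub-threshold payments
# to one beneficiary inside 30 days; T5 is a large payment approved by a registered officer.
SAMPLE_TRANSFERS = [
    Transfer("T1", date(2014, 1, 6),  "P-0101", "ACC-MARKETING-01", 45_000.00,  "marketing services"),
    Transfer("T2", date(2014, 1, 9),  "P-0101", "ACC-CONSULT-77",   39_000.00,  "consultancy fee"),
    Transfer("T3", date(2014, 1, 17), "P-0101", "ACC-CONSULT-77",   38_500.00,  "consultancy fee"),
    Transfer("T4", date(2014, 1, 28), "P-0101", "ACC-CONSULT-77",   37_000.00,  "consultancy fee"),
    Transfer("T5", date(2014, 2, 3),  "P-0042", "ACC-OFFSHORE-9",   250_000.00, "development grant"),
    Transfer("T6", date(2014, 2, 10), "P-0042", "ACC-STADIUM-3",    12_000.00,  "travel expenses"),
]

if __name__ == "__main__":
    for tx_id, kind, detail in run_monitoring(SAMPLE_TRANSFERS):
        print(f"{tx_id}\t{kind}\t{detail}")
```

On the sample data the large-payment rule fires only on T5; the structuring rule is the only thing that flags the three consultancy payments (T2 to T4 total 114,500 over 19 days), and the register rule flags both of the registered officer's payments regardless of size, including a 12,000 expense claim. In a real deployment these checks belong in the payment approval workflow, before funds are released to the bank, with the alerts routed to the compliance function rather than only to IT.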
It is a crying shame that in Switzerland (the country that gave the world the three iterations of the Basel Accord for the supervision of global banks), FIFA officials in Zurich, barely 53 miles from Basel, were left to their own devices, unchecked, unregulated and acting with impunity for so long, until the US stepped in citing global financial crime offences.
As FIFA gears up to reform with new leadership at the helm, it is a reminder that compliance and IT functions everywhere share a joint responsibility to protect their organisation against operational, conduct and business risk, whatever its sector.