Background
Fraud remains a critical concern for organizations across all sectors. Whether it is perpetrated against the organization itself or by individuals acting on its behalf, fraud can result in severe legal, financial and reputational consequences.
The FBI’s 2025 Internet Crime Report highlights the scale of the issue: reported losses from internet-related crimes exceeded USD 16 billion, with the top three offenses being phishing, extortion and personal data breaches.
What is ISO 37003, and what are its key ideas?
ISO 37003 is an international standard, published in May 2025, designed to support organizations in effectively and efficiently managing both internal and external fraud risks. It provides comprehensive guidance for the establishment, implementation, maintenance and continuous improvement of a robust Fraud Control Management System (FCMS). Key components include the following:
- Identification and continuous monitoring of all types of fraud risks — not only internal and external threats to the organization, but also fraudulent activity committed on its behalf or in its interest
- Prevention mechanisms through internal and external controls, including clearly defined policies, screening of individuals and entities, and technological and physical safeguards against potential fraud
- Early detection of fraudulent activity through internal audits, fraud reporting mechanisms and other surveillance tools
- Effective response strategies, aimed at conducting efficient investigations, mitigating impacts, recovering misappropriated funds and implementing measures to prevent similar incidents in the future
- Periodic evaluation of the performance and effectiveness of the FCMS, including “pressure testing”
How does fraud relate to organizations’ compliance and criminal liability?
In cases where fraud is committed against the company, the concept of “compliance ad intra” becomes particularly significant. As recognized by the Spanish Supreme Court, this approach to compliance emphasizes that programs should not only aim to shield the company from criminal liability but also proactively safeguard it from becoming a victim of criminal acts — with fraud being one of the most common types of offenses.
Conversely, when fraudulent acts are committed in the name of the company, targeting external parties, effective internal controls (such as the ones established in ISO 37003) are essential to mitigate the risk of criminal and civil liability. The extent of this liability varies depending on the legal framework of each jurisdiction.
For instance, in Spain the fraud-related offenses “ad extra” that may give rise to criminal liability for legal persons are swindling, offenses against the Public Treasury and Social Security, counterfeiting, punishable insolvency (fraud against creditors), offenses relating to the market and consumers, and corruption. However, the existence of an effective compliance program may serve as a mitigating factor or even exempt the company from liability altogether.
How does ISO 37003 interact with other ISO standards?
ISO 37003 adopts the ISO harmonized structure, enabling seamless integration with other ISO standards to support the development of a comprehensive Governance, Risk and Compliance (GRC) framework.
As highlighted in ISO 37003, the presence or absence of internal controls is closely linked to both external and internal fraudulent conduct. This is why the controls established under other ISO standards — such as ISO 37001 on Anti-Bribery Management Systems, ISO 37301 on Compliance Management Systems, and ISO 31000 on Risk Management (among others) — can be effective in preventing, detecting, and addressing fraud, even though (as noted above) they are not specifically designed to target fraud.
It is also worth noting that ISO 37003 places particular emphasis on technology-enabled fraud and cybercrime, which are increasingly prevalent forms of fraud. Accordingly, ISO standards focused on information security — such as ISO/IEC 27000 on Information Technology, ISO/IEC 27001 on Information Security Management Systems and ISO/IEC 27032 on Cybersecurity — can also work in conjunction with ISO 37003 to ensure that information security controls effectively address these evolving fraud vectors.
Conclusion
Waiting for a fraud incident to occur before establishing a strategy is not an option anymore. Given the alarming statistics on fraud, and especially on technology-enabled fraud, organizations must adopt a proactive approach to anti-fraud practices.