Paul Curwell

What is product diversion?

Product diversion, also known as “illicit diversion”, “refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel” (Trent and Moyer, 2013). Some authors use the term “product diversion” interchangeably with “grey market”, although the former refers to a fraudulent act and the latter to the market where the proceeds of that act are sold. As referenced, one outcome of product diversion is that diverted product may be sold into grey (unauthorized) markets, in breach of a manufacturer’s sales contracts for that geographical location. This causes margin erosion for manufacturers, erodes legitimate distributors’ market share and deprives them of sales revenue, and can damage the brand through invalid warranties and returns policies for consumers. To minimize product diversion, we must first understand how it happens and who perpetrates it before implementing appropriate mechanisms to detect it. Here we lay out how product diversion can occur at a more fundamental level, identify the individual “elements” of a diversion event, and then look at how these can be used to develop a detection or monitoring program that identifies when diversion is occurring or has occurred as early as possible, to facilitate an effective response.

How have we historically prevented product diversion?

According to Post and Post in Global Brand Integrity Management: How to Protect Your Product in Today’s Competitive Environment, there are four main drivers of product diversion: (1) theft during manufacture, transport, storage or point of sale, (2) false end users, particularly relevant for bulk purchases where volumes of product are bought at a discount and then resold, (3) substitution, or swapping legitimate product in the supply chain with substandard or counterfeit product, and (4) disposition, taking product marked for destruction and passing it off as conforming and fit for sale. As with any fraud or security issue, the risk of product diversion is typically managed through a comprehensive program encompassing policies, procedures, risk assessments, organizational culture, training & awareness, internal controls, and control assurance. However, unlike traditional fraud and supply chain security programs, product diversion programs need to be broader and encompass activities such as “end user due diligence” (to ensure an end user is who they claim to be and their intended purpose is legitimate), and a “market surveillance” program to monitor where their product is being sold, by whom, and for how much (pricing surveillance).

Depending on where the diversion event happens in the supply chain, perpetrators can be (a) an external party with no direct connection to the product manufacturer (e.g. customers, criminals) or (b) trusted insiders (e.g. employees, contractors, agents, suppliers) as well as insiders in collusion with external parties. The management of insider threats is made harder in product diversion because of the number of third parties, and even fourth parties, and the global nature of the supply chain. Minimizing product diversion is challenging given it is dependent on the standards, policies, culture and expectations of a product manufacturer being aligned with its third parties, and their third parties, including through contractual mechanisms and business partner selection processes. This complexity means that it is not feasible to rely on prevention alone: threat identification and detection is now a critical component of any anti-product diversion program.

Enter convergence: building a next generation capability to detect product diversion

The field of product protection is not unique in experiencing the challenges associated with detecting threats across an ecosystem of third parties, disparate systems and data sources, and geographies. In fact, these challenges are common across all fraud and security-related functions whether manufacturers, banks or law enforcement agencies. Unfortunately, our historically siloed practices, where data points are held in disparate systems managed by different functional teams and rarely connected, are increasingly inadequate to detect serious or sophisticated crime.

In response, organizations are increasingly adopting in-house intelligence programs to identify threats and drive detection and response efforts, building integrated data models and detection systems that cut across organizational silos, and operating models that maximize collaboration, cooperation and communication to enable a timely and effective “whole-of-organization” response. The term for this response is “security convergence”, which refers to the merging of fraud, physical security, cyber security and other risk and operational functions which are traditionally siloed and operate in isolation, into one cohesive entity. The benefit of convergence is that it allows you to detect a threat actor’s interactions with your organization “end to end”, from the minute they initiate contact through to the “attack” and subsequent escape. This increases the likelihood of early detection and effective response.

While convergence has been discussed as a theory since the early 2000s, it has only become a reality over the past few years as technology and our capacity to process “big data” have evolved. Globally, banks are leading the push for convergence, having big budgets and being directly impacted by regulatory fines and sanctions. However, just as these approaches can help banks, they can also help manufacturers and product owners address product diversion by detecting potential diversion events and enabling timely incident response and investigation.

So where do you start on this journey?

Building a next-generation “converged” detection system is a four-step process which requires a multidisciplinary team with skills including IT, data science / data analytics and corporate security. Fortunately, many companies increasingly have access to these advanced analytics skills through their cybersecurity functions or marketing departments.

  • The first step on this journey is conducting a threat assessment. However, unlike traditional “wordy” threat assessments, when developing fraud detection capabilities, threat assessments must identify the perpetrator types and the detailed steps (typologies) each might take to divert product, which requires process mapping. Typologies can be compiled based on open source or industry research and the organization’s own experiences. Potential Risk Indicators (PRI) or “red flags” should then be identified for each typology to facilitate detection and alerting.
  • The second step is to build a data model using the primary or most reliable data sources and attributes for each typology and PRI. Having too many data sources can become burdensome, so less mature organizations should select 3-8 PRIs that strongly correlate with each product diversion typology for the data model. “Machine Learning” is increasingly being used to identify threats such as these, but successful implementation requires large volumes of data for training. Global manufacturers may meet this bar, but small manufacturers may need to rely on manual processes and traditional “rule-based” approaches to identify potential diversion events.
  • The third step in the process involves configuring your detection tools and systems. Small organizations can use desktop visualization tools, while larger businesses may use a more robust analytics solution, which can ingest larger volumes of data from multiple source systems. While fraud detection historically required expensive investments in technology, these capabilities are becoming increasingly accessible with advances in cloud computing, data science, and open-source software. Two challenges then arise: (1) accuracy, as too many false positive “alerts” flagged for investigation will consume team resources, and (2) finding a “true” incident quickly enough to do something about it or recover the diverted product. Success here may also require digitizing business processes so that steps such as visual inspections of packaging are documented via online forms or smartphone apps to expose these data points to detection systems.
  • The final step in building a capability such as this is also the most important, and that is the operating model. Roles and responsibilities must be clearly identified, a consideration made more complex when responsibility for detection and incident response resides in another country or business. Detection systems must evolve continuously with changes in the threat environment and be subject to regular testing and evaluation to minimize false positives. Importantly, implementing detection systems such as this can be a steep learning curve, particularly for business functions or occupations with anti-product diversion responsibilities who are not used to dealing with qualitative and quantitative data in this manner. Seconding skilled resources from other parts of the organization, such as marketing, fraud or cybersecurity, can help expedite attempts to build these capabilities from scratch, as can co-locating analysts with product diversion responsibilities within a “Security Operations Centre” to instill the requisite operational behaviors and routines.
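
A small rule-based detector covering steps one to three, as an added example that is not from the original article. The PRIs, field names, threshold and order records are constructed assumptions, modelled on the false-end-user and disposition typologies described earlier.

```python
# Constructed data model: one record per order, joining sales, end-user due
# diligence, disposal and market-surveillance data (field names are assumptions).
FIELDS = ("order_id", "units", "discount_pct", "end_user_verified",
          "sale_region", "seen_in_region", "marked_for_destruction",
          "destruction_certified")
ROWS = [  # constructed sample records
    ("A-1001", 5000, 30, False, "APAC", "EU", False, False),
    ("A-1002", 200, 0, True, "EU", "EU", False, False),
    ("A-1003", 50, 0, True, "NA", "NA", True, False),
    ("A-1004", 2000, 25, True, "EU", None, False, False),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]

# Hypothetical PRIs ("red flags"), grouped by the typology they point to.
PRIS = {
    "false_end_user": [
        ("bulk_discount",
         lambda o: o["units"] >= 1000 and o["discount_pct"] >= 20),
        ("due_diligence_incomplete", lambda o: not o["end_user_verified"]),
        ("seen_outside_sale_region",
         lambda o: o["seen_in_region"] not in (None, o["sale_region"])),
    ],
    "disposition": [
        ("marked_for_destruction", lambda o: o["marked_for_destruction"]),
        ("destruction_uncertified",
         lambda o: o["marked_for_destruction"] and not o["destruction_certified"]),
        ("destroy_lot_seen_on_market",
         lambda o: o["marked_for_destruction"] and o["seen_in_region"] is not None),
    ],
}
ALERT_THRESHOLD = 2  # assumed: a single PRI alone is too noisy to alert on


def evaluate(order):
    """Return {typology: [fired PRI names]} for typologies at or above threshold."""
    alerts = {}
    for typology, rules in PRIS.items():
        fired = [name for name, test in rules if test(order)]
        if len(fired) >= ALERT_THRESHOLD:
            alerts[typology] = fired
    return alerts


def triage(orders):
    """Return (order_id, typology, fired PRIs) tuples, strongest alerts first."""
    hits = [(o["order_id"], t, f) for o in orders for t, f in evaluate(o).items()]
    return sorted(hits, key=lambda h: -len(h[2]))
```

Order A-1004 is a discounted bulk purchase by a verified end user with no out-of-region sighting, so only one PRI fires and no alert is raised, which is the threshold trading detection sensitivity against false positives.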

While these measures will not solve the counterfeit problem, they help to reduce the volumes of conforming and partially-conforming product being diverted into non-approved markets, which will in turn have a positive impact on overall supply of diverted product in grey markets.

*Paul Curwell is a Director in Deloitte’s Forensic practice in Australia where he works with public and private sector clients to develop intelligence and investigative analytics capabilities to improve the management of fraud, security and business integrity risks. He is a co-author of “Terrorist Diversion: A Guide to Prevention and Detection for NGOs” published by Routledge (2021).