Nigeria and India: Growth, Opportunities, and Increased Risk for US Technology Companies

Sub-Sahara Africa and India are markets that continue to experience an explosion of growth, investment, and opportunity for many businesses, but particularly for western technology companies that are looking to expand or diversify international footprints. India’s population is expected to surpass that of China in 2023, while more than half the projected increase in global population by 2050 will be concentrated in just eight countries.[i] Four of those countries—the Democratic Republic of the Congo, Ethiopia, Nigeria, and the United Republic of Tanzania—are in Sub-Sahara Africa. Nigeria has the largest population of any African nation; its sustained population growth is projected to push the West African nation into the top four most populous countries by 2050.[ii]

Nigeria

There are numerous benefits for an increased presence within Sub-Sahara Africa (specifically Nigeria). This includes access to untapped talent, resources and markets, and an increased understanding of cultures and behaviors. These benefits can ultimately improve company offerings, enhance the customer experience, and increase revenue. Growth and expansion within these areas are not without risks, however.

High inflation and interest rates within Nigeria will continue to push more people into poverty[iii], while a prolonged economic downturn will lead to layoffs and increased unemployment. Desperation and underutilized technical know-how will likely push more people into murkier areas of employment—specifically using acquired skillsets to target western-backed firms and leadership that operate or have business interests within the country.

Nigeria has a long and troubled history as an epicenter for financial fraud and email-related scams. This association will not change. Company solutions for addressing this reality is often blocking or banning accounts[iv], emails, and connections that originate within Nigeria. While this strategy may reduce the number of successful scams and fraud cases, it can restrict legitimate users and merchants within the country from conducting business or receiving payments. Ostracizing people within Nigeria by banning and restricting them from services is no way to win customers and build a positive reputation.

One area of concern that companies operating within the country or looking to expand within the country must be mindful of is the use of company insiders to pilfer and alter data, identify stakeholders and customers to target, install malware, and understand internal thresholds, controls, and monitoring mechanisms so that they can be relayed to others and bypassed.

Through previous client engagements, SRG observed criminal groups performing reconnaissance using insiders to help identify vulnerable areas within call centers in Mexico. Such tactics can be applied with relative ease to other industries in different countries.  Stolen Personal Identifiable Information (PII) could also be used to help perpetrate attacks or open fictitious accounts. These insiders could be threatened to engage in such behavior, incentivized by the prospect of money and profit sharing, or pushed to act out of desperation.

One notable example that made headlines in 2021 involved a Nigerian-based individual who attempted to recruit disgruntled employees at American companies into spreading ransomware in exchange for a share of the random proceeds.[v] This scam was carried out by an amateur, according to reports. How would an act perpetrated by a more sophisticated actor or group unfold?

Black Axe, a cult-like criminal faction located within Nigeria has already established itself as an extremely violent international collective of members that are tied to human trafficking, internet fraud, and murder.[vi]Some of these members have alleged ties to Nigeria’s political establishment.[vii] Internet fraud is the primary revenue source for the gang; members share instructions for how to conduct scams amongst their global network[viii], likely on the dark web, through emails, or through encrypted platforms. The infiltration of such groups within western-backed companies that operate within Nigeria or local offices of companies that are based in Europe and the US are real concerns, as are crimes perpetrated by this group.

Black Axe’s use of online collaboration illustrates the importance of deep and dark web scanning tools to help identify trending scams, offenders, malicious code, fictitious profiles, and even Tactics, Techniques, and Procedures (TTPs). This, when combined with more advanced Artificial Intelligence (AI) scanning tools and employee education on fraud warning signs can help mitigate the number of successful attacks. Other solutions include the development of Insider Threat programs that are catered toward specific countries and high-risk operating environments, such as Nigeria. We at SRG continue to stress the importance of industry-specific programs rather than a general one size fits all approach. For Fintech companies with operations in Nigeria, Know Your Customer (KYC) procedures and ongoing monitoring are especially critical; African banks have been faulted in at least one recent case for failing to flag suspicious identities.[ix]

As western companies look to partner with or acquire Nigerian and other African businesses, it is imperative to conduct a thorough review not only of the company and its leaders, but local company policies, practices, and government ties to ensure they are operating ethically and that there are no unforeseen issues that could complicate business dealings, harm company reputations, or affect the safety of employees.

India

There continues to be a significant amount of media coverage surrounding China’s zero-COVID strategy and business interest in diversifying supply chains and operations outside of the Asian country. India’s young, educated, and growing population provides both a steady source of talent and a potential sourcing destination for goods and services.

Having previously served within technology companies with Indian footprints and for companies with Indian business dealings, we foresee the continuity of and adherence to ethical business practices as being one of the greatest challenges for western companies that acquire stakes in or downright purchase Indian businesses, as well as those looking to expand operations within India. Corruption is an impediment for businesses in a number of countries. India is no exception. Although India’s score on Transparency International’s Corruption Perception Index has remained largely stagnant over the last decade, there are concerns over the country’s democratic status as fundamental freedoms and institutional checks and balances erode.[x][xi]

Areas of particular concern on the corruption front is western companies’ use of and reliance on providers within India to “facilitate” business dealings and transactions as well as visibility into the business practices of recently acquired Indian companies. Any Illicit payments made on behalf of the business or a representative of the business—either knowingly or through willful blindness—to government officials to help facilitate paperwork, permitting, or land acquisitions will violate the US Foreign Corrupt Practices Act (FCPA). Within the past several years, there have been multiple examples of companies operating in India that have been fined for violating the US FCPA because of the payment of bribes. This includes a $19 million settlement for the advertising group WPP in 2021[xii] and a $25 million settlement for Cognizant Technology Solutions and two of its executives in 2019.[xiii]

Business leaders and executives must understand that the payment of bribes and facilitation charges, while considered a normal practice for many locals and foreign companies in India, does not mean that newly arrived technology companies must participate in and condone that practice. This is particularly important in the coming years as more businesses compete for Indian market share, talent, and real estate.

Solutions and best practices that technology companies must consider and implement as part of their acquisition strategy and transition into India include Third Party Due Diligence checks of local branches and offices to ensure parent company processes and practices align. Independent audits of existing internal controls (i.e., policies, procedures, training), accounting procedures, and escalations within the company are also necessary. As a general advisory, some red flags that could indicate bribe requests or payments include items listed as or requests for “consulting fees”, “surcharges”, “change-order requests”, and inflated invoices. The establishment and adherence to internal controls, familiarity with red flags, and supervision of Indian subsidiaries and partners will help ensure business operations within India do not run afoul with both US laws and foreign laws.

A second challenge and area of concern for technology companies making strides into India is the power and influence of labor unions within the country. As disruptive technologies and startups examine more efficient and automated ways to solve longstanding issues, workers that have long provided the bulk of the manpower and manual services may find themselves minimally employed or out of work. Industries where this problem will likely be particularly acute is transportation and logistics and manufacturing. The services industry is another sector that could potentially be affected by widescale adoption of automation and AI.

How does this translate into a business concern? Workers that belong to local labor unions (or those who stand in solidarity with those workers) may direct their anger and frustrations of being displaced at the very companies, leaders, and employees that are looking to bring about meaningful change within the country. In one case from 2018, a unionized production manager was beaten and killed by individuals hired by company engineers that were affiliated with the same local union. These engineers were upset over the manager’s decision to suspend a union leader over an illegal strike.[xiv] This particular example demonstrates the extreme steps union employees took against a member of their own community. What actions would union members be willing to take against a company, its employees, and leaders that fail to follow their instructions and demands?

Western company decisions to not engage with unions that are accustomed to facilitation payments or guaranteed services may also fall victim to increased hostility and harassment from these groups. SRG leadership has investigated numerous labor-union-related crimes and alleged crimes against US technology workers and facilities within the country. This includes an arson case and kidnappings that were allegedly carried out by local union personnel. It was assessed that the perpetration of these crimes was tied to frustrations with company refusals to participate in practices (i.e., payments) that would have likely violated US laws.

As a final note, western-based technology firms should be mindful of local cultures and sensitivities within India. What may seem like a normal business practice in other markets (e.g., layoffs, reduced hours, relocations) could spark mass demonstrations and even violence. Desperation and frustration amid rising unemployment and job shortages will likely exacerbate the problem.[xv]

How might a company looking to expand within India prevent or mitigate these issues? As a starting point, knowledge of the local operating environment and culture is key. Location assessments, Threat Vulnerability Risk Assessments (TVRAs), and enhanced due diligence on local property management companies and developer personnel can shed light on local conditions that may affect company operations and employees, either immediately or at some later time. Equally important are crisis scenario exercises and workplace strategy risk analysis. Understanding and implementing tripwires and how to escalate and respond to threats can help minimize or reduce the damage—both reputational and physical—to business operations.

The economic potential for both Nigeria and India in terms of output of goods and services and access to a growing middle class cannot be understated. There are substantial opportunities for technology companies that wish to break into or expand into these markets. These opportunities are not without risk. Pushback and threats from organized criminal groups and labor unions cannot be dismissed and will likely have a more dominant presence in western dealings, particularly as local laws are changed or revised to attract outside investment.[xvi] Western technology  companies that have invested in and solidified their own internal processes and policies and conduct proper due diligence and risk analysis on local companies, individuals, and locales will be better positioned to react to local developments that have the potential to disrupt business.

Sources:

[i] No Author, World Population Prospects 2022”, United Nations Department of Economic and Social Affairs, July 11, 2022.

[ii] No Author, “Nigeria”, CIA World Factbook, July 13, 2022.

[iii] No Author, “Nigeria Development Update: The Continuing Urgency of Business Unusual”, World Bank Group, June 2022.

[iv] Sharon Lin, “The Long Shadow of the ‘Nigerian Prince’ Scam”, Wired, April 10, 2022.

[v] Michael Kan, “Ransomware Scheme Outed as Bizarre Plan to Get Funding for Nigerian Social Network”, PCMag, August 20, 2021.

[vi] No Author, “The ultra-violent cult that became a global mafia”, BBC News, December 13, 2021.

[vii] No Author, “Black Axe: Leaked documents shine spotlight on secretive Nigerian gang”, BBC News, December 13, 2021.

[viii] No Author, “The ultra-violent cult that became a global mafia”, BBC News, December 13, 2021.

[ix] Alexander Onukwue, “Two Nigerian banks were rebuked for their role in a $4 million theft from pensioners”, Quartz Africa, November 10, 2021.

[x] No Author, “CPI 2021 For Asia Pacific: Grand Corruption and Lack of Freedoms Holding Back Progress”, Transparency International, January 25, 2022.

[xi] Lauren Frayer, Shannon Bond, “India And Tech Companies Clash Over Censorship, Privacy And ‘Digital Colonialism’”, NPR, June 10, 2021.

[xii] No Author, “SEC Charges World’s Largest Advertising Group with FCPA Violations”, U.S. Securities and Exchange Commission, September 24, 2021.

[xiii] No Author, “SEC Charges Cognizant and Two Former Executives With FCPA Violations”, U.S. Securities and Exchange Commission, February 15, 2019.

[xiv] Vijay Chavan, “MIDC staffer killed by members of his own labour union”, Pune Mirror, March 28, 2018.

[xv] Anjana Pasricha, “Violent Protests Highlight India’s Grim Unemployment Situation”, Voice of America, January 30, 2022.

[xvi] Alasdair Pal, Manoj Kumar, “Business cheer, unions fear contentious Indian labour reforms”, Reuters, September 24, 2020.