November 2014 Issue
Conventional forms of fraud persist but are being joined by a new wave of technology-driven techniques. Regulators around the world are making a concerted effort to sharpen their prosecution tools and increase enforcement activities in this area. For companies, the challenge is to design robust internal controls and compliance programs with a zero-tolerance attitude. Promoting fraud awareness among employees and encouraging internal reporting go a long way to reducing risk.
Ratley: What types of corporate fraud seem to be surfacing regularly in the current market?
Hardin: The same types of fraud that have plagued businesses for years continue to be pervasive in the current market including corruption, asset misappropriation and financial statement fraud. However, the introduction of new technology and enhanced big data management techniques are proving to more readily result in and uncover new schemes to perpetrate fraud. The incentives of greed and personal financial advancement are still having an effect in the marketplace. From bribes being paid to officials to financial statements being altered, the economic impact from these historic types of transactions continue to provide the opportunities to those making the choice to commit fraud. More recently, cybercrime is making big waves. No industry is immune from cyber thieves taking data and using it to record fraudulent transactional charges or to steal identities for even bigger gains. From a financial reporting perspective, the US Securities and Exchange Commission’s (SEC’s) use of data analytics tools to uncover high risk companies and potential accounting issues will likely lead to an increase in more financial disclosure cases.
Moosmayer: Besides corruption and antitrust violations, I would highlight money laundering. This is often a ‘necessary partner’ of every fraud scheme but was, for a long time, seen as an issue only related to the financial sector. This is not true. Money laundering risks may appear in real estate transactions, M&A activities and during a – on first glance – normal customer relationship which takes a strange twist when the other party suddenly wants to change the payment structure. Traditional industry companies are, from our point of view, not sufficiently aware of this risk and rarely have proper anti-money-laundering (AML) processes in place. But regulators are increasingly focusing on AML – for example, in Germany there are now special AML regulators for traditional industries in place – and companies should be prepared for this change.
Raskin: Corporate fraud comes in many shapes and sizes. We are seeing a steady increase in regulatory matters and internal investigations for multinational corporations and financial institutions in the areas of economic sanctions, money laundering and export control violations. The investigations often focus on the front companies, financial institutions and businesspeople involved in transactions designed to sidestep anti-money laundering laws and conceal the involvement of Specially Designated Nationals and countries that are restricted by the US Treasury’s Office of Foreign Assets Control (OFAC).
Eastwood: Conventional bribery and corruption risks continue to surface regularly. Recent high-profile scandals are a testament to the persistence rather than decline of traditional types of fraud. However, markets are dynamic. New risks frequently emerge and the matters that regulators consider fraudulent are also evolving. Cybercrime has increased as organisations move more of their business online. It has rapidly risen on the agenda of governments and compliance regulators. For instance, Mary Jo White, chair of the SEC, has described cyber security as a topic of “extraordinary and long-term seriousness”.
Edmonds: We are seeing an increasing amount of corporate fraud, particularly fraud committed by employees. We have a number of criminal cases where employees have left their employment but prior to leaving or indeed once they have left, have managed to access confidential and commercially sensitive data without authorisation which they have then used to set up against their previous employer or have taken with them to use at their next employment. We have also seen a huge increase in cybercrime and have a number of cases where corporate systems have been hacked and confidential data taken. This is a very serious problem for corporates and can have devastating effects on a business.
Meads: Advances in technology, globalisation and increasingly competitive markets make fraud an evolving and ever increasing risk for corporates. The PwC ‘2014 Global Economic Crime Survey’ identifies the three types of economic crime most commonly reported by corporates globally as asset misappropriation, procurement fraud, and bribery and corruption. Due to the increased reliance on connectivity and IT, an increasingly prevalent and serious category of fraud is cybercrime, which can encompass a vast range of offending. For businesses, the main threats are hacking and Distributed Denial of Service (DDOS) attacks. In the former, a company may not even realise that their systems have been breached, or precisely what has been lost or stolen. The latter is little more than a modern day extortion racket.
“Since the introduction of the defence of ‘adequate procedures’ by the Bribery Act 2010, there has been a sharper focus on companies’ risk management, compliance programs and internal controls by UK authorities.”
Ratley: Have there been any significant legal and regulatory developments relevant to corporate fraud in your region over the past 12-18 months?
Raskin: Sanctions laws and regulations evolve with world events and foreign policy shifts. For example, throughout 2014, OFAC has imposed Ukraine-related sanctions against entities and individuals – primarily Russian – alleged to be involved in the situation in Ukraine. Also, in January 2013, President Obama signed into law the National Defense Authorization Act for Fiscal Year 2013, which significantly increased the range of Iran-related transactions that can attract US extraterritorial sanctions. We are also seeing unprecedented efforts by US authorities to pursue misconduct occurring abroad. Federal prosecutors and regulators are more frequently and successfully collaborating with their overseas counterparts in targeting cross-border entities. Even state-level US authorities are pursing multinationals. Indeed, the New York State Department of Financial Services has been taking an aggressive stance in pursuing economic sanctions cases against banks holding licences to do business in New York and has recently entered into high profile settlements with a handful of multinational banks.
Meads: On 24 February 2014, we saw the introduction of Deferred Prosecution Agreements (DPAs), under which criminal prosecution of a corporate is deferred pending compliance with terms and conditions, often including an overhaul of the company’s compliance program. No DPAs have, as yet, been concluded in the UK. However, it is understood that the UK’s Serious Fraud Office (SFO) is currently in negotiations with at least one corporate. The extent, therefore, to which DPAs will be seen as a fair, effective and compelling option for corporates remains to be seen, particularly given the director of the SFO’s comments that, “prosecution remains the preferred option for corporate criminality”. The new UK ‘Sentencing Guidelines for Fraud, Bribery and Money Laundering offences’, came into force on 1 October 2014. As well as acting as a definitive guideline, they will assist in giving a degree of certainty as to the financial penalty a corporate can expect to receive under a DPA.
Eastwood: DPAs were introduced in the UK in February 2014 and serve as an alternative to full prosecution by allowing a prosecutor and corporate to suspend proceedings subject to the company fulfilling certain conditions. The addition of DPAs represents an attempt to give prosecutors greater flexibility and to stimulate self-disclosure amongst offending companies. However, there are considerable disincentives to self-reporting fraud. There is no guarantee that a DPA will be offered and the penalties are broadly similar to those upon full prosecution.
Edmonds: 2013 saw the national roll out of ‘Action Fraud’, which means fraud can no longer be reported by visiting a local police station, specialist economic crime team or by calling 999. Instead, it must be reported by calling a central number or using the online reporting service. Details of the case are then passed to the National Fraud Intelligence Bureau (NFIB) based at the City of London Police. The NFIB will then assess if viable lines of enquiry are required and if so will assign the case to a police force to investigate. Frustratingly for victims, Action Fraud does not provide an update on the progress of the case, therefore cases often sit in the system for months with the victim none the wiser as to whether it is being investigated. More often than not, cases are rejected for the most whimsical of reasons. Our experience has been that large complex fraud cases are often being rejected despite the evidence being overwhelming.
Moosmayer: From a global point of view, it is obvious that regulatory pressure is increasing in China, both on the antitrust and on the fraud and corruption side. The enforcement activities of different Chinese regulators have reached out far beyond the famous GSK case and involve all major industries. Regarding Russia, we have to closely monitor the development of the new sanctions regime. It is too early to say if the political situation will result in increased enforcement actions for corporate fraud – for example, against foreign investors in Russia – but there is certainly a risk. A word on Germany: we have an intense discussion about a change to the sanction regime for corporations, moving toward true criminal liability of corporations. In our in-house lawyers association we have made a counter-proposal to better incentivise companies to invest in compliance, and will see in the coming months how this develops.
Hardin: In the United States, we are seeing increased regulations from the Consumer Financial Protection Bureau and the SEC. With respect to financial services, we see a focus on increased protections for consumer oriented products, such as mortgages and student loans. Whistleblower bounty programs are being pushed by governmental regulators, who hope that incentives will encourage employees to come forward regarding fraud that occurs at their corporations. With cybercrime, identity thieves are acquiring information from medical records and selling it on the black market. We anticipate that significant regulations will be passed in the coming years to protect medical information beyond the current regulations.
“My advice would also be to look not only at your own company but to conduct an external risk assessment. You should analyse cases outside your own company and ask the question: ‘Could this also happen in our own enterprise?’”
Ratley: Can you highlight any recent, noteworthy fraud-related cases? What lessons can we draw from their outcome?
Edmonds: In the 2014 case of R (Virgin Media Ltd) v Zinga, Virgin Media Ltd commenced a private prosecution against the defendant who was illegally selling set top boxes which allowed for free viewing of premium channels which viewers typically had to pay to watch via a subscription. It was estimated that Virgin’s lost revenue as a result of this fraud was £380m. The appellant was convicted of conspiracy to defraud and sentenced to eight years imprisonment. Virgin then commenced confiscation proceedings against the defendant to deprive him of his proceeds of crime. The principal issue raised in this appeal was whether a private prosecutor was entitled to bring confiscation proceedings under the Proceeds of Crime Act 2002, even if it had no financial or other personal interest in the outcome. The Court of Appeal held that merely because private prosecutors will not be, and cannot employ, an appropriate officer under s 378(1), that does not mean they cannot participate as a prosecutor in confiscation proceedings. Private prosecutors may seek assistance from an appropriate officer and the mere fact that they cannot conduct the investigation does not impair their ability to participate fully in confiscation proceedings. Confiscation is a very useful tool for corporates bringing private prosecutions and who want to send out a powerful deterrent message.
Hardin: From a cybercrime perspective, we see many corporations that have been impacted by hackers that have stolen information. With regard to some of the retailers that have been impacted, the lessons to be drawn range from continuous monitoring and changing procedures to identifying suspicious anomalies in the system. We recommend a people, process and technology approach. Many corporations are merely relying on technology to detect fraudulent schemes; however, it is the people and the overall system processes that should provide insights, with a technological overlay to complement them.
Meads: The UK’s Serious Fraud Office (SFO) has recently imposed its highest monetary fine ever, penalising Barclays Bank £38m after it failed to properly safeguard client assets. This exemplifies the no-nonsense enforcement approach of the regulators, stressing the need for an organisation to have in place adequate systems and controls. A number of high profile corruption cases have recently concluded, including Innospec and Aluminium Bahrain. Each case involved substantial sentencing discounts to defendants who cooperated with the prosecution. However, it is the near future that holds potentially noteworthy fraud cases with foreign exchange rigging and LIBOR investigations ongoing. Several high profile SFO and Financial Conduct Authority (FCA) cases concerning a number of FTSE 100 companies are also at various stages, including the prosecution of the former CEO of JJB Sports, the former treasurer and head of tax at WM Morrisons for insider dealing, investigations into GSK for corruption and the misstatement of Tesco’s half year results.
Eastwood: The 2014 case of Otkritie v George Urumov is interesting as it concerned two distinct frauds, referred to as the Argentinian Warrants Fraud and the Sign-On Fraud. The former concerned a deal whereby Otkritie Securities was deceived by Mr Urumov and other employees into overpaying some US$150m for 1.6 billion Argentine GDP peso (ARS) denominated warrants – the excess going to Mr Urumov and his co-conspirators. The latter concerned the circumstances in which Mr Urumov came to be employed by Otkritie, joining on payment of a $25m ‘golden hello’ for himself and four other securities traders. The claimants asserted this amount was paid in reliance on representations from Mr Urumov that each new employee had a guaranteed income of $5m per annum at their previous employers and the ‘golden hello’ would be shared equally. In fact, the money was used by Mr Urumov for substantial bribes and kickbacks, including to two senior employees within the Otkritie Group who lobbied for his employment. Two lessons can be drawn from this case. Firstly, it is a reminder that bribery may be an integral part of wider fraud schemes. Secondly, it highlights the risk of focusing solely on financial incentives and related reporting for employers. Recent high-profile scandals have emphasised the contribution of ‘bonus culture’ to misconduct. A different tone is needed to encourage compliance.
Raskin: Penalties in fraud-related cases are through the roof, often in the six and seven figures. In 2013, the US Department of Justice (DOJ) reported $3.8bn in settlements from False Claims Act cases alone. A recent settlement with a French bank for OFAC violations set the record at $8.9bn. Key lessons can be drawn from a 2012 case in which a global bank paid $1.9bn for violations of anti-money laundering and sanctions laws. The bank failed to detect and report suspicious activity, including the laundering of $881m in drug trafficking proceeds through US-dollar accounts held at the bank’s affiliate in Mexico. This case underscores the importance of strong due diligence, risk-based compliance programs, and robust internal controls. Conducting proactive data analysis to detect and respond to warning signs early on, and regularly auditing and monitoring transactions, are critical to keeping out of the headlines.
Moosmayer: In Germany, the recent verdict of the Munich higher court against a former board member of Siemens, confirming his civil liability for compliance failures in the company before 2007, is certainly noteworthy. For the first time, a civil court ruled that it is the responsibility of every board member to immediately ‘step in’ if he or she observes a compliance weakness which is not sufficiently addressed by the legal or compliance department, or the responsible management. This is not only a CEO responsibility. It is important to stress that the board member in question was not criminally convicted, but a practically unlimited civil liability for all damages in relation to a compliance case might be of equal deterrence. In the US, the legal privilege for internal investigations has been challenged several times. In the Halliburton case it prevailed, while in the recent verdict of the Supreme Court of Delaware in the Wal-Mart case it did not. This has to be monitored closely by legal and compliance professionals.
Ratley: To what extent are boards and senior executives taking proactive steps to reduce fraud arising within their company?
Eastwood: Most businesses have already taken up many of the essential components for effective compliance programs. Companies routinely have anti-bribery and corruption (ABC) policies and codes of conduct. These often include clear penalties for violations and in most cases there is a top down commitment to compliance from senior management. Corporates in developed markets are more likely to implement proactive ABC measures. There remains a gap with emerging markets, though this seems to be narrowing as a consensus around best practice strengthens. However, pressures to meet financial targets always risk encouraging boards and senior executives to ignore potential frauds if it assists the business. That is why a strong compliance program remains crucial.
Raskin: In the current regulatory climate, proactive risk management has by necessity become an increasingly crucial priority for boards and senior executives. Boards are increasingly taking proactive steps to reduce fraud, including by providing written policies to convey a zero-tolerance standard regarding fraud, conducting periodic risk assessments, establishing processes for employees, customers, vendors and other third parties to report fraud or suspicion of fraud, and engaging outside counsel and experts to conduct audits and internal investigations.
Moosmayer: The risk awareness of the C-suite and senior management has significantly increased. This is not only due to the visible risk of personal liability in a strict legal sense, but also due to the overall reputational risks for themselves and for the companies they represent. Today, customers, shareholders, investors and public opinion are certainly much more sensitive when it comes to the perception of fraud or other misconduct in enterprises. This affects businesses in the short to midterm. As a practical result, the number of compliance departments installed by boards has ‘exploded’ in recent years. But to be proactive means more: a constant and powerful tone from the top and sustainable efforts to create a true compliance culture in the company. This should be the main task of management in order to fight against fraud.
Meads: Boards and senior executives remain crucial in fostering a culture hostile to fraudulent conduct. Since the introduction of the defence of ‘adequate procedures’ by the Bribery Act 2010, there has been a sharper focus on companies’ risk management, compliance programs and internal controls by UK authorities. Regulators are adopting an aggressive approach, as illustrated by the fine imposed by the FCA on Besso Limited earlier this year. The company was found to have had inadequate internal controls against fraudulent conduct, notwithstanding the FCA findings that no illicit payments or inducements had actually taken place. The signal is clear that impropriety is not required in order to attract regulatory attention, and should serve as an example to boards and senior executives that active steps must be taken at all levels to ensure a company’s internal controls are robust, extensive and consistently implemented.
Hardin: Corporate boards are actually being shaken up and their compositions changed to help combat fraud. Certain board members with non-financial backgrounds are being replaced by members that have financial and technology experience. In addition, boards are receiving specialised training in risk management. Companies have steadily increased investing in compliance programs, and many have increased spending by investing in compliance officers, investigations practices and enhanced internal audit functions. We have also seen an increase in communications to employees in an effort to promote internal reporting of fraud. The new whistleblower bounty programs have placed companies in a position to worry about information being shared with regulators without their knowledge. Executives understand that bloggers, employees, hackers and other parties will report issues about the company to regulators, law enforcement and across social media. With that understanding, budgets are being increased for proactive efforts ranging from cyber security testing to compliance monitoring.
Edmonds: Many boards and senior executives of companies are becoming progressively imaginative in their approach to reduce fraud within their company. One of the methods increasingly employed is the use of private prosecutions which has an effective deterrent effect on those who are considering committing fraud against that particular company. Private prosecutions can be brought by any company, individual or organisation and the right to do so is preserved by section 6 Prosecution of Offences Act. They are an effective means of ensuring justice prevails, especially in cases where the police have refused to investigate or prosecute yet there is clear evidence of fraud.
“Regulators have plainly stated that more is needed than the basic components of a compliance program. There must be function over form. ”
Ratley: What advice can you offer to firms on how to detect potential fraud and corruption within their organisation? What measures can be taken to strengthen a company’s internal procurement or supply chain processes, for example?
Moosmayer: Proper risk assessment is the key. You have to do it bottom up – for example, setting up well prepared risk workshops in the operating entities – and top down, using the outcome of audits and internal investigations, for example. My advice would also be to look not only at your own company but to conduct an external risk assessment. You should analyse cases outside your own company and ask the question: “Could this also happen in our own enterprise?”
Hardin: Integrating people, process and technology is a sound way to detect fraud and corruption. First, the key to detecting potential fraud starts with people and the tone at the top – an attitude that works its way through the balance of the organisation. The promotion of active communication; employees understanding that reporting fraud is encouraged and will not result in retaliation; and that senior management will take action to investigate and remediate fraud are paramount. Second, the process of strategically investing in internal controls and compliance programs is necessary to keep up with the dramatic increase of information sharing and technology in today’s environment. Lastly, investing in technology platforms to track, vet, authorise and approve customers and vendors limits the ability of a company’s divisions to function autonomously. This decreases the risk of potentially retaining or entering into questionable business or political relationships.
Meads: An organisation’s approach to dealing with fraud needs to be set out in a clear code of conduct that emphasises the standards which are expected. Regular staff training is fundamental and the creation of a ‘no tolerance’ culture within the organisation, which is encouraged by directors and board members, is key to encouraging the same behaviour from employees. Staff must be encouraged to report any behaviour about which they have concerns, and must be assured that such action will not bring about adverse repercussions. It is essential that ongoing risk assessments are carried out to identify areas of potential vulnerability. This will assist in ensuring that the appropriate controls and due diligence are in place to monitor potential weaknesses surrounding internal procurement and supply chain processes, as well as good internal and external auditors, as a further check and balance function.
Edmonds: We have seen an increasing number of cases involving fraud and corruption in the procurement process and no company is completely immune to these risks. The reputational damage and financial losses caused as a result of fraud and corruption can be devastating, therefore companies must have in place effective mechanisms to reduce the risk and increase detection. It is essential that companies have a good, solid whistleblowing policy in place and they are aware of their obligations under the Bribery Act 2010 to prevent bribery by people working for or on its behalf. Internal controls and procedures around the procurement process must be detailed and should be assessed and revised regularly to meet the challenges of new risks that arise. We would also recommend that due diligence on suppliers should be carried out as a matter of course, as it is amazing how many frauds are committed which could have been avoided by greater due diligence.
Eastwood: In order to mitigate the significant compliance risks facing businesses in the current market, firms need to recognise that policies and training are only the first step. Regulators have plainly stated that more is needed than the basic components of a compliance program. There must be function over form. Detection of potential fraud and corruption begins with the board. They should regularly review internal controls and the driving risks for their business. Forensic data analysis is a particularly useful tool for senior management to assess what areas are at greatest risk – for example, the threat of procurement fraud at supplier level. Specialised anti-corruption due diligence should also be routine, with flexible procedures in place to respond when fraud is discovered.
Raskin: Firms need to implement and monitor rigorous internal controls, as well as ensure that they establish a culture of compliance reinforced by the tone at the top. This includes conducting risk assessments, reviewing existing policies and developing compliance policies addressing economic sanctions, export controls, anti-bribery and anti-money laundering regimes. It also means preparing Know Your Customer procedures throughout the business and across each jurisdiction. Firms should regularly conduct internal audits and monitoring functions. They should use proactive data analysis to identify potential fraud or misconduct. They should also implement hotlines and whistleblower mechanisms, with confidentiality protections and follow-up procedures, to encourage reporting fraud and ensure that reporting employees are not subject to retaliation as a result of the report. When information relating to actual or potential fraud is uncovered, management should be prepared to conduct a thorough and objective internal investigation, with assistance from outside counsel.
“We have seen increased efforts by organisations to enhance policies and even promote better communication; however, many employees still fear that management will retaliate should they come forward and blow the whistle.”
Ratley: How important is it to train staff to identify and report potentially fraudulent activity? In your experience, do companies pay enough attention to refreshing employee education and reiterating its value?
Meads: The importance of comprehensive, innovative training cannot be underestimated. Fraud often occurs when an employee wilfully circumvents or undermines the protective procedures that are in place, and therefore training all staff to have awareness and to be able to identify the red flags is vital to protect that business. Moreover, training should not just be a tick-box, sterile test; instead it should be training that promotes independent thinking, debate and communal values. Training needs to be refreshed as the risk profile of the business is re-evaluated. Reporting structures should be clear, defined and anonymous to give the confidence to staff to report.
Raskin: The importance of training really cannot be overstated. Training is the foundation for a robust control environment. In training staff, management should consider developing fraud awareness initiatives that are comprehensive, regular and frequent, tailored to job functions and risk areas, integrated with other training efforts, and effective in a variety of settings. A company’s compliance staff must be empowered to communicate with authority and to implement the company’s compliance programs. It is important to remember, though, that the board of directors and company management are responsible for setting the tone at the top, establishing a culture of compliance, and ensuring institutional support for ethical and responsible business practices.
Edmonds: It is imperative that effective fraud detection forms part of a company’s anti-fraud strategy and that adequate training is given to staff to spot the risks. Ongoing risk assessments should be completed regularly and staff should be trained in how to spot fraud and how to report it. Training should be given from board level down so that all are aware of the risks. We have often found that some companies do not have adequate mechanisms in place to allow staff to report suspicions of fraud. They also often do not have fraud awareness training in place as part of the induction programme for new entrants.
Hardin: Companies are not paying enough attention to employee reporting. Training has to change in that the old adage “say, see, and do” should be performed. Once employees are given instruction, they need to see it, and then perform it. With fraudsters regularly changing their techniques for committing fraud, companies would be well served by regularly bringing in experts that understand and investigate the latest fraudulent techniques. Having those experts provide regular training gives corporations an edge in combating crime.
Moosmayer: Training and communication will remain key factors in preventing all types of fraud. Such activities, if professionally conducted, are in my opinion much more important than having thick rule books for employees. Refreshing education is a big and challenging topic. Many companies and compliance officers have conducted the first training session, and after some time the question comes up: “What is next?” Simply repeating a session is neither useful nor will it catch the attention of the audience. What is needed are more risk-specific training sessions for different groups of employees – not every colleague in the accounting department, who has no contact with competitors, needs to become an antitrust specialist.
Eastwood: Training staff properly is crucial; they are not only a vital line of defence against fraudulent activity, but also vulnerable to involvement in corruption themselves. In order to limit the risk of fraud, organisations should ensure their employees are able to identify and report potential misconduct. Training should be practical and clear. It is important that training is not seen as a ‘tick-box’ exercise but is engaging and ensures that employees can spot issues at an early stage. Companies often deliver introductory training to staff but do not regularly refresh. This is clearly inadvisable as it is crucial that staff do not see anti-corruption and compliance as an issue that they, and the company more generally, merely pays lip-service to.
Ratley: How have companies changed the way they manage and respond to fraud in light of the renewed focus on encouraging and protecting whistleblowers? What more needs to be done?
Hardin: While there is still work to be done regarding employee reporting, companies have definitely taken steps in that direction in light of the government regulation that encourages whistleblowers – such as bounty programs – and the increased number of whistleblower retaliation claims. We have seen increased efforts by organisations to enhance policies and even promote better communication; however, many employees still fear that management will retaliate should they come forward and blow the whistle. Too often, on many of the investigations we have recently worked, the whistleblower, and others, have stood by watching a fraud occur but did not immediately report the violation. The answer we hear more often than not is the fear of retaliation. This is where the attention needs to be focused to improve employee reporting.
Eastwood: Whistleblower rules apply broadly to all possible securities law violations and are intended to encourage voluntary self-disclosure. Despite renewed focus on internal reporting, many companies have failed to mitigate risks by introducing clearly defined policies. It is important to establish accessible whistleblowing hotlines. Procedures for processing complaints should be simple and easy to operate. A key measure of success will be whether the policy gives employees the confidence to come forward with their concerns. Top down commitment to compliance is crucial to maintaining an embedded culture of ethical behaviour and reducing the risk that fraud will go undiscovered.
Edmonds: Some companies have very secure and efficient mechanisms in place to encourage and protect whistleblowers, however there is still far more to do, especially within certain industries such as sport. Despite the legal protection offered to whistleblowers by the Public Interest Disclosure Act 1988 and the Enterprise and Regulatory Reform Act 2013, many potential whistleblowers are still deterred from disclosing crucial intelligence due to concerns about victimisation. Companies need to ensure that those who threaten or victimise whistleblowers are dealt with effectively and appropriate sanctions imposed. The focus should be on encouraging other employees to raise concerns without fear of reprisals.
Moosmayer: Frankly, I do not see a major change over recent years. An effective compliance system always had to encourage reporting from employees and third parties and is obliged to grant protection from retaliation to the extent a private company is able to do so. However, this important topic requires ongoing and professional discussion. For example, I am not in favour of financially incentivising whistleblowers to come forward, because we should expect that employees will report potential fraud without such an incentive. Others are in favour of such a system, perhaps for good reasons and due to their own experience.
Raskin: Companies are increasingly conducting training and implementing non-retaliation policies in codes of conduct and employee handbooks prohibiting unlawful retaliation. Companies are also implementing monitoring programs to ensure that employees are not being retaliated against for their whistleblowing. However, companies need to reassess their fraud reporting and anti-retaliation policies to specifically cover contractors and subcontractors in light of recent US Supreme Court jurisprudence in Lawson v. FMR LCC, holding that the anti-retaliation protections the Sarbanes-Oxley Act of 2002 provides to whistleblowers also applies to employees of a public company’s private contractors and subcontractors. The Lawson decision now requires corporations to monitor third-party contractors and subcontractors to ensure that whistleblowers of those companies are not retaliated against.
Meads: The Enterprise and Regulatory Reform Act 2013 increased protection for whistleblowers against their employers. Section 19 of the Act amends section 47B of the Employment Rights Act 1996, such that an employer can now be vicariously liable for any detriment caused by its employees to a colleague who has made a protected disclosure. The employer will not be liable, however, if they can show that they took all reasonable steps to prevent this from happening. As a result, employers should have clear policies in place which state that their colleagues should not harass or mistreat whistleblowers and that such behaviour may result in disciplinary action. In order to ensure that an employer can show that they have taken reasonable steps to prevent whistleblowers from being subject to detriment, it is also necessary for these policies to be clearly communicated to their workers and complemented by training.
“Corruption and bribery often pose the greatest risk in relation to third party relationships which can have devastating effects on business from a reputational perspective.”
Ratley: Could you outline the main fraud-related risks that can emerge from third party relationships? What types of third parties – such as suppliers, agents, intermediaries and consultants – pose the greatest risks?
Raskin: Third parties pose risk of significant fraud, corruption, and export controls and sanctions violations. A company may be liable under the US Foreign Corrupt Practices Act (FCPA) for bribery engaged in by its third-party agents, consultants or contractors, even if the company has no direct knowledge of the offending payments. Third-party distributors pose a particularly high FCPA risk because distributors, unlike other third parties, often take title of goods and resell them to end users, creating a lack of transparency and an opportunity to structure transactions in ways that violate anti-corruption laws. Distributors also pose significant export control and sanctions risks as companies can face severe penalties for a distributors’ conduct with restricted parties. Companies should ensure that distributors are aware of and agree to comply with anti-bribery laws and US sanctions regulations.
Moosmayer: For years, third-party risks have been in the focus of corporate compliance measures. However, I would say, regarding risks in procurement and the supply chain: do not assess this area only from an internal fraud-risk perspective. A ‘sham supplier’ can be easily used to create a slush fund outside the company to bribe a public official. It is outdated to relate corruption risks only to the typical business consultant who earns 10 percent of a contract without doing any real work on a project. Far more compliance efforts have to be undertaken on the procurement side – with the challenge that the number of suppliers is normally quite high and they are often not centrally managed, which makes control difficult.
Meads: All third parties should be treated as posing a potential risk. The type of risk and warning flags will depend on the nature of the third party relationship. A company can be a direct victim of fraud by suppliers, suffer the actions of employees corrupted to act against the company’s interests, or risk liability for corrupt actions carried out by intermediaries engaged on its behalf. The extent of the risk will be determined by many factors, including operating location, responsibilities, roles undertaken, distance down the chain from central supervision, services provided, contact with foreign public officials, budgetary sign-off, and so forth. In order to reduce these risks, monitoring and oversight is key. To the extent possible, third parties should commit to awareness, training and adherence to a company’s integrity or anti-corruption policy. The International Chamber of Commerce has created an anti-corruption clause that can be used by SMEs for this purpose. Auditing third parties is also necessary to ensure compliance.
Edmonds: Corruption and bribery often pose the greatest risk in relation to third party relationships which can have devastating effects on business from a reputational perspective. Companies are now exposed to a greater degree of risk in this respect due to an increase in outsourcing and offshoring. I would not pinpoint one particular type of third party as posing the greatest risk as we are seeing many cases encompassing them all. We are seeing an increase in the number of invoicing frauds where false invoices are sent to the accounts department of a particular company requesting payment for fictitious goods or services. Often the systems in place are not adequate to pick up on the fraud and it is only discovered later down the line.
Hardin: For many businesses, the primary risk is bribery, but money laundering is also frequently seen. Any third party poses risk, and the risk may increase depending on the type of business, the geographic location, and the ability of the business to obtain information about the third parties. From a cybercrime perspective, those third party relationships can also be a weak link for hackers to gain access to systems. We recommend that companies have a defined third party due diligence process in place. By being part of the compliance program, companies can vet third parties up front, as well as longstanding third parties to understand changes in their organisations.
Eastwood: A very significant corruption risk relating to third parties is that of procurement fraud perpetrated by suppliers. The direct costs of this deception are considerable, but still often dwarfed by indirect costs relating to management time and resources spent dealing with the issue. Businesses face particularly great risks in their supply chain, threatened by kickbacks, fraudulent billing and various purchasing and sales agreements. Where third parties operate in high-risk jurisdictions and engage with public authorities, the potential for fraud is compounded. In many instances, perpetrators are in league with the corporate’s own employees. Anti-corruption due diligence of third parties is essential. Enterprises should be sensitive to circumstances that indicate a propensity to commit fraud. Whatever the character of third parties, compliance programs should ensure a standardised process is undertaken at all levels.
Ratley: If a company finds itself subject to a government investigation or dawn raid, how should it respond? To what lengths should companies go to aid the investigation as it proceeds?
Edmonds: It is important the company establishes whether the dawn raid is legally issued and that LPP lawyers are present as soon as possible. Companies should have a policy in place dealing with how legally privileged material will be dealt with in these circumstances. It is important to negotiate a resolution and ensure that any items, if imaged, are returned. It is very important to maintain the reputation of the company and to ensure confidential material of the company is dealt with appropriately but to balance that with complying with any lawful request. Obtaining legal advice at an early stage is imperative.
Hardin: Each case is different. The facts will vary, and should be properly vetted to establish the best and most appropriate course of action. In our experience, a company’s retention of experienced outside counsel, who are accustomed to working with regulators or other investigators, is an important first step in responding to such situations.
Meads: It is imperative that companies have a response protocol and that appropriate members of staff have been trained in it. Companies have a legal obligation not to impede searches or destroy any material – an obligation backed up by criminal sanction against individuals. However, it is imperative to ensure that a company’s position is protected. Accordingly, a first port of call under such a protocol should be to seek legal advice. In responding to the immediate crisis situation of a dawn raid, particularly one which comes out of the blue, the company’s overall strategy will be unclear. The priority will be to ensure compliance with its legal obligations. An understanding of why the company is being searched will influence the type of materials sought and the degree to which a company cooperates. As the nature of the allegations, and the risks to the company, become clearer, the company can form an appropriate strategy.
Eastwood: All businesses are under a duty to cooperate with a lawful investigation. However, it is important to be aware of the limits placed on the authorities’ powers to ensure they do not exceed their mandate. If an investigation occurs, senior management and legal counsel must be notified immediately. The next step is to check the investigators identification and authority to conduct a raid. You should then make arrangements for a room where the officials can work without disruption. When answering oral questions, the corporate representative may refuse to answer if they go beyond the scope of the investigation or would directly incriminate the company. They should also avoid volunteering unnecessary explanations and not speculate on answers. It is critical that an accurate record is kept of the investigation. Whilst businesses are under a duty to cooperate, their principal concern should be proper procedure.
Raskin: Foremost, subjects of dawn raids must cooperate with investigators by being calm, polite and cooperative during the raid. It is important to engage and involve senior management immediately. Request to delay the start of searches and copying or seizure of documents until outside counsel arrives, but understand that the delay is at the investigators’ discretion. Subjects should also protect themselves from arbitrary interference with the company’s business, ensure the necessary level of confidentiality regarding the raid, and make sure that legal privileges are respected. As such, avoid offering unsolicited information or answering hypothetical or unclear questions. Avoid leaving investigators alone. If possible, designate one lawyer or member of the company’s staff as a ‘shadower’ to each investigator to record all substantive communications with and actions of investigators in as much detail as possible.
Moosmayer: First of all, you can never fully anticipate or prevent a dawn raid, but you can prepare for it. Develop precise, and of course legally compliant, dawn raid guidelines and a checklist in order to get the legal and compliance departments, as well as external counsel, on the spot as soon as possible. Second, establish trust with the enforcement agency in charge of the investigation. Make them understand that you are here to support and cooperate, not to obstruct. My experience is – at least in countries which have a sound legal and judiciary system in place – this attitude helps to promote an early solution with regulators, which enables the company to continue its operations despite ongoing investigations against individuals, which may take years.
“Conduct entity-wide risk assessments to understand the risks that are unique to the business, the gaps or weaknesses in controls, and a practical plan for reducing or managing risk.”
Ratley: What advice can you offer to companies on implementing and maintaining a robust fraud risk assessment process, with appropriate internal controls?
Eastwood: There is no single method that works best for the prevention, detection and reporting of fraud. Each company must examine its own vulnerabilities and opportunities for corruption – both internal and external. That said, Compliance and Internal Audit should form the first line of defence. Internal Audit should actively evaluate the risk of fraud and how that risk is managed by the organisation. Significant exposures and control issues, whether relating to particular jurisdictions or types of work, should be reported to senior management and the board. Compliance must adopt a similar risk-based approach: identifying and reporting on high-risk areas to an independent sponsor. Boards and management need to regularly review these internal controls to ensure risk assessment keeps pace with emerging threats. Any fraud program must be comprehensive, flexible and enforced across the organisation in order to remain effective.
Raskin: Establish a culture of compliance by designating compliance officers who have authority to ensure that their directions are heeded. Conduct entity-wide risk assessments to understand the risks that are unique to the business, the gaps or weaknesses in controls, and a practical plan for reducing or managing risk. Management should ensure that such risk assessments are periodically conducted across the entire organisation with an audit committee set up to oversee the process. Increase cooperation between board directors and enforcement agencies in order to increase transparency and protect corporations from sanctions. Adopt compliance policies specifically addressing identified risks. Ensure that all employees and new hires are provided regularly scheduled training programs. Options include inviting outside counsel to talk about legal and regulatory trends and relevant corporate fraud risks.
Moosmayer: Do not simply ‘buy’ a risk assessment from external advisers. You have to develop it, together with management, on your own. Having said that, good and experienced advisers are certainly useful – they can structure the process and provide examples from outside your company. But only your own management knows the real compliance and business challenges, and has to assume responsibility for mitigation and control.
Hardin: To be successful, senior executives must first communicate the need for change and promote the implementation of a fraud risk assessment process. Second, it is crucial to seek guidance from third parties, including peers in the industry, in order to understand the strengths, weaknesses, successes and failures of their risk assessment processes. Third, the process should be continually vetted, tested and monitored to ensure it is not static and is sufficient to prevent, detect and correct fraud.
Edmonds: Each company is different, but as a rule there are basic structures that can be put in place to seek to prevent, or at least reduce fraud. There needs to be regular independent audits of the systems currently in place. A whistleblowing system with independent monitoring of issues should be introduced as whistleblowing is an invaluable and significant tool in the battle against internal and external fraud. Effective supervision is also paramount. Supervisors must be prepared to ask pertinent questions and be supported by the company if corruption or a breach of company policies are found.
Ratley: Going forward, do you expect any further regulatory or legislative changes in the near future? What factors will shape the way companies mitigate potential fraud occurring within their organisation in the years ahead?
Moosmayer: Legislative efforts are clearly increasing globally. Just look at the recently enacted Clean Companies Act in Brazil, a similar law planned in Spain or discussions in Germany to create, for the first time, true criminal liability for companies. Interestingly, non-governmental regulation on anti-fraud and anti-corruption is increasing as well. The International Organization for Standardization (ISO) is going to issue two compliance standards, triggered by Australia and the UK. As an example, the German Association of Auditors has issued its own audit standard on Compliance Management Systems. Companies are faced with the increasingly complex challenge of complying with several standards, and the advisory industry is pressing for costly certifications. I am sceptical about ‘competition’ between actual legislators and ‘private regulators’. And, I believe there is no need for additional standards since we have accepted the OECD guidelines for companies, which can be used as a reference point.
Eastwood: David Green QC CB, the director of the SFO, has proposed that the corporate offence of failure to prevent bribery, under section 7 of the UK Bribery Act 2010, should be extended to other corporate financial crimes. If enacted, the change would significantly extend liability, with corporates exposed to conviction even if the board knew nothing of improper conduct. Broadening section 7 would encourage businesses to review and strengthen their existing internal controls and lend greater consistency to the law. To have this legal requirement in respect of one type of fraud – specifically bribery – but not others is illogical. The concept of ‘directing mind’ in corporate fraud offences, typically meaning the need for board level oversight, allows a cynical defence to companies that ensure knowledge of wrongdoing never leaves a transactional level. However, if section 7 is extended, corporates will need to readdress their efforts around risk management if they are to avail themselves of the firmer adequate procedures defence.
Edmonds: It will be interesting to see what impact DPAs have in the near future. DPAs came into force on 24 February 2014 and are offered to companies where evidence of fraud, bribery or other economic crime is identified. It is an agreement between the prosecution and an organisation which allows a prosecution to be suspended for a defined period provided the organisation meets certain specified conditions and the agreement is reached under judicial supervision. Conditions may include disgorgement of profits, payment of a fine, compensation for victims and costs, cooperation in any prosecution of individuals, and implementation of a compliance program, with a monitor appointed if necessary.
Hardin: We expect more regulations. Whether new or existing regulations will help mitigate fraud is yet to be determined. The macro issue with regulations is the enforcement associated with them.
Meads: The law of corporate criminal liability is often the focus of pressure for reform, and currently this pressure is falling squarely on offences of fraud. It was reported last month that the attorney-general, with cross party support, is considering proposals to widen corporate criminality. This would see an extension to the section 7 ‘failure to prevent’ offence under the UK Bribery Act, to encompass a failure of a company to prevent acts of financial crime by its associated persons – an idea first canvassed by David Green CB QC, director of the SFO. This offence would be subject to the defence of ‘adequate procedures’, as currently available under the Bribery Act. Should this come in to effect, it will no doubt serve to prompt organisations to ensure that compliance controls that they currently have in place are fit for purpose.
Raskin: With the recent US sanctions against Russia and the continued conflict in Ukraine, we expect to see increased sanctions enforcement actions involving companies with business relationships in or related to Russia. Sanctions compliance remains a moving target as the political, economic and regulatory climate changes. The key to managing fraud risks is anticipating, identifying and addressing new risks as they emerge. Companies that are proactive in evaluating crisis management infrastructure to ensure it can move quickly at the first sign of trouble will fare better in the ever changing legal and regulatory landscape. The biggest challenge now is for boards and senior executives to not stop halfway. Boards have a tendency to invest time and money in times of crisis. Yet, as the economic climate improves, board directors would do well to remember that the time to fix the roof is when the sun is shining.
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE) since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the public and other professional organisations and continues to assist in the development of anti-fraud products and services to meet the needs of the ACFE’s members. In addition, he is a member of the ACFE’s faculty, and teaches regularly at workshops and conferences. He can be contacted on +1 (800) 245 3321 or by email: jratley@ACFE.com.
David Raskin represents institutions and individuals in white-collar criminal and regulatory matters, including investigations and litigation involving the US DOJ, SEC, CFTC, and other federal, state and local agencies. He conducts internal investigations for institutions and audit committees and advises institutions on FCPA risk mitigation and other anti-corruption matters. Mr Raskin served for more than 12 years as a prosecutor at the United States Attorney’s Office for the Southern District of New York. He can be contacted on +1 (212) 878 3438 or by email: david.raskin@cliffordchance.com.
Tamlyn Edmonds is one of the founding partners of Edmonds Marshall McMahon – the first and only specialist private prosecution law firm in the UK. Ms Edmonds is an experienced prosecutor specialising in high value fraud and counterfeiting. She commonly advises companies on strategies to tackle fraud where the police or CPS have refused to investigate and prosecute. She can be contacted on +44 (0)207 583 8392 or by email: tamlynedmonds@emmlegal.com.
Bill Hardin works in Navigant’s Chicago Office and has worked on hundreds of cases involving white-collar crime, cyber security, theft of trade secrets, forensic accounting and anti-corruption investigations. He is frequently called in by clients to assist with crisis management. In addition, he performs strategy/operational consulting assignments for clients and services in interim senior management positions. Mr Hardin is a CPA/CFF, CFE, PMP, and has an MBA from the University of Chicago Booth School of Business. He can be contacted on +1 (312) 583 4119 or by email: bill.hardin@navigant.com.
Sam Eastwood is a dispute resolution lawyer based in London. He is experienced in handling a broad range of large commercial disputes for major corporations and financial institutions. He also heads the firm’s business ethics and anti-corruption group. Mr Eastwood’s experience includes: pursuing and defending claims arising from significant corporate acquisitions; competition litigation; advising on joint venture and shareholder disputes; fraud investigation; seeking injunctive relief and the conduct of corporate investigations. He can be contacted on +44 (0)20 7444 2694 or by email: sam.eastwood@nortonrosefulbright.com.
Rebecca Meads is an employed barrister in the business crime department at Peters & Peters. Ms Meads has expertise in large scale fraud, anti-bribery and corruption, sanctions, challenging Interpol Red Notices, and extradition and MLA Requests. She has worked on a number of high profile cases and has experience of conducting criminal litigation at all levels. She can be contacted on +44 (0)207 822 7723 or by email: rmeads@petersandpeters.com.
Klaus Moosmayer, since January 2014, has been the Chief Compliance Officer of Siemens AG and head of the global Siemens Compliance Organization. Before his recent nomination he served from July 2010 as the Chief Counsel Compliance of Siemens AG and was responsible as Head of the Compliance Governance Organization for legal compliance management, compliance policies, internal investigations, disciplinary sanctions, remediation and compliance risk assessment. He can be contacted on +49 (9131) 742 162 or by email: klaus.moosmayer@siemens.com.
© Financier Worldwide
MODERATOR
Association of Certified Fraud Examiners
THE PANELLISTS
Clifford Chance US LLP
Edmonds Marshall McMahon
Navigant Consulting
Norton Rose Fulbright
Peters & Peters
Siemens AG