Despite the best efforts of regulators and enforcement agencies, corporate fraud continues to flourish. In recent years, business and financial institutions have become acutely aware of the risk, particularly as a renewed focus on whistleblowing has expanded the toolset of investigatory authorities. Ultimately, sound controls and a culture of compliance are key to minimising fraud. When a firm suspects that fraud may be occurring, decisive action must be taken.
Ratley: What types of corporate fraud seem to be surfacing regularly in the current market? Are there signs that companies are more aware of falling victim to fraud, and taking preventive measures?
Oldham: In terms of the large national, international and regional banks, and private equity firms and intermediaries we work with, it is easy to say that this group is more aware of falling victim to fraud and that they are taking preventive measures in the form of performing background investigations, accounting audits and appraisals prior to making a debt or equity investment or advising on the same. As a US and international background investigations firm, the types of fraud we see most frequently are misrepresentations of past and current legal matters, degrees and certifications and resumes, and bribery.
Martin: Corporate fraud encompasses a variety of different criminal and civil violations committed by one or more individuals associated with a corporation. Cases of corporate corruption regarding the manipulation of financial data continue to arise. This includes the use of fictitious performance indicators, overstatement of company earnings, and hiding debt from shareholders. Another category of fraud that now exists is that relating to cyber-crime, and companies should develop relevant preventive strategies. Employee fraud, including the use of fictitious vendors and fraud involving employee conflicts of interest, also continues to be reported. The use of offshore payments is often involved in these types of cases. Some companies are forming associations with external firms with the appropriate financial and forensic expertise to supplement their own internal audit organisation. This can enhance both the analysis and detection of fraud risks.
Aldred: The challenge is that fraud is like a virus: it adapts to what’s done to defend against it and comes back in a different form. In the last year, a fashionable fraud has involved contacting a junior person in a corporation’s finance department, posing as the organisation’s chief executive with an urgent and highly confidential instruction for the transfer of funds. These frauds have involved threats, flattery and just enough reassurance – dropping into conversations and emails comments that showed familiarity with the company’s people and processes. Hacking into email systems to take on a false identity gave the fraudsmen an extra advantage. Naturally, companies drive their staff to comply with procedures and to respect authority – not to question. It is more difficult when what is needed to defeat a fraud is a change of culture, not just an additional process.
Moosmayer: Apart from the well-known day-to-day smaller frauds, such as credit card or travel expense related fraud, we have observed a certain increase in the awareness of fraud in the procurement or supply chain management areas, and this is happening on a global scale. In spite of systemic controls, this area of commerce remains specifically volatile to individual wrongdoing in all corporations. The increase may in part be due to the ongoing recession and resulting hardships. A stark difference, however, to former years is that the perpetrators seem to have developed an in-depth knowledge of the relevant processes and the control system designed to prevent abuse in corporations. They then use this knowledge to circumvent these controls for their personal benefit. Although this is a growing concern for all corporations – independently from the specific business in which they are engaged – the topic of procurement fraud and the discussion about possible preventive and detective measures is still largely underrepresented in compliance conferences and discussions.
Heiman: Accounting fraud consistently garners headlines and generally involves the largest amounts of money. While the industries and situations are different, Enron, Worldcom, Freddie Mac, Sanford, and Bernie Madoff all involved fraudulent accounting practices. But, while the sums are usually smaller, bribery scandals often cause as much reputational damage. Publicly traded companies in the US have hired more auditors, financial controllers and compliance professionals. This has been driven in some measure by the passage of legislation such as Sarbanes-Oxley and Dodd-Frank. It is also driven by the aggressive enforcement environment and risks of shareholder lawsuits and reputational harm. The taint from a public fraud scandal lasts for years, and I believe that most C-suite executives and board members appreciate this.
Feldberg: Perhaps inevitably after the surfacing of the Libor allegations, the last 18 months has seen a significant increase in regulator focus on large financial institutions. This focus has highlighted a number of cases in which allegations have been made of market abuse or insider trading. We have also seen a significant number of ‘consumer’ based frauds with a number of Ponzi schemes coming to light. Prosecutors and regulators have also continued to use charges of false accounting to deal with false representations being made to hide the true nature of a company’s profitability. With the implementation of the Bribery Act, companies have been forced to ensure they have ‘adequate procedures’ in place to prevent bribery. Many companies have used this exercise to ensure they also have proper controls in place to prevent fraud.
Ratley: From your perspective, what have been the most noteworthy cases of corporate fraud during the last 12-18 months? Are there any particular lessons that we can draw from these cases?
Martin: In 2012, the SEC charged Allianz SE and Oracle with books and records violations related to special purpose accounts and unauthorised side funds. Even though these were FCPA related cases, these types of accounts are also often used in employee embezzlement cases. Additionally, Allianz failed to stop the use of these funds after they were identified as an issue by an internal audit, effectively allowing the illicit payments to continue. When audit findings that indicate wrongdoing are presented, companies must immediately take steps to stop the incorrect practices while also addressing the underlying issues.
Aldred: My team helped to uncover and mitigate the impact of the Kallakis property fraud, which the court described as the biggest mortgage fraud in British legal history. The fraudsmen – now serving lengthy prison sentences – mixed very clever business sense with criminal thinking. They operated with breathtaking confidence, creating networks of influential people, making careful use of aliases, using an accomplice to ‘act’ the part of a Hong Kong businessman and persuading a Lugano lawyer to write letters confirming their assets exceeded $1bn, when in fact they had nothing. The main man even forged a change to his mother’s death certificate. There has always been a strain of corporate fraudsmen driven by greed and arrogance, but what makes them difficult to spot is when they weave astute business thinking in with their criminal schemes. And peppering their supposed networks with ‘real’ relationships can make fraudsmen harder to pick out – while Kallakis had photos in his office of Tony Blair and Prince Charles, he really did know people who were central to public life in Monaco.
Moosmayer: Although this is more on the public corruption side, the current wave of investigations in China, related to alleged systemic fraud and corruption cases in the healthcare market against European and US pharmaceutical companies, should be a warning sign for management and legal and compliance staff in corporations. For sure, we have not seen final results and all the relevant facts in the published enforcement cases to date, but the question will certainly be asked why even very advanced compliance systems were not able to prevent systematic misconduct in a ‘high risk’ market. The lesson to learn is that corporations conducting business in China – and not only in the healthcare market – should review their compliance processes thoroughly without delay.
Heiman: Olympus’ $1.7bn accounting cover-up case began in 2011 and concluded this year with senior managers receiving suspended jail sentences. This story came to light when Michael Woodford, the newly appointed CEO, began to ask questions about certain transactions. This story epitomises the power of the word ‘why’. It is critical at every level of an organisation that people question things that don’t make sense. The allegations regarding GlaxoSmithKline’s Chinese travel agencies funnelling money and favours to doctors is a reminder of the risks posed by third party relationships. Companies utilising third parties to develop sales channels or to perform more mundane tasks such as travel booking must be sure that the third party fully understands and will abide by the company’s code of ethics. Additionally, no matter how robust your third party vetting program is, if your employees are willing to subvert the company’s policies, it is unlikely that the third party will resist.
Feldberg: The Serious Fraud Office (SFO) has charged four individuals with a number of offences relating to the promotion of biofuel investment products to UK investors. The men were all connected to Sustainable AgroEnergy, an alternative investment scheme. The value of the alleged fraud is approximately £23m. The four men have been charged with conspiracy to commit fraud by false representation and conspiracy to furnish false information. Three of the men have also been charged with offences of making and accepting a financial advantage contrary to section 1 (1) and 2 (1) of the UK Bribery Act 2010. The Bribery Act charges are the first to be brought by the SFO despite the Act being in force since July 2011. It is interesting that the charges relate to the acts of individuals and not to the entity itself; meaning there is no Bribery Act, Section 7 corporate offence of failing to prevent bribery. This is despite the fact that there was an entity involved as the SFO had previously obtained a freezing order against the company. As the trial proceeds it will hopefully become clear why the entity was not charged, which may well be of interest to those looking for guidance on who is sufficiently ‘associated’ with a company to trigger a corporate offence.
Oldham: One of our most noteworthy cases was the finding for a prospective new bank lender that the CEO of a US private company was in jail waiting criminal charges for attempting to bribe his current bank’s relationship manager with a large sum of cash. The day we discovered this was the same day our client was making an on-site visit with its prospect to interview certain members of senior management and, of course, the CEO was not present to be interviewed – the CFO lied, telling the bankers present that the CEO was out of the office undergoing minor surgery. Had it gone unnoticed, this fraud would have resulted in one large bank paying off another large bank.
Ratley: What advice can you offer to firms on how to prevent and detect fraud and corruption occurring within their organisation, such as in a company’s internal procurement or supply chain processes? How important is it to train staff to identify and report potentially fraudulent activity?
Moosmayer: Having a good control system and environment is key to minimising fraud. In addition, sound and transparent processes mapping out expected procedures, and detailing instances or examples indicative of red flags, are essential for a good control environment. Equally important is training relevant staff, regularly and in-person, also with a view to learning from the feedback of staff members and feeding this knowledge back into making the control environment more resistant to abuse. Often, especially in large corporations, the control systems run from headquarters are technically excellent, but practice has shown that this does not always equate to the manner in which these are deployed locally in the business units. Last but not least, investigated cases of procurement fraud should be analysed and subsequently used as ‘real life examples’ for training and remediation.
Heiman: Centralise, centralise, centralise. Centralisation lessens the number of people involved, which can help avoid purchases for reasons other than merit. A more centralised process also focuses the number of financial controls that need to be implemented and monitored. When done correctly, centralisation will increase visibility on costs and drive greater savings. Training and awareness are critical. Employees must be made to understand that when a good faith concern is raised, it will be investigated, and if evidence of wrongdoing is found, action will be taken. The company should clearly state that retaliation for raising good faith concerns is not tolerated. Finally, managers at every level need to understand how to address concerns that are raised. Studies show that the majority of employees go to their managers when they see something wrong.
Feldberg: A company wishing to increase its ability to prevent and detect fraud and corruption ought to first identify the areas internally and externally where it is likely to have the highest risk. Once these areas have been identified, proportionate controls can be put in place. There is no ‘one size fits all’ anti-fraud and corruption compliance program. It is worth noting that regulators like to see that a company has genuinely considered where its highest risk points are and acted accordingly. Adopting a proper training program and ensuring there is the correct ‘tone from the top’ are crucially important aspects to any compliance program. It is often the company culture that is remarked upon when regulators and prosecutors start to look at fraud and corruption issues within a company.
Oldham: The frauds costing the most money occur at the senior management level and involve more than one person. Training staff to step up and disclose a fraud is critical. Except as with new loan or investment due diligence, most frauds are brought to the attention of management and supervisors via an inside informant. It should be a company’s culture to advise and promote the disclosure of a fraud by anyone with this knowledge.
Aldred: Objectivity and a questioning approach are what matter. Familiarity brings blindness to the conditions that might make fraud easier. A fresh eye is hugely valuable. Staff can’t be expected to detect fraud unless they have had appropriate training, and they then can’t be expected to question and to speak out unless they get a clear message that the organisation encourages that approach. Any given organisation needs to take an objective look at its processes and to identify its weak points. This can sometimes be easier with an outsider’s help. It is just like checking around your house to see where a burglar might choose to break in. After that, the next steps involve educating the organisation’s staff, and then communicating to staff the culture that people at the top of the organisation will support.
Martin: In relation specifically to supply chain issues, one of the most important aspects of preventing fraud is to scrutinise the companies to whom payments are being made. The proper vetting of vendors and an independent purchasing organisation within the company can be very helpful to this process. An indicator of misconduct in many vendor frauds is the pressure from an operations manager to use a specific vendor rather than there being an impartial review and selection of vendors based on criteria such as technical specifications, price and lead time. In addition, vendors inherited as a result of an acquisition should also be examined to ensure that they meet the acquiring company’s standards. It is crucial to train supply chain staff to scrutinise requests to take on new vendors, to repeatedly use a single vendor or to use a vendor for goods or services that appear to be outside of that vendor’s competence or usual scope of work. Regular reviews of higher risk vendors should also be undertaken.
Ratley: When suspicions of fraud arise within a firm, what steps should be taken to evaluate and resolve the potential problem?
Heiman: A fraud allegation requires a quick assessment of the potential scope and identification of those involved. Is it an individual cheating on their travel and expense reports or is it a significant business unit misrepresenting hundreds of millions of dollars in revenues? While the initial assessment may alter over time, understanding the size of the problem at the beginning will determine the level of resources needed to investigate and remediate the issue. In the examples above, the Human Resources department may be able to address the travel and expense issue without needing other company resources. The accounting fraud example will likely require the involvement of legal, audit, and outside assistance from a law or accounting firm. A fraud issue is not resolved until root causes are identified and preventative measures are implemented to reduce the risk of repetition.
Feldberg: When a company is suspicious that a fraud may be occurring, either on its behalf or in circumstances where the firm itself is being defrauded, it is vitally important that the suspicion is taken seriously. This does not automatically mean stopping all relevant operations and suspending staff. What it does mean is creating a clear, evidence based response that demonstrates the concerns are being quickly and properly investigated. This may mean setting up an independent investigation committee, securing relevant data and liaising with human resources to ensure that the relevant individuals can be spoken to. Consideration should be given to engaging outside counsel to obtain legally privileged advice. The company should also be mindful of any reporting obligations it may have under POCA 2002. Consideration should also be given to the legal implications of continuing in a deal or transaction which may have been initiated or won through fraud or bribery.
Oldham: Any suspicion of fraud should be reported to the finder’s manager or supervisor and, if not pursued, then reported higher in the organisation. From the CEO down to the middle management level, this should be promoted as policy and be a part of the company’s culture. I believe that there is generally more communication and policy within many companies these days to support the isolation of fraud issues.
Martin: There are some very basic steps that should be taken as soon as possible if an allegation of fraud comes to the attention of the company. First, determine what the problem actually is. Second, stop any ongoing misconduct. Third, secure the evidence. Finally, institute any necessary remedial steps. In order for these steps to be executed effectively, it is important to have clear investigative policies and a structure for undertaking investigations already in place. The initial stages of a fraud investigation can be fast-moving and confusing. Multiple issues relating to topics such as legal privilege, employee discipline, the seizure of documentation and data privacy, may arise at a moment’s notice, so it is important that a structure is imposed upon any attempts to evaluate and resolve suspicions of misconduct. Once these basics have been accomplished, the next steps towards resolution of the problem can be taken.
Aldred: Companies need to stop the rot. Contain the problem, but avoid ‘tipping off’ those who might be responsible. Very often, bringing in an outsider to lead a review will be the best approach. This fits with the real issue that usually arises, in my experience, of needing to establish whether there has been any ‘inside’ involvement in the suspected fraud. This means holding information about the problem among a small group of senior people and then working fast to plan a way to a solution. It is vital to act quickly. Information about the inquiry can leak; evidence can be lost or corrupted and further damage can be done to the organisation. It is important to prioritise, and to establish what the organisation has to do – a regulator might have to be informed, for example – and what its options are. Checking insurance cover and reporting to insurers are likely to come high on the list of ‘urgent’ things to do. It is important to appreciate that frauds come in different guises and there can’t be one simple checklist to keep handy for every case: quick, original thinking is going to be called for every time.
Moosmayer: If suspicions of fraud are not reviewed or investigated in a timely manner, the likelihood is that this shortcoming may be seen as an acceptance or tolerance by the company of this type of behaviour. This then increases the risk that the behaviour may spread, or that the perpetrators become bolder and commit even greater acts of wrongdoing. It is imperative that the company is seen to be acting against such behaviour, but in a professional and transparent manner. The suspicions or behaviour complained about must be reviewed or investigated by competent persons in a transparent, professional, fair and efficient manner, ensuring that the fundamental principles of the rule of law are applied, that the conduct complained about is matched against rules of behaviour prescribed by the company or by law, and that the person accused is given a proper hearing before the issue is adjudicated by an independent and objective body that was not involved in the review or investigation. When this matter has been finalised, the company should endeavour to use the lessons learned, not only to address the policy or process weakness, but also in training other colleagues on how to prevent a reoccurrence of this behaviour. Finally, a word about the duration of investigations – it is certainly crucial to conduct the investigation quickly and efficiently but the quality of this process must be the prevailing goal.
Ratley: How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to fraud? Do you believe that employees are made sufficiently aware of internal whistleblowing procedures?
Feldberg: This renewed focus, both by companies and investigatory authorities seeking intelligence on new cases, has led to many companies taking a more robust approach to implementing effective whistleblowing procedures. Government guidance on the Bribery Act stipulates that whistleblowing procedures should form part of a companys ‘adequate procedures’ for preventing bribery. Effective compliance programs go beyond mere bribery risk mitigation and encourage whistleblowing regarding any conduct that could be considered illegal or unethical. Whilst many companies have sought to ensure their whistleblowing procedures are communicated within their organisation, that is not necessarily the case for all. An effective whistleblowing policy should go beyond simply having the policy and reporting mechanism in place. People within an organisation need to be made aware of how they can make a report and be assured that disclosure of genuine concerns will not lead to disciplinary action.
Oldham: There certainly is, or should be, a focus on protecting whistleblowers. I believe that it is not yet totally consistent among companies that employees are made aware of whistleblower procedures, although I see this trend to inform employees increasing. The fact is that a majority of corporate frauds are brought to the surface because of an internal employee ‘tip’.
Martin: All employees in a company should be fully aware of the opportunities that exist for them to bring fraudulent conduct to the attention of the company. Companies should be creative in the way they keep internal reporting procedures in the minds of employees – the use of visual media and IT is important in this area. The ease of access of methods of reporting is also crucial, as is protecting reporting employees from any retaliation. The culture around the internal reporting of fraud has changed – companies work hard to instil trust in their employees that their concerns will be taken seriously and that there will be no retaliation. In a multinational company this task can be challenging because of cultural norms in some countries or regions which do not encourage employees to speak out. Companies need to educate and reassure employees to overcome these barriers to participation. Companies also need to act in a timely fashion on information received from hotlines and other reporting channels.
Aldred: Whistleblowers continue to be a very valuable source of information about frauds. They can be massively helpful in revealing the existence of frauds in the first place, and then they can speed up – and reduce the cost of – the ‘clean-up’ costs of exercises to close down and limit the impact of frauds. In a case that I dealt with several years ago, my client’s hand was strengthened hugely by a ‘whisper’ from a former associate of a fraudsman that led us to exactly where in Switzerland a collection of valuable motor cars was being kept. More could be done to keep the concept of whistleblowing fresh in people’s minds. Too many people in organisations turn a blind eye or assume that they will bring big trouble upon themselves if they speak out. Organisations need to be clear about how they will treat whistleblowers. A good example was motor racing Formula 1’s ‘Spygate’ scandal in 2007. The FIA in Paris announced an amnesty for drivers who came forward to cast light on McLaren’s handling of confidential information from rival team Ferrari, and that move unlocked evidence about the starkest rule infringement that sport had seen – resulting in a season’s ban and a US $100m fine for McLaren. Bear in mind, too, that whilstleblowing isn’t just a source of information; its main value is as a deterrent.
Moosmayer: From our experience, whistleblowing regimes and policies are established in many ‘blue chip’ corporations. However, more important than the ‘paper’ is the way these processes are accepted and lived within a corporation. Companies serious about addressing misconduct in their own ranks would want a culture of compliance, where the reporting of wrongful conduct is a natural consequence of employees acting in the best interest of the company, and trusting the company to address the wrongful behaviour professionally. Companies that have not yet reached this level will largely have to rely on a ‘classical’ whistleblowing culture, and are then captive to all of the elements therein, including, of course, appropriate policies to protect whistleblowers who report in good faith. It is hard to evaluate whether the real incidences of whistleblowing have increased as a result of this new push, as these issues are often kept internally in companies.
Heiman: While I can only speak to my experience, I suspect all organisations are more sensitive to this issue than they were 15 or 20 years ago. For many years, we have encouraged our employees to speak up when they see something wrong. Our ‘Guide to Ethical Conduct’ states that employees not only should speak up, but it is their duty to do so. Failure to report wrongdoing can lead to discipline or termination. At every training session, whether online or live, we remind our employees that they have several options when it comes to reporting issues: their manager, human resources, legal, compliance, the ombudsman office, or a telephone ‘ConcernLine’ that allows for anonymous reporting. Frequent delivery of this kind of message should be part of every organisation’s internal communications plan.
Ratley: Do you believe that regulators sufficiently encourage and reward companies that voluntarily disclose internally detected fraud, or is there still the risk that these ‘corporate whistleblowers’ are afterwards sanctioned and debarred by authorities and blamed by public opinion?
Feldberg: A company that detects fraud internally is almost always in a better position than a company that is approached out of the blue by a regulator or prosecutor that already has suspicions of misconduct. In certain circumstances disclosure may be required by law. Both the regulatory and criminal justice systems make provisions for rewarding companies that are open and cooperative regarding internally detected fraud. Disclosure can influence both the decision of whether or not to prosecute and, in the event of prosecution, the scale of sanctions imposed. It is important to remember that a company with a genuine and effective compliance program in place is less likely to be prosecuted because of the rogue acts of individuals within it. That does not mean, however, that voluntary disclosure necessarily precludes prosecution or publication by regulators of misconduct.
Oldham: I believe that regulators do encourage the protection of whistleblowers, but it likely varies how companies perceive and honour really honest whistleblowers. Public opinion really varies because accurate public knowledge can vary or be non-existent if the fraud information is contained within the relevant company. Containment may be less within public companies, as the media today has its way of discovering information, especially if an employee or member of management is incarcerated.
Martin: The successful detection of fraud and its subsequent voluntary disclosure by a company should demonstrate to regulators, the market and the public, that a company possesses effective systems and controls which were applied with the requisite skill, care and attention. It should also demonstrate that the company possesses a high level of corporate integrity and takes its responsibilities as a corporate citizen seriously. This should have a positive effect on the way that regulators choose to dispose of a case. Of course, a risk of governmentally imposed sanctions may still remain, so it is important to minimise this risk by maintaining the highest standards of corporate compliance as well as keeping up to date with the latest regulatory policies and enforcement trends.
Aldred: This is a difficult issue on which to find a balance. Is it realistic to think that a self-reporting firm could be – or would want to be – held up as an example of model behaviour? The organisation itself would surely rather shrink into the shadows with a reduced punishment than being seen as an example for others out there, while its regulator needs to do its business in public, for maximum deterrent effect. The question of whether the ‘self reporting’ regime really works is therefore more likely to be answered by general trends in behaviour over time than by pointing to individual cases. There is a distinction to be drawn between corporates that report themselves because they’re about to be found out and those that make a clear choice to volunteer information against themselves. In the latter case, companies need to be given more confidence to do the right thing.
Moosmayer: Disclosure in terms of a ‘voluntary disclosure regime’ should be part of a sound corporate compliance regime and needs support and promotion by the enforcement authorities, the courts and the public, especially the media. Generally speaking, the regulators in many jurisdictions have indeed responded positively to disclosures. But unfortunately such disclosures may also be abused in the realm of party politicking and be used against the company disclosing, which is then entrapped in a greater negative publicity campaign. An imminent problem is also how the press and the public respond in cases of disclosure, and the negative effect of destructive information on the perception, ultimately also on the customer. A lot more effort needs to be made to educate the press and the public about corporate responsibility, and the efforts by companies to be compliant, and in so doing, disclose the wrongful acts of their employees.
Heiman: As a general proposition, if significant violations of law have taken place, it is better for the organisation to self-disclose before an individual employee decides to dictate the manner in which information is shared with regulators. However, the US Securities and Exchange Commission has indicated that it now wants defendants to admit guilt, which is a change from its previous policy of allowing certain defendants to resolve an investigation by neither admitting nor denying guilt. The guilty admission can be a trigger for civil claims by shareholders as well as debarment. This new policy may act as a disincentive for companies to voluntarily disclose fraud.
Ratley: If a company finds itself subject to a government investigation or dawn raid, how should it respond? To what extent should companies be prepared to aid the investigation as it proceeds?
Oldham: Companies should always be prepared to aid the investigation and should also immediately consult with legal counsel and, if possible, an outside accounting firm, if the fraud allegation is accounting related.
Martin: All companies should have a corporate policy that outlines its procedures for dealing with government investigations. This policy should include provisions for responding to subpoenas and warrants. Document requests generally include instructions regarding compliance and the legal department can assist in the identification and collection of documents to ensure information integrity. It is also vital that clear instructions exist on how to deal with the issue of legal privilege. In this regard, it is important that companies with a presence in multiple countries fully appreciate the differences in laws and procedures between jurisdictions. The important thing is that the relevant designated decision-makers – for example, general counsel, the CCO – are immediately notified of any issues so that they can direct the tactical and strategic response to the investigation or raid as soon as possible.
Aldred: Just as it should understand corporate governance, an organisation of any size needs to be educated about the kinds of challenges and investigations that might be sprung upon it. It should have in place lines of communication for getting hold of advice in an emergency, and internal arrangements should exist for how to operate in a crisis. Any organisation’s position should be that it will comply with the law, but a company’s position can be complicated, and a bank, for example, will owe a duty of confidentiality to its customers. That might need to be properly explored before answering questions or handing over documents. And I would think very carefully before advising any client that it should waive the privilege that might attach to any legal advice.
Moosmayer: It is expedient for companies to interact and assist the authorities where possible, while at the same time ensuring that the companies and employees’ rights are protected at all times. Often the conduct in support of an investigation will shorten the investigation, limiting the disruptive effect on business and the stress on employees. This support may also be taken into consideration by the authorities when deciding on the consequences for the relevant wrongdoing. Of course, in order to do so, corporations need a reliable and fair legal system and professional and competent public authorities. Unfortunately, this is still not guaranteed in all countries.
Heiman: This is a jurisdiction and fact specific question. In general, the EU expects a higher level of cooperation during the raid itself than does the US. But, both sets of regulators encourage cooperation by the defendant company. Any lawyer advising a business on such questions must consider the obvious facts – strength of the evidence, credibility of the witnesses, risks of cooperation and non-cooperation, and the company’s tolerance for a protracted battle that consumes time and money. Every question must be looked at through the lens of what is in the best interests of the shareholder, and that is not always a crystal clear analysis.
Feldberg: Dawn raids naturally cause considerable concern, disrupt a company’s activities, and will often trigger calls for external counsel to ‘do something’. However, often the best approach is to take some time and develop a proper response strategy. Obtain as much information as possible about what the regulator is looking for and what it expects from the corporate and individuals within the organisation. Engaging in a constructive dialogue with the regulator from the outset will pay dividends later on. Protecting the interests of the company and complying with a regulator or prosecutor’s lawful requests in a constructive way should not be mutually exclusive principles.
Ratley: Have there been any significant legal and regulatory developments relevant to corporate fraud in your region over the past 12-18 months?
Martin: In 2013, there are several examples of the SEC in the US charging auditors for failing to comply with US auditing professional standards. The SEC press release 1370539850572 dated 30 September 2013, states “The actions are part of the agency’s ongoing effort to hold gatekeepers accountable for the important roles they play in the securities industry”. This puts even more of an onus on departments with oversight and advisory responsibilities to provide accurate risk assessments and adequate follow through in high risk areas. In addition, Oracle’s August 2012 settlement of SEC FCPA books and records charges has stirred considerable debate among compliance professionals because the SEC charges were not related to any DOJ prosecution.
Aldred: The main changes in the UK over the last 12-18 months haven’t been in the rules, but in the bodies that apply them. There was uncertainty in the lead up to the establishment of the FCA, and the SFO has been easy meat for the London newspapers from time to time. A bank that’s defrauded will get no sympathy from the FCA, it will face the added challenge of showing that there’s nothing wrong with its systems that made the fraudsman’s job easy. The SFO has had some bad publicity, but it has also turned a corner, gaining confidence by winning a couple of important cases. And October this year has brought the end of the Serious Organised Crime Agency (SOCA) and the birth of the broader, but no better funded, National Crime Agency (NCA). In terms of approach, the NCA will no doubt be determined to prove its worth.
Moosmayer: The developments are certainly not limited to corporate fraud, but include a wider gambit of increasing the corporate responsibility of the company and its directors. Several jurisdictions are reviewing their legislation pertaining to the management and responsibility of companies, introducing a stricter liability for the respective senior management and introducing criminal liability statutes for corporations even in countries where the roman legal doctrine ‘societas delinquere non potest’ has been accepted for centuries. In addition, in several jurisdictions crown witness regulations are being discussed in the area dealing with corporate misconduct, including the question if, and to what extent, existing compliance systems within companies shall result in reduced penalties. In particular, all the BRIC countries have made laudable legislative efforts in this regard – but often implementation is slow or not even taken seriously.
Heiman: As a global organisation, we take an interest in developments around the world. We will be interested to see how Brazil implements its new anti-corruption legislation. We are also watching China’s growing regulatory aggressiveness in the areas of anti-corruption and fair competition. Russia and the Ukraine have also enacted new anti-corruption laws. The open question with all of these laws is will they be enforced in an even-handed manner, or are they there for appearances or to attack foreign companies. In addition, the UK Serious Fraud Office has announced its first prosecutions under the Bribery Act. Again, we will watch to see if there are trends or particular areas of focus.
Feldberg: The passing into law of Deferred Prosecutions Agreements (DPAs) and the publication by the Sentencing Council of draft sentencing guidelines for fraud, bribery and money laundering are perhaps the most significant recent developments in this area of law in the UK. It remains to be seen how many corporates will think it beneficial to enter into a DPA with either the SFO or CPS in the scheme’s current form.
The proposed sentencing guidelines provide a greater degree of certainty on the type of fines corporates should expect to receive in the event of a DPA but also send a warning signal to corporates that UK fines may now increase to be closer to the level of fines imposed in the US. Both DPAs and the sentencing guidelines put significant stock in the benefits of corporates self-reporting.
Oldham: There have been no significant developments in the last 12-18 months, but US financial institutions have over the last 10-12 years developed specific ‘Know Your Customer’ rules and requirements before doing business with a prospect with the guidance, insistence and support of the bank regulatory bodies. Such regulations do vary between countries.
Ratley: In your opinion, are directors and officers (D&Os) sufficiently aware of their liabilities and duties in respect of corporate fraud? What insurance solutions are available to help protect D&Os, and what are the benefits and limitations associated with this coverage?
Moosmayer: It is incumbent on the directors and officers of the company to be aware of their duties and liabilities, especially as the majority of control environments require, by law, personal certification acknowledging the duties and responsibilities on at least a yearly basis. Insurance may constitute a basis for financial restitution, but does very little to promote detection or prevention of this type of wrongful behaviour, and even less in terms of the mitigation of the ongoing risk the company faces, if these issues are not professionally mitigated. The ‘tone from the top’ cannot be guaranteed by insurance policies.
Feldberg: D&O insurance policies afford company managers a certain level of protection. The policies aim to protect company officers from claims that may arise from decisions or actions taken within the scope of their regular duties. Typically, D&O policies cover costs generated from a broad range of activities including engaging in administrative, criminal and employment related proceedings, and investigations by regulators or prosecutors. All current, future and past directors of a company or its subsidiaries are protected. It is only fraudulent, criminal or intentionally non-compliant acts that are not protected; although innocent directors remain fully covered even if the acts of their colleagues were intentional or fraudulent. However, it is worth highlighting some of the limitations associated with D&O cover. The cover must be in place at the time of the claim, even if the event being looked at occurred in the distant past. The insurance will not cover all associated costs and the rates paid by the cover tend to restrict the insured’s choice of lawyer. Finally, in the event of a conviction, the insurer will try to claw back the fees paid.
Oldham: I generally believe that directors and officers are aware of their duties and liabilities with respect to corporate fraud, but, based upon our background investigations findings, I think it is not consistent among companies, private or public, as to how much background due diligence is performed on directors and offices as part of their employment. There is D&O insurance available for these individuals, but such coverage normally does not cover situations where they are negligent or the company is negligent.
Martin: As corporate Sarbanes-Oxley practices have matured over the last 10 years, directors and officers are increasingly aware of their accountability to prevent and detect corporate fraud through the company’s internal control procedures. D&O liability insurance is widely available and can cover fiduciary liability as well as employment practices liability. This, however, is distinctly different from professional liability Errors and Omission (E&O) coverage which is applicable to performance errors of an individual certified professional rather than the duties of the executive team.
Aldred: The average director will be woefully blind to his – and on average, it will be ‘his’ – potential liability for fraud. The challenges are getting knowledge to the right people in companies and then keeping that knowledge fresh. Insurance is available, but two important issues arise. First, insurance doesn’t cover damage to a businessman’s reputation. Second, if it really comes to it, there can be a divergence between the objectives of an insured businessman and his insurer: the insurer can be expected to look for the cheapest financial solution, whereas the businessman might be expected to be pleased to spend all of the available insurance cover, so long as that does the job, for example, of winning an early settlement and keeping the problem under wraps.
Ratley: To what extent have you seen an increase in asset tracing and recovery services in recent years? What issues should a company consider when evaluating options for recovering assets lost to fraudulent activity?
Heiman: I have not noticed an increase in asset tracing. When considering an effort to recover assets, a cost-benefit analysis is required. Is the investment of effort, money and management distraction worth the possible return? To me, if the likelihood of success is anything near 60 percent or less, and the differential between the value of money lost versus value of effort needed to invest is small, I would advise management to walk away from the effort. The one possible exception to this approach would be if there is a compelling need to make a public statement about not condoning the fraud and theft of assets.
Feldberg: There has certainly been an increase in the number of companies offering asset tracing services beyond the traditional law and accountancy firms. However, many asset tracing cases involve the dissipation of assets abroad. Recovery of these assets can be very challenging. Even where orders are obtained in domestic courts, recovery of assets abroad will depend on the nature of the international agreements that the domestic country has with the countries to which the assets have been dissipated. Even where there are international agreements in place, there may well be complications with local legislation and the local prosecuting authority. Corporations considering trying to recover assets lost to fraudulent activity should consider whether or not there is likely to be a criminal or civil hearing in the matter, the amount of money they are looking to recovering compared the costs involved and the jurisdiction where they believe the assets remain.
Oldham: We do perform asset tracking and asset location services for banks in situations where they may be at risk of losing money due to the improper or illegal transfer of company assets in the situation where they are possibly looking at a deficiency in the case of a loan default.
Martin: The continual expansion of technology is a dual-edged sword for asset recovery. While the business world has moved to electronic records that increase the accuracy and transparency of asset monitoring and recording, criminals can also use advances in technology to move large amounts of money around the world. To combat these attempts, a company must have strong internal controls and document retention procedures so it can identify and value assets to be recovered. In addition, the legal environment in the country where the assets were taken or are believed to be held, the availability of public records, and the third party costs of recovery, are all elements that should be considered.
Aldred: To trace stolen assets, you have to be quick or lucky or both. In the last 18 months, I have had the usual frustrations of dealing with banks which – understandably playing things by the book and observing their duty of confidentiality – have slowed things down for my clients desperate to find where their money has gone. On the other hand, I have called an internet gambling company that was more than willing to freeze funds just on the strength of my phone call. And I have encountered the Great Wall of China – the analogy with medieval Britain would be that a fraudsman who gets funds safely to China can in effect claim ‘sanctuary’ for them and the tracing exercise stops dead it its tracks. A company looking to recoup its losses needs to act quickly. But it also needs to look several steps ahead and to make a cold judgement about whether its money spent on an asset-tracing exercise is likely to be worthwhile.
Moosmayer: Recovery must be dealt with on a case-by-case basis. Often, these involve lengthy judicial processes, where the cost of recovering is hardly commensurate to the loss suffered. Undoubtedly, the cost argument is not the only important one, and the reinstatement of the company’s reputation may trump even a loss in these circumstances. In these cases a company will always profit from a risk and cost, time benefit analysis.
Ratley: Looking ahead, do you expect to see any major changes in the way companies mitigate potential fraud occurring within their organisations? To what extent will this be driven by external factors, such as legislative change, and internal factors, such as overhauling policies and controls to go beyond mere compliance?
Feldberg: There appears to have been a change in the approach many corporations are taking towards the role of compliance within their organisations. Companies are providing proper funding, hiring professional compliance personnel and empowering the compliance function to have a greater say in some of the business processes. HSBC was recently reported to have hired 1600 compliance personnel in the six months preceding August 2013. We believe part of the reason for the change is increased enforcement of the current regulations rather than any recent legislative changes. It remains to be seen how the Bribery Act 2010 is enforced. To date there have been two individuals prosecuted and three more individuals charged with Bribery Act offences. To date, no corporations have been charged for failing to have ‘adequate procedures’ in place. Interestingly, the director of the SFO has stated his support for a corporate offence of a company failing to prevent crimes of dishonesty or fraud by its servants or agents, subject to a statutory adequate procedures defence. However, these comments do not appear to have triggered a rewriting of the law on fraud although the law commission is still due to look at changes to the criminal liability of companies.
Oldham: I do expect major change because of the increased extent to which fraud is being committed. This will be driven by internal and external factors, including the potential liability for officers and directors. The potential legal costs for known and unreported fraud can be significant.
Martin: Due to the continual increase in quality and quantity of electronic data, the practices in mitigating fraud are moving beyond data analysis to the newer concept of ‘big data’. A company’s ability to harness the power of its data accurately to detect fraud-related trends and identify questionable transactions will be an important component of managing a successful anti-fraud program. Tools that analyse big data may become much more important to departments with corporate oversight responsibilities if the SEC continues its trend of pursuing charges against auditors who should have known about improprieties or should have performed more in depth verification in high risk areas.
Aldred: Companies have already been driven, by statute, to educate their staff about money laundering. Also, regulators can be expected to be increasingly intrusive when it comes to setting standards for the systems that organisations have to establish in order to become more robust and to reduce the risks they face. Companies are also likely to receive a push from their insurers: apart from being told about the need to tighten things up by the courts and by their regulators, companies will receive a clear message from insurers, who can be expected to take a meaner approach to making payouts as the accepted standard for vigilance within companies is raised. There’s a continuing tension in this area. Companies like certainty. They like to think they have addressed any given issue, found an answer for it and put it behind them. They can’t do that, though, with fraud. They will have to accept that they’ve never finished. And the more clearly they define their processes, frustratingly, the more they leave themselves open to fraud. The important thing will be for companies to commit to keeping fraud on their agenda, to keep moving and to carry on adapting.
Moosmayer: A key driver for change is always the economic or financial environment; during a recession a larger driver to improve a profit margin is the reduction of costs. Another way to reduce costs would be to reduce losses suffered through wrongful conduct such as corporate fraud. It seems that this is being recognised and more effort is made by companies to refine their detection systems, procedures and policies, not only to reduce loss, but also in furtherance of a more developed compliance culture. A professional risk assessment system plays here an important role: If you are able to detect upcoming compliance risks early enough, the corporation will save not only money for investigations and remediation but also foster its reputation as a good corporate citizen. Such a risk assessment is especially needed in the course of M&A transactions in order to get an early and sound understanding which compliance risks may be with the target. Last but not least, the people: one additional factor in the fight against corporate fraud worthy of attention may be to refocus the recruitment and development of personnel. Time spent to recruit employees with high moral fibre and sound personal values, may therefore have the effect that these employees are less likely to fall prey to incompliant behaviour, thereby saving the company money, and its reputation.
Heiman: I think the mitigation tools will be the same – training, controls, monitoring, testing, investigation and remediation. Each of these requires expertise in the areas of law, accounting, education and audit. Combating fraud also requires the full engagement of business leaders. Traditionally, such efforts are led by legal or finance, but the business needs to own the process. Accordingly, the business also needs to be responsible for a lack of compliance. When something goes wrong, there should be consequences when merited such as negative performance reviews or reductions in compensation. If the organisation has a strong culture of compliance and ethics where bribery, dishonesty, theft and conflicts of interest are not tolerated, then changes to legislation should not have a significant impact on the behaviour of employees. Following the law is obviously important, but companies should encourage employees to act with integrity because it is the right thing to do.
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE) since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the public and other professional organisations and continues to assist in the development of anti-fraud products and services to meet the needs of the ACFE’s members. In addition, he is a member of the ACFE’s faculty, and teaches regularly at workshops and conferences.
Jerry Oldham has an extensive investigations and corporate due diligence background, and a broad senior management resume in commercial banking and corporate and real estate finance. He frequently serves as a consultant or expert witness in litigation and settlement negotiations involving complex corporate finance, real estate, banking, and lending practice issues, having assisted in the settlement of hundreds of lawsuits.
Jay Martin joined Baker Hughes as vice president, chief compliance officer and senior deputy counsel in July 2004. Prior to joining Baker Hughes, Mr Martin was a shareholder at Winstead Sechrest & Minick P.C., a partner at Phelps Dunbar and Andrews Kurth, and served as assistant general counsel of Mobil Oil Corporation’s Worldwide Exploration and Production Division in Fairfax, Virginia. He has also served as general counsel of Mobil Natural Gas, Inc., in Houston, Texas.
Duncan Aldred works, mainly with banks and insolvency professionals, on contentious matters. He is highly experienced in advising clients on aspects of banking law and practice, administrations, provisional liquidations, court-appointed receiverships, injunctions and mediations. Mr Aldred has helped banks and other clients to deal with a wide variety of sensitive issues. These have ranged from technical legal questions through handling threats of blackmail to dealing with potentially adverse publicity.
Dr Klaus Moosmayer is chief counsel compliance at Siemens AG. He is responsible for legal compliance management, compliance policies, internal investigations, disciplinary sanctions, remediation and compliance risk assessment. Prior to this role, he served as Siemens’ compliance operating officer and had a leading role in developing the current compliance program. Before entering the Siemens legal department he was in private practice as a lawyer. Mr Moosmayer has published extensively on compliance and white-collar crime topics.
Matthew R. A. Heiman joined Tyco in 2007 and is the Vice President, Chief Compliance & Ethics Officer. Previously, Mr Heiman was Tyco’s Lead Counsel for its Continental Europe Fire & Security business. Before Tyco, Mr Heiman was a lawyer with the National Security Division at the US Department of Justice. He was a legal adviser to the Coalition Provisional Authority in Baghdad, Iraq and practiced as a trial lawyer with the McGuireWoods law firm.
Paul Feldberg is a senior associate at Willkie Farr & Gallagher (UK) LLP. He specialises in white-collar fraud and regulatory matters. Mr Feldberg has significant experience in SFO, FCA, FCPA and SEC enforcement actions. He works with colleagues to adopt a trans-atlantic approach when dealing with multiple regulators. He also has expertise and experience in dealing with AML and Sanctions matters.
© Financier Worldwide
MODERATOR
James D. Ratley
Association of Certified Fraud Examiners
THE PANELLISTS
Jerry Oldham
1stWEST Financial Corporation
Jay G. Martin
Baker Hughes
Duncan Aldred
CMS Cameron McKenna LLP
Klaus Moosmayer
Siemens AG
Matthew R. A. Heiman
Tyco
Paul Feldberg
Willkie Farr & Gallagher (UK) LLP