November 2015 Issue
Corporate fraud – be it insider trading, money laundering or the embezzlement and misappropriation of corporate assets – continues to be prevalent within organisations, with the internet now the platform of choice for those bent on committing serious fraud. Alongside the aggressive enforcement tactics currently being adopted by regulatory authorities, the requirement to implement robust policies and procedures to mitigate the risk of fraud is now top of the agenda for corporates.
Ratley: In your experience, what types of corporate fraud or misconduct seem to be featuring most prominently in the current marketplace?
Girgenti: The internet has become the new crime scene of the 21st century and the platform of choice for those intent on committing serious fraud and misconduct. Perpetrated by both insiders and those outside of a company, cyber crime and the theft of company information, employee data, customer information and personal identification data has dominated both headlines and the attention of boards and the C-suite. For companies doing business globally, bribery and corruption continue to be top risks. Traditional and non-traditional financial institutions continue to struggle with risks presented by money laundering and trade sanctions. As part of the aftermath of the financial crisis, this year there have been major settlements for abuses related to the origination and securitisation of subprime mortgages. New areas of misconduct have been related to market manipulation of LIBOR and foreign exchange rates.
Swift: The past year has seen a number of high-profile developments in the investigation and enforcement of corporate fraud and misconduct. In February 2014, the Deferred Prosecution Agreement (DPA) was introduced in the UK. Although a DPA has yet to be concluded, the Serious Fraud Office (SFO), through its director David Green CB QC, indicated in September 2015 that it anticipates at least two DPAs being completed this year. The past year has also seen the first jury trial for a LIBOR rigging case – the case against Tom Hayes – and subsequent to his conviction, the longest sentence ever to be imposed for financial fraud, 14 years imprisonment in total. According to the SFO, a further 11 defendants await trial in connection with LIBOR rigging, and more charges are likely in autumn 2015. In the past year, there have also been the first convictions under the Bribery Act 2010 in the Sustainable AgroEnergy trial, and the first conviction after trial of a corporate for foreign briber, when Smith and Ouzman Ltd was convicted of paying bribes to win contracts to print ballot papers for elections in Kenya and Mauritania. The SFO has also continued to investigate several large and well-known corporate organisations, including Tesco and Barclays. We can expect a number of high-profile cases to dominate the headlines and provide a warning bell to corporates in the coming months and years.
Moosmayer: Fraudulent or corrupt misuse of third parties is still the main focus of the compliance organisations – and the authorities. The expected level of third party due diligence by corporations is still on the rise but factually limited by a lack of transparency when it comes to beneficial ownership of companies. When we talk about third parties, it is not sufficient to restrict scrutiny to traditional business consultants – we also have to look at long-term relationships with joint venture partners. Sham suppliers may be used as an instrument to channel money off the books for illegal purposes, but are much more difficult to screen and detect due to the often huge number of suppliers.
McNally: Many financial institutions, corporations and others have been victimised by cyber attacks resulting in the loss of trade secrets, customer information and other sensitive and proprietary business information. Securities fraud also remains a hot topic. The US Attorney’s office in NY and the Criminal Division headquarters at the Department of Justice in DC (DOJ) have aggressively pursued a variety of cases including for insider trading, fraudulent bond sales and stock manipulation. This hard-line enforcement environment won’t subside any time soon. As recently as August 2015, for example, DOJ and the SEC jointly brought an action involving both cyber fraud and securities fraud, charging several foreign hackers and traders who allegedly misappropriated mergers and acquisition announcements from investor relations firms, and then traded on the information ahead of the actual events.
Scott-Mackenzie: The most frequent corporate fraud that we encounter continues to be theft by employees. However, the way in which this is committed continues to evolve with the increasing complexity of Australian businesses. This increasing complexity arrives in many guises, such as geographical expansion into overseas markets, the use of technology or outsourcing business activities such as payroll or third party manufacturers. Accordingly, no longer is the ‘head office’ able to control end to end processes but is reliant upon remote locations, third parties or technology.
Zimiles: Advances in technology have led to new and unique ways to commit fraud and misconduct. For example, the increased use of phishing and malware programmes has led to large scale identity theft schemes in both the public and private sector. Additionally, hackers have gained access to consumers’ bank and brokerage funds – illegally trading through those accounts and stealing funds. Denial of service schemes have shut down company websites and prevented them from conducting business. And digital currency such as bitcoin has given criminals a new way to mask their identity. At the same time, traditional fraud and misconduct schemes such as embezzlement and misappropriation of corporate assets, insider trading and money laundering continue to occur, both with the use of advanced technology and through conventional means.
“Fraudulent or corrupt misuse of third parties is still the main focus of the compliance organisations – and the authorities.”
Ratley: What impact have legal and regulatory developments had on the landscape of corporate fraud and misconduct in your region over the past 12-18 months?
Scott-Mackenzie: The increasing vigilance on bribery has had a clear ripple effect across the fraud landscape. The increased focus in Australia, and the application of the US Foreign Corrupt Practices Act or the UK Bribery Act, has captured incidents across the spectrum of illegal behaviour. There is a clear correlation between a corporate culture that fosters the illegal payment of bribes and one that is likely to also foster other corporate fraud. As an example, we have seen a matter in which an investigation was undertaken on the concern of bribery by company executives. Whilst an analysis was undertaken of the transactions to detect any payment of bribes, it was detected that a senior executive was implicated in a multimillion dollar theft spanning many years.
Zimiles: The implementation of rules and regulations around Dodd-Frank and FATCA, the imposition of severe sanctions on corporations and individuals, and statements by regulators and prosecutors that corporate fraud will continue to be taken seriously have led to a greater appreciation of compliance. Indeed, the focus by the US Department of Justice on personal liability has become an even stronger focus. As a result, there is an increased need for qualified compliance professionals and compliance hiring is on a huge upswing. At the same time, compliance professionals are now concerned about their personal liability. On a related note, companies are also increasing their compliance-related technology spending – looking for, and implementing solutions that help the human compliance professionals do their jobs more efficiently. Management and boards are becoming more involved in the compliance process, developing a better understanding of how their organisation’s processes work and what can be done to improve them.
Girgenti: We are in a new era of regulatory enforcement that is more aggressive and has an arsenal of new laws expanding the authority and reach of enforcement agencies. Among the major legal and regulatory developments over the past year and a half that have influenced the landscape of corporate fraud have been the reliance by the government and its enforcement efforts on whistleblower laws and the focus on the prosecution of individuals and gatekeepers. The recently released Yates Memo by the Department of Justice underscored the government’s focus on the prosecution of individuals in order for a company to receive credit for cooperation. In addition, with the appointment of a compliance counsel in the fraud division of the Department of Justice, the government has further emphasised that it will closely scrutinise the effectiveness of corporate compliance programmes and internal controls. The SEC’s use of administrative proceedings rather than federal courts to bring its enforcement actions tips the balance further in the government’s favour.
Moosmayer: More and more national legislators are including compliance incentive programmes in their sanction systems for corporations. For example, recently Spain has introduced a programme into its criminal law provisions and Germany is currently debating such a regulation. These regulations will encourage companies to voluntarily self disclose internally detected misconduct. Furthermore, implementing or enhancing compliance measures is crucial in the fight against corruption, and is fully in line with the recommendations of the Anti-Bribery Taskforce of the Business and Industry Advisory Committee to the OECD (BIAC). Besides this focus on companies, the US Department of Justice’s recently issued Yates Memo rightfully reminds us that the individuals who are breaking laws and internal compliance rules must remain in the focus of prosecution.
McNally: New York is ground zero for many of these cases. In October 2015, the US Supreme Court declined to review the most recent decision in United States v. Newman, which held that the benefits an insider receives in exchange for divulging material inside information must be “of some consequence”. And that – in order to be liable under the securities laws – the tippee who subsequently trades on that information must actually know the insider received a benefit. Prior to Newman, prosecutors merely had to prove that the tippee, however far removed from the actual source of information, traded on inside information, even if they did not know that the insider received a personal benefit for divulging such information. Without Supreme Court guidance, courts must now determine what constitutes a “benefit” to an insider – whether it’s the exchange of money, or something less, that’s required. Another headline is that US, European and other executives are now facing acute new pressures from the public, press and prosecutors for individual business leaders to be singled out and charged with criminal conduct.
Swift: The introduction of DPAs has been a significant development. DPAs have been used in the US for years. They are an agreement between the company and the prosecuting authority that generally involve financial and other sanctions, but fall short of a criminal conviction. Corporates should expect to see the use of DPAs in the UK going forward, and therefore should be aware of common issues faced when negotiating DPAs with US regulators, as these may also become relevant in the UK.
Ratley: What lessons can we learn from recent fraud and misconduct-related cases and their outcome?
McNally: For an EU or US corporation, government investigations, while serious, can be the least of the consequences stemming from a fraud case. At this time, the number of class action lawsuits filed against VW for its allegedly rigged exhaust emissions will likely exceed 100 separate cases here in the US. During the past 30 years, America’s top business litigators have successfully defended corporations facing such extinction-level civil litigation – and also won huge awards on behalf of businesses that have themselves been victimised by corporate fraud. On other fronts, cyber fraud is a new frontier in white-collar crime. Hacking and other crimes committed electronically and remotely are sophisticated, difficult to detect and can have devastating consequences on a company. Companies are obliged to devote significant resources to bolstering their cyber security, and to work cooperatively with government authorities when attacks occur.
Zimiles: As evidenced in public statements made by Attorney General Loretta Lynch and SEC Chair Mary Jo White, as well as the recent Memo issued by Deputy Attorney General Sally Quillian Yates, the investigation and aggressive prosecution of both corporations and individuals for fraud is of paramount importance to the US government as such conduct undermines the integrity of world markets. In addition, prosecution of corporate fraud and misconduct has gone global as international prosecutors have stepped up their efforts and collaboration between US and international prosecutors continues to rapidly improve. At the end of the day, companies need to be nimble enough to quickly adapt to new regulations and new regulatory focuses while also being proactive in ensuring they have designed and implemented compliance programmes that include procedures, processes and controls that are designed in a manner to adequately prevent and detect fraud and misconduct.
Moosmayer: The Volkswagen case has the potential to become the next ‘game changer’ following the Siemens case. After the Siemens case, anti-corruption compliance became a ‘must’ throughout the industry. Indeed, the Siemens case triggered the creation of anti-corruption compliance departments and programmes in all major companies and increasingly at mid-sized companies too. The Volkswagen case brings another important question to the table: Where do the responsibilities of the compliance team start and finish? The prevention and control of ‘technical compliance’ in companies is so far not in the scope of any compliance department I know. That means, unless there is a specific whistleblower complaint to the compliance organisation, misconduct in this area will most likely not come to the attention of the CCO. The Volkswagen case may open the discussion on whether a ‘holistic’ compliance concept is warranted and if this should run under the responsibility of the compliance department.
Girgenti: The principal lesson learned is that fraud and misconduct will occur at times in every organisation. Accordingly, companies must continue to design and implement compliance functions that not only have strong internal controls around areas of risk, but also are continuously evaluated for their effectiveness. Since third party risk is so prevalent, whether in the area of bribery and corruption, money laundering, cyber crime, trade sanctions or supply chains, organisations need to be especially focused on mitigating the risks presented by third parties.
Swift: One of the most high-profile cases in recent months has been the conviction, and sentence, of Tom Hayes for LIBOR manipulation. Mr Hayes received, in total, a sentence of 14 years imprisonment, which is the longest sentence ever imposed in the UK for financial fraud. In paragraph 12 of his sentencing remarks, the judge told Mr Hayes: “The conduct involved here must be marked out as dishonest and wrong and a message sent to the world of banking accordingly. The reputation of LIBOR is important to the City as a financial centre and of the banking industry in this country. Probity and honesty are essential, as is trust which is based upon it. The LIBOR activities, in which you played a leading part, put all that in jeopardy”. It does not, of course, necessarily follow that all LIBOR sentences will be as long as that imposed on Mr Hayes; each case must turn on its own facts.
Scott-Mackenzie: We are seeing cyber crime as the emerging trend that causes us the most concern. It would appear that cyber crime is badly underreported and much of the analysis is focused upon cases such as the theft of personal data at major companies, such as the 2014 cyber attack of Target in the US. However, it is SMEs that are often the most at risk, as they are unlikely to have the infrastructure or personnel to respond. A recent incident that we have seen has highlighted this. In this matter a staff member opened an email with ‘crypto-locker’. In this matter, a staff member clicked on an email and the email installed the crypto-locker software. This software encrypts all of the business’s data unless certain payment was made. The result is that the SME was unable to trade until the crypto-lock was dealt with. The key learning in this case was that the SME had a relationship with their insurer that provided the relevant IT expertise to advise on how to deal with the crypto-locker and to meet the costs associated with the business interruption.
“Management and boards are becoming more involved in the compliance process, developing a better understanding of how their organisation’s processes work and what can be done to improve them.”
Ratley: In your opinion, to what extent are boards and senior executives taking proactive steps to reduce fraud arising within their organisation?
Moosmayer: Whereas in former times compliance was often seen as just another staff function, this has changed dramatically in the days since Enron and Siemens. The Volkswagen case triggered the resignation of the group CEO and several executives within days of the scandal coming to light. All executives of companies that have lived and survived a compliance crisis know very well that they own compliance.
Swift: Whilst any well-run company will want to ensure it takes steps to reduce fraud within its organisation, the introduction of offences imposing a duty – albeit indirectly – on companies to do so will make it all the more essential that a corporation has adequate procedures in place to tackle any misconduct. Section 7 of the Bribery Act 2010 provides that a company is guilty of an offence if a person ‘associated’ with it, which includes an employee, bribes another person, intending to gain an advantage for the company. The company does have a defence if it can show that ‘adequate’ procedures were in place to prevent that.
Scott-Mackenzie: There are some industries, such as financial services, which are well equipped, whereas there are many high-growth businesses that we deal with that have not reviewed their risk management frameworks in light of their growth. However, many executives do not recognise the full cost of fraud. Many executives focus upon the amount that may be misappropriated. However, the ‘ripple’ effect of fraud can dwarf the amount stolen. The loss of customers, employee morale, as well as regulatory and legal costs and brand impact are often unrecognised when developing the risk framework.
Zimiles: The imposition of harsh financial penalties and other sanctions against corporations has made boards and senior executives realise that such penalties can no longer be seen simply as a cost of doing business. In addition, corporate executives and employees are going to jail for fraud-related offences. And, the US Department of Justice recently stated that for a corporation to get credit for cooperation in a corporate prosecution, they must identify and provide relevant evidence against individuals involved in the misconduct. As a result of all of these facts, we are seeing them taking more of an ‘ownership stake’ in compliance to reduce fraud within their organisations. They are becoming better educated about the regulatory requirements and expectations that impact their organisations. They are developing a better understanding of the risks their organisations face that could expose them to regulatory liability, as well as an understanding of the processes, procedures and controls that the organisation has developed and implemented to mitigate those risks.
Girgenti: Companies and boards are making the effort to build more effective compliance programmes, but often fall short in some critical areas, such as effective due diligence and continuous monitoring of third parties, building effective internal reporting mechanisms for wrongdoing, and focusing sufficient attention on the need and importance of building a culture of integrity.
McNally: In the US, many corporate leaders and boards have stepped up to face these new threats by devoting substantial resources towards developing and strengthening compliance programmes to combat fraud within their ranks. For example, in 2014, after suffering a cyber attack compromising the contact information of 76 million household accounts and 7 million small business accounts, JP Morgan invested $250m towards strengthening its cyber security programme and risk mitigation efforts. Despite that substantial sum, it was reported that in 2015, the bank doubled its spending to $500m, signalling the seriousness with which it viewed the risks to its business. The bank’s CEO Jamie Dimon remarked that it would double its spending on cyber security yet again over the next five years. Many companies both small and large, private and public, are dedicating significant resources to enlist expertise to help enhance efforts to prevent, detect and mitigate fraud risks.
Ratley: What advice would you give to senior executives on how to detect potential fraud or misconduct within their organisation?
Girgenti: Our advice to senior executives is to leverage the power of data and analytics for more effective risk management, to place greater focus on due diligence and the monitoring of third parties, and to implement a plan of continuous risk assessment to identify emerging risks that are the result of new regulations or changed focus of enforcement activity.
Swift: Fraud and corruption thrive on opportunity. Systems and controls can provide an effective deterrent, where properly implemented and monitored. Generally speaking, larger organisations tend to have in place more developed and sophisticated systems. That said, one need only take a casual and occasional glimpse at the press to see where such systems fail. It is worth remembering that the costs of putting systems and controls in place are minor when compared to those associated with an investigation into allegations of fraud and corruption, particularly where the organisation faces potential liability itself.
McNally: The FBI, SEC, federal prosecutors and state AGs are focused on US, European and other corporate leaders. Because regulators place a strong emphasis on the ‘tone at the top’ when reviewing the effectiveness of a compliance programme, senior executives must be personally involved in creating and communicating a strong culture of compliance. A robust compliance programme is a critical way to detect potential fraud. But few companies have sufficient in-house expertise to keep abreast of rapidly changing threats and other developments. Even with outside expertise, senior executives and board members must actively be involved in developing and implementing a compliance programme that is specifically tailored to address the risks unique to their business.
Moosmayer: Executives need to talk about this issue, especially those detected cases in their own company. There is no stronger story than “Look, this happened in our company and this is how we have reacted”. Compliance topics need to be discussed in meetings with sales and project managers, not just during compliance training.
Scott-Mackenzie: The first step is to establish an anti-fraud, anti-bribery and anti-corruption policy. This should then be the basis to ‘set the tone from the top’, including training of staff on both the expectations of staff, as well as a framework for reporting any concerns. However, many businesses that we deal with have implemented an effective risk framework but have not moved beyond preventative planning. Given the likelihood that a business will be struck by major fraud, Australian businesses should consider implementing a response plan to deal with major fraud. The key to this will be what legal, forensic accounting, public relations and insurance advisers will be engaged. In addition, such response planning should be tested annually through the use of table top exercises to identify gaps in the plan.
Zimiles: The best advice we can give is that senior executives must clearly demonstrate that they take compliance seriously and convey that priority to their subordinates. Make sure that you have a compliance programme that demonstrates there is a strong culture of compliance within the organisation. This means that leadership should actively support and understand compliance efforts, compliance interests should not be compromised by the revenue interests of the organisation, relevant information should be shared up and down and across the organisation, and most importantly with compliance, adequate resources in terms of numbers and qualifications should also be devoted to compliance. Additionally, compliance programmes should be considered living, breathing organisms requiring constant nurturing. With that in mind, the compliance programme should be reviewed and tested on a periodic basis to ensure its continued efficacy. If it is deemed necessary, the compliance programme should be enhanced to ensure that it remains regulatory compliant.
“One of the most high-profile cases in recent months has been the conviction, and sentence, of Tom Hayes for LIBOR manipulation.”
Ratley: What should companies do in terms of implementing and maintaining a robust fraud and misconduct risk framework?
Moosmayer: Big Data and its use for fraud prevention is one of the core topics to emerge of late. Many corporations and compliance departments have accumulated a huge amount of data in the course of their business dealings, compliance controls and due diligence. The challenge will be to extract from this data the relevant anti-fraud profiles without violating the applicable data privacy laws. But the systematic use of Big Data for prevention purposes will also change the profile of the compliance officers from a controller to a proactive risk manager.
Scott-Mackenzie: Companies should assume that they are are already being defrauded, and assume that lack of detection does not mean that it’s not occurring, but rather that it is not being detected. Experience suggests that this is unfortunately a much more likely scenario. With such a grim outlook, there is a clear opportunity to ‘invest’ in anti-fraud measures, as these will reduce the business leakage attributable to fraud. Measures such as implementing a rigorous anti-fraud framework, providing anti-fraud training and using specialised data mining techniques to detect unusual transactions are likely to assist.
Zimiles: The key to ensuring that a corporate compliance programme will effectively prevent and detect fraud and misconduct is the development and documentation of a risk assessment. An effective risk assessment will identify and assess the level of risk associated with an organisation’s products and services, the industry in which it operates, the distribution channels for its products and services, and the geographic locations in which it operates. Once the risks are identified and assessed, the organisation should seek to identify and assess the controls that are in place to mitigate those risks. Any gaps identified as a result of the process should be remediated through the implementation or enhancement of its existing controls.
McNally: First, corporate leaders in the US and EU should have internal or outside experts identify the particular risks associated with each of their business segments. The company’s compliance programme and risk framework should then be specifically tailored to eliminate or mitigate such risks. Second, the risk framework should promote an organisational culture that encourages ethical conduct and a commitment to compliance with the law, including commitment from the CEO down to even the company’s third party contractors. Third, compliance officers should regularly monitor the occurrence of risks, and make determinations as to whether those risks are evolving as the business and markets change. If so, the risk framework must quickly and regularly adapt. Compliance officers should offer training to all employees, and compliance programmes must be tested, including by outside experts, to determine whether the company’s framework for identifying and eliminating fraud risk is actually working as intended.
Girgenti: A robust fraud and misconduct framework begins with building a strong culture of integrity and with the engagement of the entire organisation along the Three Lines of Defence. The Three Lines of Defence model clarifies the essential roles and duties of key parts of the organisation. The first line of defence is the board of directors, management and operations. The second line of defence is the compliance function. And the third is the internal audit function. This organisational model requires a robust risk assessment process and a framework for governance, risk and compliance that builds effective processes around prevention, detection and response controls.
Swift: It is important for organisations to consider which measures are most suitable for them, based on their size and structure. The Ministry of Justice’s Guidance as to section 7 of the Bribery Act 2010 provides some help when it comes to considering the sort of measures that may be appropriate. Firstly, appointing a compliance officer to oversee the risk framework and sufficiently empowering him or her to effect change. Secondly, undertaking a thorough risk assessment, particularly in light of the requirements placed on companies by section 7 of the Bribery Act 2010, and the proposed new offence of failing to prevent tax evasion. Thirdly, ensuring that all staff members are aware of the company’s zero tolerance approach to corporate crime, and are educated about the relevant legal framework. Fourthly, ensuring that due diligence processes of all ‘associated persons’ – employees and agents, for example – are sufficiently detailed. Fifthly, developing investigative and whistleblowing mechanisms – many organisations have implemented confidential ethics hotlines, so that criminal activities can be safely and confidentially reported. Finally, organisations should ensure they are continually monitoring and updating their practices, to ensure that those are in line with legal developments.
“Companies and boards are making the effort to build more effective compliance programmes, but often fall short in some critical areas.”
Ratley: How important is it to train staff to identify and report potential fraud and misconduct activity? In your experience, do companies pay enough attention to employee education?
Zimiles: A compliance programme’s procedures, processes and controls can only work if they are effectively communicated throughout the organisation. Effective communication of a compliance programme’s requirements in turn is accomplished through training. An effective training programme should provide all employees, not just compliance staff, with an understanding of the company’s policies, procedures, processes and controls and how they are designed to ensure compliance with applicable regulatory requirements and expectations. Our experience is that the best training programmes use hypotheticals and case studies to transmit the necessary information. We’ve also found that management involvement in training makes the training more effective because it shows employees that the organisation takes its training obligations seriously.
McNally: It’s critical to train employees to identify and report potential fraud and misconduct. Prosecutors and regulators look at whether target companies sufficiently trained their employees to understand and comply with company policies and practices to detect, mitigate and prevent fraud. And will often consider a company’s level of training as a factor in determining whether to open an investigation or to proceed with enforcement actions. In our experience in the US, there’s always room to improve. We have found that companies with strong leaders who have bought into compliance culture, help develop compliance procedures, hold themselves accountable to such procedures, and clearly and regularly communicate those procedures to their colleagues will more likely than not be successful in getting their teams to effectively identify, report and address potential fraud and misconduct.
Girgenti: Training is key if an organisation is to have an effective compliance programme. Organisations are challenged to make their training programmes meaningful and effective. Training programmes need to be customised for the different levels in an organisation, from senior managers to frontline supervisors and employees, each of whom face different challenges and have different responsibilities. Companies need to take advantage of advancements in delivering learning programmes. Shorter, but more frequent, exposure to training on ethics and compliance, combined with real-life scenarios and the use of gaming techniques and social media, help organisations deliver more meaningful and timely content and get the buy-in that they need to make their training programmes effective.
Swift: It is important to ensure that employees are aware of their obligations to mitigate the risk of fraud and misconduct. One of the key principles for bribery reduction set out in the 2011 Ministry of Justice Guideline is communication, including training, as set out at Principle 5, paragraph 5.1: “communication and training deters bribery by associated persons by enhancing awareness and understanding of a commercial organisation’s procedures and to the organisation’s commitment to their proper application”. This is likely to be less effective if delivered in the form of a ‘one size fits all’ approach, or in an ad hoc manner. Therefore, it is important that a comprehensive training and communications plan is implemented into the general risk framework.
Scott-Mackenzie: There is no benefit to having an outstanding anti-fraud framework without effectively communicating with, and training, employees. Whilst there may be a perception that auditors are tasked to identify fraud, the primary line of defence must be employee vigilance when it comes to recognising illegal behaviour. In many cases, it is only after a fraud has occurred that employee will realise that there were ‘red flags’ that should have been identified. By educating employees, this provides them both the understanding of what to look for, as well as engaging them so that they are comfortable to report fraud when they see it.
Moosmayer: We believe that employee education is perceived by all compliance departments as a core task. Also, external service providers offer a wide variety of e-learning programmes, particularly in the areas of anticorruption and antitrust. The key question is not if or what to teach employees but how to keep those employees interested in the training, especially when it comes to refresher courses. We have had some success using case studies of real cases which have been detected and have happened in an environment similar to the one in which staff are working. Based on such case studies we have conducted dialogues rather than conducting formal training with employees addressing questions such as “Could this have happened to us?” and “What might have been the root cause of the incident?”.
Ratley: What impact have recent whistleblower laws had on what companies need to do to prevent and detect fraud and misconduct? What more do you think needs to be done in this area?
McNally: The new whistleblower laws are game changers. They create huge incentives for companies and individuals to race to get expert counsel and to be the first to act. In 2014, the SEC authorised an award of over $30m to an individual who provided original information that allowed the SEC to discover a substantial and ongoing fraud that otherwise would have been very difficult to detect. All in, the SEC authorised 14 such awards last year. We have represented both whistleblowers and companies, and while not every such tip has merit, the potential windfalls have had a huge impact. The SEC’s Office of the Whistleblower reported that last year it received over 3500 whistleblower tips, a number that has grown every year since the programme began.
Swift: Any well-run company, with proper standards of corporate governance, will want to investigate whistleblower reports, as they would any other credible intelligence, revealing matters of concern. By encouraging individuals to come forward, robust mechanisms for protecting whistleblowers provide substantial benefits to the organisation concerned. Research this year by the law firm Slater & Gordon has indicated that a third of employees would not speak out, even if they observed illegal activity. However, over two-thirds of employees would do so if they could complain anonymously. One method of reducing risk and encouraging individuals to come forward should they observe wrongdoing, then, is the introduction of confidential ethics hotlines within the organisation. Another method could be the appointment of a designated compliance officer, and ensuring that employees know they can approach that person should they have a concern.
Scott-Mackenzie: The Australia Pacific region is still behind many other jurisdictions in the promotion of whistleblowing and there is more to be done to instil confidence in employees. As an example, almost half of companies in the region do not have whistleblowing hotlines. In addition, many employees in the region are concerned at both whether any report will be confidential and whether the legal protections available are sufficient. As a result, a recent survey suggests that only 53 percent of employees are prepared to use a whistleblower hotline.
Moosmayer: More needs to be done to provide employees with whistleblower channels. Providing protection to bona fide whistleblowers to the extent possible is a key task of every compliance organisation, but this is a difficult task. Unfortunately, the public discussion is conducted in a way that professionals who deal every day with whistleblowers are either not heard or criticised if they mention their experiences, which are often not black or white – whistleblowers are sometimes involved in misconduct or reports due to personal or even egotistical reasons. Ideally, public debate should be honest in this regard.
Girgenti: Whistleblower laws have required companies to re-evaluate the effectiveness of internal reporting processes to help ensure that those who observe misconduct in an organisation are encouraged in the first instance to report internally rather than to outside government agencies. This is perhaps the weakest area in most compliance programmes. It is imperative that organisations build a culture where people are willing to raise their hand when they observe wrongdoing. Frontline supervisors, who employees most often report misconduct to, should be properly trained on how to receive and address reported misconduct. And employees need to feel comfortable that organisations will address misconduct at any level fairly and ensure the anonymity of reporters, as well as their protection from retaliation.
Zimiles: The whistleblower provisions of the Dodd-Frank legislation have had several effects. First and foremost, the fact that it is now illegal to retaliate against whistleblowers now means that employees who may have otherwise feared coming forward may be more likely to do so now since the law protects them. This, coupled with the payment of bounties for information that leads to enforcement action, has also increased the likelihood that people will come forward. Additionally, the fact that whistleblowers cannot be prevented from going to the government with their allegations before going to the company makes it even more important that companies’ compliance programmes include robust policies, procedures and controls that seek to prevent and detect illegal conduct. Finally, from a company’s perspective, all of these factors make it even more important to develop and implement processes and protocols to ensure that all whistleblower complaints are addressed in a measured, comprehensive manner.
“Compliance officers should offer training to all employees, and compliance programmes must be tested, including by outside experts.”
Ratley: Could you highlight the main fraud-related risks that can emerge from third party relationships? What can companies do to manage such risk in connection with suppliers, agents, intermediaries and consultants?
Swift: Any commercial relationship with a third party carries risk of one sort or another. Oversight of procurement is essential to prevent the organisation falling victim to fraud and corruption, either by staff being corruptly induced to enter into disadvantageous contracts or as a result of innocently falling prey to deliberate fraud by third parties. Such risks can be mitigated by relatively simple systems and controls, including appropriate due diligence, but require a clear message and culture of compliance. Of greater potential significance to an organisation is the possibility of enforcement action where individuals associated with an organisation engage in criminal behaviour in the erroneously perceived furtherance of the corporate’s goals. Alongside the introduction of the Bribery Act 2010, the UK has upped its enforcement of overseas corruption. This year saw the first conviction after trial of a corporate for foreign bribery, relating to Smith and Ouzman’s security printing business in Africa.
Girgenti: The fraud risks related to third parties depend on the nature of the services provided by third parties and interactions – direct or indirect – they are having on behalf of the company. With that being said, companies should build more defined processes around the areas of identification and qualification of their third party relationships. This should include performing due diligence, contracting and on-boarding, as well as monitoring and oversight, including establishing a business sponsor responsible for the third parties. It should also involve renewals, with the same level of vetting as performed in the qualification process to identify any changes with third parties, including the nature of their services and the locations in which they operate.
Moosmayer: The proper selection of third parties is a business task and should be embedded in the company’s business strategy. “How do I want to penetrate the market?” “Where is a third party needed?” “What kind of support do we expect from the third party and are we sure that this is not available within our own company?” Compliance has to support this process by offering a systematic and risk-based approach, as well as by using lessons and red flags from past cases. In addition, third party management cannot be done from afar. Higher risk third parties need to be monitored and visited onsite. Higher risk third party audit clauses should be negotiated and such audits should actually be conducted.
Zimiles: Many of the cases brought by the Department of Justice and Securities & Exchange Commission under the Foreign Corrupt Practices Act involve situations where a third-party, hired to provide services for a multinational company in a foreign country, bribes a government official in that country so that the company can obtain or retain valuable business in that country. The company in most cases then falsely reports the transaction on its books and records as a legitimate expense. To mitigate the potential legal, regulatory and reputational liability associated with third-party relationships, companies need to develop, document and implement a robust, risk-based due diligence programme that identifies and assesses the nature and scope of the specific risks that the third-party presents and refreshes the due diligence on a periodic basis. Factors that should be addressed during the due diligence process include, but are not limited to, the type of services being provided, the geographic location in which they are provided and which the third party is paid, and the third-party’s reputation and background.
Scott-Mackenzie: Many businesses that engage third party providers look at due diligence on the provider too late in the engagement process and therefore these are seen as compliance hurdles that hinder the business. Rather, the due diligence process should be integrated into the building of business relationships, and should be focused on understanding the corporate culture of the provider. This will give a better understanding, not only of the fraud risks, but also any other broader commercial opportunities and risks that the new relationship entails.
McNally: Third parties are the third rail of FCPA and many other investigations. They stand apart and yet can cause company derailments or even fatal consequences. Many of the FCPA cases that have had the most disastrous consequences for US and EU companies and executives are the result of third party actions. The third party may serve as a conduit for bribes paid by a company to another party as part of a quid pro quo arrangement. Such arrangements are commonplace in foreign business transactions and often create FCPA exposure. Third parties often serve as ‘consultants’ who are paid to cover their gifts, bribes and kick-back ‘commissions’ by creating the appearance of providing legitimate goods and services. Companies can manage the risks associated with such third party relationships by strengthening their internal controls and accounting practices.
Ratley: If a firm finds itself subject to a fraud-related regulatory investigation, what should be its initial response? Furthermore, to what lengths should a company go to aid an investigation?
Zimiles: In terms of whether an organisation should voluntarily self-report a potential violation of the law, unfortunately there is no simple answer. The DOJ and SEC continue to state that voluntary disclosure of wrongdoing will be given credit in determining the existence, nature and scope of a potential sanction. Notwithstanding, that doesn’t automatically mean that a company should self-report every instance of wrongdoing. That decision depends on the facts and circumstances of the specific situation. These include whether the wrongdoing has or may have a material effect on the company’s financial statements, whether the wrongdoing is related to a control function, whether the company has conducted an investigation into the wrongdoing if an investigation has been conducted, whether the company has been able to determine whether the conduct is ongoing or whether the conduct is limited in scope or enterprise wide, whether the company has taken any remedial actions to address the wrongdoing, and whether the company has reviewed and enhanced its compliance programme and related controls to close any gaps that may have allowed such wrongdoing to occur.
Scott-Mackenzie: An initial response will vary widely based upon the specific circumstances and should also be dependent upon advice from the firm’s advisers. In many cases that we see, businesses that adopt a defensive approach are likely to be perceived by the regulator – or other stakeholders – as having something to hide, and so there should be a general tendency toward cooperation. In many cases, the company may be able to take ownership of the investigation and, whilst these internal investigations can be expensive, this can allow the business to better understand both the issues and to more effectively manage the business implications. However, there is often a complex mix of legal, employee and other stakeholder management and other commercial considerations that may need to be regarded in balancing how and to what length a company should assist.
McNally: Say nothing to investigators other than a pledge of cooperation, and immediately call experienced counsel with deep expertise, experience and credibility with authorities. Counsel should respond immediately when the FBI or other investigators show up with questions, a search warrant or a subpoena. Businesses need counsel with the toughness, talent and tools necessary to offer immediate protection, including offering a privileged attorney-client relationship to best defend confidential communications, strategies and work product.
Swift: An early evaluation of risk is essential. In most companies this is likely to require immediate assistance from external counsel, but within the organisation there has to be a senior and independent individual or group of individuals to manage and take responsibility for the process and form the ‘client group’ for the purposes of ensuring the protection of privilege. The intelligence which gives rise to the suspicion will be the starting point, but the company must determine and then continually review the scope of the investigation. All relevant data, both electronic and hard copy, should be locked down to prevent interference or destruction. The position of employees embroiled in the matter under investigation has to be considered very carefully. Once documents have been gathered and analysed, it may be desirable to interview relevant employees. If a self-report is contemplated, law enforcement may have a view on interviews, particularly of the principal suspects. The organisation will need to consider whether to make a self-report, and if so, to whom. In order to make this decision the organisation needs to evaluate in which jurisdictions it has potential liability. Timing is always an issue – reporting too soon carries the risk of doing so erroneously, without sufficient knowledge of the facts, while a company that reports too late may be criticised and find the range of possible resolutions narrowed.
Moosmayer: Companies have no alternative but to cooperate with the regulators. Cooperation must be honest and comprehensive. ‘Lip service cooperation’ is extremely dangerous as the regulator will feel cheated and react accordingly. Having said that, honest and full cooperation is not self-abandonment. It should also be possible to raise legal arguments, such as over the applicability of the statute of limitation. Regarding the length of the investigation, it is notable that several high ranking US enforcement officials have recently stated that they do not expect a company to look for a needle in a haystack. This certainly opens the door to a discussion with the authorities about the length and scope of an internal investigation. The Yates Memo reminds companies that individual responsibility at all management levels must be in the scope of each internal investigation and subsequent disclosure to regulators.
Girgenti: Nothing can make potential fraud or misconduct worse than an ineffective investigation or response. To ensure an effective response, companies must have a well-designed investigative process that assigns responsibility within the organisation to those who will conduct the investigation and those who will provide oversight. An investigation needs to be objective and when a regulatory body is involved most often independent as well. This will require oversight by the audit committee or special committee of the board, direction by independent outside counsel with experience in conducting investigations, retention protocols for documents, and the appropriate use of service providers with essential competencies, including forensic accounting, data and analytics, computer forensics and electronic discovery.
“Whilst there may be a perception that auditors are tasked to identify fraud, the primary line of defence must be employee vigilance when it comes to recognising illegal behaviour.”
Ratley: Do you expect to see any further regulatory or legislative changes in the near future? What factors are likely to shape the way companies mitigate potential fraud or misconduct in the years ahead?
Scott-Mackenzie: Australia may soon see enacted a mandatory notification, to the regulator and potentially affected individuals, where there has been a more serious privacy data breach. In many cyber fraud incidences, there is not only the loss of corporate assets – customer or employee data is often compromised too. As a result, we expect to see an increase in customer awareness of these frauds. However, regulator and stakeholder management of these reports will also be critical in reputation management. With proper risk management, including the use of cyber insurance, it is possible to not only mitigate the business risk, but to actually enhance corporate reputations through well-managed incidents.
Moosmayer: We expect more and more national legislations will take compliance efforts and voluntary disclosures into account as something good that should be incentivised. We would hope that this trend is taken up by powerful international institutions such as the OECD and the UN which host the most important anti-bribery conventions globally. The Anti-Bribery Taskforce of the BIAC will put extra emphasis on these topics and on the risk of double or multiple jeopardy for cooperating companies on an international level.
Girgenti: We do not expect to see any major regulatory or legislative changes in the absence of a major event or set of circumstances, such as the recent financial crisis. What we do expect to see is continued, aggressive government enforcement that will leverage an array of strategies and tools which will include, among other things, greater global cooperation, increased use of sophisticated data and analytic techniques, heightened focus on individual wrongdoers, greater scrutiny of the effectiveness of compliance programmes and controls as a condition for mitigating penalties and fines, and the continued use of monitorships as well as deferred and non-prosecution agreements. In order to mitigate potential fraud and misconduct in the years ahead, companies will need to closely scrutinise the settlements and agreements that companies and others reach with the government for signs of those factors that the government will consider most important in determining whether internal controls and compliance programmes are operating as designed.
McNally: The risks here remain large, and the consequences can be catastrophic. One closely watched case is the appeal of Jesse Litvak, a former bond trader who was convicted for misrepresenting the prices of bonds sold to customers, misleading customers about the provenance of such bonds, and creating fictitious third parties to create the false appearance of market demand. Litvak’s conviction is on appeal, and the court’s decision will affect what a trader may tell her customer and how much she can embellish the sales pitch. The decision will establish a clearer standard of fraud in complex financial cases, and depending on the court’s holding, could lead to a high water mark for Wall Street fraud cases. DOJ, the SEC, and other agencies have delayed certain actions as they await the decision, and scores of Wall Street banks have been subjects of pre-enforcement investigations concerning similar such practices.
Swift: The UK government has recently performed a u-turn on reform of the law on corporate criminal responsibility. We have for some time been expecting legislative change to make it easier to prosecute companies for offences committed by employees. As it stands, aside from the as yet untested offence of failure to prevent bribery, prosecutors face an uphill struggle finding evidence which implicates someone of sufficient seniority within an organisation, so that the identification principle can be applied to convict a company of serious economic crime.
Zimiles: Criminals have historically adapted to new laws and regulation intended to prevent or deter various types of illegal activity. Consequently, regulatory and legislative changes have historically followed crime trends and patterns as a reactive countermeasure. For example, WWI resulted in the enactment of espionage laws, the increase in bank robberies in the 1930s resulted in the expansion of the FBI, the ‘drug wars’ of the 1980s led to enhancements in drug, money laundering and forfeiture laws, 9/11 led to the passage of Patriot Act, and the financial crisis of 2008 led to increased regulation of financial institutions through the Dodd-Frank Act. A combination of changes in the legal and regulatory landscape and a company’s own experience from changes in certain crime trends ultimately affects how they develop their own deterrence and mitigation procedures. Companies will always need to maintain and update current risk assessments to not only mitigate their exposure to criminals but to also comply with new regulations and laws.
James D. Ratley, CFE, has worked as part of the Association of Certified Fraud Examiners (ACFE) since 1988 and now serves as president and CEO. In this role, he works to promote the ACFE to the public and other professional organisations and continues to assist in the development of anti-fraud products and services to meet the needs of the ACFE’s members. In addition, he is a member of the ACFE’s faculty, and teaches regularly at workshops and conferences. He can be contacted on +1 (800) 245 3321 or by email: jratley@ACFE.com.
Jeremy Scott-Mackenzie is the regional commercial institutions manager – Financial Lines, at AIG Australia. He is a leading authority in his field and is responsible for the strategic development of AIG’s Commercial Crime and Directors & Officers Liability insurance portfolio across Australasia, having been with AIG for over 10 years in a variety of roles across the Asia Pacific region. He is a member of the Australian Institute of Company Directors and the President of the Australian Professional Indemnity Group, Inc.He can be contacted on +61 2 9240 1712 or by email: jeremy.scott-mackenzie@aig.com.
Edward McNally, a white-collar and antitrust partner at Kasowitz, has served as a US Attorney, in the Criminal Division leadership at the Justice Department, and at the White House as the nation’s first General Counsel for homeland security. He has successfully defended corporations and individuals against government investigations, and helped secure hundreds of millions for businesses damaged by fraud and other crimes. He can be contacted on +1 (212) 506 1708 or by email: emcnally@kasowitz.com.
Richard H. Girgenti is the National and Americas leader for KPMG’s Forensic Advisory Services and a member of its Global Forensic Executive Committee. He has more than 40 years of experience conducting investigations, helping assess, design and implement compliance programmes, and providing fraud risk management services in the private, public and not-for-profit sectors. Mr Girgenti is the co-author of ‘Managing the Risk of Fraud and Misconduct’. He can be contacted on +1 (212) 872 6953 or by email: rgirgenti@kpmg.com.
Ellen Zimiles is Head of Navigant’s Financial Risk and Compliance business segment and its Global Investigations & Compliance practice. She has more than 30 years of litigation and investigation experience, including 10 years as a federal prosecutor. Ms Zimiles is a leading authority on fraud control, anti-money laundering programmes, corporate governance, foreign and domestic public corruption matters, regulatory and corporate compliance and monitorships. She can be contacted on +1 (212) 554 2602 or by email: ellen.zimiles@navigant.com.
Neil Swift is a partner in the Business Crime Department of Peters & Peters Solicitors LLP. He specialises in advising corporate and individual clients in corruption investigations, criminal cartel matters, mutual legal assistance requests, FCA inquiries and tax delinquency. Much of Mr Swift’s work involves him advising as part of multijurisdictional and multidisciplinary teams of legal, forensic accounting and tax professionals. He can be contacted on +44 (0)20 7822 7763 or by email: nswift@petersandpeters.com.
Klaus Moosmayer, since January 2014, has been the Chief Compliance Officer of Siemens AG and head of the global Siemens Compliance Organisation. Before this appointment he held various management roles in developing the new Siemens Compliance Program. Since the end of 2013 he has served as Chair of the Anti-Corruption Taskforce of BIAC, the Business and Industry Advisory Committee to the OECD. He can be contacted on +49 (9131) 742 162 or by email: klaus.moosmayer@siemens.com.
© Financier Worldwide
THE MODERATOR
Association of Certified Fraud Examiners
THE PANELLISTS
AIG Australia
Kasowitz, Benson, Torres & Friedman LLP
KPMG LLP
Navigant, Inc.
Peters & Peters Solicitors LLP
Siemens AG