FORUM: Developing a multinational fraud compliance strategy


Financier Worldwide Magazine

July 2014 Issue

FW moderates a discussion on multinational fraud compliance strategies between Matthew Flood at Balfour Beatty, Shaun Kelly at Crawford & Company, Phil Ostwalt at KPMG, Rebecca Meads at Peters & Peters, and William M. Sullivan, Jr at Pillsbury Winthrop Shaw Pittman LLP.

FW: In your opinion, are senior directors and executives at multinational companies doing enough to understand the threat of fraud facing their organisation? What new methods and technologies are being utilised to perpetrate fraud?

Flood: Most multinationals – particularly listed companies – will be required to have in place adequate controls and processes to prevent risk, including fraud, and these are usually described in their annual reports and signed off by the board and executive committees. Listed UK companies almost all have audit committees – and all have external auditors – and large US corporates are subject to even more stringent Sarbanes-Oxley requirements. Consequently, I think that fraud as a concept is firmly on the board agenda. In the cases of fraud I have had to deal with often the methods are sophisticated but simple. People are now more easily able to impersonate someone with signing authority in a company by creating a fake email address or pretending to be using the MD’s wife’s email account while the MD is on holiday. Often, where companies are victims of fraud, the perpetrators either have inside knowledge or have found out how to ‘work the system’ in order to take advantage of a weakness in controls or processes.

Kelly: Executive management in any organisation would be naive and negligent not to understand and respond to the threat of fraud facing their organisation. There needs to be an appropriate mix of transparent and other methods that include mandatory training and testing of all employees on related subjects along with active monitoring of aspects of the workplace environment. There are quite simple but effective measures that can be deployed, for instance, in respect of bribery a contemporaneous analysis of employee overseas travel bookings against the Corruption Perception Index published by Transparency International to ensure effective training and controls are in place for people visiting high risk countries. More businesses are extending their pre-employment checks on prospective employees to include in all instances criminal record and credit history reviews. These are increasingly deployed on an ongoing regular basis for current employees and any adverse findings adjudicated upon by the governance function rather than perhaps Human Resources or line management as was previously the case. Increasingly, organisations create a risk and compliance function reporting outside of operations to an appropriate executive management role or non-executive board director. They bring subject matter expertise and create governance measures that are intended to be fit for purpose. Such dedicated functions have the focus to gain and maintain an awareness of the constantly changing dynamics around such areas as fraud.

Ostwalt: There has been increased attention by directors and executives on the threat of fraud, largely due to boards paying more attention to the risk agenda. This trend has its roots in the economic environment of the turbulent 2007-2008 period, which resulted in the new regulatory regimes and oversight organisations that we see today. In terms of new methods and technologies used to commit fraud, a couple of trends come to mind. In general we are seeing an increase in fraud committed through collusive acts, where two or more individuals come together to commit the fraud, as stricter regulations and controls have made it more difficult for a single person to engage in such activity. Fraudsters are also utilising social engineering, tapping into email and other forms of communication to portray themselves as someone else, typically after they have launched a malware attack on an employee’s computer to take over an email account. Often they will portray themselves as a member of senior management and instruct a lower level employee to transfer funds or make a payment to a foreign entity. While it may appear to be a small act, we have seen frauds of this type reach into the millions of dollars. We have seen five instances of such fraud in the last month alone.

Meads: Some senior directors place inordinate faith in the ability of their existing systems and controls to detect and prevent fraud. Others recognise that threats are constantly evolving, and that they must constantly reassess possible risk. Certain kinds of fraud have always existed – whether it is low level fraud such as abuse of expenses claims, theft of cash or other assets, or high level fraud involving misstatement of financial results, directors have a duty to manage the risk posed and to put effective controls in place. The relentless growth of commercial activity online has been matched by a rise in cyber crime, such as theft of customer information, the creation of fake websites and, of course, ‘phishing’ emails purporting to emanate from a legitimate business. Cyber crime also carries with it the risk of separate and additional liability for a business under data protection and privacy laws which exist in a number of jurisdictions.

Sullivan: The need for senior management of multinational corporations to be aware of, prevent, detect and address suspicious activities, continues to accelerate. Today, most businesses are operating in an increasingly difficult and competitive marketplace, and with the decline in growth of mature economies, management and boards of directors are increasingly pursuing opportunities in emerging, rapid-growth markets. A new and untested market can be a fertile ground for fraud, and companies that operate across borders and outside their traditional markets are more vulnerable to corruption risks, just as their size, and separation of business units, departments and functions can magnify the difficulties in managing such risks. And the regulatory and enforcement response to these corruption risks continues to be aggressive, supported by increased international cooperation, as well as the promulgation of new local anti-corruption statutes.

FW: Are you aware of any recent regulatory developments aimed at combating corporate fraud? Do you believe that regulatory changes have had any impact on the nature or scale of corporate fraud?

Kelly: Across a global business there are many developments, but of note is the UK Bribery Act that applies to all UK registered businesses and their subsidiaries, and broadly to UK passport holders irrespective of location. That law creates a corporate offence of effectively failing to prevent bribery and so poses a more significant threat to a business than the US Foreign & Corrupt Practices Act (FCPA). In the UK we have seen regulation of the financial services sector enable the Financial Conduct Authority to impose fines in the millions, not for actual bribery but a lack of systems and controls to prevent bribery. There is also, of course, Sarbanes-Oxley.

Ostwalt: Fraud detection and prevention has been the key mission element of a number of recent regulatory developments. In the US, the Consumer Finance Protection Bureau arose out of the Dodd-Frank Act. With respect to anti-bribery statutes, the UK Bribery Act 2010 was a milestone, as is the new Brazilian Clean Companies Act enacted in January 2014. These are just a few recent developments aimed at business practices and fraud. It’s too early to tell whether or not they will have any impact on discouraging fraud. Generally, meaningful enforcement of the laws is required to produce any real evidence that fraud activities are being curtailed. This takes time. But we can expect a change that means corporate executives will be held to task for any bad behaviour.

Meads: When using the phrase ‘corporate fraud’ it is appropriate to draw a distinction between fraud against a business as opposed to fraud by, or for the benefit of, a business. The Bribery Act 2010 Section 7 ushered in a new era of corporate liability in corruption cases, by criminalising a failure to prevent corruption for its benefit by a person associated with the business. Some, most notably the current director of the SFO, have called for this form of liability to be extended to other forms of economic crime, including fraud. Corporate sentencing guidelines for statutory fraud offences have recently been introduced. However, the most significant regulatory development in the last year has been the introduction of Deferred Prosecution Agreements (DPAs) as a means of imposing sanctions for corporate delinquency.

Sullivan: The UK Bribery Act and the Dodd-Frank Reform and Consumer Protection Act come immediately to mind, and the whistleblower provisions embodied in Dodd-Frank include incentives and rewards that are potentially enormous. But what is perhaps most significant for multinational corporations, the pace of international law enforcement cooperation in the anti-corruption setting has quickened since 2009. Over the last five years, the US DOJ and SEC have worked closely with partners in a host of the most populated and economically vital developing countries in the world, including China and Hong Kong, Indonesia and Mexico. Moreover, US regulators have developed close working relationships with their counterparts in other jurisdictions that historically have been considered high-risk for anti-corruption or money laundering purposes, such as Costa Rica and Panama.

Flood: Various governments have introduced anti-corruption legislation, and the financial services sector in particular seems to have ever-increasing rules applied to it to try and prevent and detect money-laundering. However, welfare or benefits, and consumer fraud aside, since Sarbanes-Oxley, very little has actually been done by legislatures to tackle fraud itself. Year on year, cases of scams and fraud seem to increase and become more international in nature. The perpetrators of fraud take advantage of new technologies to commit scams from afar, steal people’s identities and trick people into providing personal information or account details. Generally they are outside local court jurisdiction and once money is transferred, it is very hard if not impossible to get back. Ancient, equitable laws of tracing in common law countries do not really stack up in these modern days of direct debits and BACS transfers. It is mostly left up to companies to come up with defences and strategies to combat the ever changing scams which they face, relying on best practice and advice from those who have experienced similar issues in the past.

FW: In your experience, what steps can multinationals take to monitor, prevent and detect suspicious, potentially fraudulent activities within their own organisation or which are targeted at their organisation?

Meads: In our experience, UK prosecutors, whose armoury has been significantly expanded by the Bribery Act 2010 and the Crime and Court Act 2013 which introduced DPAs, would expect a multinational to have in place elements such as a code of conduct; an appropriate training and education program; internal ‘whistleblowing’ procedures for reporting suspected fraudulent conduct which enable officers and employees to report issues in a safe and confidential manner; and reasonable procedures for undertaking due diligence on potential projects, acquisitions, business partners, agents, representatives, distributors, sub-contractors and suppliers.

Ostwalt: First and foremost, companies need to develop a corporate ethics and compliance program. One step in this process is performing a fraud and compliance risk assessment. The compliance program will be directly affected by how thorough the risk assessment was, and if it was able to identify the areas where fraud might occur, or where compliance breaches might be committed. The strongest assessments will include the participation of executives at the top of the company as well as personnel across all the firm’s functions. Once the risks are identified, individuals should be educated about the potential impact that a breach of the compliance program can have on the organisation.

Sullivan: Companies must establish and maintain credible anti-corruption programs to protect against the risks inherent in doing business in today’s global economy. Just as companies purchase insurance to protect against any number of foreseeable risks, so too must companies protect themselves from an array of corruption risks. Implementing such a program is the first step in protecting the company, and conversely, not having an effective compliance program exponentially increases a company’s criminal and civil risk – including the risk of individual officer and director liability. An effective compliance program must be tailored to the commercial activities of the company, the industry in which it competes, its customers, its sales practices, and the geographic regions where the company does business. Robust compliance requires the efforts of employees throughout the organisation – from management, to sales, marketing, accounting and finance. The essentials of an integrated program begin with both a focused risk assessment, and a commitment from leadership, and also include updated policies and procedures, anti-corruption training and messaging, and periodic program audits.

Flood: Given fraud is all about obtaining financial advantage through deception, fraud generally occurs either when you are charging someone too much or wrongfully paying money out. So, that is where multinationals need to focus their attention. Having in place a set of proper financial and commercial controls to prevent money going out of the company, and keeping track of it when it’s within the company is 99 percent of the solution. These processes should be backed up by good internal and external audit teams, who regularly and rigorously test invoicing, payment and receipt processes for weakness and abuse. The other key area is IT. Having in place appropriate IT security policies and systems is crucial to either detect fraud, or to minimise its impact once you are attacked.

Kelly: Multinationals should and must be able to deploy dedicated resource as part of a governance function as the oversight of a business to undertake a risk assessment for fraud and engage controls cannot be a part-time activity for roles that may be distracted by other responsibilities. There must be clear education around regulatory requirements, clear rules and acceptable behaviour, and controls that identify potential suspicious activity to be investigated by the governance function that has the required autonomy to act appropriately. This has to be underscored by a well promoted ‘whistleblower’ program that encourages people within the business to report good faith suspicions without fear of any form of recriminations. There has to be what can be termed an ‘authority matrix’ that articulates very clearly what people and roles can do what and at what financial level. There has to be a segregation of responsibility so that even an expense claim for a CEO has to be approved by someone else, ideally the governance function reporting to the board, including checks against the authority matrix.

FW: In your opinion, does the biggest threat of fraud come from employees, suppliers or third-parties? Why?

Sullivan: The vast majority of staff in any organisation is trustworthy and honest. But our increasingly competitive global marketplace presents challenges to success that might appear to be overcome through the adoption of practices that are inconsistent with legal compliance. The use of third parties is often a regular aspect of doing business internationally, but these ‘agent’ business relationships present inherent corruption risks that must be mitigated. A key component of an effective compliance strategy includes due diligence in both the hiring of company employees, as well as in the engagement of agents, vendors, contractors, consultants and intermediaries. Such due diligence is especially important for those employees involved in disbursements, financial reporting and sales. The scope and depth of the due diligence inquiry depends on the company’s identified risks, the prospective employee’s job responsibilities and level of authority, and the applicable laws of the country in which the company resides, as well as those in which it does business.

Flood: Employee fraud carries the most serious consequences, particularly for businesses working for governments or regulated clients. Overcharging of those customers – either for personal gain or to cover up poor performance – could potentially be group-threatening. A conviction of fraud will get you banned for life from government work anywhere in the EU. In the US, with qui tam whistleblowers receiving a share of whatever is received back by the federal government under the False Claims Act, the stakes are very high. Contracts obtained by fraud are generally unenforceable, so you can end up working for nothing. Recent scandals of overcharging and wrongful billing of the UK government by companies in the services sector and the resulting impact on their share price is testament to this. Even if the actions are carried out by rogue employees, your clients will not really care about the niceties of agency law and vicarious liability.

Ostwalt: The real emerging threat is coming from third parties. This is a hot topic in the field of forensics, and risk and compliance. In part the threat is growing due to proliferation of third parties that firms are engaging to help achieve their business objectives. This includes managing supply chain complexity, dealing with the logistics of moving goods and services, and general outsourcing of non-core business functions, such as technology and human resources. Third parties that are brought under a company’s umbrella rarely have an appreciation of the company’s values or its ethical tone. They do not necessarily get an opportunity to hear the ‘tone at the top’ from the company, which means there is an inherent lack of appreciation for that company’s corporate oversight and control function.

Meads: Cuts in pay, salary freezes and intense demands to hit targets in the economic downturn have been identified as factors associated with increased pressure on UK employees to commit fraud. As ‘insiders’ employees are perfectly placed to identify weaknesses in processes and internal controls and exploit them to their advantage, and are potentially vulnerable to approaches from outsiders. A supplier can be in cahoots with employees or part of a cartel with other suppliers. Their threats include the inflation of contract prices, price-fixing and bid-rigging. Therefore an organisation must ensure it has active engagement and management in its procurement process. Depending on the particular relationship, the conduct of third parties can either implicate a company – such as a sales agent paying bribes – or can directly harm a business’s economic interests. Unfortunately third parties are often harder to control and monitor because they are at arm’s length.

FW: What key considerations do multinational firms need to make when rolling out a fraud compliance strategy across multiple jurisdictions? What aspects do firms need to address, such as cost and resource management?

Ostwalt: One point to make is that the compliance program itself needs to be available in local languages. Another is that there needs to be training, and that training should be conducted in the local language. A further consideration relates to reporting systems. In some countries, it is not particularly smiled upon to raise your hand and bring issues forward, which promotes the notion of having a hotline or call centre available for people to report potential wrongdoing. For this, the company needs to staff the call centre with people who have local language skills and also understand the nuances of business culture in the country where the report is logged. A challenge of dealing with compliance on a multinational basis is the additional compliance cost that comes with these systems, processes and supporting infrastructure.

Meads: There is no ‘one-size-fits-all’ approach to compliance. However, the authors of any fraud compliance strategy will need to ensure a comprehensive understanding and an atmosphere of absolute compliance with the laws and regulations of every jurisdiction in which they, their partners, subsidiaries, and so on, operate. They need to adhere to the highest standards to which they are subject, given the risk that conduct in one jurisdiction might be scrutinised in the jurisdiction in which its effects are felt. The controls in place to prevent fraud must be supported at senior management and board level – the right tone must be set from the top. A comprehensive risk assessment must be undertaken to enable the creation of robust policies and procedures that link all the functions of a commercial organisation: business, IT, legal – which should incorporate compliance – and HR.

Sullivan: Today global and effective anti-corruption compliance mandates an appreciation that culpable activity may be pursued vigorously wherever it occurs, and by regulators acting in concert around the world. For today’s multinationals doing business in a global market, the fact is that foreign regulatory partners, specifically those in developing and emerging markets, can both instigate and expedite US investigations. Accordingly, companies must think locally while acting globally. Given the interactive nature of universal anti-corruption enforcement, if a company is facing corruption scrutiny anywhere in the world, it runs the risk of its local challenge metastasising into a global problem. All of a company’s anti-corruption stakeholders – worldwide – should be advised so as to initiate prudent preventative measures to protect against ongoing questionable activities undertaken by one subsidiary that may have already been suspended by another.

Kelly: There needs to be an initial and ongoing risk assessment appropriate to the nature and extent of the business conducted by relevant internal resource or through the engagement of a specialist service provider. Multinational firms absolutely need an internal risk and compliance infrastructure that identifies issues around such governance matters as fraud and marshals an effective response. A recent prosecution of a financial services company in the US and its employee around a financial crime saw the business exonerated because it was able to demonstrate tight controls and mandatory training and testing that had near 100 percent completion rates – the offending employee had completed the training a number of times and still gone off on an adventure of his own. The employee was convicted.

FW: What advice can you offer to companies on dealing with increasing government investigations and frequent regulatory changes, in terms of maintaining an effective compliance program?

Flood: It is very difficult to keep up to date with all the various regulations of different countries. One way to try is to form alliances with local law, risk management and accountancy practices, and ask them to warn you proactively of issues that may arise due to regulatory changes – which they will generally do in the hope of gaining fee-based work. The other approach is to try and create a principles-based compliance program. People need to start thinking “Am I doing the right thing?” not “Am I doing what’s legal?” Where there is a law there is generally a loophole. However, do you really want to be explaining that loophole on the front page of the New York Times? Governments also have a tendency of closing loopholes, and it can take a while for multinationals to change their systems to ensure compliance. It is also key to forge good relationships with the important regulators in your sector. It never pays to have a regulator who has it in for you. Even if you eventually win, the cost, pain and bad press of dealing with investigations are often worse than any eventual fine.

Meads: An effective compliance program or strategy should contain mechanisms through which changes in law, regulation and governmental guidance can be monitored and reacted to swiftly. Internal or external counsel might properly be delegated responsibility for ensuring that the legal and regulatory parameters are known to those with responsibility for compliance, but this does of course require ownership by a senior board member. There is a plethora of guidance, from government agencies, NGOs, to specialist lawyers, all of which can assist compliance officers to assess the adequacy or otherwise of their own strategies. Compliance should be integrated with the legal function, and be seen as part of the business, involved in planning and strategic decision-making, and any compliance strategy should assist a corporate to assess the changing risks to its integrity and ethical conduct.

Sullivan: Certain hallmarks of an effective compliance program which can adapt to an increasingly aggressive regulatory environment are universal. The tone at the top, and middle, matters. Senior management must be invested in a compliance program’s success, but equally important is the integration of middle management, making it accountable for designated compliance implementation and monitoring. In addition, anti-corruption policies and procedures must be regularly updated, training and messaging must be consistent and sustained, and periodic audits must be routinely scheduled and completed. The fact is that well-trained employees are a company’s first line of defence in the anti-corruption setting. A demonstrative, articulate and lucid code of conduct that is compellingly communicated to employees is one of the most critical tools in establishing and maintaining a corporate culture of compliance.

Kelly: In many ways, such investigations and changes are helpful as they identify a need to do something. What that something is, though, is not always very clear as a regulation may be principle-based rather than rule-based. So a principle may be broadly that a business needs to have effective systems and controls around financial crime. Whether what the business has in place is effective may only be judged when the regulator undertakes a proactive audit or investigates in response to an issue – you’ll only know at that point. Deficiencies at either point may attract fines, sanctions and reputational harm irrespective of any actual crime. There are many examples around bribery.

Ostwalt: Companies need to stay abreast of their regulatory agencies’ priorities. As more investigations and regulatory changes come to light, the pattern shows they are often aimed at a particular element of business or a particular sector, such as finance or pharmaceuticals. Firms must evaluate regulatory priorities and related enforcement activities, to identify where they concentrate their investigation efforts. Companies can do this by joining industry associations, keeping apprised through newsletters and webcasts from law firms and accounting firms, and attending conferences. All these things are vital to staying ahead of the trends. By tracking current events, a company can modify its risk assessments to be prepared to address issues on which regulators are focused. Firms must always be mindful of the need to adjust their compliance audit programs, to address what those issues are, to be committed to a compliance audit schedule at the beginning of the year, and to quickly address any necessary modifications. We have also seen a significant increase in the use of data analytic routines to detect potential breaches in a compliance program.

FW: What increased complexity is there in being a multinational company, subject to several different regimes at the same time? Are there occasions where the regulation is inconsistent?

Sullivan: No international legal regime is entirely consistent country to country and that is, of course, a challenge to any multinational company. In the anti-corruption area, the inconsistencies that immediately come to mind are the handling of facilitation or ‘grease’ payments, strict corporate liability, the availability of defences, and whether liability can be insured against. There are, of course, many more areas where the various national laws may differ, but for example, under the US FCPA, facilitation payments may not be illegal while under the UK Bribery Act they likely are impermissible. Some countries’ penal codes require an element of ‘scienter’ or guilty knowledge at management level before a company can be held criminally responsible for illegal acts undertaken in the company’s name or for its benefit by lower level employees or agents. The UK Bribery Act now provides for a strict liability corporate offence of failure to prevent bribery. Likewise, the UK Act provides for a defence of adequate compliance procedures to prevent bribery, while under the US FCPA the existence and adequacy of any compliance program is simply a matter that the prosecuting authority may consider in its discretion.

Flood: We are facing a world where multinational companies have to comply with complex legal systems that may actually conflict. In federal countries, you can even find legislation which conflicts from state to state and again at federal level – tax authorities are notorious for this. For example, if under a contract in India you are providing both goods and services, and you place a separate value on each component, you can find yourself accused of tax fraud by one authority if they feel you have not valued that component high enough. If you change the valuation – for example, to say the services are worth more – then the other taxing authority now losing out on revenue can equally accuse you of tax fraud for not paying enough. You can either pay the higher amount to both authorities, or fight a long running tax avoidance investigation. Another example people might not think of is use of encryption software and hardware. In one country, this may be an effective tool to prevent fraud and protect personal information. In another, it may be outlawed due to anti-surveillance concerns.

Ostwalt: Differences in the specific elements of regulation are apparent from country to country, and companies obviously have to maintain their ‘in country’ compliance. In terms of cross-border, extraterritorial regulations, we are beginning to see agencies make a concerted effort to enforce similar regulations and cooperate with each other to that end. Companies need to hold their internal thresholds to a higher standard than all of the regulations to which they may be subject. If you work toward a higher standard, you should be compliant, but this can be difficult to achieve in practice. It is a complex issue.

Meads: Multiple jurisdictions add complexity to planning, procedures and, if ever to occur, management of investigations. Where a corporate is to conduct business in multiple jurisdictions, it needs to identify a reliable source for legal advice within each jurisdiction. The laws and regulations can be widely divergent, and indeed, inconsistent. Facilitation payments are one example: while the UK has never recognised facilitation payments as exempt from the prohibition upon paying bribes, in other jurisdictions, low value facilitation payments to expedite or to secure the performance of a routine governmental action are permitted in certain circumstances. The extraterritorial reach of prosecuting agencies, and the emphasis on maintaining integrity by UK standards, whatever the jurisdiction, increases the burden. It must always be borne in mind that there is no such thing as a global settlement; issues that have been resolved in one country may reappear in the UK or in the US some time later.

FW: How should companies engage their management and staff on the topic of corporate fraud, particularly when they are dealing with multiple jurisdictions or sectors with different values and operating models?

Meads: There are three key components. First, is ‘tone at the top’ – the board must ensure institutional support for ethical and responsible business practices at the highest levels of the organisation and in all jurisdictions. Second, is a ‘zero tolerance’ policy for fraudulent or corrupt conduct – the board should ensure a climate of vigilance and zero-tolerance for fraudulent conduct. Third is education and training – companies should invest in regular training, which also addresses the regulatory differences across jurisdictions.

Ostwalt: For a training program to be truly effective, active engagement must occur. Companies need to design training programs and roll them out in ways that highlight differences present in each country. Ultimately, the program should articulate and emphasise the standards it sets for individual behaviour – that dialogue, led by senior management, is what really establishes the tone at the top. This is the most important factor in creating a deep culture of ethics and compliance. Being able to engage people and discuss the program in terms of how it can be realised throughout the organisation is absolutely vital.

Sullivan: As mentioned, so-called ‘tone at the top’ is one of the recognised foundational points for any fraud and corruption risk assessment, avoidance or management program. If senior management recognises the risks and sets out transparently to address them, middle management and staff are likely to fall into line. That said, a thorough, management driven review of the culture, laws and practices of the various jurisdictions in which a company does business is likewise crucial. Cultural arrogance is not only a business risk but a significant legal risk. A well-designed compliance program designed with the competing factors in mind and proportional response to them is certainly something that we recommend. The collaborative use of experienced counsellors and advisers across the platform, and both internal and external, is often the best calculated to result in an acceptable response, recognising of course that there is no silver bullet here.

Flood: The key here is to adopt a principles based compliance program, and to have an internal system of whistleblowing that is effective and well-publicised. People need to know that if they see their colleagues or suppliers cheating, that they can raise a complaint and it will be dealt with effectively and thoroughly. Often the best way to do this is to provide people with concrete examples of what might constitute fraud, or to publicise investigations once they have been completed. This may seem very counterintuitive to companies worried about their reputation, or who are scared that their financial controls and processes may not be viewed as effective by observers such as analysts or corporate regulators. However, from an employee and management point of view, there is no better way to grab people’s attention and reinforce the company’s values.

FW: Could you outline the potential risks to directors and officers of a company investigated for fraud? What can D&Os do to manage and mitigate such risks?

Kelly: Clearly, there are fines and sanctions for the business and reputational harm for the business and its leaders. In addition, some jurisdictions impose a personal liability on certain directors and officers that can have a profound financial impact for them, which they are legally prohibited from being indemnified or insured against. Put simply, directors and officers could lose their houses and with their reputation in tatters, their ability to hold gainful employment. They could also go to jail.

Ostwalt: For D&Os to understand what is happening within their organisation, they need to step back and identify who in the company might be in a position to know where the deficiencies lie. These individuals would include legal counsel, internal audit and compliance leaders. D&Os need to engage with these leaders in regular conversations about concerns they may have. Have they noticed compliance gaps and shortfalls? Where are they seeing increased risk? It is concerning when boards avoid dealing with this topic, but they have to understand that a strong program governing fraud and compliance is good for stakeholders and increases value. When a deficiency arises, that is where the responsibility to do the right thing kicks in. D&Os need to get the right independent party in place to evaluate the situation; certainly, it is poor practice to place an investigation in the hands of people who may have been involved. Whatever that matter is, the company needs to obtain a full independent review. Failing to do that is one of the biggest risks the D&Os can take.

Meads: The risks to D&Os have become particularly acute with the advent of the DPA provisions. The government has made it abundantly clear that DPAs will not be used as a means for individuals to avoid being prosecuted. In fact, an aspect which favours the use of a DPA is cases where the offending represents isolated actions by individuals, for instance a rogue director. It follows that a company that wishes to avoid the consequences of this criminal conduct may have little incentive to protect company officers in the firing line, where to do so might jeopardise the prospects of a DPA. Personal – as opposed to corporate – risk can be minimised by proactively assisting in the creation of an anti-fraud culture. It is also prudent to check their insurance policies to see what support they will receive in the event of an investigation for fraud, bearing in mind that insurers are likely to have reviewed their policies in light of the DPA requirements.

Sullivan: Typically, corporate officers and shareholders were shielded from direct personal liability for legal violations by the corporation itself, consistent with the notion that a corporation has a distinct and separate legal identity. However, a concept sometimes called ‘the responsible corporate officer doctrine’ has evolved in some jurisdictions, including the US, either by court decision or legislation under which individuals can be held liable for corporate misconduct without involvement in or even awareness of the wrongdoing. Recent indications suggest that regulatory authorities are making aggressive use of this doctrine. Under the UK Bribery Act, section 14 specifically provides for personal officer and director liability for organisational offences under certain conditions, and the prosecuting authorities have made it clear that they are looking to bring individuals to trial where senior officers can be shown to have permitted bribery or corruption to take place. The starting point to managing and mitigating this risk is recognition of the legal duties and responsibilities that officers and directors owe to their companies. These are often characterised as fiduciary obligations or the highest degree of care and loyalty. There is a level of personal responsibility that directors and officers must recognise and accept.

Flood: If directors and officers are implicated in fraud themselves they can face fines, director disqualification, jail time, and potentially extradition. All this can be made public and careers can be ruined forever. Officers who are accountants or lawyers can face professional sanctions, such as being struck off the roll. Sometimes, even turning a blind eye will be enough to get a conviction, even if D&Os are not directly involved in the fraud themselves. D&Os should mitigate this by ensuring that they have in place a robust risk management program, which they regularly test and monitor.


Matthew Flood is general counsel and divisional manager of the Services Division at Balfour Beatty plc. Mr Flood and his team deal with large-scale infrastructure/outsourcing projects for government and private clients and support Balfour Beatty’s back office functions (such as IT, supplier payments and procurement). Mr Flood is on the Division’s Board, heads up its compliance program, and co-leads efforts on Diversity and Inclusion. He previously worked in M&A/Treasury/commercial legal roles at Balfour Beatty plc, SABMiller plc, and BP plc. Mr Flood is dual-qualified in Victoria, Australia and England & Wales.

Shaun Kelly is a director of the Risk & Compliance Group at Crawford & Company. Mr Kelly and his team facilitate solutions in response to compliance and business risk issues, including legislation, regulation, market dynamics and matters arising generally around the broad area of governance. Mr Kelly has been engaged in various operational and technical capacities and has held a number of management roles. He is an Associate of the Chartered Insurance Institute, Fellow of the Chartered Institute of Loss Adjusters and certified Business Continuity Practitioner.

Phil Ostwalt is a partner at KPMG. He currently serves the firm as the National Investigation Services Network Leader, and Global Coordinator for Investigations for the Global Forensic practice. He specialises in performing investigations on behalf of management, audit and special committees, and governmental organisations, generally performed in conjunction with legal counsel.

Rebecca Meads is an employed barrister in the business crime department at Peters & Peters. Ms Meads has expertise in large scale fraud, anti-bribery and corruption, sanctions, challenging Interpol Red Notices, and extradition and MLA Requests. She has worked on a number of high profile cases and has experience of conducting criminal litigation at all levels.

Bill Sullivan is a partner at Pillsbury Winthrop Shaw Pittman LLP. He has an extensive corporate investigations and white-collar criminal background with an emphasis on criminal antitrust enforcement and the Foreign Corrupt Practices Act (FCPA). Mr Sullivan is co-leader of Pillsbury’s Corporate Investigations & White Collar Defence practice. He served for 10 years as an Assistant United States Attorney for the District of Columbia.

©2001-2019 Financier Worldwide Ltd. All rights reserved.